Re: Amaya Security Issue/Windows Interoperability Issues from Laurent Carcone on 2004-05-14 (www-amaya@w3.org from April to June 2004)

From: Laurent Carcone <laurent@w3.org>
Date: Fri, 14 May 2004 19:05:52 +0200
To: Brant Gurganus <brantgurganus2001@cherokeescouting.org>
Cc: www-amaya@w3.org
Message-Id: <20040514170552.5B8FA17158@tux.inrialpes.fr>

Thanks for this report Brant,
We'll have a look at these issues.

Regards,

Laurent Carcone

> 
> Potential security issue is at end.
> 
> I ran the latest Windows binary distribution of Amaya while it was 
> monitored by Microsoft's Application Verifier.  I did not actually do 
> anything; I just started it and exited.  It was also still clean; that 
> is, it had not been run before.  Here are issues that Microsoft's 
> Application Verifier (free) pointed out:
> 
> Amaya gets the user's profile folder without using the correct API which 
> could lead to future compatibility issues:
> Designed for Windows Logo Requirement 3.2. The application wrote 
> application or user information to an unapproved file location. Use the 
> SHGetFolderPath API to obtain the My Documents, Application Data, Local 
> Application Data, or Common Application Data directories. These 
> directories are appropriate locations for files created by an application.
> 
> Amaya access the Temp folder without the appropriate API:
> The application used a Windows Temp path that was not obtained using a 
> method approved by the Designed for Windows Logo Program. Use the 
> GetTempPath API to locate appropriate storage for temporary files.
> The following parameters from the following function calls suffered from 
> this:
> lpFileName of GetFileAttributesA
> lpPathName of CreateDirectoryA
> lpFileName of FindFirstFileA
> lpFileName of CreateFileA
> 
> I then later ran Amaya and did more stuff and found the following 
> additional issues:
> ****************************************************************
> Security Issue:
> CreateProcess is called in printing with the following issue:
> The lpApplicationName argument is NULL, lpCommandLine has spaces, and 
> the exe name is not in quotes.
> 
> Because of a flaw in the CreateProcess API, this can cause issues with 
> filenames that have spaces and are not quoted.  Arbitrary executables 
> can be executed.  This is especially severe for Amaya since its code is 
> open source so you would know what to name the malicious executable.
> ****************************************************************
> 
> 
>

Received on Friday, 14 May 2004 13:06:00 UTC