Toshiba ConfigFree CF7 File Stack Buffer Overflow (ProfileName)
Summary
=======
There is a stack buffer overflow vulnerability in the Toshiba ConfigFree
CF7 file format used on Toshiba laptops. An attacker could execute arbitrary
code by enticing a Toshiba laptop user to download and execute a malicious
CF7 file.
CVE number: CVE-2012-4980
Impact: High
Vendor homepage: http://www.toshiba.co.uk/
Vendor notified: 13/07/2012
Vendor response: Toshiba does not recognise this as a security vulnerability
and therefore will not be releasing a fix.
Credit: Joseph Sheridan of ReactionIS (http://www.reactionis.co.uk)
This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/configfree-bof-profilename.html
Affected Products
======== ========
Confirmed in the latest ConfigFree version, 8.0.38, on Windows 7 on a Toshiba
Satellite R850. Other versions may also be affected.
Details
=======
The ‘profileName’ field of the cf7 file is vulnerable to a stack-based
buffer overflow.
ConfigFree is the registered file handler for the cf7 filetype (CFProfile.exe
at HKEY_CLASSES_ROOT\cf7_auto_file\shell\open\command) so if a user could
be convinced to download a malicious cf7 file and execute it, the stack
buffer overflow vulnerability could be exploited to execute arbitrary code
on the victim's machine.
Impact
======
If a user could be convinced to download a malicious cf7 file and execute it,
the stack buffer overflow vulnerability could be exploited to execute arbitrary
code on the victim's machine.
Solution
========
As no fix is available, concerned users can remove this utility from their
machine.
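To find hosts where the handler described under Details is still registered, or to confirm it is gone after removing the utility, the following check can be used. It is an added example, not part of the original advisory: the registry key is the one named above, while the function name and output property names are this example's own.

```powershell
# Added example: reports whether the cf7 open handler named in the advisory
# is registered for the current user, and which executable it points to.
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\cf7_auto_file\shell\open\command'

function Get-Cf7HandlerStatus {
    param([string]$Key = $KeyPath)

    $status = [ordered]@{
        Key          = $Key
        Registered   = $false
        Command      = $null
        Executable   = $null
        IsCFProfile  = $false
        ExistsOnDisk = $false
    }

    if (Test-Path -LiteralPath $Key) {
        # The handler command line is stored in the key's unnamed (default) value.
        $command = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'(default)'
        if ($command) {
            $status.Registered = $true
            $status.Command    = $command
            # Take the quoted path if present, otherwise the first whitespace-delimited token
            # (an unquoted path containing spaces will be cut short; check Command in that case).
            if ($command -match '^\s*"([^"]+)"' -or $command -match '^\s*(\S+)') {
                $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
                $status.Executable   = $exe
                $status.IsCFProfile  = ((Split-Path -Leaf $exe) -ieq 'CFProfile.exe')
                $status.ExistsOnDisk = Test-Path -LiteralPath $exe -PathType Leaf
            }
        }
    }
    [pscustomobject]$status
}

Get-Cf7HandlerStatus | Format-List
```

HKEY_CLASSES_ROOT is a merged per-user view of the registry, so run the check in the context of the user whose file association is being audited.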
Distribution
============
In addition to posting on the website, a text version of this notice has been
posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk
Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on mailing lists
or newsgroups. Users concerned about this problem are encouraged to check the
URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/configfree-bof-profilename.html
==============================================================================
Reaction Information Security
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
Email: joe@reactionis.co.uk
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ