Microsoft Foundation Class DLL code execution (SMB_MFC_DLL_Hijacking)

About this signature or vulnerability

Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix), Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This event indicates an SMB transfer of the DLL file MFC-version-locale.dll when a user opens a file in an MFC-built application. An unintended, malicious version of MFC-version-locale.dll could then be loaded under the Windows DLL load order rules. If the MFC-version-locale.dll file is successfully delivered, the requesting application loads and runs it automatically, and it could contain attacker-supplied code.


False positives

Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix), Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows): Backup, mass-copy, or similar requests involving the given DLL may trigger this signature.
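The following triage sketch is an added example, not the sensor's own signature logic: it flags SMB reads of an MFC locale DLL and separates isolated fetches from the bulk-copy pattern named under False positives. The record layout, the thresholds, the sample data, and the filename pattern (`mfc` + version digits + three-letter locale) are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Assumed naming for "MFC-version-locale.dll", e.g. mfc90enu.dll, MFC100DEU.DLL.
MFC_LOCALE_DLL = re.compile(r"^mfc\d{2,3}[a-z]{3}\.dll$", re.IGNORECASE)
BULK_WINDOW_S = 60    # assumed: seconds around the DLL read to inspect
BULK_FILE_COUNT = 20  # assumed: this many files from one directory = bulk copy


def triage(events):
    """events: iterable of (epoch_seconds, client_ip, unc_path) SMB read records.

    Returns a list of (client_ip, unc_path, verdict) for every MFC locale DLL read.
    """
    by_source = defaultdict(list)
    for ts, client, path in events:
        directory = ntpath.dirname(path).lower()
        by_source[(client, directory)].append((ts, path))

    findings = []
    for (client, _directory), reads in by_source.items():
        for ts, path in reads:
            if not MFC_LOCALE_DLL.match(ntpath.basename(path)):
                continue
            # Distinct files the same client pulled from the same directory nearby in time.
            nearby = {p.lower() for t, p in reads if abs(t - ts) <= BULK_WINDOW_S}
            verdict = "likely-bulk-copy" if len(nearby) >= BULK_FILE_COUNT else "alert"
            findings.append((client, path, verdict))
    return findings


def sample_events():
    """Constructed sample records; hosts, shares and file names are made up."""
    events = [
        (1000, "10.0.0.5", r"\\fileserver\projects\report.doc"),
        (1001, "10.0.0.5", r"\\fileserver\projects\mfc90enu.dll"),  # fetched on document open
        (1002, "10.0.0.6", r"\\fileserver\tools\mfc90u.dll"),       # core MFC DLL, not a locale DLL
    ]
    events += [(2000 + i, "10.0.0.9", rf"\\backup\vs2008\redist\file{i}.bin") for i in range(25)]
    events.append((2010, "10.0.0.9", r"\\backup\vs2008\redist\MFC90DEU.DLL"))
    return events


if __name__ == "__main__":
    for finding in triage(sample_events()):
        print(finding)
```
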

Default risk level

High

Sensors that have this signature

Proventia Network IPS: XPU 31.040, Proventia Server IPS for Linux technology: 31.040, Virtual Server Protection for VMware: XPU 31.040, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Network IDS: XPU 31.040, Proventia-G 1.1 and earlier: XPU 31.040, Proventia Network MFS: XPU 31.040, IBM Security Host Protection for Desktops: 2630, RealSecure Server Sensor: XPU 31.040, IBM Security Host Protection for Servers (Windows): 2.1.14.2630

Systems affected

Microsoft Visual Studio: 2005 SP1, Microsoft Visual Studio .NET: 2003 SP1, Microsoft Visual Studio: 2008 SP1, Microsoft Visual C++: 2005 SP1 Redistributable, Microsoft Visual C++: 2008 SP1 Redistributable, Attachmate Reflection: 14.0, Microsoft Visual Studio: 2010, Microsoft Visual C++: 2010 Redistributable, Attachmate Reflection for Secure IT: 7.0

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Foundation Class (MFC) library and Visual Studio could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-link library (dwmapi.dll) when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS11-025. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

Microsoft Web site
Visual Studio
http://microsoft.com

Microsoft Security Bulletin MS11-025
Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx

Attachmate Web Site
Security Updates and Reflection
http://support.attachmate.com/techdocs/1708.html

ISS X-Force
Microsoft Foundation Class DLL code execution
http://www.iss.net/security_center/static/64083.php

CVE
CVE-2010-3190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3190