Microsoft Foundation Class DLL code execution (SMB_MFC_DLL_Hijacking)

About this signature or vulnerability

RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows), Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix):

This event indicates an SMB transfer of the DLL file MFC-version-locale.dll when a user opens a file in an MFC-built application. An unintended, malicious version of MFC-version-locale.dll could then be loaded under the Windows DLL load order rules. If successfully delivered, the MFC-version-locale.dll file is automatically run by the requesting application, and it could contain code supplied by an attacker.


False positives

RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows), Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, IBM Security Host Protection for Servers (Unix):

Backup, mass-copy or similar requests involving the given DLL may trigger this signature.
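
The check described above can be approximated offline over SMB file-access records. The following is an added example, not the sensor's own logic: it flags reads of MFC locale DLLs from a share and suppresses the backup or mass-copy case noted under False positives. The record format, the file-name pattern, the thresholds and all sample hosts and paths are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: MFC satellite DLLs are named mfc<version><3-letter locale>.dll
MFC_LOCALE_DLL = re.compile(r"^mfc\d{2,3}[a-z]{3}\.dll$", re.IGNORECASE)
WINDOW = timedelta(seconds=30)  # assumed tuning value
BULK_THRESHOLD = 5              # assumed: >= 5 distinct DLLs looks like a mass copy

def parse(line):
    """Split one constructed record: ISO time, client, operation, UNC path."""
    ts, client, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, op, path

def basename(unc_path):
    return unc_path.rsplit("\\", 1)[-1]

def find_hijack_candidates(lines):
    """Return MFC locale DLL reads over SMB that are not part of a bulk copy."""
    events = [parse(l) for l in lines if l.strip()]
    dll_reads = [(ts, c, p) for ts, c, op, p in events
                 if op == "READ" and p.lower().endswith(".dll")]
    alerts = []
    for ts, client, path in dll_reads:
        if not MFC_LOCALE_DLL.match(basename(path)):
            continue
        # False-positive filter: same client pulling many DLLs in the window
        nearby = {p.lower() for t, c, p in dll_reads
                  if c == client and abs(t - ts) <= WINDOW}
        if len(nearby) >= BULK_THRESHOLD:
            continue
        alerts.append((ts.isoformat(), client, path))
    return alerts

# Constructed sample events (hosts, shares and file names are made up)
SAMPLE = r"""
2011-04-12T09:15:02 10.0.0.21 READ \\fileshare\docs\report.doc
2011-04-12T09:15:03 10.0.0.21 READ \\fileshare\docs\mfc90enu.dll
2011-04-12T09:20:00 10.0.0.33 READ \\fileshare\apps\mfc90u.dll
2011-04-12T23:00:01 10.0.0.50 READ \\fileshare\apps\mfc80.dll
2011-04-12T23:00:02 10.0.0.50 READ \\fileshare\apps\mfc80u.dll
2011-04-12T23:00:03 10.0.0.50 READ \\fileshare\apps\mfc80deu.dll
2011-04-12T23:00:04 10.0.0.50 READ \\fileshare\apps\msvcr80.dll
2011-04-12T23:00:05 10.0.0.50 READ \\fileshare\apps\msvcp80.dll
""".splitlines()

if __name__ == "__main__":
    for alert in find_hijack_candidates(SAMPLE):
        print("possible MFC DLL hijack delivery:", alert)
```

Only the lone read by 10.0.0.21 is reported; the burst from 10.0.0.50 is treated as a mass copy, and mfc90u.dll does not match the locale naming pattern.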

Default risk level

High

Sensors that have this signature

RealSecure Server Sensor: XPU 31.040, IBM Security Host Protection for Servers (Windows): 2.1.14.2630, Proventia Network IDS: XPU 31.040, Proventia-G 1.1 and earlier: XPU 31.040, Proventia Network MFS: XPU 31.040, IBM Security Host Protection for Desktops: 2630, Proventia Network IPS: XPU 31.040, Proventia Server IPS for Linux technology: 31.040, Virtual Server Protection for VMware: XPU 31.040, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

Microsoft Visual Studio: 2005 SP1, Microsoft Visual Studio .NET: 2003 SP1, Microsoft Visual Studio: 2008 SP1, Microsoft Visual C++: 2005 SP1 Redistributable, Microsoft Visual C++: 2008 SP1 Redistributable, Attachmate Reflection: 14.0, Microsoft Visual Studio: 2010, Microsoft Visual C++: 2010 Redistributable, Attachmate Reflection for Secure IT: 7.0

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Foundation Class (MFC) library and Visual Studio could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-link library (dwmapi.dll) when running on Microsoft Windows. By persuading a victim to open a specially crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially crafted library to execute arbitrary code on the system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS11-025. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

Microsoft Web site
Visual Studio
http://microsoft.com

Microsoft Security Bulletin MS11-025
Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx

Attachmate Web Site
Security Updates and Reflection
http://support.attachmate.com/techdocs/1708.html

ISS X-Force
Microsoft Foundation Class DLL code execution
http://www.iss.net/security_center/static/64083.php

CVE
CVE-2010-3190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3190