A directory traversal vulnerability has been reported in Microsoft Windows. The vulnerability is due to a lack of sanitization of file paths inside a CAB file. A remote attacker could exploit this vulnerability by enticing a user into opening a crafted file or installing a remote printer. Successful exploitation could result in the execution of arbitrary code in the security context of SYSTEM. All supported versions of Microsoft Windows are affected by this bug.

Cabinet (CAB) is an archive file format invented by Microsoft to support lossless data compression and embedded digital certificates. It has been used widely on Windows platforms for multiple applications.

A cabinet file contains a cabinet header (CFHEADER), followed by one or more cabinet folder (CFFOLDER) entries, a series of one or more cabinet file (CFFILE) entries, and the actual compressed file data in CFDATA entries. The compressed file data in the CFDATA entry is stored in one of several compression formats, as indicated in the corresponding CFFOLDER structure. The structure of the CFHEADER has the following format: The szName field is a NULL-terminated string specifying the name of the file. After the CFFILE entries, there appear the CFDATA entries, which contain the file contents.

Microsoft has developed the Cabinet API to support handling Cabinet files on the Windows platform. Many Microsoft applications use this API. To extract all files from a CAB file, the application commonly will use the FDICopy function and specify a callback function to handle all events during the extraction operation. For example, callback function NCabbingLibrary::FdiCabNotify() is observed to be used in the dynamic link library localspl.dll and the executable PrintBrmEngine.exe when handling CAB files for printer-related applications. The function handles multiple types of notifications during the extraction, such as fdintCABINET_INFO, fdintPARTIAL_FILE, fdintCOPY_FILE, fdintCLOSE_FILE_INFO, fdintNEXT_CABINET and fdintENUMERATE. Of relevance to this report is the notification type fdintCOPY_FILE, which is called at the start of the processing of each file within the cabinet, providing the opportunity for the application to request that the file be copied or skipped.

A directory traversal vulnerability exists in several Microsoft applications when handling CAB files, including the Print Spooler application and the Print Management Console (printmanagement.msc). These applications share the same code for function NCabbingLibrary::FdiCabNotify() when extracting all files inside a CAB file. Each time the Cabinet API handles a CFFILE and corresponding CFDATA entry in a CAB file, it sends notification fdintCOPY_FILE to the callback function NCabbingLibrary::FdiCabNotify() with all information extracted from those entries. The vulnerability is due to a lack of input validation of the szName field in the CFFILE entry. When the affected function handles the notification fdintCOPY_FILE, the szName field is delivered as the file name.
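
One way an FDI notification callback could validate the CFFILE szName on fdintCOPY_FILE before using it as an output file name, shown as an added example that is not code from the original report or from Microsoft's fix. The helper name `cab_member_name_is_safe` and the sample names are assumptions, and the check is written in portable C so it does not depend on the Cabinet API headers.

```c
#include <stdio.h>
#include <string.h>

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Hypothetical helper (not part of the Cabinet API): returns 1 when a CFFILE
 * szName can be joined to an extraction directory without leaving it, else 0.
 * Meant to run in the fdintCOPY_FILE branch before any file is created. */
int cab_member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;                       /* missing or empty name */
    if (is_sep(name[0]))
        return 0;                       /* rooted or UNC-style path */
    if (strchr(name, ':') != NULL)
        return 0;                       /* drive letter or alternate data stream */

    const char *p = name;
    while (*p != '\0') {
        const char *end = p;            /* find the end of this component */
        while (*end != '\0' && !is_sep(*end))
            end++;
        size_t len = (size_t)(end - p);
        /* Conservatively reject any component made up only of dots and
         * spaces: this covers "." and ".." and variants that path
         * normalization may reduce to them. */
        size_t core = len;
        while (core > 0 && (p[core - 1] == '.' || p[core - 1] == ' '))
            core--;
        if (len > 0 && core == 0)
            return 0;
        p = (*end != '\0') ? end + 1 : end;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from any real cabinet file. */
    const char *samples[] = { "driver\\x64\\sample.dll", "..\\..\\out.txt",
                              "a\\..\\..\\b", "C:\\tmp\\a", "file..txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               cab_member_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A caller that accepts a name would still resolve the joined path and confirm it lies under the extraction directory before opening the file.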