Vulnerability or Exposure Note 7254 (CVE-2018-6461)
March Hare Software WINCVS Insecure Library Loading Vulnerability
OverviewMarch Hare Software WINCVS contains an Insecure Library Loading vulnerability or exposure in the
wincvs.exe file, which may allow local users to gain privileges via a Trojan horse python or tcl dll file in the current working directory.
I. DescriptionMarch Hare Software WINCVS provides scripting capabilities through the use of Python or TCL. The
wincvs.exe contains a vulnerability or exposure in the use of DLL name to load Python or TCL, which affects WINCVS on all Windows operating systems: WINCVS 1.0 and later (including all builds of 2.0, 2.02, 2.09, 2.1.1, 2.5.0x and 2.8.01 before build 6610; CVS Suite 2.5.01, CVS Suite 2.5.02, CVS Suite 2.5.03, CVS Suite 2008 and CVS Suite 2009 before build 6610.
Exploit code for this vulnerability or exposure has been tested by March Hare Software.
II. ImpactA non-privileged user may create a module (or add files to an existing module) with a specially crafted name to gain authenticated access to your PC with the same privileges as the current logged on user when WinCVS is opened in that directory. Specifically when a user right clicks on the checked out module to 'Open in new instance' or Ctrl+F2 then the malicious DLL executes.
III. SolutionApply an update
This issue is addressed in CVS Suite 2009R2 Build 6610 (and higher), which modifies the way WinCVS handles loading DLLs to exclude the 'current directory' from the acceptable paths. Customers with an active software maintenance contract may download the update from the customer area of the march-hare.com web site.
Use Microsoft KB2264107 to mitigate this issue on affected systems
Microsoft has published KB2264107 about this issue and provided a hotfix and registry setting as a mitigation for this vulnerability or exposure.
|Vendor||Status||Date Notified||Date Updated|
|March Hare Software||Vulnerable||2018-01-31|
This document was written by March Hare Software.
This vulnerability was discovered by hyp3rlinx / apparition security.
|Date First Published:||2018-02-05|
|Date Last Updated:||2018-02-05|
|CERT Advisory:|| |
|US-CERT Technical Alerts:|| |