5 Replies Latest reply on Jan 7, 2010 4:49 AM by Attila Polinger

    Buffer Overflow - explorer.exe KERNEL32.CreateFileA

    finkemch

      Does anyone know about the following Buffer Overflows:

      C:\WINNT\explorer.exe    ADVAPI32.RegCreateKeyExA    BO:Writable BO:Heap
      C:\WINNT\explorer.exe    ADVAPI32.RegOpenKeyExA      BO:Writable BO:Heap
      C:\WINNT\explorer.exe    KERNEL32.CreateFileA        BO:Writable BO:Heap

      They occur - with these 3 positions - every day on different systems. The first was a PC with a mail containing a link to an internal local server share; if you click on this link the buffer overflow occurs.

      Could anyone help me?

        • 1. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA

          Generally you will find that Buffer Overflows occur because of either poor programming in an application, or a security vulnerability that exists on your machine that a rogue computer (or application) is attempting to exploit.

          In your case, I believe the cause of your errors is another computer attempting to exploit vulnerabilities in the Microsoft Windows Operating system.

          First off, use WindowsUpdate to security patch your system. After applying all recommended updates and rebooting, do the errors still occur?

          • 2. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA
            finkemch

            Hello,

            Thank you for the fast reply - we use WSUS to patch the systems - but we don't know if it is a new vulnerability or something else ???

            In India and Brazil we have seen many W32\rimecud and W32\rimecud!mem on an explorer.exe - it could also be a new variant of it ??? Patches should be OK - this works fine (we roll them out rapidly).

            We need to catch it - but how ?

            Michael

            Additional Details: ePO 3.61 Virusscan 8.7 Patch 1 Windows XP SP3 on 07.01.10 11:44:42 MEZ
            • 3. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA

              If the Windows patches are up to date, then I would be hesitant to think that it is a cause - although those two DLLs are vulnerable to quite a few Microsoft Security Vulnerabilities.

              Perhaps involve McAfee support to analyse a crashdump and get their opinion on what is causing it?

              Mo Aziz has some good advice here: http://community.mcafee.com/message/101424#101424

              Message was edited by: Mal09 on 07/01/10 10:47:45 GMT
              • 4. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA
                Attila Polinger

                Hello,

                I would say, most likely, some malware has tried to plant itself on the system and VirusScan might have blocked this attempt. Explorer.exe, as a process, has a launch key in the registry, where everything that is registered there will be loaded under this process. You can check what other programs have been registered to load with Explorer: look at HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks. Here are registrations referring to another registry branch, where the actual file (.DLL for example) path/name can be found.

                On a system where these buffer overflows are detected by VirusScan, the offending code might be activated as described above. It is advised to enable some Access Protection rules also, that would prevent code from planting itself under Explorer.exe on all computers, like "Prevent programs registering to autorun."

                To kill the code which is activated, kill Explorer.exe then restart it using Task Manager (Ctrl-Alt-Del); it won't load the code again (until the next reboot, if the above regkeys are still present).

                HTH

                Attila
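                An added example, not from this thread or from McAfee: a PowerShell script that walks the ShellExecuteHooks key Attila describes, resolves each registered CLSID to the DLL Explorer will load (via the CLSID's InprocServer32 branch under HKLM\SOFTWARE\Classes, which is assumed here to hold the HKCR mapping), checks that the file exists and reports its Authenticode signature status. Key and value names follow the standard Windows layout; the function name Get-ShellExecuteHooks is the example's own.

```powershell
# Added example (not the thread's own code): enumerate Explorer's
# ShellExecuteHooks registrations and resolve them to the DLL on disk.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Get-ShellExecuteHooks {
    if (-not (Test-Path $hooksKey)) { return @() }
    $item = Get-Item $hooksKey
    foreach ($clsid in $item.GetValueNames()) {
        if ([string]::IsNullOrEmpty($clsid)) { continue }   # skip the "(Default)" value

        # Each value name is a CLSID; the hook DLL is named in
        # HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32 (default value).
        $clsidKey  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $serverKey = "$clsidKey\InprocServer32"
        $dll = $null; $name = $null
        if (Test-Path $serverKey) {
            $dll  = (Get-ItemProperty $serverKey).'(default)'
            $name = (Get-ItemProperty $clsidKey).'(default)'
        }

        # Paths are often stored with %SystemRoot%; expand before testing.
        $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $exists   = [bool]($expanded -and (Test-Path $expanded))
        $sig      = if ($exists) { (Get-AuthenticodeSignature $expanded).Status } else { 'N/A' }

        New-Object PSObject -Property @{
            CLSID      = $clsid
            Name       = $name
            Dll        = $expanded
            FileExists = $exists
            Signature  = $sig
        }
    }
}

# Usage: run from an elevated prompt on the affected machine.
Get-ShellExecuteHooks | Format-Table CLSID, Name, Dll, FileExists, Signature -AutoSize
```

                Anything whose DLL is missing, unsigned, or sitting outside %SystemRoot%\system32 is worth a second look against the VirusScan detections; the same approach extends to the other Explorer-hosted load points (Browser Helper Objects, shell extensions) by changing the key path, and comparing the output across several of the affected machines quickly shows whether a common registration is present.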
                • 5. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA
                  finkemch

                  Hello Mal09,

                  McAfee is already analysing this case and the dump file - I only wanted to look at the community additionally, to get more input.

                  Michael