|
Brought to you by:
Suppliers of:
|
|
|
| |
| eEye Digital Security has discovered a vulnerability in USER32.DLL's handling of Windows animated cursor (.ani) files that will allow a remote attacker to reliably overwrite the stack with arbitrary data and execute arbitrary code. |
| |
Credit:
The information has been provided by Derek Soeder.
The original article can be found at: http://www.eeye.com/html/research/advisories/AD20050111.html
|
| |
Because Windows animated cursors can be supplied for use by Internet Explorer, this vulnerability affects any applications that use the Internet Explorer component internally, such as Internet Explorer itself, Word, Excel, PowerPoint, Outlook, Outlook Express, and so on, as well as the Windows shell.
In the case of Internet Explorer, the user's system will be compromised when the user views a website that shows a malformed ANI file referenced via a style sheet in the HTML file. Likewise, a system may be compromised through Outlook and Outlook Express when the user tries to read an HTML e-mail containing a MIME-encoded malformed ANI file and a style sheet referencing the encoded ANI file, invoked using HTML such as < BODY style="CURSOR: url('cid:xxxx')" >. In the case of the Windows shell (explorer.exe), exploitation occurs when the user opens a folder containing a malformed ANI file.
This vulnerability also exists in all obsolete versions of the Windows operating system (Windows 95/98/NT4).
Technical Details:
The buffer overflow bug exists in a part of USER32.DLL involved in handling ANI animated cursor files. A partial ANI file format is given below:
"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}
Generally, the length of AnimationHeaderBlock shoule be 36 bytes (0x00000024). The vulnerability is in the handling of the Length_of_AnimationHeader field. This value will be passed as the length argument of memcpy(), in order to copy the contents of AnimationHeaderBlock, but the value is not checked appropriately. The buffer intended to hold the AnimationHeaderBlock is located on the stack, so we can overwrite the return address and exception handler on the stack and jump into the buffer containing our code.
This vulnerability is a separate vulnerability from the ones discovered by X-focus.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
|
| Subject:
|
I have all the patch that everyone says to get but I am still getting win31mso5-002!exploit |
Date: |
19 Jul. 2006 |
| From: |
Misty |
| Can any one help me I have all the patches and it still there, |
|
|
|
|
|
|
