SecuriTeam - Microsoft Windows LoadImage API Integer Buffer Overflow

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

An exploitable integer buffer overflow exists in the LoadImage API of the USER32 Lib. This function loads an icon, a cursor or a bitmap and then try to proceed the image. If an attacker sends a specially crafter bmp, cur, ico or ani file within an HTML page or in an Email, it is then possible to run arbitrary code on the affected system.

Credit:
The information has been provided by Flashsky.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

When the LoadImage API try to procees an image, it directly uses the size field in the image file and then add 4. So if we set the size of image between 0xfffffffc-0xffffffff, an integer buffer overflow occurs.

The function defines:
HANDLE LoadImage(
  HINSTANCE hinst, // handle of the instance containing the image
  LPCTSTR lpszName, // name or identifier of the image
  UINT uType, // type of image
  int cxDesired, // desired width
  int cyDesired, // desired height
  UINT fuLoad // load flags
);

lpszName is the handle to the image to load, uType specifies the type of image to be loaded. This parameter can be one of the following values:
IMAGE_BITMAP Loads a bitmap.
IMAGE_CURSOR Loads a cursor.
IMAGE_ICON Loads an icon.

When LoadImage API try to parse the bmp, cur, ico, ani file format, it doesn't implement any check on the size field and add 4. Look at the code below:

When ANI or CUR is in question:
.text:77D56178 mov eax, [ebx+8] //Direct read our size here:P
.text:77D5617B mov [ebp+dwResSize], eax
.text:77D5617E jnz short loc_77D56184
.text:77D56180 add [ebp+dwResSize], 4 //add 4 int overflow...
.text:77D56184
.text:77D56184 loc_77D56184: ; CODE XREF: sub_77D5608F+EF#j
.text:77D56184 push [ebp+dwResSize] //allocate a wrong size
.text:77D56187 push 0
.text:77D56189 push dword_77D5F1A0
.text:77D5618F call ds:RtlAllocateHeap

Then use the fake size for memmov leads to the heap overflow:
.text:77D561A9 mov ecx, [ebx+8]
.text:77D561AC mov esi, [ebx+0Ch]
.text:77D561AF add esi, [ebp+arg_0]
.text:77D561B2 mov edx, ecx
.text:77D561B4 shr ecx, 2
.text:77D561B7 mov edi, eax
.text:77D561B9 rep movsd
.text:77D561BB mov ecx, edx
.text:77D561BD and ecx, 3
.text:77D561C0 rep movsb

More details and POC at http://www.xfocus.net/flashsky/icoExp/index.html

	SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability
	Dojo Toolkit SDK Multiple DOM-Based XSS Vulnerabilities
	Microsoft Indeo Codec Memory Corruption Vulnerability
	HP DDMI Execution of Arbitrary Code
	Microsoft Windows License Logging Service Heap Corruption Vulnerability
	Microsoft Office Excel Code Execution Vulnerabilities
	Microsoft SharePoint 2007 ASP.NET Source Code Disclosure
	Microsoft Windows Local Security Authority Integer Overflow Vulnerability
	Windows Kernel Multiple Vulnerabilities
	Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability
	Microsoft IIS FTP Service Code Execution and DoS Vulnerability
	Microsoft GDI+ Multiple Vulnerabilities
	Microsoft .NET Common Language Runtime Multiple Vulnereabilities
	Microsoft Active Template Library ActiveX Controls Multiple Vulnerabilities
	ActiveX Active Template Library Initialization Vulnerability