There is a memory corruption vulnerability in TIFF file processing in Microsoft GDI+ that can be used to crash a vulnerable application and also to execute arbitrary code.
The vulnerability
The vulnerability is caused due to errors in decompression of CCITT G4 compressed TIFF images.
CCITT compression is basically a RLE (Run Length Encoding) compression of 2-color (black/white) images where run lengths of black and white pixels are encoded using variable number of bits. In the first step of decoding process run-lengths are determined and are stored in a buffer of the same length as image width located on heap. After this process the values inside the buffer are interpreted as
[white-run-length][black-run-length][white-run-length][black-run-length]...
The process of filling the above buffer continues until the sum of all run-lengths already written in the buffer is smaller than the image width.The vulnerability stems from the fact that, by the encoding mechanism, a 0-run length is completely valid. Thus, if we specify multiple run-lengths of zero pixels at the beginning of the image row, we can escape the buffer boundaries and write arbitrary value after the end of the buffer.
Impact
This vulnerability can be used to run arbitrary code when an application using GDI+ is used to open a malformed TIF file. The code will be run with the privilages of the vulnerable application.
PoC
Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.
References
http://www.zerodayinitiative.com/advisories/ZDI-09-072/
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2503
Wednesday, October 14, 2009
Windows Media Audio Voice remote code execution
There is a vulnerability in Windows Media Audio Voice decoder distributed with Windows Media Player that allows remote code execution by opening a specially crafted web page.
The vulnerability
The cause of the vulnerability is a bound checking error in the code used to decompress Windows Media Audio Voice compressed audio files (located in wmspdmod.dll). Namely, the vulnerability is caused by not properly sanitizing the audio sample rate information contained in the .wma voice file.The maximum allowed sample rate for .wma voie files is 22050 Hz. However, it can be set as high as 96000 Hz (the maximum for any .wma file) without being rejected.By setting the sample rate in .wma voice file between 22050 Hz and 96000 Hz, the attacker can corrupt memory on stack or (indirectly) on heap of the vulnerable process.
Impact
This vulnerability can be used to achieve remote code execution by tricking the victim into opening an attacker-controlled web page. This can be done by specifying a malformed .wma file as a webpage background sound (bgsound tags) or by embedding windows media player in a web page (embed tags). This attack works with multiple browsers (tested on Internet Explorer 6, Internet Explorer 7 and Mozilla Firefox 2 under Windows XP, other browsers and Windows version are affected as well).
PoC
Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.
References
http://www.zerodayinitiative.com/advisories/ZDI-09-069/
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0555
The vulnerability
The cause of the vulnerability is a bound checking error in the code used to decompress Windows Media Audio Voice compressed audio files (located in wmspdmod.dll). Namely, the vulnerability is caused by not properly sanitizing the audio sample rate information contained in the .wma voice file.The maximum allowed sample rate for .wma voie files is 22050 Hz. However, it can be set as high as 96000 Hz (the maximum for any .wma file) without being rejected.By setting the sample rate in .wma voice file between 22050 Hz and 96000 Hz, the attacker can corrupt memory on stack or (indirectly) on heap of the vulnerable process.
Impact
This vulnerability can be used to achieve remote code execution by tricking the victim into opening an attacker-controlled web page. This can be done by specifying a malformed .wma file as a webpage background sound (bgsound tags) or by embedding windows media player in a web page (embed tags). This attack works with multiple browsers (tested on Internet Explorer 6, Internet Explorer 7 and Mozilla Firefox 2 under Windows XP, other browsers and Windows version are affected as well).
PoC
Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.
References
http://www.zerodayinitiative.com/advisories/ZDI-09-069/
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0555
Wednesday, April 15, 2009
Internet Explorer 6 history.go() Remote Code Execution
There is a vulnerability in the implementation of history.go() function in Internet Explorer 6 exposed via JavaScript. The vulnerability enables the execution of arbitrary code if the user visits a web page controlled by the attacker.
The vulnerability
The vulnerability is in the erroneous implementation of history.go() function when called with a certain argument.
Impact
This vulnerability can be used to achieve remote code execution when a victim visits a specially crafted web page.
PoC
Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.
References
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0552
The vulnerability
The vulnerability is in the erroneous implementation of history.go() function when called with a certain argument.
Impact
This vulnerability can be used to achieve remote code execution when a victim visits a specially crafted web page.
PoC
Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.
References
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0552
Subscribe to:
Posts (Atom)