Thursday, June 07, 2007

[NT] Microsoft GDI+ Integer Division by Zero Flaw Handling .ICO Files

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Microsoft GDI+ Integer Division by Zero Flaw Handling .ICO Files
------------------------------------------------------------------------


SUMMARY

CSIS Security Group has discovered an Integer division by zero flaw in the
GDI+ component in Windows XP. This condition are activated when a
malformed ICO file are viewed through either Windows Explorer or other
components like Windows Picture and Fax Viewer .

The consequence of this flaw is a Denial of Service condition and doing a
restart of the explorer process

DETAILS

Vulnerable Systems:
* Windows XP Service Pack 2

CSIS Security Group has discovered an Integer division by zero flaw in the
GDI+ component in Windows XP. This condition are activated when a
malformed ICO file are viewed through either Windows Explorer or other
components like Windows Picture and Fax Viewer .

The consequence of this flaw is a Denial of Service condition, to
applications using the vulnerable GDI+ component, and doing a restart of
the explorer process. The flaw is in the InfoHeader -> Height value within
the malformed .ICO file, when inserting 0x00000000 at byte location 31 to
34.

Disassembly of the code:
The flaw goes into the following memory area and throws the exception
Integer division by zero at 4ED9E28F, Causing a restart of the explorer
process.

Below is the vulnerable function:
text:4ED9E209 ; private: int __thiscall GpIcoCodec::IsValidDIB(unsigned
int)
text:4ED9E209 ?IsValidDIB@GpIcoCodec@@AAEHI@Z proc near
text:4ED9E209 ; CODE XREF: GpIcoCodec::ReadHeaders(void)+188p

Integer division by Zero
4ED9E28A mov eax,7FFFF000h ; 7FFFF000h = 2147479552
4ED9E28F div eax,edi ; 2147479552 / 0

Analysis:
Exploitation of the flaw will at least result in a Denial of Service
condition against the program using the GDI+ component, and doing a
restart of the explorer process. Further code execution has not been
verified.

Timeline of public disclosure
02-04-2007 Vulnerability discovered.
17-04-2007 Research ended.
18-04-2007 CERT/CC informed
18-04-2007 Received VU#290961 from CERT/CC
25-04-2007 Received CVE-2007-2237 from CERT/CC
03-05-2007 Reported to Microsoft MSRC (secure@microsoft.com)
03-05-2007 Received response from MSRC (Case: 7402)
31-05-2007 Received response from MSRC Flaw will be fixed in next Service
Pack
31-05-2007 Information released on CSIS Platinum mailing list
06-06-2007 Public release

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2237>
CVE-2007-2237


ADDITIONAL INFORMATION

The information has been provided by <mailto:rand@csis.dk> Dennis Rand.
The original article can be found at:
<http://www.csis.dk/dk/forside/GdiPlus.pdf>

http://www.csis.dk/dk/forside/GdiPlus.pdf

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

1 comment:

  1. Anonymous5:51 PM

    great site xanax side effects overdose - xanax pills prices

    ReplyDelete