Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability
BID:12233
Info
| Bugtraq ID: | 12233 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2004-1049 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 11 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | This vulnerability was discovered by Yuji Ukai of eEye Digital Security. |
| Vulnerable: |
Nortel Networks Symposium Web Client
Nortel Networks Symposium Web Center Portal (SWCP)
Nortel Networks Symposium TAPI Service Provider
Nortel Networks Symposium Network Control Center (NCC)
Nortel Networks Symposium Express Call Center (SECC)
Nortel Networks Symposium Call Center Server (SCCS)
Nortel Networks Symposium Agent
Nortel Networks Periphonics
Nortel Networks Media Processing Server
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP softphone 2050
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: |
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Professional SP2
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Home SP2 |
Discussion
A stack-based buffer overflow vulnerability is reported to affect the ANI (animated cursor files) handler on Microsoft Windows operating systems.
The vulnerability exists in the ANI file header handling routines contained in the 'user32.dll' library.
Ultimately the issue may be leveraged to force the execution of attacker-supplied instructions. It has been reported that this vulnerability affects any application that employs the vulnerable Internet Explorer component, for example:
Microsoft Internet Explorer, Word, Excel, PowerPoint, Outlook, Outlook Express and the Windows Shell.
Other applications are also affected.
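For triage of untrusted cursor files, a scanner can walk the RIFF container of an ANI file and flag header chunks whose declared size is not the fixed size of the ANI header structure. This is an added example, not code from the advisory or from Microsoft; the page does not give the file layout, so the RIFF/ACON chunk structure and the 36-byte 'anih' header size come from the ANI format, and treating any other declared size as suspicious is this example's assumption. The sample byte strings are constructed and zero-filled.

```python
import struct

ANIH_SIZE = 36  # standard ANI header structure: nine 32-bit fields


def scan_ani(data):
    """Return a list of findings for a RIFF/ACON (animated cursor) byte string."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    findings = []
    walk(data, 12, len(data), findings, 0)
    return findings


def walk(data, pos, end, findings, depth):
    """Visit every chunk between pos and end, descending into LIST chunks."""
    while pos + 8 <= end:
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > end:
            findings.append(f"chunk {tag!r} at {pos}: declared size {size} runs past its container")
            return
        # Check every 'anih' chunk in the file, not only the first one.
        if tag == b"anih" and size != ANIH_SIZE:
            findings.append(f"anih at {pos}: declared size {size}, expected {ANIH_SIZE}")
        elif tag == b"LIST" and size >= 4 and depth < 8:
            walk(data, body + 4, body + size, findings, depth + 1)
        pos = body + size + (size & 1)  # RIFF chunks are padded to an even length


def chunk(tag, body):
    """Build one RIFF chunk (helper used only to construct the samples)."""
    return tag + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def riff(*chunks):
    payload = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


# Constructed samples: zero-filled placeholders, not real cursors.
HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD = riff(chunk(b"anih", HEADER), chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 16)))
BAD = riff(chunk(b"anih", HEADER), chunk(b"LIST", b"fram" + chunk(b"anih", b"\0" * 80)))
TRUNC = GOOD[:-10]  # a chunk that claims more bytes than the file holds

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("TRUNC", TRUNC)):
        print(name, scan_ani(sample) or "no findings")
```

A finding is a reason to quarantine the file for inspection; an empty result only means the chunk sizes are consistent, not that the file is safe to open on an unpatched system.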
Exploit / POC
A public proof-of-concept that is designed to trigger this vulnerability was created by Assaf Reshef <assaf404 at yahoo dot com> and is available at the following location:
http://underwar.livedns.co.il/projects/ani/
An additional proof of concept (anieeye.zip) has been made available by Berend-Jan Wever.
An additional proof of concept (HOD-ms05002-ani-expl.c) has been made available by houseofdabus HOD <[email protected]>.
An exploit has been made available by WhiskyCoders.
Solution / Fix
Solution:
Microsoft has released updates to address this vulnerability on Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. These updates are available from the Windows Update Web site. Updates for localized versions of Microsoft Windows 98 and Microsoft Windows 98 Second Edition, which are not supported by Windows Update, are available for download separately.
Microsoft has released updates to address this vulnerability on supported platforms.
The Microsoft patch for this vulnerability may cause problems on Windows 98, 98SE, and ME operating systems. Reports suggest that after applying the patch on these operating systems there may be issues with Internet Explorer. See the References section for further information.
Microsoft has released updated fixes for Windows 98, 98SE and ME to address the above issue.
Microsoft Windows 98SE
- Microsoft Security Update for Windows 98 and Windows 98 Second Edition (KB891711), Slovakian
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6400BF99-378A-4936-88A2-125CB788EA0C&displaylang=sk
- Microsoft Security Update for Windows 98 and Windows 98 Second Edition (KB891711), Slovenian
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6400BF99-378A-4936-88A2-125CB788EA0C&displaylang=sl
- Microsoft Security Update for Windows 98 and Windows 98 Second Edition (KB891711), Thai
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6400BF99-378A-4936-88A2-125CB788EA0C&displaylang=th

Microsoft Windows NT Server 4.0 SP6a
- Microsoft Security Update for Windows NT Server 4.0 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=4604400A-287E-48CC-91B1-BEE44EEA588C&displaylang=en

Microsoft Windows XP Media Center Edition SP1
- Microsoft Security Update for Windows XP (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=8850954D-57D9-4D23-9AA1-1CCF6085A057&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition Itanium 0
- Microsoft Security Update for Windows Server 2003 64-bit Edition and Windows XP 64-bit Edition, Version 2003
  http://www.microsoft.com/downloads/details.aspx?familyid=16A52196-0BD0-4355-9F29-2B26CB0961AF&displaylang=en

Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Security Update for Windows NT 4.0, Terminal Server Edition (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=94A0B521-4C39-4D15-AA80-068C30476E6F&displaylang=en

Microsoft Windows Server 2003 Standard Edition
- Microsoft Security Update for Windows Server 2003 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition Itanium 0
- Microsoft Security Update for Windows Server 2003 64-bit Edition and Windows XP 64-bit Edition, Version 2003
  http://www.microsoft.com/downloads/details.aspx?familyid=16A52196-0BD0-4355-9F29-2B26CB0961AF&displaylang=en

Microsoft Windows XP 64-bit Edition SP1
- Microsoft Security Update for Windows XP 64-bit Edition (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=2325700F-7931-4B0C-A978-BCFF469B8061&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Security Update for Windows Server 2003 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows 2000 Advanced Server SP4
- Microsoft Security Update for Windows 2000 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Professional SP3
- Microsoft Security Update for Windows 2000 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Security Update for Windows Server 2003 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows 98
- Microsoft Security Update for Windows 98 and Windows 98 Second Edition (KB891711), Slovakian
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6400BF99-378A-4936-88A2-125CB788EA0C&displaylang=sk
- Microsoft Security Update for Windows 98 and Windows 98 Second Edition (KB891711), Slovenian
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6400BF99-378A-4936-88A2-125CB788EA0C&displaylang=sl
- Microsoft Security Update for Windows 98 and Windows 98 Second Edition (KB891711), Thai
  http://www.microsoft.com/downloads/details.aspx?FamilyId=6400BF99-378A-4936-88A2-125CB788EA0C&displaylang=th

Microsoft Windows Server 2003 Web Edition
- Microsoft Security Update for Windows Server 2003 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows 2000 Advanced Server SP3
- Microsoft Security Update for Windows 2000 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows XP Embedded SP1
- Microsoft Security Update for Windows XP (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=8850954D-57D9-4D23-9AA1-1CCF6085A057&displaylang=en

Microsoft Windows XP Home SP1
- Microsoft Security Update for Windows XP (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=8850954D-57D9-4D23-9AA1-1CCF6085A057&displaylang=en

Microsoft Windows XP 64-bit Edition Version 2003 SP1
- Microsoft Security Update for Windows Server 2003 64-bit Edition and Windows XP 64-bit Edition, Version 2003
  http://www.microsoft.com/downloads/details.aspx?familyid=16A52196-0BD0-4355-9F29-2B26CB0961AF&displaylang=en

Microsoft Windows 2000 Server SP3
- Microsoft Security Update for Windows 2000 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Security Update for Windows NT Server 4.0 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=4604400A-287E-48CC-91B1-BEE44EEA588C&displaylang=en

Microsoft Windows 2000 Server SP4
- Microsoft Security Update for Windows 2000 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Professional SP4
- Microsoft Security Update for Windows 2000 (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows XP Professional SP1
- Microsoft Security Update for Windows XP (KB891711)
  http://www.microsoft.com/downloads/details.aspx?familyid=8850954D-57D9-4D23-9AA1-1CCF6085A057&displaylang=en
References
References:
- Microsoft Security Bulletin MS05-002 (Microsoft)
- EEYE: Windows ANI File Parsing Buffer Overflow ("Derek Soeder")
- Windows ANI File Parsing Proof Of Concept (MS05-002) (Assaf Reshef)