Microsoft MSN Messenger/Windows Messenger PNG Buffer Overflow Vulnerability
BID:12506
Info
| Bugtraq ID: | 12506 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2004-0597 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 08 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | Juliano Rizzo of Core Security Technologies identified these issues in MSN and Windows Messenger. |
| Vulnerable: | Nortel Networks Symposium Call Center Server (SCCS); Nortel Networks Optivity Telephony Manager (OTM); Nortel Networks Mobile Voice Client 2050; Nortel Networks IP softphone 2050; Microsoft Windows XP Tablet PC Edition SP1; Microsoft Windows XP Professional SP1; Microsoft Windows XP Media Center Edition SP1; Microsoft Windows XP Home SP1; Microsoft Windows XP 64-bit Edition Version 2003; Microsoft Windows Messenger 4.7.3000; Microsoft Windows Messenger 4.7.2009; Microsoft Windows Messenger 5.0; Microsoft MSN Messenger Service 6.2; Microsoft MSN Messenger Service 6.1 |
| Not Vulnerable: | |
Discussion
A remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. Successful exploitation will result in execution of arbitrary code in the context of the vulnerable client user.
Attack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts.
However, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include:
User display pictures
Custom icons that are displayed inline in instant messages
Thumbnails of transferred images
Background images
Since this issue may be exploited in a client-to-client attack for MSN Messenger, it is a likely candidate for development of a worm.
This issue was originally described in BID 10857. Further analysis has determined that there are unique properties of the vulnerability that distinguish it from the general libpng issue on other platforms.
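The advisory describes the flaw only as a boundary error in PNG header parsing, so the Messenger code itself is not on this page. As an added illustration (not Microsoft's, Core Security's, or the page's own code), the C below reads a PNG signature and IHDR chunk the way a client receiving display pictures or inline icons from a peer should: it refuses an IHDR whose length field is not 13 before copying anything, verifies the chunk CRC, and rejects dimensions and depth/colour combinations that would later drive an undersized allocation. The `build_png_header` helper and the `parse_png_header` function are names chosen here; the sample headers it produces are constructed inputs, not captured files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing the PNG signature and IHDR chunk. */
enum png_status {
    PNG_OK = 0,
    PNG_ERR_TRUNC,     /* fewer bytes than signature + one IHDR chunk */
    PNG_ERR_SIG,       /* not a PNG signature */
    PNG_ERR_IHDR_LEN,  /* IHDR length field is not 13 */
    PNG_ERR_FORMAT,    /* wrong chunk type, bit depth, colour type or method byte */
    PNG_ERR_CRC,       /* chunk CRC does not match its contents */
    PNG_ERR_DIM        /* zero, out-of-range or size_t-wrapping dimensions */
};

struct png_ihdr {
    uint32_t width, height;
    uint8_t bit_depth, color_type, compression, filter, interlace;
    size_t row_bytes;  /* filter byte + pixel bytes for one scanline */
};

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* CRC-32 over chunk type + data, as the PNG spec defines it (bitwise, zlib polynomial). */
uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Channels per pixel for a colour type, or 0 if the (type, depth) pair is not legal. */
static unsigned channels_for(uint8_t color_type, uint8_t depth)
{
    int lo = (depth == 1 || depth == 2 || depth == 4), hi = (depth == 8 || depth == 16);
    switch (color_type) {
    case 0: return (lo || hi) ? 1 : 0;          /* greyscale */
    case 2: return hi ? 3 : 0;                  /* RGB */
    case 3: return (lo || depth == 8) ? 1 : 0;  /* palette */
    case 4: return hi ? 2 : 0;                  /* grey + alpha */
    case 6: return hi ? 4 : 0;                  /* RGBA */
    default: return 0;
    }
}

enum png_status parse_png_header(const uint8_t *buf, size_t len, struct png_ihdr *out)
{
    if (len < 8 + 4 + 4 + 13 + 4) return PNG_ERR_TRUNC;
    if (memcmp(buf, PNG_SIG, 8) != 0) return PNG_ERR_SIG;
    if (memcmp(buf + 12, "IHDR", 4) != 0) return PNG_ERR_FORMAT;
    /* IHDR is a fixed 13-byte chunk. A parser that trusts this length field as the
       byte count to copy into a fixed-size header buffer is the overflow pattern this
       advisory class describes, so the length is validated before any copy. */
    if (be32(buf + 8) != 13) return PNG_ERR_IHDR_LEN;
    if (png_crc32(buf + 12, 4 + 13) != be32(buf + 29)) return PNG_ERR_CRC;

    const uint8_t *d = buf + 16;
    out->width = be32(d);  out->height = be32(d + 4);
    out->bit_depth = d[8]; out->color_type = d[9];
    out->compression = d[10]; out->filter = d[11]; out->interlace = d[12];
    if (out->compression != 0 || out->filter != 0 || out->interlace > 1) return PNG_ERR_FORMAT;
    unsigned ch = channels_for(out->color_type, out->bit_depth);
    if (ch == 0) return PNG_ERR_FORMAT;
    /* Dimensions must be non-zero, within the spec's 2^31-1 limit, and the scanline and
       image byte counts must not wrap size_t (the other way a header drives a short buffer). */
    if (out->width == 0 || out->height == 0 || out->width > 0x7FFFFFFFu || out->height > 0x7FFFFFFFu)
        return PNG_ERR_DIM;
    size_t bits_per_pixel = (size_t)ch * out->bit_depth;
    if (out->width > (SIZE_MAX - 8) / bits_per_pixel) return PNG_ERR_DIM;
    out->row_bytes = 1 + ((size_t)out->width * bits_per_pixel + 7) / 8;
    if (out->height > SIZE_MAX / out->row_bytes) return PNG_ERR_DIM;
    return PNG_OK;
}

/* Constructed sample (not a captured file): signature + one IHDR chunk into out[33].
   len_field lets a caller forge the length field; corrupt_crc flips one CRC byte. */
size_t build_png_header(uint8_t out[33], uint32_t width, uint32_t height,
                        uint8_t depth, uint8_t color, uint32_t len_field, int corrupt_crc)
{
    memcpy(out, PNG_SIG, 8);
    put_be32(out + 8, len_field);
    memcpy(out + 12, "IHDR", 4);
    put_be32(out + 16, width);
    put_be32(out + 20, height);
    out[24] = depth; out[25] = color; out[26] = 0; out[27] = 0; out[28] = 0;
    put_be32(out + 29, png_crc32(out + 12, 4 + 13));
    if (corrupt_crc) out[32] ^= 0x01;
    return 33;
}

int main(void)
{
    uint8_t b[33]; struct png_ihdr h;
    build_png_header(b, 1, 1, 8, 2, 13, 0);
    printf("valid 1x1 RGB: status %d\n", parse_png_header(b, 33, &h));
    build_png_header(b, 1, 1, 8, 2, 0x10000u, 0);   /* length field lies about the chunk */
    printf("oversized IHDR length: status %d\n", parse_png_header(b, 33, &h));
    return 0;
}
```

The check worth copying is the length test before any copy; the CRC check on its own buys nothing against a hostile peer, because whoever builds the image computes a correct CRC for whatever header content they chose.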
Exploit / POC
An exploit designed to leverage this issue against Microsoft MSN Messenger (msnMessengerPNGexploit.c) has been made available.
Solution / Fix
Solution:
Microsoft has released fixes to address this vulnerability in affected Microsoft software.
The fix for Windows Messenger 4.7.0.2009 running on Windows XP Service Pack 1 has been revised.
Nortel Networks has released security advisory 2005005516-2 acknowledging this issue. Please see the referenced advisory for further information.
Microsoft MSN Messenger Service 6.1
-
Microsoft Security Update for MSN Messenger 6.1 or 6.2 (KB890261)
http://www.microsoft.com/downloads/details.aspx?familyid=EBE898D8-FE1C-4A5E-993C-5FAB3E62C925&displaylang=en
Microsoft MSN Messenger Service 6.2
-
Microsoft Security Update for MSN Messenger 6.1 or 6.2 (KB890261)
http://www.microsoft.com/downloads/details.aspx?familyid=EBE898D8-FE1C-4A5E-993C-5FAB3E62C925&displaylang=en
Microsoft Windows Messenger 5.0
-
Microsoft Windows Messenger 5.1
http://download.microsoft.com/download/e/b/3/eb3b95c6-b6e3-47f6-bcd1-466ad173f407/messenger.msi
Microsoft Windows Messenger 4.7.2009
-
Microsoft Security Update for Windows Messenger (KB887472)
http://www.microsoft.com/downloads/details.aspx?familyid=E3DC209B-AD57-49E1-BB90-6FA2CA8763A6&displaylang=en
Microsoft Windows Messenger 4.7.3000
-
Microsoft Security Update for Windows Messenger (KB887472)
http://www.microsoft.com/downloads/details.aspx?familyid=1DCC9628-E2D0-496F-B4F2-3AFEFA0A0156&displaylang=en
References
References:
- Microsoft Security Bulletin MS05-009 (Microsoft)
- Protect Against Exploit Code Related to Security Bulletin MS05-009 (Microsoft)
- CORE-2004-0819: MSN Messenger PNG Image Parsing Vulnerability (CORE Security Technologies Advisories)