Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerability



 [Security Advisory]

    

    

Advisory: [AD_LAB-04005] Microsoft Windows Kernel ANI File Parsing Crash and DoS Vulnerability

Class: Design Error

Date: 12/20/2004

Remote: Yes

 

Vulnerable:

 Windows NT 

 Windows 2000 SP0

 Windows 2000 SP1

 Windows 2000 SP2

 Windows 2000 SP3

 Windows 2000 SP4

 Windows XP SP0

 Windows XP SP1

 Windows 2003

Not vulnerable:

 Windows XP SP2

Vendor:

www.microsoft.com 

 



I.DESCRIPTION: 

-------------

 

  Parsing a specially crafted ANI file causes the Windows kernel to crash or stop working
properly. An attacker can crash or freeze a target system by sending a specially crafted
ANI file within an HTML page or within an email.

 

II.DETAILS:

----------

 

  ANI is the Windows Animated Cursor format; an ANI file holds multiple image frames. Two
vulnerabilities exist in the Windows kernel when it parses ANI files.

 

  The first vulnerability exists because there is no proper check of the frame number set in
the ANI file header. If the Windows kernel tries to parse the ANI file (offset 0x78 in the ANI
file header) and the frame number is set to 0, the kernel calculates a wrong address to
access and then crashes.

 

  The second vulnerability exists because there is (again) no proper check of the rate number
set in the ANI file header. Setting this number to 0 causes the Windows kernel to consume up to
all of the system resources and then freeze.

 

    More details and POC at http://www.xfocus.net/flashsky/icoExp/index.html 
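
  A header check of the kind a mail or web gateway could apply before an ANI file reaches an
unpatched client. This is an added example, not code from the advisory or from Venustech. It
assumes the standard RIFF/ACON 'anih' header of nine little-endian DWORDs and maps the
advisory's "frame number" and "rate number" to its nFrames and iDispRate fields; it walks the
chunks instead of relying on a fixed offset, and build_ani is a constructed test fixture.

```python
import struct

# ANIHEADER layout per the public RIFF/ACON format description (assumption:
# the advisory itself gives no field layout): nine little-endian DWORDs.
ANIH_FIELDS = ("cbSize", "nFrames", "nSteps", "iWidth", "iHeight",
               "iBitCount", "nPlanes", "iDispRate", "bfAttributes")


def find_anih(data: bytes) -> dict:
    """Walk top-level RIFF chunks and return the decoded 'anih' header."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON (ANI) file")
    pos = 12
    while pos + 8 <= len(data):
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if size > len(data) - body:
            raise ValueError("chunk %r overruns the file" % tag)
        if tag == b"anih":
            if size < 36:
                raise ValueError("anih chunk shorter than 36 bytes")
            return dict(zip(ANIH_FIELDS, struct.unpack_from("<9I", data, body)))
        pos = body + size + (size & 1)   # RIFF chunks are padded to even length
    raise ValueError("no anih chunk found")


def check_ani(data: bytes) -> list:
    """Return reasons to reject the file; an empty list means the header passed."""
    try:
        hdr = find_anih(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if hdr["nFrames"] == 0:        # the advisory's "frame number" (assumed mapping)
        problems.append("frame count is 0")
    if hdr["iDispRate"] == 0:      # the advisory's "rate number" (assumed mapping)
        problems.append("display rate is 0")
    return problems


def build_ani(n_frames: int, rate: int) -> bytes:
    """Constructed fixture: a RIFF/ACON container holding only an anih chunk."""
    anih = struct.pack("<9I", 36, n_frames, n_frames, 32, 32, 32, 1, rate, 1)
    body = b"ACON" + b"anih" + struct.pack("<I", len(anih)) + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

  A non-empty result from check_ani is a reason to quarantine the file; unparseable or
truncated containers are reported the same way, so the check fails closed.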



III.CREDIT: 

----------

 

Flashsky (fangxing@venustech.com.cn; flashsky@xfocus.org) discovered this vulnerability :)

Vulnerability analysis and advisory by Flashsky and icbm.

Special thanks to "Fengshou" project members and all Venustech AD-Lab guys:P

 

V.DISCLAIMER:

-----------

 

The information in this bulletin is provided "AS IS" without warranty of any

kind. In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special damages. 

 

Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.

 

VENUSTECH Security Lab 

VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) 

 

          Security

Trusted  {Solution} Provider

          Service
