Information Assurance

Jason Park



Bugtraq Analysis

Windows ANI Stack Overflow Exploit


Overview

The code that handles animated cursors in Microsoft Windows contains a stack buffer overflow vulnerability. This allows remote attackers to execute malicious code or cause a denial of service. The entire family of Windows operating systems, including the recently released Vista, is affected, and Microsoft has yet to release a patch for this problem.


The Problem

- The function LoadCursorIconFromFileMap() checks the size of an ANIChunk before calling ReadChunk().

- LoadAniIcon() depends on this integrity check to catch any malformed chunks. However, LoadCursorIconFromFileMap() only examines the first chunk.

- An attacker may therefore craft a file with two chunks, the first valid and the second malformed. When the malformed chunk is read, the stack buffer overflows and the return address of LoadAniIcon() is overwritten, giving the attacker control of code execution.


Prevention

A size check on every chunk should be performed in LoadAniIcon() before ReadChunk() is called, rather than relying on the single check in LoadCursorIconFromFileMap().
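The flawed first-chunk-only check described under The Problem and the per-chunk check called for here, side by side, as an added example in C that is not Windows code or code from this page: it assumes a RIFF-style chunk layout (4-byte tag, 4-byte little-endian length, payload), a 36-byte fixed header buffer, and a constructed two-chunk sample; all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ANI_HEADER_SIZE 36u /* assumed size of the fixed on-stack header buffer */
/* RIFF-style chunk view: 4-byte tag, 4-byte little-endian length, then payload. */
typedef struct { const uint8_t *tag; uint32_t len; const uint8_t *data; } chunk_t;
/* Reads the chunk at *off and advances past it; -1 if the tag/length or payload runs past the end. */
static int next_chunk(const uint8_t *buf, size_t len, size_t *off, chunk_t *c) {
    if (*off > len || len - *off < 8) return -1;
    const uint8_t *p = buf + *off;
    c->tag = p;
    c->len = (uint32_t)p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    c->data = p + 8;
    if (c->len > len - *off - 8) return -1;
    *off += 8 + c->len;
    return 0;
}

/* Mirrors the flawed logic: only the first chunk's length is compared to the buffer. 1 = accepted. */
int accepts_first_chunk_only(const uint8_t *buf, size_t len) {
    size_t off = 0; chunk_t c;
    return next_chunk(buf, len, &off, &c) == 0 && c.len <= ANI_HEADER_SIZE;
}

/* Hardened: every anih chunk is bounds-checked before the copy. Returns chunk count, or -1 at the first bad one. */
int accepts_every_chunk(const uint8_t *buf, size_t len) {
    size_t off = 0; chunk_t c; int n = 0;
    uint8_t header[ANI_HEADER_SIZE];
    while (off < len) {
        if (next_chunk(buf, len, &off, &c) != 0) return -1;
        if (memcmp(c.tag, "anih", 4) == 0) {
            if (c.len > sizeof header) return -1; /* the check the vulnerable path lacks */
            memcpy(header, c.data, c.len);
        }
        n++;
    }
    return n;
}

/* Writes one zero-filled anih chunk of payload length n (< 256) at off; caller guarantees room. */
size_t put_chunk(uint8_t *out, size_t off, uint32_t n) {
    memcpy(out + off, "anih", 4); out[off + 4] = (uint8_t)n; memset(out + off + 5, 0, 3 + n);
    return off + 8 + n;
}
/* Constructed sample (valid 36-byte chunk, then oversized 64-byte chunk): 1 when the flawed check accepts it and the hardened one rejects it. */
int sample_shows_gap(void) {
    uint8_t buf[128]; size_t n = put_chunk(buf, put_chunk(buf, 0, ANI_HEADER_SIZE), 64);
    return accepts_first_chunk_only(buf, n) == 1 && accepts_every_chunk(buf, n) == -1;
}
```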


Work-Around

- Multiple attack vectors exist for this exploit. Users are advised to refrain from the following:

- Visiting malicious websites

- Reading or forwarding malicious HTML email

- Opening malicious .ANI files, or the folders containing them, in Windows Explorer