Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerability
From: flashsky fangxing <flashsky@xxxxxxxxxx>
Date: 23 Dec 2004 14:59:14 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


 [Security Advisory]
    
    
Advisory: [AD_LAB-04005]Microsoft Windows Kernel ANI File Parsing Crash and Dos 
Vulnerability
Class: Design Error
DATE:12/20/2004
Remote: Yes
 
Vulnerable:
 Windows NT 
 Windows 2000 SP0
 Windows 2000 SP1
 Windows 2000 SP2
 Windows 2000 SP3
 Windows 2000 SP4
 Windows XP SP0
 Windows XP SP1
 Windows 2003
Not vulnerable:
 Windows XP SP2
Vendor:
 www.microsoft.com
 

I.DESCRIPTION: 
-------------
 
  Parsing a specially crafted ANI file causes the windows kernel to crash or 
stop to work
properly. An attacker can crash or freeze a target system if he sends a 
specially crafted 
ANI file within an HTML page or within an Email.
 
II.DETAILS:
----------
 
  ANI stands for Windows Animated Cursor and manages many images frames. Two 
vulnerabilities
exist in the Windows kernel when it parses ANI files.
 
  A first vulnerability exists because there is no proper check of the frame 
number set in the
ANI file header. If the Windows kernel try to parse the ANI file (offset 0x78 
in the ANI
file header) and the frame number is set to 0, the kernel will calculate a 
wrong address to
access and then crash.
 
  A second vulnerability exists because there is (again) no proper check of the 
rate number
set in the ANI file header. Setting this number to 0 causes the windows kernel 
to use up to
all of the system resources and then freeze.
 
    More details and POC at http://www.xfocus.net/flashsky/icoExp/index.html

III.CREDIT: 
----------
 
Flashsky(fangxing@xxxxxxxxxxxxxxxx;flashsky@xxxxxxxxxx) discovery this vuln:)
Vulnerability analysis and advisory by Flashsky and icbm.
Special thanks to "Fengshou" project members and all Venustech AD-Lab guys:P
 
V.DISCLAIMS:
-----------
 
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including 
direct,
indirect, incidental, consequential, loss of business profits or special 
damages. 
 
Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.
 
VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)
 
          Security
Trusted  {Solution} Provider
          Service

Prev by Date: [SECURITY] [DSA 616-1] New telnetd-ssl packages fix arbitrary code execution
Next by Date: Microsoft Windows LoadImage API Integer Buffer overflow
Previous by thread: [SECURITY] [DSA 616-1] New telnetd-ssl packages fix arbitrary code execution
Next by thread: Microsoft Windows LoadImage API Integer Buffer overflow
Index(es):
- Date
- Thread