iDefense Security Advisory 08.12.08: Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability

To: vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: iDefense Security Advisory 08.12.08: Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability
From: iDefense Labs <labs-no-reply@xxxxxxxxxxxx>
Date: Tue, 12 Aug 2008 21:34:35 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.16 (Windows/20080708)

iDefense Security Advisory 08.12.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 12, 2008

I. BACKGROUND

Microsoft Windows Color Management Module provides consistent color
mappings between different devices and applications. It is also used to
transform colors between color spaces. For more information about
Windows Color Management, visit the following URL.

http://www.microsoft.com/whdc/archive/icmwp.mspx

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in
multiple versions of Microsoft Corp.'s Windows operating system allows
an attacker to execute arbitrary code with the privileges of the
current user.

This vulnerability specifically exists in the InternalOpenColorProfile
function in mscms.dll. When a malformed parameter is supplied, a
heap-based buffer overflow can occur, resulting in an exploitable
condition.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file either hosted on a Web
server, on local file system or embedded in an-email or Office
documents, or through some form of social engineering.

This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
user only needs to open the e-mail to trigger the vulnerability.
Currently an EMF file is used as test attack vector. Outlook and
Outlook Express will automatically display EMF image and trigger the
vulnerability. Lotus Notes and Thunderbird do not display EMF images in
e-mail directly, but the vulnerability still can be triggered when
opening or viewing the EMF attachment.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
following Microsoft products:

 Windows 2000 Service Pack 4
 Windows XP Service Pack 2
 Windows Server 2003 Service Pack 1
 Windows Server 2003 Service Pack 2

The following products are not affected:

 Windows Vista
 Windows Vista Service Pack 1
 Windows Server 2008

V. WORKAROUND

In order to prevent exploitation of this vulnerability, turn off
metafile processing by modifying the registry. Under the registry key,
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\GRE_Initialize" create a DWORD entry
"DisableMetaFiles" and set it to 1.

Keep in mind that this only blocks the attack vector through Windows
metafiles. It may be possible to exploit this vulnerability through
other attack vectors.

Note: Modifying the registry does not affect processes that are already
running, so you may need to log off and log on again or restart the
computer after making the change.

Implementing this workaround may cause components relying on metafile
processing, such as printing, to misbehave.

Viewing e-mail in plain text format mitigates e-mail-based attack.

VI. VENDOR RESPONSE

Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-046. For more information, consult their bulletin at the
following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-046.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2245 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/10/2008  Initial vendor notification
04/16/2008  Initial vendor response
08/12/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Jun Mao of iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Prev by Date: iDefense Security Advisory 08.12.08: Microsoft Excel FORMAT Record Invalid Array Index Vulnerability
Next by Date: rPSA-2008-0243-1 idle python
Previous by thread: iDefense Security Advisory 08.12.08: Microsoft Excel FORMAT Record Invalid Array Index Vulnerability
Next by thread: rPSA-2008-0243-1 idle python
Index(es):
- Date
- Thread