31250 : Microsoft IE Vector Markup Language (VML) Overflow
Printer | http://osvdb.org/31250 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
4	1178	over 5 years ago	about 1 year ago	7 times	100%

Timeline

Discovery Date	Vendor Informed Date	Vendor Ack Date	Disclosure Date
2006-10-03	2006-10-03	2006-10-03	2007-01-09

Description

A heap buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a unspecified buffer. With a specially crafted request that contains vml graphics, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Private, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified

Technical

Microsoft Internet Explorer is only vulnerable under Microsoft Windows 2000 or XP. The browser is not vulnerable under Vista.

This vulnerability exists due to insufficient input validation within
vgx.dll. Two integer properties are multiplied together and no overflow
check is performed. This could allow an attacker to force a memory
allocation of a smaller amount of memory than is required. When copying
user supplied data into the newly allocated memory, it is possible to
overwrite a function pointer stored on the heap, which leads to the
execution of arbitrary code.

Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s):
Unregister the vgx.dll.

Products

Microsoft Corporation	Internet Explorer	5
		6
		7

References

Security Tracker: 1017489
CERT VU: 122084
CVE ID: 2007-0024 (see also: NVD)
Bugtraq ID: 21930
Secunia Advisory ID: 23677
SCIP VulDB ID: 2811
Related OSVDB ID: 31250
ISS X-Force ID: 31287
Microsoft Knowledge Base Article: 929969
VUPEN Advisory: ADV-2007-0105 ADV-2007-0129
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0254.html
http://archives.neohapsis.com/archives/bugtraq/2007-01/0386.html
http://archives.neohapsis.com/archives/bugtraq/2007-01/0416.html
http://www.securityfocus.com/archive/1/archive/1/457053/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/457164/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Generic Exploit URL: http://immunitysec.com
http://www.saintcorporation.com/cgi-bin/exploit_info/ie_vml_int_overflow
Other Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
Generic Informational URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
http://support.microsoft.com/?kbid=929969
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
http://www.us-cert.gov/cas/techalerts/TA07-009A.html
http://www.w3.org/TR/NOTE-VML
Vendor Specific News/Changelog Entry: http://support.avaya.com/elmodocs2/security/ASA-2007-009.htm
News Article: http://www.eweek.com/article2/0,1759,2082416,00.asp
Microsoft Security Bulletin: MS07-004
US-CERT Cyber Security Alert: TA07-009A

Tools & Filters

	24000
Snort	9848 9849

Credit

Joseph Moti - iDefense Labs VCP

CVSSv2 Score

CVSSv2 Base Score = 9.3
Source: nvd.nist.gov | Generated: 2007-01-09 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.