OSVDB ID: 33629

Title: Microsoft IE Animated Cursor (.ani) Handling Arbitrary Command Execution

Info

Disclosure

Mar 29, 2007

Discovery

Unknown

Dates

Exploit

Mar 29, 2007

Solution

Apr 03, 2007

Description

A remote overflow exists in Microsoft Internet Explorer. The browser fails to check the buffer on animated cursors and icons resulting in a stack buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Products

Microsoft Corporation	Internet Explorer	6
		7

References

Security Tracker: 1017827
CERT VU: 191609
CVE ID: 2007-0038 (see also: NVD) 2007-1765 (see also: NVD)
Bugtraq ID: 23194
Secunia Advisory ID: 24659
SCIP VulDB ID: 2990
Metasploit ID: 33629
Milw0rm: 3617 3634 3635 3636 3652
Exploit Database: 3617 3634 3635 3636 3652
Microsoft Knowledge Base Article: 925902
VUPEN Advisory: ADV-2007-1151
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0013.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0470.html
Generic Exploit URL: http://asert.arbornetworks.com/2007/04/never-slow-down-ms07-017-ani-exploit
http://immunitysec.com
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb
http://whitestar.linuxbox.org/pipermail/exploits/2007-March/000167.html
http://www.saintcorporation.com/cgi-bin/exploit_info/windows_animated_cursor
Vendor Specific Advisory URL: http://blogs.technet.com/msrc/archive/2007/03/29/microsoft-security-advisory-935423-posted.aspx
http://www.microsoft.com/technet/security/advisory/935423.mspx
Vendor Specific News/Changelog Entry: http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx
http://www.microsoft.com/technet/security/advisory/935423.mspx
News Article: http://news.bbc.co.uk/2/hi/technology/6526851.stm
http://news.softpedia.com/news/Windows-Vista-Suicide-Courtesy-of-McAfee-50761.shtml
http://www.informationweek.com/news/showArticle.jhtml?articleID=198800828
http://www.informationweek.com/news/showArticle.jhtml?articleID=198900231
http://www.securityfocus.com/brief/472?ref=rss
http://www.securityfocus.com/brief/474?ref=rss
Other Solution URL: http://research.eeye.com/html/alerts/zeroday/20070328.html
http://zert.isotf.org/advisories/zert-2007-01.htm
Other Advisory URL: http://vil.nai.com/vil/content/v_141860.htm
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
Vendor Specific Solution URL: http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx
Microsoft Security Bulletin: MS07-017

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/33629

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Internet Explorer

References

Credit