ZERT Download Information for ZERT2007-01:

Stack buffer overflow in ANI Handling under Microsoft Windows 0Day

Vulnerability Details

(Credit to Joe Stewart, SecureWorks)

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most "drive-by" code execution scenarios, but it might also break third-party applications that use animated cursors within their own program directories.

For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.
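As an added illustration of the check described above (this is example code written for this page, not ZERT's patch, eEye's patch, or Microsoft's code), the following C program walks the RIFF chunks of an .ani file and flags every "anih" chunk whose declared length is not the 36-byte ANIHEADER, wherever it appears, so a second "anih" chunk is checked exactly like the first. It also shows a loader in which the chunk's own length field never decides how many bytes are copied. The ANIHEADER field layout (nine 32-bit fields), the RIFF/ACON container format and the LIST nesting are assumptions about the file format; the sample files are constructed inline and contain no payload.

```c
/* Added example: bounds-checked "anih" handling for RIFF/ACON (.ani) files.
   Assumed layout: "RIFF" <u32 size> "ACON" then word-aligned chunks, each
   <fourcc> <u32 size> <data>; "anih" data is a 36-byte ANIHEADER. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ANIH_SIZE 36u   /* sizeof(ANIHEADER): nine 32-bit fields */

typedef struct {
    uint32_t cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags;
} anih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Hardened loader: the copy length is the fixed header size, never the length
   field taken from the file. Returns 1 on success, 0 if the declared length
   is not exactly ANIH_SIZE (the condition the ZERT patch enforces). */
int load_anih(const uint8_t *data, uint32_t declared_len, anih_t *out) {
    uint32_t f[9];
    if (declared_len != ANIH_SIZE) return 0;
    for (int i = 0; i < 9; i++) f[i] = rd32(data + 4 * i);   /* exactly 36 bytes read */
    out->cbSizeof = f[0]; out->cFrames = f[1]; out->cSteps = f[2]; out->cx = f[3];
    out->cy = f[4]; out->cBitCount = f[5]; out->cPlanes = f[6]; out->JifRate = f[7];
    out->flags = f[8];
    return 1;
}

/* Walk a run of RIFF sub-chunks. Every declared size is checked against the
   bytes actually present before it is used, and LIST chunks are descended
   into so an "anih" inside a frame list is inspected too. Returns 0, or -1
   if a chunk claims more data than its parent holds. */
static int walk(const uint8_t *p, size_t len, int *anih_seen, int *anih_bad) {
    size_t off = 0;
    while (off + 8 <= len) {
        const uint8_t *id = p + off;
        uint32_t sz = rd32(p + off + 4);
        off += 8;
        if (sz > len - off) return -1;                 /* truncated or lying chunk */
        if (memcmp(id, "anih", 4) == 0) {
            (*anih_seen)++;
            if (sz != ANIH_SIZE) (*anih_bad)++;        /* first, second or later: same rule */
        } else if (memcmp(id, "LIST", 4) == 0) {
            if (sz < 4 || walk(p + off + 4, sz - 4, anih_seen, anih_bad) < 0) return -1;
        }
        off += sz;
        if ((off & 1) && off < len) off++;             /* RIFF chunks are word-aligned */
    }
    return off == len ? 0 : -1;
}

/* Returns the number of malformed "anih" chunks (0 = clean), or -1 if the
   buffer is not a well-formed RIFF/ACON container. *anih_seen gets the total. */
int scan_ani(const uint8_t *buf, size_t len, int *anih_seen) {
    int bad = 0;
    *anih_seen = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return -1;
    uint32_t riff_len = rd32(buf + 4);
    if (riff_len < 4 || riff_len > len - 8) return -1;
    if (walk(buf + 12, riff_len - 4, anih_seen, &bad) < 0) return -1;
    return bad;
}

/* Constructed sample files: only the chunk layouts the advisory describes,
   filled with zeros or 'A' bytes; nothing here is a real cursor or payload. */
static size_t put_chunk(uint8_t *dst, const char *id, uint32_t sz, uint8_t fill) {
    memcpy(dst, id, 4); wr32(dst + 4, sz); memset(dst + 8, fill, sz);
    return 8 + sz;
}
static size_t build(uint8_t *dst, uint32_t second_anih_len) {
    size_t n = 12;
    memcpy(dst, "RIFF", 4); memcpy(dst + 8, "ACON", 4);
    n += put_chunk(dst + n, "anih", ANIH_SIZE, 0);
    wr32(dst + n - ANIH_SIZE, ANIH_SIZE);              /* cbSizeof of the first header */
    if (second_anih_len) n += put_chunk(dst + n, "anih", second_anih_len, 0x41);
    wr32(dst + 4, (uint32_t)(n - 8));
    return n;
}

/* One valid 36-byte anih: expect 0 malformed, 1 seen. */
int demo_clean(int *seen) { uint8_t f[256]; return scan_ani(f, build(f, 0), seen); }
/* Valid first anih, second anih declaring 100 bytes: expect 1 malformed, 2 seen. */
int demo_second_anih(int *seen) { uint8_t f[256]; return scan_ani(f, build(f, 100), seen); }

int main(void) {
    int seen, bad;
    bad = demo_clean(&seen);        printf("clean file:   bad=%d seen=%d\n", bad, seen);
    bad = demo_second_anih(&seen);  printf("second anih:  bad=%d seen=%d\n", bad, seen);
    return 0;
}
```

The scanner is the shape of check a mail gateway or file-type filter would apply: it rejects a file on the declared length alone, before any copy happens, and it does not stop after the first "anih" chunk, which is the gap the page describes in the MS05-002 fix.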

Release notes

Please read our release notes and testing methodology prior to downloading the patch.

Here we specify under what configurations the patch was tested, as well as our testing methodology and versions of software which are not vulnerable to this exploit: Test Notes

Legal notice and disclaimer

By downloading this patch you agree that the patch is a non-vendor supplied patch and you are using this patch of your own accord. You also agree ISOTF/ZERT supplies this patch on an AS-IS basis and that you are using this patch at your own risk.

This ZERT patch is released under the GPL license and was developed using the diStorm64 disassembler. Unicode support is copyrighted by Microsoft.


Download

A ZERT patch is available for Microsoft Windows 98, 2000, XP, Server 2003 and Vista.

To download the patch, follow the link:

File: anipatch_v3.01.zip (Size: 475KB, MD5 sum: da7a206e78f9bd6ec1f15804ae1896e1)

This archive contains GUI and command-line versions of the patch, a read me file, license files and source code.

Usage instructions

Close all other programs before running the ZERT patch.

NOTE: If you attempt to install ANIPatch on a computer which is already patched, a "Cannot copy the File "zert_ani.dll" to system32 quitting (err: 32)" message will be displayed.

Test your system after patching

After installing this patch you can test your computer by visiting a special test page in your web browser. If the web browser does not crash when visiting the web page, then the patch has been successfully applied or the computer is not vulnerable to the 0day threat.

To test your web browser visit this page.

Warning! If you visit the above test page from an unpatched computer, the web browser or email client will crash. This means your computer is vulnerable to the 0day threat.

Important note about vendor patches:

It is important to uninstall the ZERT patch before applying the vendor patch, once one becomes available from Microsoft.

Installation options

Before installing the patch you must close all other programs.

To install the patch first extract the files from the ANI Patch archive to a location you will remember, such as C:\TEMP or a folder on your Desktop.

The ANIPATCHER.EXE file is the command-line version of the patch. It can be run from batch files or login scripts to install the patch on multiple computers. Valid command line arguments are:

/? - displays help
/install - installs the patch
/uninstall - uninstalls the patch

The ANIPATCHER.EXE file is the GUI version of the patch. It is designed to be run interactively. To install the patch click on the INSTALL button. To uninstall the patch click on the UNINSTALL button.

The archive includes a Microsoft Visual Studio project with the source code for the patch in the \SOURCE directory.

Last revised 2007-Apr-02 2:06AM PDT.