ISS X-Force Database: win-ani-ratenumber-dos(18667): Microsoft Windows ANI file zero rate number overflow denial of service

Microsoft Windows ANI file zero rate number overflow denial of service

win-ani-ratenumber-dos (18667)

Low Risk

Description:

Microsoft Windows are vulnerable to a denial of service. A remote attacker could create a specially-crafted ANI (Windows Animated Cursor) file containing the rate number or frame number set to '0' in the ANI file header, which could cause the Windows Kernel to hang, using considerable resources, once the file is opened. An attacker could exploit this vulnerability by sending the malicious file to a victim as an email attachment or hosting it on a Web page.

Platforms Affected:

Microsoft, Windows 2000 SP4
Microsoft, Windows 2000 SP3
Microsoft, Windows 2003 Server
Microsoft, Windows 2003 Server x64
Microsoft, Windows NT 4.0 SP6a Server
Microsoft, Windows NT 4.0 SP6 Terminal Server
Microsoft, Windows XP 2003 64-bit
Microsoft, Windows XP SP1 64-bit
Microsoft, Windows XP SP1

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-002. See References.

For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Note: Note: Microsoft originally provided a patch for this vulnerability in MS05-002, but it was superseded by the patch released with MS05-018. Microsoft is also reporting that MS05-002 has been superseded by the patch released with MS07-017. See References.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Microsoft originally provided a patch for this vulnerability in MS05-002, but it was superseded by the patch released with MS05-018.

For Windows XP SP1:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-053. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002 and MS05-018, which were then superseded by the patch released with MS05-053.

For Windows NT:
Microsoft originally provided a patch for this vulnerability in MS03-045, but it has been superseded by the patch released with MS04-011. Microsoft is also reporting that the patch released with MS03-045 has been superseded by the patch released with MS04-032. MS03-045 has been superseded by the patch released with MS05-002. See References.

Consequences:

Denial of Service

References:

Avaya Security Advisory ASA-2005-004, Windows Security Updates for December 2004 - (MS05-001 - MS05-003) at http://support.avaya.com/japple/css/japple?PAGE=avaya.css.OpenPage&temp.template.name=SecurityAdvisory.
BugTraq Mailing List, Thu Dec 23 2004 - 08:59:14 CST , Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2004-12/0363.html.
Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732) at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.
Microsoft Security Bulletin MS04-032, Security Update for Microsoft Windows (840987) at http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx.
Microsoft Security Bulletin MS05-002, Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution at http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx.
Microsoft Security Bulletin MS05-018, Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859) at http://www.microsoft.com/technet/security/bulletin/MS05-018.mspx.
Microsoft Security Bulletin MS05-053, Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) at http://www.microsoft.com/technet/Security/bulletin/ms05-053.mspx.
Microsoft Security Bulletin MS07-017, Vulnerabilities in GDI Could Allow Remote Code Execution (925902) at http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx.
Technical Cyber Security Alert TA05-012A, Multiple Vulnerabilities in Microsoft Windows Icon and Cursor Processing at http://www.us-cert.gov/cas/techalerts/TA05-012A.html.
BID-12094: Microsoft Windows ANI File Denial of Service Vulnerability
CVE-2004-1305: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
US-CERT VU#177584: Microsoft Windows kernel vulnerable to a denial-of-service condition via animated cursor (.ani) frame number
US-CERT VU#697136: Microsoft Windows kernel vulnerable to denial-of-service condition via animated cursor (.ani) rate number

Reported:

Dec 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page