ISS X-Force Database: win-loadimage-bo(18668): Microsoft Windows LoadImage API buffer overflow

Microsoft Windows LoadImage API buffer overflow

win-loadimage-bo (18668)

High Risk

Description:

Microsoft Windows are vulnerable to an integer overflow in the LoadImage API of the USER32.lib library. By creating a specially-crafted BMP, CUR, ICO or ANI file, a remote attacker could overflow a buffer and execute arbitrary code on the system, once the file is opened. An attacker could exploit this vulnerability by sending the malicious file to a victim as an email attachment or hosting it on a Web page.

Consequences:

Gain Access

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-002. See References.

For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-002, but it was superseded by the patch released with MS05-018. Microsoft is also reporting that MS05-002 has been superseded by the patch released with MS07-017. See References.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-002, but it was superseded by the patch released with MS05-018.

For Windows XP SP1:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-053. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002 and MS05-018, which were then superseded by the patch released with MS05-053.

For Windows NT:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-002. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it has been superseded by the patch released with MS04-011. Microsoft is also reporting that the patch released with MS03-045 has been superseded by the patch released with MS04-032. The patch released with MS03-045 has been superseded by the patch released with MS05-002. See References.

References:

Avaya Security Advisory ASA-2005-004: Windows Security Updates for December 2004 - (MS05-001 - MS05-003).
BugTraq Mailing List, Thu Dec 23 2004 - 08:58:01 CST : Microsoft Windows LoadImage API Integer Buffer overflow.
CIAC Information Bulletin P-094: Microsoft Vulnerability in Cursor and Icon Format Handling.
Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732).
Microsoft Security Bulletin MS04-032: Security Update for Microsoft Windows (840987).
Microsoft Security Bulletin MS05-002: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711).
Microsoft Security Bulletin MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859).
Microsoft Security Bulletin MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424).
Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902).
Technical Cyber Security Alert TA05-012A: Multiple Vulnerabilities in Microsoft Windows Icon and Cursor Processing.
BID-12095: Microsoft Windows LoadImage API Function Integer Overflow Vulnerability
CVE-2004-1049: Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the Cursor and Icon Format Handling Vulnerability.
OSVDB ID: 12623: Microsoft Windows LoadImage API Overflow
SA13645: Microsoft Windows Multiple Vulnerabilities
SECTRACK ID: 1012684: Microsoft Windows LoadImage API Buffer Overflow Lets Remote Users Execute Arbitrary Code
US-CERT VU#625856: Microsoft Windows LoadImage API vulnerable to integer overflow

Platforms Affected:

Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP4
Microsoft Windows 2003 Server
Microsoft Windows 2003 Server x64
Microsoft Windows NT 4.0 SP6 Terminal Server
Microsoft Windows NT 4.0 SP6a Server
Microsoft Windows XP 2003 x64
Microsoft Windows XP SP1
Microsoft Windows XP SP1 x64

Reported:

Dec 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page