[NT] Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability (MS08-046)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft Windows Color Management Module Heap Buffer Overflow
Vulnerability (MS08-046)
------------------------------------------------------------------------


SUMMARY

Microsoft Windows Color Management Module
(http://www.microsoft.com/whdc/archive/icmwp.mspx) provides "consistent
color mappings between different devices and applications. It is also used
to transform colors between color spaces". Remote exploitation of a
heap-based buffer overflow vulnerability in multiple versions of Microsoft
Corp.'s Windows operating system allows an attacker to execute arbitrary
code with the privileges of the current user.

DETAILS

Vulnerable Systems:
* Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2

Immune Systems:
* Windows Vista
* Windows Vista Service Pack 1
* Windows Server 2008

This vulnerability specifically exists in the InternalOpenColorProfile
function in mscms.dll. When a malformed parameter is supplied, a
heap-based buffer overflow can occur, resulting in an exploitable
condition.

Analysis:
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file, either hosted on a Web
server, stored on the local file system, or embedded in an e-mail or an
Office document, or through some form of social engineering.

This vulnerability can also be triggered through e-mail. If the e-mail
client automatically displays images embedded in the e-mail, the user
only needs to open the e-mail to trigger the vulnerability. Currently an
EMF file is used as the test attack vector. Outlook and Outlook Express
automatically display EMF images and trigger the vulnerability. Lotus Notes
and Thunderbird do not display EMF images in e-mail directly, but the
vulnerability can still be triggered when opening or viewing the EMF
attachment.

Workaround:
In order to prevent exploitation of this vulnerability, turn off metafile
processing by modifying the registry. Under the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize",
create a DWORD entry "DisableMetaFiles" and set it to 1.

Keep in mind that this only blocks the attack vector through Windows
metafiles. It may be possible to exploit this vulnerability through other
attack vectors.

Note: Modifying the registry does not affect processes that are already
running, so you may need to log off and log on again or restart the
computer after making the change.

Implementing this workaround may cause components relying on metafile
processing, such as printing, to misbehave.

Viewing e-mail in plain text format mitigates the e-mail-based attack vector.
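The registry workaround above, as an added PowerShell audit-and-apply script that is not part of the iDefense advisory. It assumes an elevated session on a pre-Vista host; the key path and value name are those given in the advisory, the function names are the author's own, and the OS-version check (Windows 2000/XP/2003 report NT major version 5, Vista and Server 2008 report 6) is added so the change is only applied where the advisory lists the system as vulnerable.

```powershell
# Added example (not from the advisory): audit and, where needed, apply the
# MS08-046 DisableMetaFiles workaround. Run elevated; hypothetical function names.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize'
$ValueName = 'DisableMetaFiles'

function Get-MetafileWorkaroundState {
    # Returns 'Applied', 'NotApplied' or 'KeyMissing' for the local machine.
    if (-not (Test-Path -Path $KeyPath)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotApplied' }
    if ($item.$ValueName -eq 1) { return 'Applied' }
    return 'NotApplied'
}

function Set-MetafileWorkaround {
    # Creates GRE_Initialize if absent and writes DisableMetaFiles = 1 (DWORD).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Windows 2000, XP and Server 2003 are NT 5.x; Vista and Server 2008 (6.x) are
# listed as immune in the advisory, so the workaround is not applied there.
$osMajor = [Environment]::OSVersion.Version.Major
$before  = Get-MetafileWorkaroundState
Write-Output "OS NT major version: $osMajor"
Write-Output "DisableMetaFiles state before: $before"

if ($osMajor -ge 6) {
    Write-Output 'Host is not in the advisory''s vulnerable list; no change made.'
} elseif ($before -ne 'Applied') {
    Set-MetafileWorkaround
    Write-Output "DisableMetaFiles state after:  $(Get-MetafileWorkaroundState)"
    # Per the advisory, running processes keep the old setting until the user
    # logs off or the machine restarts, and printing may misbehave afterwards.
}
```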

Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-046. For more information, consult their bulletin at the
following URL:
http://www.microsoft.com/technet/security/bulletin/ms08-046.mspx

CVE Information:
CVE-2008-2245: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2245

Disclosure timeline:
04/10/2008 - Initial vendor notification
04/16/2008 - Initial vendor response
08/12/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories
(idlabs-advisories@xxxxxxxxxxxx).
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=742


