Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

From: Jan Wrobel <wrobel@xxxxxxxxxxxx>
Date: Sat, 31 Mar 2007 01:11:15 +0200

On Thu, 29 Mar 2007, Alexander Sotirov wrote:

Today Microsoft released a security advisory about a vulnerability in the
Animated Cursor processing code in Windows:
http://www.microsoft.com/technet/security/advisory/935423.mspx

It seems like the vulnerability is already exploited in the wild:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Bleeding Edge Threats made available Snort rule that detects some (all?)
exploits using this vulnerability:
http://www.bleedingthreats.net/index.php/2007/03/30/ms-ani-exploit-rule-details-emerging/

I don't know if this rule detects all possible exploits or just one
particular type. Here is a Firekeeper version of the rule, which can
be used to detect sites hosting malicious files:

alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)

Rule is triggered for example by the following images:
http://www.i5460.net/admin12/2.jpg
http://www.i5460.net/admin12/1.jpg

Cheers,
Jan Wrobel
http://firekeeper.mozdev.org

Follow-Ups:
- Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
  - From: Alexander Sotirov

References:
- 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
  - From: Alexander Sotirov

Prev by Date: TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution Vulnerability
Next by Date: Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
Previous by thread: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
Next by thread: Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
Index(es):
- Date
- Thread

Relevant Pages

Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
... Animated Cursor processing code in Windows: ... It seems like the vulnerability is already exploited in the wild: ...
(Full-Disclosure)
SecurityFocus Microsoft Newsletter #163
... MICROSOFT VULNERABILITY SUMMARY ... Bugzilla Javascript Buglists Remote Information Disclosure V... ... Microsoft Internet Explorer DHTML Drag and Drop Local File S... ... Microsoft Windows Workstation Service Remote Buffer Overflow... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #176
... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #158
... Gamespy 3d IRC Client Remote Buffer Overflow Vulnerability ... Microsoft Windows PostThreadMessage() Arbitrary Process Kill... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #123
... Spooked about Windows security? ... Rediff Bol URL Handling Denial Of Service Vulnerability ... Finjan SurfinGate File Extension File Filter Circumvention... ... MIT Kerberos Key Distribution Center Remote Format String... ...
(Focus-Microsoft)