Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerabi

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability
Date: 4 Apr 2007 16:32:20 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability
------------------------------------------------------------------------


SUMMARY

The Microsoft Windows kernel controls "which processes are allowed to run 
and is responsible for accessing hardware such as storage devices and 
video adapters, scheduling time for each process to execute, managing 
memory, and other system control tasks".

Remote exploitation of a design error in certain kernel GDI functions in 
multiple versions of Microsoft Corp.'s Windows operating system may allow 
an attacker to cause a denial of service condition.

DETAILS

Vulnerable Systems:
 * Windows XP with Service Pack 2
 * Windows 2003 Server
 * (Other Windows operating systems may also be affected).

During testing of the MS06-001 WMF (Windows Metafile) vulnerability, a 
flaw was found in the handling of WMF files. This flaw can cause the 
kernel to perform a bug check, also known as a "blue screen" or system 
crash, when it tries to parse the file. The cause of this bug check is an 
attempt by a function in a kernel system call to read a value obtained by 
dereferencing an offset into a kernel structure. This value had been 
previously created and then reset by previous system calls, and at the 
point it is accessed it does not contain a valid memory reference. This 
results in an access violation error, which in turn triggers the bug 
check.

This vulnerability is different from both the Microsoft MS06-001 WMF 
vulnerability and the MS05-053 WMF vulnerability and is not fixed by 
either of these patches.

Exploitation of this vulnerability would allow a remote attacker to 
perform a denial of service against an affected system.

Depending on where the file was saved and configuration details of the 
target, this could result in a persistent denial of service condition, 
causing an immediate reboot upon logging on after an attack. The results 
of testing this vulnerability suggest that in some cases it may cause 
corruption of the system in a manner that prevents the system from 
rebooting.

It is likely that Enhanced Windows Metafiles (EMF) are also affected, but 
this has not yet been confirmed.

Currently, due to the type of location being referenced by the kernel, it 
appears that the vulnerability may only be exploitable by a remote 
attacker to cause a DoS condition. The vectors that could be used to 
remotely exploit this vulnerability would most likely be similar to those 
that the MS06-001 vulnerability used.

Workaround:
Blocking .wmf files at all e-mail and Web gateways is strongly 
recommended. However, this is not effective if blocking is done based on 
file extensions (e.g., .wmf), as an attacker can simply rename the file to 
a new extension.

Reading e-mail in plain-text can prevent automatic exploitation via 
electronic mail.

Vendor Status:
Microsoft has addressed this vulnerability within  
<http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx > 
MS07-017.

Disclosure Timeline:
 * 01/10/2006 - Initial vendor notification
 * 01/10/2006 - Initial vendor response
 * 04/03/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=499> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=499



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability, SecuriTeam <=
Previous by Date:  [NT] HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability, SecuriTeam
Next by Date:  [NEWS] Multiple Cisco Unified CallManager and Presence Server DoS Vulnerabilities, SecuriTeam
Previous by Thread:  [NT] HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability, SecuriTeam
Next by Thread:  [NEWS] Multiple Cisco Unified CallManager and Presence Server DoS Vulnerabilities, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]