what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2007-07-18.1

iDEFENSE Security Advisory 2007-07-18.1
Posted Jul 19, 2007
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 07.18.07 - Exploitation of an input validation vulnerability in Microsoft Corp.'s DirectX library could allow an attacker to execute arbitrary code in the context of the current user. The vulnerability specifically exists in the way RLE compressed Targa format image files are opened. The Targa format allows multiple color depths and image storage options, depths and image storage options, and includes the ability to use run-length encoding (RLE), compression on the image data. This is a compression method which finds a 'run' of the pixels the same color and instead of storing the value multiple times, encodes the number of times to repeat one value. For example, instead of storing 'AAAAAAAA', it may encode that into 'store "A" 8 times'. The buffer allocated for the image data is based on the width, height and color depth stored in the image, but when decoding this type of file, no checks against writing past the end of the buffer are performed. If the encoding specifies more data than has been allocated, a controlled heap overflow can occur. iDefense has confirmed that libraries in Microsoft's DirectX SDK (February 2006) are vulnerable, as are the DirectX End User Runtimes (February 2006). It is suspected that previous versions are also affected, including the DirectX 9.0c End User Runtimes.

tags | advisory, overflow, arbitrary
advisories | CVE-2006-4183
SHA-256 | 65a8ef11d3c0825d101a4d5aa33da3d8ed332c01adf3fd8cffe1d192e5863ced

iDEFENSE Security Advisory 2007-07-18.1

Change Mirror Download
Microsoft DirectX RLE Compressed Targa Image File Heap Overflow

iDefense Security Advisory 07.18.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 18, 2007

I. BACKGROUND

Microsoft DirectX is a collection of APIs for easily handling tasks
related to game programming on the Microsoft Windows operating system.
More information on DirectX is available by following the link shown
below.

http://msdn.microsoft.com/directx/

II. DESCRIPTION

Exploitation of an input validation vulnerability in Microsoft Corp.'s
DirectX library could allow an attacker to execute arbitrary code in
the context of the current user.

The vulnerability specifically exists in the way RLE compressed Targa
format image files are opened. The Targa format allows multiple color
depths and image storage options, depths and image storage options, and
includes the ability to use run-length encoding (RLE), compression on
the image data. This is a compression method which finds a 'run' of the
pixels the same color and instead of storing the value multiple times,
encodes the number of times to repeat one value. For example, instead
of storing 'AAAAAAAA', it may encode that into 'store "A" 8 times'. The
buffer allocated for the image data is based on the width, height and
color depth stored in the image, but when decoding this type of file,
no checks against writing past the end of the buffer are performed. If
the encoding specifies more data than has been allocated, a controlled
heap overflow can occur.

III. ANALYSIS

Exploitation could allow a remote attacker to execute arbitrary code in
the context of the affected application.

If the DirectX SDK is installed on a system, this function is used to
display a preview in Windows Explorer's 'Details' pane, causing
Explorer to become vulnerable.

The DirectX End User Runtimes are often bundled with games or
applications. Vectors potentially affecting users with either the SDK
or the End User Runtime include online games and applications where
graphics files are be downloaded from a remote server and used as a
texture.

IV. DETECTION

iDefense has confirmed that libraries in Microsoft's DirectX SDK
(February 2006) are vulnerable, as are the DirectX End User Runtimes
(February 2006). It is suspected that previous versions are also
affected, including the DirectX 9.0c End User Runtimes.

V. WORKAROUND

iDefense is currently unaware of any effective workarounds for this
vulnerability.

VI. VENDOR RESPONSE

Microsoft reports that they addressed this vulnerability in the October
2006 SDK and End-User Runtime releases. iDefense has confirmed that
this vulnerability no longer exists in the June 2007 release.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4183 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006 Initial vendor notification
10/05/2006 Initial vendor response
10/05/2006 Second vendor notification
07/18/2007 Public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Rubén Santamarta of
www.reversemode.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close