what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Aug 15, 2007
Authored by Derek Soeder, Ben Nagy | Site eeye.com

eEye Digital Security has discovered a heap overflow vulnerability in VGX.DLL's processing of compressed content referenced from VML. VGX.DLL is the Microsoft component responsible for rendering VML (Vector Markup Language) within Internet Explorer.

tags | advisory, overflow
SHA-256 | 9b1cfee5014a419ac428eac7004f0bbeb5caae72cf8de6073a0fb45a9a602d41


Change Mirror Download
VGX.DLL Compressed Content Heap Overflow Vulnerability

Release Date:
August 14, 2007

Date Reported:
October 24, 2006

High (Code Execution)

Systems Affected:
Internet Explorer 6 SP1 - Windows 2000 SP4
Internet Explorer 6 SP1 - Windows XP SP1
Internet Explorer 6 SP2 - Windows XP SP2
Internet Explorer 6 SP1 - Windows Server 2003 SP1
Internet Explorer 6 SP2 - Windows Server 2003 SP2

eEye Digital Security has discovered a heap overflow vulnerability in
VGX.DLL's processing of compressed content referenced from VML. VGX.DLL
is the Microsoft component responsible for rendering VML (Vector Markup
Language) within Internet Explorer.

If a user views a malicious web page or HTML e-mail containing VML that
points to compressed content on an attacker-controlled web server, the
attacker can cause a heap overflow within the viewing application,
leading to the execution of arbitrary code.

(Note that, in order to be exploited directly from HTML e-mail, the
victim must attempt to view the malicious e-mail in the Internet Zone,
or with otherwise equivalent security and privacy settings that allow
internet content to be downloaded and displayed.)

Technical Details:
VGX.DLL contains an implementation of the CDownloadSink class that
processes data downloaded from URLs embedded within VML. For instance,
the following VML will download additional content which will be handled
by VGX.DLL!CDownloadSink::OnDataAvailable:

<v:imagedata src="http://malice/compressed.emz">

An integer underflow vulnerability exists within
VGX.DLL!CDownloadSink::OnDataAvailable that can eventually cause
URLMON.DLL!CMimeFt::SmartRead to overflow a heap buffer, due to a
misreported buffer size when handling compressed content. The second
argument ([EBP+10h]; [EBP+8] is the 'this' pointer) passed into
CDownloadSink::OnDataAvailable is the total length of all raw
(compressed) data received so far, but the function will subtract the
total length of uncompressed data in its buffer from the total length of
raw data when calculating the read limit to be passed to
URLMON.DLL!CReadOnlyStreamDirect::Read. Assuming that the data is
larger uncompressed than compressed, an integer underflow can be made to
occur, causing a very large value (roughly 4GB) to be supplied as the
read limit. If the amount of data subsequently read exceeds the amount
of unused space in the buffer, a heap overflow with arbitrary binary
data will result.

Exploitation requires that CDownloadSink::OnDataAvailable be invoked at
least twice -- once to load the buffer with some non-zero length of
uncompressed data, and a second time to cause the overflow -- so the
compressed data must be received in distinct (e.g., time-separated)
pieces. Since such divisions may occur legitimately, positively
identifying attempts to exploit this vulnerability are difficult, and
conversely, even legitimate web sites may cause a non-malicious heap
overflow to occur.

Internet Explorer 7 silently fixed the vulnerability roughly ten months
ago, due to a change in URLMON.DLL's behavior when reading compressed

Retina Network Security Scanner has been updated to identify this
Blink Endpoint Vulnerability Prevention preemptively protects from this

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:

Discovery: Ben Nagy and Derek Soeder
Research: Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
Blink - Unified Client Security Personal - Free For Home Use:
Blink - Unified Client Security Professional - Free Trial:

Tony B. for contributing the site. Jennifer, Barnz, Reverse, Karl,
Dave, Steve, Glenn, Eric, Ryan, Saeed, Daniel, and Yuji. Greg rocks!
(where were you in 2003?) The Cygnet.

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.
Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By