Microsoft DirectX RLE Compressed Targa Image File Heap Overflow iDefense Security Advisory 07.18.07 http://labs.idefense.com/intelligence/vulnerabilities/ Jul 18, 2007 I. BACKGROUND Microsoft DirectX is a collection of APIs for easily handling tasks related to game programming on the Microsoft Windows operating system. More information on DirectX is available by following the link shown below. http://msdn.microsoft.com/directx/ II. DESCRIPTION Exploitation of an input validation vulnerability in Microsoft Corp.'s DirectX library could allow an attacker to execute arbitrary code in the context of the current user. The vulnerability specifically exists in the way RLE compressed Targa format image files are opened. The Targa format allows multiple color depths and image storage options, depths and image storage options, and includes the ability to use run-length encoding (RLE), compression on the image data. This is a compression method which finds a 'run' of the pixels the same color and instead of storing the value multiple times, encodes the number of times to repeat one value. For example, instead of storing 'AAAAAAAA', it may encode that into 'store "A" 8 times'. The buffer allocated for the image data is based on the width, height and color depth stored in the image, but when decoding this type of file, no checks against writing past the end of the buffer are performed. If the encoding specifies more data than has been allocated, a controlled heap overflow can occur. III. ANALYSIS Exploitation could allow a remote attacker to execute arbitrary code in the context of the affected application. If the DirectX SDK is installed on a system, this function is used to display a preview in Windows Explorer's 'Details' pane, causing Explorer to become vulnerable. The DirectX End User Runtimes are often bundled with games or applications. Vectors potentially affecting users with either the SDK or the End User Runtime include online games and applications where graphics files are be downloaded from a remote server and used as a texture. IV. DETECTION iDefense has confirmed that libraries in Microsoft's DirectX SDK (February 2006) are vulnerable, as are the DirectX End User Runtimes (February 2006). It is suspected that previous versions are also affected, including the DirectX 9.0c End User Runtimes. V. WORKAROUND iDefense is currently unaware of any effective workarounds for this vulnerability. VI. VENDOR RESPONSE Microsoft reports that they addressed this vulnerability in the October 2006 SDK and End-User Runtime releases. iDefense has confirmed that this vulnerability no longer exists in the June 2007 release. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4183 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/16/2006 Initial vendor notification 10/05/2006 Initial vendor response 10/05/2006 Second vendor notification 07/18/2007 Public disclosure IX. CREDIT This vulnerability was reported to iDefense by Rubén Santamarta of www.reversemode.com. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.