Vulnerabilities > CVE-2007-0038 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-119

critical

nessus

exploit available

metasploit

NVD

Published: 2007-03-30

Updated: 2018-10-16

Summary

Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows 2003 Server Gold Microsoft Windows 2003 Server Sp1 Microsoft Windows 2003 Server Sp2 Microsoft Windows Vista * Microsoft Windows XP *	14

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description	MS Windows GDI Local Privilege Escalation Exploit (MS07-017). CVE-2006-5586,CVE-2006-5758,CVE-2007-0038,CVE-2007-1211,CVE-2007-1212,CVE-2007-1213,CVE-2007-12...
id	EDB-ID:3688
last seen	2016-01-31
modified	2007-04-08
published	2007-04-08
reporter	Ivanlef0u
source	https://www.exploit-db.com/download/3688/
title	Microsoft Windows GDI - Local Privilege Escalation Exploit MS07-017

description	Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP). CVE-2007-0038. Remote exploit for windows platform
id	EDB-ID:16526
last seen	2016-02-02
modified	2010-08-12
published	2010-08-12
reporter	metasploit
source	https://www.exploit-db.com/download/16526/
title	Windows ANI LoadAniIcon Chunk Size Stack Buffer Overflow HTTP

description	MS Windows Animated Cursor (.ANI) Remote Exploit (eeye patch bypass). CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform
id	EDB-ID:3636
last seen	2016-01-31
modified	2007-04-01
published	2007-04-01
reporter	jamikazu
source	https://www.exploit-db.com/download/3636/
title	Microsoft Windows - Animated Cursor .ANI Remote Exploit eeye patch bypass

description	MS Windows Animated Cursor (.ANI) Overflow Exploit (Hardware DEP). CVE-2007-0038,CVE-2007-1765. Local exploit for windows platform
id	EDB-ID:3652
last seen	2016-01-31
modified	2007-04-03
published	2007-04-03
reporter	devcode
source	https://www.exploit-db.com/download/3652/
title	Microsoft Windows - Animated Cursor .ANI Overflow Exploit Hardware DEP

description	MS Windows XP Animated Cursor (.ANI) Remote Overflow Exploit 2. CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform
id	EDB-ID:3635
last seen	2016-01-31
modified	2007-04-01
published	2007-04-01
reporter	Trirat Puttaraksa
source	https://www.exploit-db.com/download/3635/
title	Microsoft Windows XP - Animated Cursor .ANI Remote Overflow Exploit 2

description	MS Windows GDI Local Privilege Escalation Exploit (MS07-017) 2. CVE-2006-5586,CVE-2006-5758,CVE-2007-0038,CVE-2007-1211,CVE-2007-1212,CVE-2007-1213,CVE-2007-...
id	EDB-ID:3755
last seen	2016-01-31
modified	2007-04-17
published	2007-04-17
reporter	Lionel d'Hauenens
source	https://www.exploit-db.com/download/3755/
title	Microsoft Windows GDI - Local Privilege Escalation Exploit MS07-017 2

description	MS Windows XP/Vista Animated Cursor (.ANI) Remote Overflow Exploit. CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform
file	exploits/windows/remote/3634.txt
id	EDB-ID:3634
last seen	2016-01-31
modified	2007-04-01
platform	windows
port
published	2007-04-01
reporter	jamikazu
source	https://www.exploit-db.com/download/3634/
title	Microsoft Windows XP/Vista - Animated Cursor .ANI Remote Overflow Exploit
type	remote

description	MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017). CVE-2006-5586,CVE-2006-5758,CVE-2007-0038,CVE-2007-1211,CVE-2007-1212,CVE-2007-1213,C...
id	EDB-ID:3804
last seen	2016-01-31
modified	2007-04-26
published	2007-04-26
reporter	Lionel d'Hauenens
source	https://www.exploit-db.com/download/3804/
title	Microsoft Windows - .ANI GDI Remote Elevation of Privilege Exploit MS07-017

description	MS Windows Animated Cursor (.ANI) Stack Overflow Exploit. CVE-2007-0038,CVE-2007-1765. Local exploit for windows platform
id	EDB-ID:3617
last seen	2016-01-31
modified	2007-03-31
published	2007-03-31
reporter	devcode
source	https://www.exploit-db.com/download/3617/
title	Microsoft Windows - Animated Cursor .ANI Stack Overflow Exploit

description	Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP). CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform
id	EDB-ID:16698
last seen	2016-02-02
modified	2010-09-20
published	2010-09-20
reporter	metasploit
source	https://www.exploit-db.com/download/16698/
title	Windows ANI LoadAniIcon Chunk Size Stack Buffer Overflow SMTP

Metasploit

description	This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.
id	MSF:EXPLOIT/WINDOWS/EMAIL/MS07_017_ANI_LOADIMAGE_CHUNKSIZE
last seen	2020-06-14
modified	2019-05-23
published	2010-07-25
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1765
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb
title	Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

description	This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.
id	MSF:EXPLOIT/WINDOWS/BROWSER/MS07_017_ANI_LOADIMAGE_CHUNKSIZE
last seen	2020-02-25
modified	2019-05-23
published	2010-04-15
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb
title	Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS07-017.NASL
description	The remote host is running a version of Windows with a bug in the Animated Cursor (ANI) handling routine that could allow an attacker to execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue web site. Additionally, the system is vulnerable to : - Local Privilege Elevation (GDI, EMF, Font Rasterizer) - Denial of Service (WMF)
last seen	2020-06-01
modified	2020-06-02
plugin id	24911
published	2007-04-03
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24911
title	MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(24911); script_version("1.37"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2006-5586", "CVE-2006-5758", "CVE-2007-0038", "CVE-2007-1211", "CVE-2007-1212", "CVE-2007-1213", "CVE-2007-1215", "CVE-2007-1765" ); script_bugtraq_id(23194, 23273, 23275, 23276, 23277, 23278); script_xref(name:"MSFT", value:"MS07-017"); script_xref(name:"MSKB", value:"925902"); script_xref(name:"IAVA", value:"2007-A-0020"); script_xref(name:"CERT", value:"191609"); script_xref(name:"EDB-ID", value:"3617"); script_xref(name:"EDB-ID", value:"3634"); script_xref(name:"EDB-ID", value:"3635"); script_xref(name:"EDB-ID", value:"3636"); script_xref(name:"EDB-ID", value:"3652"); script_xref(name:"EDB-ID", value:"16526"); script_xref(name:"EDB-ID", value:"16698"); script_name(english:"MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902)"); script_summary(english:"Determines the presence of update 925902"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the email client or the web browser."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Windows with a bug in the Animated Cursor (ANI) handling routine that could allow an attacker to execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue web site. Additionally, the system is vulnerable to : - Local Privilege Elevation (GDI, EMF, Font Rasterizer) - Denial of Service (WMF)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-017"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/06"); script_set_attribute(attribute:"patch_publication_date", value:"2007/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/03"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-017'; kb = "925902"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"User32.dll", version:"6.0.6000.16438", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"User32.dll", version:"6.0.6000.20537", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"User32.dll", version:"5.2.3790.4033", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"User32.dll", version:"5.2.3790.2892", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:0, file:"User32.dll", version:"5.2.3790.651", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", file:"User32.dll", version:"5.1.2600.3099", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"User32.dll", version:"5.0.2195.7133", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2011-05-09T04:01:22.355-04:00

class

vulnerability

contributors

name Sudhir Gandhe
organization Secure Elements, Inc.
name Robert L. Hollis
organization ThreatGuard, Inc.
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP SP2 or later is installed
oval oval:org.mitre.oval:def:521
comment Microsoft Windows Server 2003 (x86) Gold is installed
oval oval:org.mitre.oval:def:165
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Vista is installed
oval oval:org.mitre.oval:def:228

description

family

windows

oval:org.mitre.oval:def:1854

status

accepted

submitted

2007-04-09T09:49:32

title

Windows Animated Cursor Remote Code Execution Vulnerability

version

Packetstorm

data source	https://packetstormsecurity.com/files/download/88402/ms07_017_ani_loadimage_chunksize.rb.txt
id	PACKETSTORM:88402
last seen	2016-12-05
published	2010-04-15
reporter	H D Moore
source	https://packetstormsecurity.com/files/88402/Windows-ANI-LoadAniIcon-Chunk-Size-Stack-Overflow-HTTP.html
title	Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP)

data source	https://packetstormsecurity.com/files/download/55551/ani_loadimage_chunksize-browser.rb.txt
id	PACKETSTORM:55551
last seen	2016-12-05
published	2007-04-03
reporter	Matt Miller
source	https://packetstormsecurity.com/files/55551/ani_loadimage_chunksize-browser.rb.txt.html
title	ani_loadimage_chunksize-browser.rb.txt

data source	https://packetstormsecurity.com/files/download/83052/ani_loadimage_chunksize.rb.txt
id	PACKETSTORM:83052
last seen	2016-12-05
published	2009-11-26
reporter	H D Moore
source	https://packetstormsecurity.com/files/83052/Windows-ANI-LoadAniIcon-Chunk-Size-Stack-Overflow-SMTP.html
title	Windows ANI LoadAniIcon() Chunk Size Stack Overflow (SMTP)

data source	https://packetstormsecurity.com/files/download/55552/ani_loadimage_chunksize-email.rb.txt
id	PACKETSTORM:55552
last seen	2016-12-05
published	2007-04-03
reporter	Matt Miller
source	https://packetstormsecurity.com/files/55552/ani_loadimage_chunksize-email.rb.txt.html
title	ani_loadimage_chunksize-email.rb.txt

Saint

bid	23194
description	Windows Animated Cursor Header buffer overflow
id	win_patch_gdi07017
osvdb	33629
title	windows_animated_cursor
type	client

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Metasploit

Nessus

Oval

Packetstorm

Saint

References