I can verify that the attached Proof of Concept bitmap produced a DoS on several IE versions, including IE5.01 SP1 5.00.2614.3500 on Windows 2000 Pro SP2 IE5.01 SP1 5.00.2920.0000 on Windows 2000 Pro SP2 IE5.01 SP2 5.00.3315.1000 on Windows 2000 Pro SP2 The latter configuration is still supported by Microsoft and gave a blue screen. http://support.microsoft.com/default.aspx?scid=fh;%5Bln%5D;LifeWin The Product Life Cycle Dates lists IE5.01SP2 on Windows 2000 SP2 as being supported until June 30, 2004. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor@pivx.com Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> -----Original Message----- From: Christopher Carboni [mailto:ccarboni@azerty.com] Sent: Monday, February 16, 2004 6:39 AM To: bugtraq@securityfocus.com Subject: Exploit based on leaked code released. >From securitytracker >http://www.securitytracker.com/alerts/2004/Feb/1009067.html Microsoft Internet Explorer Integer Overflow in Processing Bitmap Files Lets Remote Users Execute Arbitrary Code SecurityTracker Alert ID: 1009067 CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site) Date: Feb 15 2004 Impact: Execution of arbitrary code via network, User access via network Exploit Included: Yes Version(s): 5 (6 is reportedly not vulnerable) Description: A vulnerability was reported in Microsoft Internet Explorer (IE) version 5. A remote user can execute arbitrary code on the target system. It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code. The author states that this flaw was found by reviewing the recently leaked Microsoft Windows source code. The flaw reportedly resides in 'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'. The report indicates that IE 5 is affected but that IE 6 is not affected. A demonstration exploit is provided in the Source Message [it is Base64 encoded]. Impact: A remote user can cause arbitrary code to be executed on the target user's computer when the target user's browser loads a specially crafted bitmap file. The code will run with the privileges of the target user. Solution: No solution was available at the time of this entry. Vendor URL: www.microsoft.com/technet/security/ (Links to External Site) Cause: Boundary error Underlying OS: Windows (Any) Reported By: <gta@hush.com> Message History: None.
