Thread-topic: Microsoft DirectX RLE Compressed Targa Image File Heap Overflow
> -----Original Message-----
>
> Microsoft DirectX RLE Compressed Targa Image File Heap Overflow
>
> iDefense Security Advisory 07.18.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jul 18, 2007
>
> I. BACKGROUND
>
> Microsoft DirectX is a collection of APIs for easily handling tasks
> related to game programming on the Microsoft Windows operating system.
> More information on DirectX is available by following the link shown
> below.
>
> http://msdn.microsoft.com/directx/
>
> II. DESCRIPTION
>
> Exploitation of an input validation vulnerability in Microsoft Corp.'s
> DirectX library could allow an attacker to execute arbitrary code in
> the context of the current user.
>
> The vulnerability specifically exists in the way RLE compressed Targa
> format image files are opened. The Targa format allows multiple color
> depths and image storage options, depths and image storage
> options, and
> includes the ability to use run-length encoding (RLE), compression on
> the image data. This is a compression method which finds a
> 'run' of the
> pixels the same color and instead of storing the value multiple times,
> encodes the number of times to repeat one value. For example, instead
> of storing 'AAAAAAAA', it may encode that into 'store "A" 8
> times'. The
> buffer allocated for the image data is based on the width, height and
> color depth stored in the image, but when decoding this type of file,
> no checks against writing past the end of the buffer are performed. If
> the encoding specifies more data than has been allocated, a controlled
> heap overflow can occur.
>
> III. ANALYSIS
>
> Exploitation could allow a remote attacker to execute
> arbitrary code in
> the context of the affected application.
>
> If the DirectX SDK is installed on a system, this function is used to
> display a preview in Windows Explorer's 'Details' pane, causing
> Explorer to become vulnerable.
>
> The DirectX End User Runtimes are often bundled with games or
> applications. Vectors potentially affecting users with either the SDK
> or the End User Runtime include online games and applications where
> graphics files are be downloaded from a remote server and used as a
> texture.
>
> IV. DETECTION
>
> iDefense has confirmed that libraries in Microsoft's DirectX SDK
> (February 2006) are vulnerable, as are the DirectX End User Runtimes
> (February 2006). It is suspected that previous versions are also
> affected, including the DirectX 9.0c End User Runtimes.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any effective workarounds for this
> vulnerability.
>
> VI. VENDOR RESPONSE
>
> Microsoft reports that they addressed this vulnerability in
> the October
> 2006 SDK and End-User Runtime releases. iDefense has confirmed that
> this vulnerability no longer exists in the June 2007 release.
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2006-4183 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 08/16/2006 Initial vendor notification
> 10/05/2006 Initial vendor response
> 10/05/2006 Second vendor notification
> 07/18/2007 Public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by Rub?n Santamarta of
> www.reversemode.com.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright ¿ 2007 iDefense, Inc.
>