Executive Summary

Summary
Title: Microsoft Windows GDI+ ICO InfoHeader Height division by zero vulnerability
Information
Name: VU#290961
First vendor Publication: 2007-06-06
Vendor: VU-CERT
Last vendor Modification: 2007-06-06
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSS Base Score: 7.1
CVSS Impact Score: 6.9
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#290961

Microsoft Windows GDI+ ICO InfoHeader Height division by zero vulnerability

Overview

Microsoft Windows GDI+ fails to properly handle ICO files, which could allow a remote, unauthenticated attacker to cause a denial-of-service condition.

I. Description

Microsoft Windows Graphics Device Interface (GDI+) is an application programming interface (API) that provides programmers the ability to display information on screens and printers. GDI+ includes the ability to process ICO (icon) image files. There is an integer division by zero vulnerability in the way the ICO parsing component of GDI+ (Gdiplus.dll) handles ICO files with a Height value of zero in the InfoHeader section of the ICO file. By introducing a specially crafted ICO file to the vulnerable component, a remote attacker could trigger an integer division by zero denial-of-service condition.

Windows Explorer has been shown to be vulnerable; however, any application that uses the GDI+ library may be vulnerable.

II. Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable system by introducing a specially crafted ICO file. The affected application would crash with a "division by zero" error. In the case of Windows Explorer, simply having the file on the desktop or any other location that is displayed by Explorer is enough to trigger the vulnerability.

III. Solution

We are currently unaware of a practical solution to this problem.


Do not open untrusted files

Do not open unfamiliar or unexpected files, particularly those hosted on web sites or delivered as email attachments. It may be possible for a malformed ICO file to be embedded in an executable or other file. Please see Cyber Security Tip ST04-010.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Systems Affected

Vendor | Status | Date Updated
Microsoft Corporation | Vulnerable | 6-Jun-2007

References


http://www.csis.dk/dk/forside/GdiPlus.pdf
http://msdn2.microsoft.com/en-us/library/ms536380.aspx
http://msdn2.microsoft.com/en-us/library/ms997538.aspx

Credit

Thanks to Dennis Rand of CSIS Security Group for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public: 06/06/2007
Date First Published: 06/06/2007 09:37:15 AM
Date Last Updated: 06/06/2007
CERT Advisory:
CVE Name: CVE-2007-2237
Metric: 5.54
Document Revision: 16

Original Source

Url : http://www.kb.cert.org/vuls/id/290961


CPE : Common Platform Enumeration

Type | Description | Count
Os | | 6

ExploitDB Exploits

id Description
2007-06-07 MS Windows GDI+ ICO File Remote Denial of Service Exploit

Open Source Vulnerability Database (OSVDB)

Id Description
38494 Microsoft Windows Graphics Device Interface (GDI+, GdiPlus.dll) ICO Handling DoS