HTTP ICC Profile TagData Overflow: Attack Signature

Description

This signature detects an attempt to exploit a vulnerability in Windows Color Management Module.

Additional Information

Microsoft Windows provides an implementation for the ICC (International Color Management) standard through the Color Management Module. The ICC standard is a cross-platform, cross-format color consistency specification. The purpose of ICC is to allow for colors to be rendered uniformly across different devices and platforms. Many image and document formats support inclusion of ICC data in the form of color profiles that are embedded in the files themselves.

Microsoft Windows is prone to a buffer overflow vulnerability in the Color Management Module. The issue is due to a boundary condition error related to the parsing of ICC (International Color Consortium) Profile tags in various supported image and document formats.

The specific vulnerability is due to a memory copy operation in the 'mscms.dll' (Microsoft Color Management System) library. ICC XYZType (rXYZ, gXYZ, bXYZ) tag data from within the file is copied into a static stack-based buffer of 224 bytes, which is declared in the 'icm32.dll' (Integrated Color Managament) library. The Microsoft GDI library calls both of these libraries when a supported file type with embedded ICC data is rendered.

Memory corruption resulting from this vulnerability may allow an attacker to overwrite sensitive variables in memory such as a return address or Structured Exception Handler (SEH), allowing the attacker to influence program execution flow. This is sufficient for an attacker to execute arbitrary code.

ICC Profile data may possibly be embedded in various file formats, including JPEG, GIF, EXIF, TIFF, PNG, PICT, PDF, PostScript, SVG, JDF, and CSS3. Some of these formats may not provide an attack vector, especially if Microsoft does not provide native support or does not call the vulnerable functionality when handling certain formats. Formats that may not be affected due to lack of native support are PDF, PICT, and PostScript, though this has not been confirmed.

Successful exploitation may result in execution of arbitrary code in the context of the currently logged in user. This vulnerability could be exploited through a Web site that hosts a malicious document, by previewing or opening malicious content in email, or through other means that will allow an attacker to send the victim a malicious document.

There is also a risk that other Microsoft or third-party applications that rely on the affected functionality may be vulnerable. A number of third-party applications may ship with vulnerable libraries, so may remain vulnerable despite having applied the Microsoft patch. Symantec is not aware of any such vendors at the time of writing.

Affected

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP4
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Datacenter Edition 64-bit SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Enterprise Edition 64-bit SP1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Home SP2
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition SP2
Nortel Networks Centrex IP Client Manager

Response

HTTP ICC Profile TagData Overflow

Severity: High

Description

Additional Information

Affected

Response

Additional References