Windows parsing... at its best

Apr 30, 2007 21:16 GMT

A single small flaw in code dating back to Windows 2000 survived all the way into Windows Vista, passed unnoticed by Microsoft's static analysis tools and the company's fuzz tests, and grew into a critical vulnerability. And even after Microsoft patched it, the Windows Animated Cursor handling vulnerability is still evolving.

The Redmond company made a security patch for the .ANI file format handling vulnerability available on April 3, 2007, just five days after it went public and almost four months after it was reported to Microsoft. Security company Symantec revealed at the end of last week that the ANI exploit is evolving.

"An ANI file follows the RIFF standard, with a few exceptions. It is a collection of data chunks, all having the same format of 'header | size | data'. Despite the supposedly easy structure of the Animated Cursor file, Microsoft's implementation of its parser is quite loose," revealed Nicolas Falliere, Symantec Security Response Engineer.

Falliere also spelled out what he meant by loose. Windows, Vista included, will happily parse invalid chunks. But where the ANI parser fails to reject, heuristic detection does not, and will still block the output of malicious ANI file generators that pad their files with hundreds of invalid chunks. The parser is equally careless with invalid ANI files whose chunks are not aligned on 2-byte boundaries, which the RIFF format requires.

Still, the attackers took the Windows Animated Cursor format vulnerability one step further, by embedding a chunk as the payload of another chunk and drastically altering its size field. And Windows Vista, Windows in general for that matter, will still parse the file.
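The chunk layout Falliere describes, and the three abuses the article lists (invalid and misaligned chunks, and a chunk nested inside another with a tampered size field), as an added example that is not part of the original story and is not Symantec's, Microsoft's or the Windows parser's code: a small C walker for RIFF/ACON chunks with a strict mode and a mode that models the loose behaviour described above. The sample files are constructed inside the block and are not the samples Symantec analysed. The 36-byte ANIHEADER, the RIFF rule that an odd-sized chunk is followed by a pad byte, and the chunk ids are facts about the format; the "loose" rules (size clamped to end of file, pad byte optional, nested chunk bounded by the file rather than its parent) are an assumed model of loose parsing, not a description of the actual Windows code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Symantec's, Microsoft's or the Windows parser's code. strict=1 applies the
 * checks a hardened ANI parser needs; strict=0 is an assumed model of the loose behaviour the
 * article describes: size field trusted (clamped to end of file), pad byte optional, and a nested
 * chunk bounded by the file rather than by its parent chunk. */
enum { ANI_OK, ANI_ERR_HEADER, ANI_ERR_TRUNC, ANI_ERR_ALIGN, ANI_ERR_ANIH_SIZE };
#define ANIH_SIZE 36u   /* sizeof(ANIHEADER): nine DWORD fields */

typedef struct { unsigned chunks; uint32_t anih_declared; } ani_stats; /* accepted chunks; largest anih size field */

static uint32_t rd32le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32le(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Walk the chunks in buf[off, end); file_end is the buffer length, depth bounds LIST recursion. */
static int walk(const uint8_t *buf, size_t off, size_t end, size_t file_end,
                int strict, int depth, ani_stats *st)
{
    while (off < end) {
        if (end - off < 8) return strict ? ANI_ERR_TRUNC : ANI_OK; /* loose: trailing bytes ignored */
        const uint8_t *id = buf + off;
        uint32_t size = rd32le(buf + off + 4);
        size_t limit = strict ? end : file_end;  /* strict: a chunk may not escape its parent */
        off += 8;
        if (!memcmp(id, "anih", 4)) {
            if (size > st->anih_declared) st->anih_declared = size; /* what a size-trusting copy would write */
            if (strict && size != ANIH_SIZE) return ANI_ERR_ANIH_SIZE; /* fixed-size struct: exact match */
        }
        if (size > limit - off) {                /* the bounds check a size-trusting copy lacks */
            if (strict) return ANI_ERR_TRUNC;
            size = (uint32_t)(limit - off);      /* loose: just read until end of file */
        }
        if (!memcmp(id, "LIST", 4) && size >= 4 && depth < 4) { /* recurse past the 4-byte list type */
            int r = walk(buf, off + 4, off + size, file_end, strict, depth + 1, st); if (r) return r;
        }
        off += size;
        /* RIFF pads odd-sized chunks to a 2-byte boundary; strict requires the pad byte */
        if (size & 1) { if (off < limit) off++; else if (strict) return ANI_ERR_ALIGN; }
        st->chunks++;
    }
    return ANI_OK;
}

int ani_parse(const uint8_t *buf, size_t len, int strict, ani_stats *st)
{
    st->chunks = 0; st->anih_declared = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4)) return ANI_ERR_HEADER;
    return walk(buf, 12, len, len, strict, 0, st);
}

/* Constructed sample files, not real malware. `declared` goes into the size field and may
 * disagree with the `actual` bytes that follow, which is how a tampered chunk is modelled. */
static size_t put_chunk(uint8_t *out, const char *id, uint32_t declared, const uint8_t *data, size_t actual)
{
    memcpy(out, id, 4); wr32le(out + 4, declared); memcpy(out + 8, data, actual);
    return 8 + actual;
}
static size_t put_riff(uint8_t *out, const uint8_t *body, size_t n)
{
    memcpy(out, "RIFF", 4); wr32le(out + 4, (uint32_t)(4 + n)); memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, body, n);
    return 12 + n;
}
/* A valid ANIHEADER: cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags */
static const uint8_t anih36[ANIH_SIZE] = { 36,0,0,0, 1,0,0,0, 1,0,0,0, 32,0,0,0, 32,0,0,0,
                                           32,0,0,0, 1,0,0,0, 10,0,0,0, 1,0,0,0 };
static const uint8_t rate4[4] = { 10, 0, 0, 0 };

size_t sample_good(uint8_t *out)      /* well-formed: anih + one 4-byte rate entry */
{
    uint8_t body[64]; size_t n = put_chunk(body, "anih", ANIH_SIZE, anih36, ANIH_SIZE);
    n += put_chunk(body + n, "rate", 4, rate4, 4);
    return put_riff(out, body, n);
}
size_t sample_unpadded(uint8_t *out)  /* odd-sized rate chunk with no pad byte: misaligned */
{
    uint8_t body[64]; size_t n = put_chunk(body, "anih", ANIH_SIZE, anih36, ANIH_SIZE);
    n += put_chunk(body + n, "rate", 3, rate4, 3);
    return put_riff(out, body, n);
}
size_t sample_nested(uint8_t *out)    /* anih inside a LIST, size field raised to 460, 36 bytes present */
{
    uint8_t inner[64]; memcpy(inner, "fram", 4);
    size_t m = 4 + put_chunk(inner + 4, "anih", 460, anih36, ANIH_SIZE);
    uint8_t body[64]; size_t n = put_chunk(body, "LIST", (uint32_t)m, inner, m);
    return put_riff(out, body, n);
}
/* Parse one sample in the given mode; returns the status code and fills *st. */
int run_sample(size_t (*make)(uint8_t *), int strict, ani_stats *st)
{
    uint8_t buf[128];
    return ani_parse(buf, make(buf), strict, st);
}

int main(void)
{
    size_t (*samples[])(uint8_t *) = { sample_good, sample_unpadded, sample_nested };
    for (size_t i = 0; i < 3; i++) for (int strict = 0; strict < 2; strict++) {
        ani_stats st; int r = run_sample(samples[i], strict, &st);
        printf("sample %zu %s: status %d, %u chunks, anih size field %u\n",
               i, strict ? "strict" : "loose", r, st.chunks, (unsigned)st.anih_declared);
    }
    return 0;
}
```

In strict mode the unpadded sample fails on the missing pad byte and the nested sample fails because an anih chunk must be exactly sizeof(ANIHEADER); in loose mode both parse, and for the nested file anih_declared records the 460 bytes that a copy trusting the size field would write into a 36-byte structure, which is the kind of fixed-size overwrite Falliere describes. A hardened parser would additionally reject chunk ids it does not recognise, which this example leaves out.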

"Additionally, the ANI file itself did not exhibit a classic malicious structure: it did not contain any shellcode. It simply exploited the vulnerability and overwrote a ~460-byte area in memory. The exploitation was done by a malicious JavaScript code located in the HTML page that referenced the ANI file. Heap-spraying the memory in IE, triggering the vulnerability in ANI: an efficient combination. Though the heap-spraying part is not new, combined with this particular ANI file, it again demonstrates the ability attackers have to invent or find alternate ways to bypass usual detections," Falliere added.