Buffer Overflow Exploit in Microsoft Windows Graphic Rendering Engine

Exploit published on 2011-01-04
Metasploit module (as PoC) added on 2011-01-04
Microsoft Advisory published on 2011-01-04
Microsoft patch published on 2011-02-08

OK, now for a brief overview of this vulnerability.

This vulnerability is credited to Moti & Xu Hao.

From what I read on SecurityFocus, it seems the exploit uses "a .MIC file or an office file" to exploit "shimgvw.dll" when "Windows Explorer" tries to generate "a thumbnail" from the file.

The vulnerable systems are:
  • Windows XP SP3 and x64 SP2
  • Windows Server 2003 32-bit, x64 SP2, and Itanium-based SP2
  • Windows Vista 32-bit and 64-bit, both SP1 and SP2
  • Windows Server 2008 32-bit, 64-bit and Itanium-based, both original and SP2

Testing with Metasploit

use exploit/windows/fileformat/ms11_006_createsizeddibsection

The default filename is "msf.doc".
.doc is one of the MS Office file formats, so it is a convenient choice for an attacker who wants to spread the file.

I'm testing this on XP SP3 with the firewall on, AV on, and without patch KB2483185.
Oh, and I'm using just MS Word Viewer.

After creating the file, I navigated to the folder.

Then, without clicking anything further, msfconsole got a meterpreter session.
The folder view mode must be "Thumbnails", otherwise it does not work.

What actually happens is this: whenever a user opens a folder containing this file, Windows Explorer tries to generate a thumbnail for it.
That's where the exploit comes in. The file carries a negative value in "biClrUsed" (the colour-table-size field of the bitmap header). That causes a stack-based buffer overflow, which can trigger the embedded payload to run.
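As an added, defensive illustration (not code from this post, from Metasploit, or from Microsoft), the script below parses a BITMAPINFOHEADER and flags a "biClrUsed" that is negative when interpreted as a signed 32-bit integer, which is the condition the paragraph above describes, and additionally flags a colour-table size larger than the bit depth allows. The field layout follows the documented 40-byte BITMAPINFOHEADER structure; the two bitmap samples and the "document" blob they are embedded in are constructed here for the demo, and the blob scanner is an assumption about how one might audit files with embedded bitmaps rather than an account of how shimgvw.dll works.

```python
import struct

# 40-byte BITMAPINFOHEADER, little-endian, field order per the Windows SDK:
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
BIH_FORMAT = "<IiiHHIIiiII"
BIH_SIZE = struct.calcsize(BIH_FORMAT)  # 40
BIH_FIELDS = (
    "biSize", "biWidth", "biHeight", "biPlanes", "biBitCount", "biCompression",
    "biSizeImage", "biXPelsPerMeter", "biYPelsPerMeter", "biClrUsed", "biClrImportant",
)
# 14-byte BITMAPFILEHEADER: bfType ('BM'), bfSize, bfReserved1, bfReserved2, bfOffBits
BFH_FORMAT = "<2sIHHI"
BFH_SIZE = struct.calcsize(BFH_FORMAT)  # 14


def parse_bih(data):
    """Unpack a BITMAPINFOHEADER into a dict; raises ValueError if too short."""
    if len(data) < BIH_SIZE:
        raise ValueError("need %d bytes for BITMAPINFOHEADER, got %d" % (BIH_SIZE, len(data)))
    return dict(zip(BIH_FIELDS, struct.unpack(BIH_FORMAT, data[:BIH_SIZE])))


def check_palette(hdr):
    """Return a list of human-readable findings about the colour-table fields.

    An empty list means the header passed both sanity checks."""
    findings = []
    clr_used = hdr["biClrUsed"]
    # The bug class discussed above: the field is treated as a signed 32-bit
    # integer, so any value with the top bit set becomes negative.
    as_signed = clr_used - (1 << 32) if clr_used & 0x80000000 else clr_used
    if as_signed < 0:
        findings.append("biClrUsed=%#x is negative as a signed int32 (%d)" % (clr_used, as_signed))
    bits = hdr["biBitCount"]
    if bits in (1, 4, 8):
        # Palettised images can carry at most 2**biBitCount colour entries.
        max_entries = 1 << bits
        if clr_used > max_entries:
            findings.append("biClrUsed=%d exceeds %d entries allowed for %d bpp"
                            % (clr_used, max_entries, bits))
    return findings


def scan_for_dibs(blob):
    """Find 'BM' file headers in an arbitrary blob and audit the info header
    that follows each one. Returns [(offset, findings), ...]."""
    results = []
    pos = blob.find(b"BM")
    while pos != -1:
        start = pos + BFH_SIZE
        if start + BIH_SIZE <= len(blob):
            hdr = parse_bih(blob[start:start + BIH_SIZE])
            if hdr["biSize"] == BIH_SIZE:  # only accept a well-formed info header
                results.append((pos, check_palette(hdr)))
        pos = blob.find(b"BM", pos + 1)
    return results


def make_bmp(clr_used):
    """Constructed sample: a 1x1, 8-bpp bitmap whose biClrUsed is caller-chosen."""
    info = struct.pack(BIH_FORMAT, BIH_SIZE, 1, 1, 1, 8, 0, 4, 2835, 2835, clr_used, 0)
    pixels = b"\x00\x00\x00\x00"  # one padded 8-bpp row
    off_bits = BFH_SIZE + BIH_SIZE
    file_hdr = struct.pack(BFH_FORMAT, b"BM", off_bits + len(pixels), 0, 0, off_bits)
    return file_hdr + info + pixels


# Constructed test data: a sane header (256 palette entries) and a hostile one
# whose biClrUsed reads as -1 when taken as signed.
SANE_BMP = make_bmp(256)
BAD_BMP = make_bmp(0xFFFFFFFF)
SAMPLE_BLOB = b"constructed document bytes " + SANE_BMP + b" filler " + BAD_BMP


def audit_sample():
    """Run the scanner over the constructed blob (used by the demo and tests)."""
    return scan_for_dibs(SAMPLE_BLOB)


if __name__ == "__main__":
    for offset, findings in audit_sample():
        print("DIB at offset %d: %s" % (offset, findings or "OK"))
```

The signed-value check is the one that matters for the condition described in this post; the bit-depth check catches the same header even on a parser that reads the field as unsigned, since a palettised image can never legitimately need more than 2^biBitCount entries.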

To Fix It:
Microsoft's suggested workarounds are
 - For XP and 2003: restrict the ACL (Access Control List) on the file shimgvw.dll
 - For Vista and 2008: disable the display of thumbnails in Windows Explorer
Or simply apply Windows patch KB2483185; it replaces the affected files (shimgvw.dll, shell32.dll, etc.).

Restart is required after installing patch.

References:
 - Microsoft Windows Graphics Rendering Engine Buffer Overflow
 - Metasploit's ms11_006_createsizeddibsection
 - (original) Metasploit's ms11_xxx_createsizeddibsection
 - Microsoft Advisory
 - Microsoft's patch MS11-006
 - Microsoft Patch KB2483185
 - CVE-2011-3970
