[VulnWatch] Microsoft Windows image rendering DoS vuln

From: Andrew (gluttony@private)
Date: Mon Apr 11 2005 - 13:59:37 PDT


                   Alpha-Pi-Omicron Pi-Alpha-Nu-Tau-Omicron-C?
      Kappa-Alpha-Kappa-Omicron-Delta-Alpha-Iota-Mu-Omicron-Nu-Omicron-C?
   __    ___  __ _____         _       _         
___                       _ _
  / /   /___\/ // _  /   /\  /(_) __ _| |__     / __\___  _   _ _ __   
___(_) |
 / /   //  // / \// /   / /_/ / |/ _` | '_ \   / /  / _ \| | | | '_ \ / 
__| | |
/ /___/ \_// /___/ //\ / __  /| | (_| | | | | / /__| (_) | |_| | | | | 
(__| | |
\____/\___/\____/____/ \/ /_/ |_|\__, |_| |_| \____/\___/ \__,_|_| 
|_|\___|_|_|
                                 
|___/                                         

Overview

There exists a vulnerabilility in the way Microsoft Windows handles the 
rendering
of images. By resizing an image with html properties to an extremely 
large size an
attacker may perform a very quick and effective denial of service attack 
upon a
victim.


I. Description and PoC

Only clients running Internet Explorer, Firefox, or Avant in Windows 2k 
or XP have
been confirmed to be vulnerable. Opera does it's own image rendering and 
is not
ulnerable to this method of attack. The status of Longhorn is not known. 
Other
operating systems, including Mac OS X and Linux are not vulnerable.

You may point your browser to this URL to see a live demonstration of 
this attack:

http://www.livejournal.com/users/deeplolz

This may cause an instant reboot or bluescreen detailing a problem with 
your video
drivers. Other possibilities include an extended period of poor 
performance until
next reboot, a short to medium period of nonfunctionality or a crash of the
browser.


II. Impact

Because this attack can be performed anywhere an img src is allowed, 
there are
many forums including blogs, messageboards, and others which are 
vulnerable. It
is hopeful that Microsoft will release a patch for this attack as soon as
possible.


III. Solution

Until a patch is released you are advised to use the Opera web browser. 
It might
also be possible to write a script for the Firefox "GreaseMonkey" 
extension which
performs a workaround for this attack. Such as setting height and width 
of images
to 5000 pixels if they are currently set to render at over 5000.


Very special shouts: Girlvinyl, Hepkitten, Confkids, and Frienditto 
(Come back!!!
We need you badly, FD!)

Shouts:
LJD, LJ-Zeera, Encyclopedia Dramatica, Lulz News Network, Project 
Mayhem, Amalea,
Wednesday Night Karate Explosion, The Gundanium Alloys Manufacturers 
Association,
Richmond Flash Mob Society, RVA_BS, RVA_FYAD, Brad Fitzpatrick, Mena 
Trott, SALJ,
The International Department of Internet Security, #telconinjas, 
undernet #drugs,
The Kadaitcha Dancers, psychotic vegans, Warren Ellis, and pro-ana 
preteen girls.



This archive was generated by hypermail 2.1.3 : Mon Apr 11 2005 - 15:39:25 PDT