RealSecure Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, Virtual Server Protection for VMware:
This signature detects attempts to specify an invalid ANI header length, which can create an overflow condition that permits remote code execution with SYSTEM privileges.
High
RealSecure Desktop: enz, Proventia Network IPS: XPU 1.42, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: enz, Proventia-G 1.1 and earlier: XPU 23.2, Proventia Network IDS: XPU 23.2, Proventia Desktop: 8.0.614.1, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 1.39, RealSecure Server Sensor: XPU 23.2, RealSecure Network: XPU 23.2, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eof, Virtual Server Protection for VMware: 1.0
Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP: SP1, Microsoft Windows 2003 Server, Microsoft Windows XP: SP2
Unauthorized Access Attempt
Microsoft Windows is vulnerable to an overflow in the USER32.DLL library when processing animated cursor (.ani) files. By creating a specially crafted Windows animated cursor file containing an invalid AnimationHeaderBlock size, a remote attacker could cause an overflow and execute arbitrary code on the system once the file is opened. An attacker could exploit this vulnerability by sending the malicious file to a victim in an HTML email or by hosting it on a Web page.
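The check described above can be run statically on a file before it reaches a vulnerable parser. The following is an added example, not the vendor's signature logic: it walks the RIFF chunks of an animated cursor and reports any "anih" chunk whose declared length is not the 36 bytes of the fixed ANI header structure. The function names and both sample files are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # fixed ANI header: nine 32-bit little-endian fields

def riff_chunks(data, start, end):
    """Yield (chunk_id, declared_size, payload_offset) for chunks in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        cid, size = struct.unpack_from("<4sI", data, pos)
        yield cid, size, pos + 8
        pos += 8 + size + (size & 1)  # RIFF pads each chunk to an even length

def check_ani(data):
    """Return a list of findings; an empty list means no header-length anomaly."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings, seen = [], 0
    for cid, size, off in riff_chunks(data, 12, len(data)):
        if off + size > len(data):
            findings.append(f"{cid!r} chunk at offset {off - 8} runs past end of file")
        if cid == b"anih":
            seen += 1
            if size != ANIH_SIZE:
                findings.append(
                    f"anih at offset {off - 8}: declared length {size}, expected {ANIH_SIZE}")
    if seen == 0:
        findings.append("no anih chunk found")
    return findings

def build_ani(chunks):
    """Assemble a minimal RIFF/ACON container from (id, payload) pairs (sample data only)."""
    body = b"ACON" + b"".join(
        cid + struct.pack("<I", len(p)) + p + b"\0" * (len(p) & 1) for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: a well-formed 36-byte header, and a zero-filled header
# chunk that declares 80 bytes.
GOOD = build_ani([(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1))])
BAD = build_ani([(b"anih", bytes(80))])

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ani(sample) or "ok")
```

Every "anih" chunk in the file is checked, not only the first, and a chunk whose declared length exceeds the remaining file data is reported separately.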
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-002. See References.
For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS05-002, but it was superseded by the patch released with MS05-018. Microsoft is also reporting that MS05-002 has been superseded by the patch released with MS07-017. See References.
For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.
Microsoft originally provided a patch for this vulnerability in MS05-002, but it was superseded by the patch released with MS05-018.
For Windows XP SP1:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-053. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002 and MS05-018, which were then superseded by the patch released with MS05-053.
For Windows NT:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-002. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it has been superseded by the patch released with MS04-011. Microsoft is also reporting that the patch released with MS03-045 has been superseded by the patch released with MS04-032. The patch released with MS03-045 has been superseded by the patch released with MS05-002. See References.
eEye Digital Security Advisory January 11, 2005
Windows ANI File Parsing Buffer Overflow
http://eeye.com/html/research/advisories/AD20050111.html
Microsoft Security Bulletin MS05-002
Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
Packet Storm Web Site
InternetExploiter3.2.zip
http://packetstormsecurity.nl/exploits100.html
Packet Storm Web Site
vanisher.tgz
http://packetstormsecurity.nl/exploits100.html
BugTraq Mailing List, Tue Jan 11 2005 - 12:20:37 CST
EEYE: Windows ANI File Parsing Buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2005-01/0087.html
Avaya Security Advisory ASA-2005-004
Windows Security Updates for December 2004 - (MS05-001 - MS05-003)
http://support.avaya.com/japple/css/japple?PAGE=avaya.css.OpenPage&temp.template.name=SecurityAdvisory
Microsoft Security Bulletin MS05-018
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
http://www.microsoft.com/technet/security/bulletin/MS05-018.mspx
Microsoft Security Bulletin MS05-053
Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
http://www.microsoft.com/technet/Security/bulletin/ms05-053.mspx
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Microsoft Security Bulletin MS04-032
Security Update for Microsoft Windows (840987)
http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx
Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
ISS X-Force
Microsoft Windows USER32.DLL ANI header overflow
http://www.iss.net/security_center/static/18879.php
CVE
CVE-2005-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0416