iPolicy Networks Security Advisory

Microsoft GDI+ .NET API Memory Corruption Vulnerability

Date Discovered: 10/13/2009
Severity: High
Operating Systems Affected: Microsoft Windows 2000 SP4
                            Microsoft Windows XP SP2
                            Microsoft Windows XP SP3
                            Microsoft Windows XP Professional x64 SP2
Application Affected:       Microsoft Internet Explorer
                            Microsoft .NET Framework 1.1 SP1
                            Microsoft .NET Framework 2.0 SP1
                            Microsoft .NET Framework 2.0 SP2
Type: Remote
Identifiers: CVE-2009-2504
Synopsis
Microsoft Windows GDI+ is prone to a memory corruption vulnerability that can allow a malicious Microsoft .NET application to gain unmanaged code execution privileges.
Recommended Actions
Apply the vendor patches as described in Microsoft Security Bulletin MS09-062:
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
Threat Analysis
The vulnerability in GDI+ is exposed through the .NET class System.Drawing.Image. Triggering it requires several specific method calls, so it is very unlikely that an attacker could coerce a legitimate .NET application into reaching the vulnerable code.

The issue lies in the way a malicious .NET application could use this vulnerability to overwrite heap memory and gain arbitrary unmanaged code execution. This provides a way to break out of Code Access Security (CAS) sandboxing.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2504

Write-up by: Aditya Chaturvedi