CVE-2007-0038

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

Severity Score

9.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.

Un desbordamiento de búfer en la región stack de la memoria en el código de cursor animado en Microsoft Windows 2000 SP4 hasta Vista, permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (reinicio persistente) por medio de un valor de gran longitud en el segundo bloque anih (o posterior) de un archivo RIFF .ANI, cur o .ico, lo que resulta en una corrupción de memoria cuando se procesan cursores, cursores animados e iconos, una variante de CVE-2005-0416, como es demostrado originalmente usando Internet Explorer versiones 6 y 7. NOTA: esto podría ser un duplicado de CVE-2007-1765; si es así, entonces CVE-2007-0038 debe ser preferido.

*Credits: N/A

CVSS Scores

NISTv2 9.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2007-01-03 CVE Reserved
2007-03-28 First Exploit
2007-03-30 CVE Published
2024-04-17 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (38)

URL	Tag	Source
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0470.html	Mailing List
http://securityreason.com/securityalert/2542	Third Party Advisory
http://www.kb.cert.org/vuls/id/191609	Third Party Advisory
http://www.osvdb.org/33629	Vdb Entry
http://www.securityfocus.com/archive/1/464269/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/464339/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/464340/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/464342/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/464459/100/100/threaded	Mailing List
http://www.securityfocus.com/archive/1/464460/100/100/threaded	Mailing List
http://www.us-cert.gov/cas/techalerts/TA07-089A.html	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA07-093A.html	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA07-100A.html	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/33301	Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1854	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/3684	2007-04-08
https://www.exploit-db.com/exploits/3647	2007-04-02
https://www.exploit-db.com/exploits/3695	2007-04-09
https://www.exploit-db.com/exploits/3652	2007-04-03
https://www.exploit-db.com/exploits/3617	2007-03-31
https://www.exploit-db.com/exploits/3688	2007-04-08
https://www.exploit-db.com/exploits/3755	2007-04-17
https://www.exploit-db.com/exploits/3804	2007-04-26
https://www.exploit-db.com/exploits/3636	2007-04-01
https://www.exploit-db.com/exploits/3651	2007-04-03
https://www.exploit-db.com/exploits/4045	2007-06-07
https://www.exploit-db.com/exploits/16698	2010-09-20
https://www.exploit-db.com/exploits/3635	2007-04-01
https://www.exploit-db.com/exploits/3634	2007-04-01
https://www.exploit-db.com/exploits/16526	2010-08-12
https://github.com/Axua/CVE-2007-0038	2019-11-29
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb	2007-03-28
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb	2007-03-28

URL	Date	SRC

URL	Date	SRC
http://secunia.com/advisories/24659	2018-10-16
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp	2018-10-16
http://www.securityfocus.com/archive/1/466186/100/200/threaded	2018-10-16
http://www.vupen.com/english/advisories/2007/1215	2018-10-16
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017	2018-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Windows 2000 Search vendor "Microsoft" for product "Windows 2000"				*		sp4		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				gold Search vendor "Microsoft" for product "Windows 2003 Server" and version "gold"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				gold Search vendor "Microsoft" for product "Windows 2003 Server" and version "gold"		itanium		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				gold Search vendor "Microsoft" for product "Windows 2003 Server" and version "gold"		x64		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				sp1 Search vendor "Microsoft" for product "Windows 2003 Server" and version "sp1"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				sp1 Search vendor "Microsoft" for product "Windows 2003 Server" and version "sp1"		itanium		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				sp2 Search vendor "Microsoft" for product "Windows 2003 Server" and version "sp2"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				sp2 Search vendor "Microsoft" for product "Windows 2003 Server" and version "sp2"		itanium		Affected
Microsoft Search vendor "Microsoft"		Windows 2003 Server Search vendor "Microsoft" for product "Windows 2003 Server"				sp2 Search vendor "Microsoft" for product "Windows 2003 Server" and version "sp2"		x64		Affected
Microsoft Search vendor "Microsoft"		Windows Vista Search vendor "Microsoft" for product "Windows Vista"				*		gold		Affected
Microsoft Search vendor "Microsoft"		Windows Vista Search vendor "Microsoft" for product "Windows Vista"				*		gold, x64		Affected
Microsoft Search vendor "Microsoft"		Windows Xp Search vendor "Microsoft" for product "Windows Xp"				*		gold, professional_x64		Affected
Microsoft Search vendor "Microsoft"		Windows Xp Search vendor "Microsoft" for product "Windows Xp"				*		sp2		Affected
Microsoft Search vendor "Microsoft"		Windows Xp Search vendor "Microsoft" for product "Windows Xp"				*		sp2, professional_x64		Affected