A vulnerability in Animated Cursor (.ANI) files has been discovered in Microsoft Windows Vista, NT, 2000, 2003, and XP operating systems. This vulnerability can be exploited by a malicious Webpage or HTML e-mail message and results in remote code execution with the privileges of the logged-in user.1
This exploit is interesting in that it is essentially identical to exploits targeting a vulnerability patched more than two years ago in MS05-002 (January 2005). Microsoft released a fix at that time, but their patch was incomplete. In that patch, Microsoft checked for the length of the first cursor in a file, and refused to process it if the length was wrong. This current exploit simply adds a second (malformed) cursor after the first (well-formed) cursor in the same file. Since current operating systems such as Microsoft Vista inherited this susceptible code, Vista is also vulnerable to this 2-year-old vulnerability.
This vulnerability has already been exploited in several attacks. Cisco® has obtained exploit files, and has confirmed that the Cisco Security Agent is effective in stopping these exploits, using the default security policy configuration. Current supported versions of Cisco Security Agent 4.5.x, 5.0.x, 5.1.x and 5.2.x are all effective in stopping the exploits seen to date.
Details of the Vulnerability
Details of the vulnerability are documented by Microsoft and by the Computer Incident Response Team (CERT)2:
Animated cursors are a feature that allows a series of frames, one after another, to appear at the mouse pointer location instead of a single image, thus producing a short loop of animation. The Animated Cursors feature is designated by the .ani suffix, although Windows Explorer will process ANI files with several different file extensions, such as .ani, .cur, or .ico. A stack buffer overflow vulnerability exists in the way that Microsoft Windows processes malformed animated cursor files; as Windows fails to properly validate the size specified in the ANI header.
An attacker could try to exploit the vulnerability by creating a specially crafted Webpage. An attacker could also create a specially crafted e-mail message and send it to an affected system. Upon viewing a Webpage, previewing or reading a specially crafted message, or opening a specially crafted e-mail attachment, the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.
How Cisco Security Agent Stops the Exploit
Cisco Security Agent default policies contain multiple rules that stop the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:
• Execution of a system function from a buffer, through a buffer overflow
• Modification of system files by a recently downloaded application
• Modification of system files
• Execution a command shell by a network process
• Capture of keystrokes by a windows process
• Code injections
This testing is shown in Figure 1.
Figure 1. Cisco Security Agent Default Configuration Stops the ANI. 0-Day Exploit (Tested on Cisco Security Agent 5.2)
Note: The exploit was tested at Cisco, with the agent in Test mode, which will cause the agent to alert (but not block) malicious behavior. This was done to observe all possible ways that the Cisco Security Agent default policies would stop the exploit. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit: no subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions.
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agents to be effective. In short, this was a true test of "day-zero" protection. This is similar to what Cisco has seen with earlier exploits and worms-the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped via the default security policy settings:
Excel hlink dll
MS RDS ActiveX
MS XML Core Svs
HTTP Dir Traversal
Web server vulnerability
IE Text Range
IE VML BO
This exploit is only the latest example of new and mutating attacks that can seriously affect an organization's computing and network environments. The key to stopping these new attacks is two-fold: the ability to stop the attack without requiring any changes to the default configuration, and multiple rules in the default policies that provide defense in depth.