Vulnerability Name:

CVE-2007-0038 (CCN-33301)

Assigned: 2007-03-28
Published: 2007-03-28
Updated: 2018-10-16
Summary: Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, .cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7.
Note: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
CVSS v3 Severity: 9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.7 High (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access
References:

Source: FULLDISC
Type: UNKNOWN
20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

Source: MITRE
Type: CNA
CVE-2007-0038

Source: CCN
Type: SA24659
Microsoft Windows Animated Cursor Buffer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
24659

Source: SREASON
Type: UNKNOWN
2542

Source: CCN
Type: SECTRACK ID: 1017827
Microsoft Windows Animated Cursor Bug Lets Remote Users Execute Arbitrary Code

Source: CCN
Type: ASA-2007-140
MS07-17 Vulnerabilities in GDI Could Allow Remote Code Execution (925902)

Source: CCN
Type: McAfee Avert Labs Blog, Wednesday March 28, 2007 at 4:44 pm CST
Unpatched Drive-By Exploit Found On The Web

Source: CCN
Type: Determina Security Advisory, March 29, 2007
Vulnerability In Windows Animated Cursor Handling

Source: MISC
Type: Vendor Advisory
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp

Source: CCN
Type: US-CERT VU#191609
Microsoft Windows animated cursor stack buffer overflow

Source: CERT-VN
Type: US Government Resource
VU#191609

Source: CCN
Type: Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling

Source: CCN
Type: Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)

Source: OSVDB
Type: UNKNOWN
33629

Source: CCN
Type: OSVDB ID: 33629
Microsoft IE Animated Cursor (.ani) Handling Arbitrary Command Execution

Source: BUGTRAQ
Type: UNKNOWN
20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

Source: BUGTRAQ
Type: UNKNOWN
20070330 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

Source: BUGTRAQ
Type: UNKNOWN
20070331 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

Source: BUGTRAQ
Type: UNKNOWN
20070331 RE: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038)

Source: BUGTRAQ
Type: UNKNOWN
20070402 More information on ZERT patch for ANI 0day

Source: BUGTRAQ
Type: UNKNOWN
20070402 MS announces out-of-band patch for ANI 0day

Source: HP
Type: UNKNOWN
HPSBST02206

Source: CCN
Type: BID-23194
Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability

Source: CERT
Type: US Government Resource
TA07-089A

Source: CERT
Type: US Government Resource
TA07-093A

Source: CERT
Type: US Government Resource
TA07-100A

Source: VUPEN
Type: Vendor Advisory
ADV-2007-1215

Source: MS
Type: UNKNOWN
MS07-017

Source: XF
Type: UNKNOWN
win-ani-code-execution(33301)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1854

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [03-28-2007]
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [03-28-2007]
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

Vulnerable Configuration:

Configuration 1:
  • cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:gold:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:gold:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:gold:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp1:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp2:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp2:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:gold:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:gold:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:gold:professional_x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:::itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:::x64:*:professional:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:*:sp2:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:*:sp2:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows:server_2003:*:sp2:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_vista:::~~~~x64~:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:org.mitre.oval:def:1854
    Class: V
    Title: Windows Animated Cursor Remote Code Execution Vulnerability
    Last Modified: 2011-05-09
    microsoft windows 2000 * sp4
    microsoft windows 2003 server gold
    microsoft windows 2003 server gold
    microsoft windows 2003 server gold
    microsoft windows 2003 server sp1
    microsoft windows 2003 server sp1
    microsoft windows 2003 server sp2
    microsoft windows 2003 server sp2
    microsoft windows 2003 server sp2
    microsoft windows vista * gold
    microsoft windows vista * gold
    microsoft windows xp * gold
    microsoft windows xp * sp2
    microsoft windows xp * sp2
    microsoft windows 2000 sp4
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003 server
    microsoft windows 2003_server sp1
    microsoft windows xp
    microsoft windows 2003_server sp1_itanium
    microsoft windows vista
    microsoft windows server_2003
    microsoft windows server_2003
    microsoft windows server_2003
    microsoft windows vista
    microsoft windows xp sp2
    microsoft windows 2003 -