ID CVE-2004-1049
Summary Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
CVSS
Base: 5.1 (as of 12-10-2018 - 21:35)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:H/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2011-05-16T04:02:40.130-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
    family windows
    id oval:org.mitre.oval:def:2956
    status accepted
    submitted 2005-01-14T12:00:00.000-04:00
    title LoadImage Cursor and Icon Format Handling Vulnerability (XP)
    version 69
  • accepted 2008-03-24T04:00:26.990-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    definition_extensions
    comment Microsoft Windows NT is installed
    oval oval:org.mitre.oval:def:36
    description Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
    family windows
    id oval:org.mitre.oval:def:3097
    status accepted
    submitted 2005-01-14T12:00:00.000-04:00
    title LoadImage Cursor and Icon Format Handling Vulnerability (Terminal Server)
    version 70
  • accepted 2007-11-13T12:01:12.066-05:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Jeff Cheng
      organization Opsware, Inc.
    description Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
    family windows
    id oval:org.mitre.oval:def:3220
    status accepted
    submitted 2005-01-14T12:00:00.000-04:00
    title LoadImage Cursor and Icon Format Handling Vulnerability (Server 2003)
    version 66
  • accepted 2008-03-24T04:00:28.971-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name John Hoyland
      organization Centennial Software
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    definition_extensions
    comment Microsoft Windows NT is installed
    oval oval:org.mitre.oval:def:36
    description Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
    family windows
    id oval:org.mitre.oval:def:3355
    status accepted
    submitted 2005-01-14T12:00:00.000-04:00
    title LoadImage Cursor and Icon Format Handling Vulnerability (NT 4.0)
    version 71
  • accepted 2011-05-16T04:03:02.877-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
    family windows
    id oval:org.mitre.oval:def:4671
    status accepted
    submitted 2005-01-14T12:00:00.000-04:00
    title LoadImage Cursor and Icon Format Handling Vulnerability (Windows 2000)
    version 71
refmap via4
bid 12095
bugtraq 20041223 Microsoft Windows LoadImage API Integer Buffer overflow
cert TA05-012A
cert-vn VU#625856
ciac P-094
misc http://www.xfocus.net/flashsky/icoExp/index.html
ms MS05-002
osvdb 12623
sectrack 1012684
secunia 13645
xf win-loadimage-bo(18668)
saint via4
bid 12233
description Windows Cursor and Icon handling vulnerability
id win_patch_cursor
osvdb 12842
title windows_cursor_icon
type client
Last major update 12-10-2018 - 21:35
Published 31-12-2004 - 05:00
Back to Top