ID CVE-2013-3906
Summary GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
References
Vulnerable Configurations
  • Microsoft Office 2003 Service Pack 3
    cpe:2.3:a:microsoft:office:2003:sp3
  • Microsoft Office 2007 Service Pack 3
    cpe:2.3:a:microsoft:office:2007:sp3
  • Microsoft Office 2010 Service Pack 1 for 64 bit systems (x64)
    cpe:2.3:a:microsoft:office:2010:sp1:x64
  • Microsoft Office 2010 for x86 (32-bit Systems) Service Pack 1
    cpe:2.3:a:microsoft:office:2010:sp1:x86
  • Microsoft Office 2010 Service Pack 2 for 64 bit systems (x64)
    cpe:2.3:a:microsoft:office:2010:sp2:x64
  • Microsoft Office 2010 Service Pack 2 for 32 bit systems (x86)
    cpe:2.3:a:microsoft:office:2010:sp2:x86
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows Vista Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp2:x64
  • Microsoft Windows Server 2008 Service Pack 2 for Itanium-Based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium
  • Microsoft Windows Server 2008 Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64
  • Windows Server 2008 Service Pack 2 x86
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86
  • Microsoft Lync 2010 Attendee client
    cpe:2.3:a:microsoft:lync:2010:-:attendee
  • Microsoft Lync 2010 for 64-bit systems (x64)
    cpe:2.3:a:microsoft:lync:2010:-:x64
  • Microsoft Lync 2010 for 32-bit systems (x86)
    cpe:2.3:a:microsoft:lync:2010:-:x86
  • Microsoft Lync 2013 for 64-bit systems (x64)
    cpe:2.3:a:microsoft:lync:2013:-:x64
  • Microsoft Lync 2013 for 32-bit systems (x86)
    cpe:2.3:a:microsoft:lync:2013:-:x86
  • Microsoft Lync Basic 2013 for 64-bit systems (x64)
    cpe:2.3:a:microsoft:lync_basic:2013:-:x64
  • Microsoft Lync Basic 2013 for 32-bit systems (x86)
    cpe:2.3:a:microsoft:lync_basic:2013:-:x86
CVSS
Base: 9.3 (as of 01-11-2016 - 12:25)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Microsoft Tagged Image File Format (TIFF) Integer Overflow. CVE-2013-3906. Remote exploit for windows platform
file exploits/windows/remote/30011.rb
id EDB-ID:30011
last seen 2016-02-03
modified 2013-12-03
platform windows
port
published 2013-12-03
reporter metasploit
source https://www.exploit-db.com/download/30011/
title Microsoft Tagged Image File Format TIFF Integer Overflow
type remote
metasploit via4
description This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large value, which ends up being 0, but it still gets pushed as a dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.
id MSF:EXPLOIT/WINDOWS/FILEFORMAT/MSWIN_TIFF_OVERFLOW
last seen 2019-03-27
modified 2017-09-14
published 2013-11-22
reliability Average
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
title MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow
msbulletin via4
bulletin_id MS13-096
bulletin_url
date 2013-12-10T00:00:00
impact Remote Code Execution
knowledgebase_id 2908005
knowledgebase_url
severity Critical
title Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
nessus via4
  • NASL family Windows
    NASL id SMB_KB2896666.NASL
    description The remote host is missing one of the workarounds referenced in KB 2896666. The remote host has a version of the Microsoft Graphics Component installed that is potentially affected by a code execution vulnerability due to the way the application handles specially crafted TIFF images.
    last seen 2017-10-29
    modified 2017-08-30
    plugin id 70773
    published 2013-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70773
    title MS KB2896666: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (deprecated)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS13-096.NASL
    description The version of Microsoft's Graphics Component installed on the remote host is affected by a heap overflow vulnerability. Specially crafted TrueType font files are not processed properly. A remote, unauthenticated attacker could exploit this vulnerability by getting a user to view content that contains malicious TrueType font files, resulting in arbitrary code execution. Note that this issue is currently being exploited by malware in the wild.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 71311
    published 2013-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71311
    title MS13-096: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)
packetstorm via4
data source https://packetstormsecurity.com/files/download/124203/mswin_tiff_overflow.rb.txt
id PACKETSTORM:124203
last seen 2016-12-05
published 2013-11-27
reporter sinn3r
source https://packetstormsecurity.com/files/124203/Microsoft-Tagged-Image-File-Format-TIFF-Integer-Overflow.html
title Microsoft Tagged Image File Format (TIFF) Integer Overflow
refmap via4
confirm
exploit-db 30011
misc http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2
ms MS13-096
the hacker news via4
Last major update 01-11-2016 - 13:45
Published 06-11-2013 - 10:55
Last modified 12-10-2018 - 18:05
Back to Top