MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow

Description

This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large value, which ends up being 0, but it still gets pushed as a dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.

Author(s)

• Unknown
• sinn3r <sinn3r@metasploit.com>

Platform

Windows