Bugtraq mailing list archives

Exploit based on leaked code released.


From: Christopher Carboni <ccarboni () azerty com>
Date: 16 Feb 2004 14:39:17 -0000



From securitytracker  http://www.securitytracker.com/alerts/2004/Feb/1009067.html

Microsoft Internet Explorer Integer Overflow in Processing Bitmap Files Lets Remote Users Execute Arbitrary Code 
 
SecurityTracker Alert ID:  1009067  
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 15 2004 
 
Impact:  Execution of arbitrary code via network, User access via network
 
Exploit Included:  Yes   
 
Version(s): 5 (6 is reportedly not vulnerable) 
 
Description:  A vulnerability was reported in Microsoft Internet Explorer (IE) version 5. A remote user can execute 
arbitrary code on the target system. 

It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an 
integer overflow and execute arbitrary code.

The author states that this flaw was found by reviewing the recently leaked Microsoft Windows source code. The flaw 
reportedly resides in 'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'.

The report indicates that IE 5 is affected but that IE 6 is not affected.

A demonstration exploit is provided in the Source Message [it is Base64 encoded]. 
 
Impact:  A remote user can cause arbitrary code to be executed on the target user's computer when the target user's 
browser loads a specially crafted bitmap file. The code will run with the privileges of the target user.
 
Solution:  No solution was available at the time of this entry.
 
Vendor URL:  www.microsoft.com/technet/security/
 
Cause:  Boundary error 
 
Underlying OS:  Windows (Any)
 
Reported By:  <gta () hush com>
 
Message History:   None. 
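Editor's note, added to this archive entry: the alert above describes an integer overflow triggered by bitmap header fields but reproduces neither the leaked imgbmp.cxx code nor the exploit, so the following is an added illustration, not the IE 5 code or the poster's exploit. It shows the generic pattern behind this bug class in a BMP decoder: the vulnerable 32-bit computation of stride * rows from biWidth, biHeight and biBitCount wraps for a crafted header, so a decoder would allocate a small buffer and then write rows into it, beside a hardened version that validates the fields, computes in 64-bit and caps the allocation. The 54-byte header is constructed here for the demonstration, and MAX_IMAGE_BYTES is an assumed policy cap, not a value from the page.

```c
/*
 * Added illustration of a BMP-size integer overflow (generic pattern, not the
 * leaked imgbmp.cxx code): vulnerable 32-bit size computation vs. a checked one.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-image allocation cap for the hardened path (a policy choice). */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

struct bmp_info {
    int32_t  width;      /* biWidth  (signed in the format) */
    int32_t  height;     /* biHeight (signed; negative = top-down rows) */
    uint16_t bit_count;  /* biBitCount: 1, 4, 8, 16, 24 or 32 */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Pull the dimension fields out of a 14-byte BITMAPFILEHEADER followed by a
 * 40-byte BITMAPINFOHEADER.  Returns 0 on success, -1 on a short or odd buffer. */
int bmp_parse_info(const uint8_t *buf, size_t len, struct bmp_info *out)
{
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;
    const uint8_t *ih = buf + 14;
    if (rd32(ih) < 40) return -1;                   /* biSize */
    out->width     = (int32_t)rd32(ih + 4);
    out->height    = (int32_t)rd32(ih + 8);
    out->bit_count = (uint16_t)(ih[14] | ih[15] << 8);
    return 0;
}

/* Vulnerable pattern: stride * rows in 32-bit arithmetic with no range checks.
 * BMP rows are padded to 4-byte boundaries, hence (bits + 31) / 32 * 4. */
uint32_t bmp_pixel_bytes_unchecked(const struct bmp_info *bi)
{
    uint32_t stride = (((uint32_t)bi->width * bi->bit_count + 31) / 32) * 4;
    uint32_t rows   = bi->height < 0 ? 0u - (uint32_t)bi->height : (uint32_t)bi->height;
    return stride * rows;   /* wraps silently once the product reaches 2^32 */
}

/* Hardened: validate the fields, compute in 64-bit, cap the result.
 * Returns the byte count, or -1 if the header must be rejected. */
int64_t bmp_pixel_bytes_checked(const struct bmp_info *bi)
{
    if (bi->width <= 0 || bi->height == 0 || bi->height == INT32_MIN) return -1;
    switch (bi->bit_count) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return -1;
    }
    uint64_t stride = (((uint64_t)bi->width * bi->bit_count + 31) / 32) * 4;
    uint64_t rows   = (uint64_t)(bi->height < 0 ? -(int64_t)bi->height : bi->height);
    uint64_t total  = stride * rows;    /* stride < 2^34, rows < 2^31: no wrap */
    if (total > MAX_IMAGE_BYTES) return -1;
    return (int64_t)total;
}

/* Constructed test input: a 54-byte header claiming w x h at bpp bits/pixel. */
static void make_header(uint8_t out[54], int32_t w, int32_t h, uint16_t bpp)
{
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, 54);                 /* bfOffBits: pixel data after headers */
    wr32(out + 14, 40);                 /* biSize */
    wr32(out + 18, (uint32_t)w);        /* biWidth */
    wr32(out + 22, (uint32_t)h);        /* biHeight */
    out[26] = 1;                        /* biPlanes = 1 */
    out[28] = bpp & 0xff; out[29] = bpp >> 8;   /* biBitCount */
}

/* Crafted 65537 x 65536 @ 8 bpp: stride 65540, rows 65536, true size
 * 4295229440 bytes.  A naive decoder would malloc() only 262144 bytes
 * and then write every row into it. */
uint32_t crafted_unchecked_size(void)
{
    uint8_t hdr[54]; struct bmp_info bi;
    make_header(hdr, 65537, 65536, 8);
    if (bmp_parse_info(hdr, sizeof hdr, &bi) != 0) return 0;
    return bmp_pixel_bytes_unchecked(&bi);
}

/* The hardened path rejects the same header (-1). */
int64_t crafted_checked_size(void)
{
    uint8_t hdr[54]; struct bmp_info bi;
    make_header(hdr, 65537, 65536, 8);
    if (bmp_parse_info(hdr, sizeof hdr, &bi) != 0) return -2;
    return bmp_pixel_bytes_checked(&bi);
}

int main(void)
{
    printf("unchecked allocation for crafted header: %u bytes\n", crafted_unchecked_size());
    printf("bytes the row loop would then write:     %llu\n",
           (unsigned long long)((uint64_t)65540 * 65536));
    printf("checked result: %lld (negative = rejected)\n", (long long)crafted_checked_size());
    return 0;
}
```

The point to take from the numbers: the crafted header is valid as far as the format is concerned, so a decoder that trusts stride * rows in 32-bit arithmetic allocates 256 KiB and writes 4 GiB, and the only defence is to check the arithmetic before the allocation, not after.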
 

