CVE-2005-0416
Published 2005-04-27
CVE-2005-0416: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to…
Priority P258 · high · 7.5 CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS 45.49% (98.6th percentile)
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | ie | — | — |
| microsoft | internet_explorer | <= 6 | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- Malicious ANI files exploiting CVE-2005-0416/MS05-002 begin with the RIFF/ACON magic bytes (52 49 46 46 ... 41 43 4F 4E) followed by an 'anih' chunk, but contain a crafted oversized header (0x189c total size field) and embedded shellcode/NOP sleds within the first 912 bytes of the file.
- The exploit generates paired .ani and .html files with the same base filename; look for .ani files of exactly 912 bytes containing NOP sleds (0x90 padding) immediately following the RIFF/ACON/anih header.
- The downloader variant (exploit 771) appends a URL string directly after the shellcode blob and terminates with '\x01'; network-level inspection of .ani files should look for embedded HTTP/HTTPS URL strings within the binary payload.
- The portbind port is configurable at exploit build time via the SET_PORTBIND_PORT macro; 7777 is only the example port and real-world attacks may use any port.
- The downloader variant (exploit 771) takes an arbitrary URL as argv[2] and embeds it directly in the shellcode; the download URL is fully attacker-controlled and cannot be predicted from the exploit code alone.
- CVE-2005-0416 may overlap with or be a duplicate of CVE-2007-0038 and CVE-2007-1765 for the later Vista-era variant; detections should cover both the 2005 (MS05-002/CAN-2004-1049) and 2007 ANI handling vulnerabilities.
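The indicators above describe the file structure a detection can key on: the RIFF/ACON container, the 'anih' chunk, its header size field, a NOP sled and an embedded URL. The following script is an added example written for this page; it is not code from any of the sources or exploit authors listed here. It walks the top-level RIFF chunks of an ANI file and reports those indicators, checking every anih block rather than only the first, so the same check also covers the "second (or later) anih block" case described for the 2007 variant. The two sample files are constructed inline (the URL is a placeholder and the filler is inert), the 16-byte NOP threshold is an assumed cut-off, and the 36-byte expected header size is the ANIHEADER structure size from the ANI format.

```python
import re
import struct

# Size of a well-formed ANIHEADER structure (its cbSize field) inside an 'anih' chunk.
ANIH_EXPECTED_SIZE = 36
# File size the indicators above associate with the MS05-002 exploit output.
SUSPICIOUS_FILE_SIZE = 912
NOP_SLED = re.compile(rb"\x90{16,}")            # 16+ consecutive NOPs (assumed threshold)
URL_PATTERN = re.compile(rb"https?://[\x21-\x7e]+")


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """RIFF chunk: fourcc, little-endian length, payload, padded to an even length."""
    out = fourcc + struct.pack("<I", len(payload)) + payload
    return out + (b"\x00" if len(payload) % 2 else b"")


def _riff_acon(body: bytes) -> bytes:
    """Wrap chunks in a RIFF container with the 'ACON' form type used by .ani files."""
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


def build_benign_ani() -> bytes:
    """Constructed sample: a single well-formed 36-byte ANIHEADER (cbSize == 36)."""
    anih = struct.pack("<9I", ANIH_EXPECTED_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
    return _riff_acon(_chunk(b"anih", anih))


def build_suspicious_ani(url: bytes = b"http://example.invalid/payload.bin") -> bytes:
    """Constructed sample mirroring the listed indicators: a 912-byte file whose anih
    size field is 0x189c, followed by a NOP sled and a URL terminated by 0x01.
    The filler is inert 'A' bytes; the URL is a placeholder."""
    payload_len = SUSPICIOUS_FILE_SIZE - 12 - 8         # minus RIFF header and chunk header
    body = struct.pack("<I", 0x189C) + b"\x90" * 64 + url + b"\x01"
    body += b"A" * (payload_len - len(body))
    return _riff_acon(_chunk(b"anih", body))


def inspect_ani(data: bytes) -> dict:
    """Walk the top-level RIFF chunks and collect structural indicators."""
    f = {
        "size": len(data), "riff_acon": False, "anih_chunks": 0,
        "oversized_anih": False, "chunk_overrun": False,
        "bad_cbsize": [], "nop_sled": False, "urls": [],
    }
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return f                                         # not an ANI container at all
    f["riff_acon"] = True
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        length = struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + length > len(data):
            f["chunk_overrun"] = True                    # declared length exceeds the file
        payload = data[pos + 8:pos + 8 + length]
        if fourcc == b"anih":
            f["anih_chunks"] += 1
            if length != ANIH_EXPECTED_SIZE:
                f["oversized_anih"] = True
            if len(payload) >= 4:
                cbsize = struct.unpack_from("<I", payload)[0]
                if cbsize != ANIH_EXPECTED_SIZE:
                    f["bad_cbsize"].append(cbsize)       # every anih block is checked
        pos += 8 + length + (length & 1)                 # chunks are word-aligned
    f["nop_sled"] = NOP_SLED.search(data) is not None
    f["urls"] = URL_PATTERN.findall(data)
    return f


def is_suspicious(f: dict) -> bool:
    """Verdict: any anih size anomaly, or a NOP sled / URL inside a cursor file."""
    return f["riff_acon"] and bool(
        f["oversized_anih"] or f["chunk_overrun"] or f["bad_cbsize"]
        or f["nop_sled"] or f["urls"] or f["size"] == SUSPICIOUS_FILE_SIZE
    )


if __name__ == "__main__":
    for name, sample in (("benign", build_benign_ani()),
                         ("suspicious", build_suspicious_ani())):
        print(name, is_suspicious(inspect_ani(sample)))
```

The walker treats a declared chunk length larger than the remaining file as its own indicator, because a malformed length is exactly the field the parser in the vulnerable code trusted; a file-size match on 912 bytes alone is weak and is only one input to the verdict.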
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
GHSA-m474-8gfh-hw6q · CVE-2005-0416 [HIGH]
ghsa_unreviewed · 2022-05-01
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow.
GHSA
GHSA-p2h6-rq92-jmvq · CVE-2007-0038 [HIGH] · CWE-119
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
GHSA
GHSA-f56g-48jx-gg6q · CVE-2007-1765 [HIGH]
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.
VulnCheck
Microsoft Windows Cursor, Animated Cursor, and Icon Processing Vulnerability · CVE-2007-1765 [HIGH]
vulncheck · 2007 · CVSS 7.5
Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://archive.f-
VulnCheck
Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer · CVE-2007-0038 [HIGH]
vulncheck · 2007 · CVSS 7.5
Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - '.ANI' Downloader (MS05-002) · CVE-2005-0416
exploitdb · 2005-01-24
---
```c
/* Modified by Vertygo aka Ivanm ([email protected]) all credits goes to
houseofdabus Berend-Jan Wever and to milw0rm*/
/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049)
 *
 * .::[ houseofdabus ]::.
 *
 * (universal -- for all affected systems)
 * ---------------------------------------------------------------------
 * Description:
 * A remote code execution vulnerability exists in the way that
 * cursor, animated cursor, and icon formats are handled. An attacker
 * could try to exploit the vulnerability by constructing a malicious
 * cursor or icon file that could potent
```
Exploit-DB
Microsoft Internet Explorer - '.ANI' Universal (MS05-002) · CVE-2005-0416
exploitdb · 2005-01-22
---
```c
/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049)
 *
 * .::[ houseofdabus ]::.
 *
 * (universal -- for all affected systems)
 * ---------------------------------------------------------------------
 * Description:
 * A remote code execution vulnerability exists in the way that
 * cursor, animated cursor, and icon formats are handled. An attacker
 * could try to exploit the vulnerability by constructing a malicious
 * cursor or icon file that could potentially allow remote code
 * execution if a user visited a malicious Web site or viewed a
 * malicious e-mail message. An
```
No writeups or analysis indexed.
References
- http://eeye.com/html/research/advisories/AD20050111.html
- http://marc.info/?l=bugtraq&m=110547079218397&w=2
- http://marc.info/?l=bugtraq&m=110556975827760&w=2
- http://www.securityfocus.com/bid/12233
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-002
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18879
Published: 2005-04-27