CVE-2010-3970
Published 2010-12-22
Priority: P274 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (Exploit-DB / Metasploit entries below)
EPSS: 67.69% (99.2th percentile)
Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Windows Shell graphics processor (aka graphics rendering engine) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao, aka "Windows Shell Graphics Processing Overrun Vulnerability."
Detection & IOCs (extracted from sources)
- The vulnerable code runs only when a folder containing the malicious .MIC or Office document is viewed in 'Thumbnails' view, which makes the shell (explorer.exe) load shimgvw.dll to render the embedded thumbnail bitmap. Opening the document itself is not required.
- The crafted document carries a thumbnail bitmap whose BITMAPINFOHEADER has a negative biClrUsed value (the field is a DWORD, so "negative" means bit 31 is set). Hunt for Office documents or .MIC files whose embedded DIB headers carry such a value.
- The Metasploit module uses SEH-based exploitation with EXITFUNC set to 'seh'; look for structured exception handler overwrites in processes that host shimgvw.dll (e.g. explorer.exe).
- The Metasploit module writes a malicious OLE Compound Document with a crafted SummaryInformation stream; inspect OLE files for anomalous SummaryInformation streams containing oversized thumbnail data.
- The module's ROP chain for the Windows XP SP3 English target uses msacm32.drv (v5.1.2600.0) with return address 0x72d11676; that address on the stack during exception handling is a strong exploit indicator, but it is specific to that target and DLL build, so its absence proves nothing.
- Post-exploitation migration is performed automatically ('migrate -f'); monitor for unexpected process migration immediately after explorer.exe or another thumbnail-rendering process handles Office/MIC files.
- For XP SP3 the SEH frame offset is 1560 bytes and the pivot offset is 1652; a stack buffer of that size being overwritten in shimgvw.dll!CreateSizedDIBSECTION is a reliable crash/exploit signature.
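The following is an added example, not code from this page, from Microsoft, or from the Metasploit module described below. It parses a BITMAPINFOHEADER out of a thumbnail blob and contrasts a signed bound check, which lets a "negative" biClrUsed through, with a hardened unsigned check, then runs the hunting logic from the IOC list over a constructed stream. How CreateSizedDIBSECTION validates the field internally is an assumption here; the advisories only state that a negative biClrUsed leads to a stack-based overflow. The function names and the sample bytes are constructed for this example.

```c
/*
 * Added example; not code from Microsoft, Metasploit or any source cited on
 * this page. It parses a BITMAPINFOHEADER from a thumbnail blob and contrasts
 * a signed bound check, which lets a "negative" biClrUsed through, with a
 * hardened unsigned check. How CreateSizedDIBSECTION validates the field
 * internally is an assumption: the advisories only say that a negative
 * biClrUsed leads to a stack-based overflow. The sample bytes are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIH_SIZE            40u   /* sizeof(BITMAPINFOHEADER) */
#define MAX_PALETTE_ENTRIES 256u  /* RGBQUAD entries an 8-bpp DIB can carry */

typedef struct {
    uint32_t biSize;
    int32_t  biWidth, biHeight;
    uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage;
    int32_t  biXPelsPerMeter, biYPelsPerMeter;
    uint32_t biClrUsed;        /* a DWORD on Windows; "negative" means bit 31 set */
    uint32_t biClrImportant;
} bih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Little-endian parse of the 40-byte header; false if the buffer is too short. */
bool parse_bih(const uint8_t *buf, size_t len, bih_t *h) {
    if (len < BIH_SIZE) return false;
    h->biSize          = rd32(buf);
    h->biWidth         = (int32_t)rd32(buf + 4);
    h->biHeight        = (int32_t)rd32(buf + 8);
    h->biPlanes        = rd16(buf + 12);
    h->biBitCount      = rd16(buf + 14);
    h->biCompression   = rd32(buf + 16);
    h->biSizeImage     = rd32(buf + 20);
    h->biXPelsPerMeter = (int32_t)rd32(buf + 24);
    h->biYPelsPerMeter = (int32_t)rd32(buf + 28);
    h->biClrUsed       = rd32(buf + 32);
    h->biClrImportant  = rd32(buf + 36);
    return h->biSize >= BIH_SIZE;
}

/* Vulnerable pattern (assumed shape of the bug): the palette count is handled
 * as a signed int and only its upper bound is checked, so 0xFFFFFFFF (-1)
 * passes and later drives the copy into a fixed 256-entry stack buffer. */
bool vulnerable_check_accepts(const bih_t *h) {
    int n = (int)h->biClrUsed;
    return n <= (int)MAX_PALETTE_ENTRIES;
}

/* Hardened: compare unsigned and bound by the colours the bit depth can
 * address (at most 256), which also rejects every "negative" value. */
bool hardened_check_accepts(const bih_t *h) {
    uint32_t max = h->biBitCount == 0 ? 0u                       /* BI_JPEG/BI_PNG: no palette */
                 : h->biBitCount <= 8 ? (1u << h->biBitCount)    /* 2, 4, 16 or 256 entries */
                 : MAX_PALETTE_ENTRIES;                          /* optional palette for >8 bpp */
    return h->biClrUsed <= max;
}

/* Hunting helper for the IOC above: walk a blob (e.g. an extracted OLE stream)
 * and count BITMAPINFOHEADER candidates whose biClrUsed has bit 31 set. */
size_t count_negative_clrused(const uint8_t *blob, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i + BIH_SIZE <= len; i++) {
        bih_t h;
        if (rd32(blob + i) != BIH_SIZE) continue;          /* cheap pre-filter on biSize */
        if (!parse_bih(blob + i, len - i, &h) || h.biPlanes != 1) continue;
        if (h.biClrUsed & 0x80000000u) hits++;
    }
    return hits;
}

/* Constructed sample: eight unrelated bytes, then an 8-bpp 16x16 header whose
 * biClrUsed is 0xFFFFFFFF, standing in for a thumbnail stream. */
static const uint8_t sample_stream[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x28, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,
    0x01, 0x00,  0x08, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF,                              /* biClrUsed = -1 */
    0x00, 0x00, 0x00, 0x00,
};

int main(void) {
    bih_t h;
    if (!parse_bih(sample_stream + 8, sizeof sample_stream - 8, &h)) return 1;
    printf("biClrUsed=0x%08x (signed %d) vulnerable_accepts=%d hardened_accepts=%d hits=%zu\n",
           h.biClrUsed, (int32_t)h.biClrUsed, vulnerable_check_accepts(&h),
           hardened_check_accepts(&h),
           count_negative_clrused(sample_stream, sizeof sample_stream));
    return 0;
}
```

The pre-filter on biSize == 40 keeps the scan cheap but will miss headers using the larger V4/V5 variants; for hunting across OLE streams, run the check on the extracted SummaryInformation thumbnail property rather than on raw files, where the 0x28 pattern also appears in unrelated data.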
The Suricata rules below are Emerging Threats signatures for CVE-2007-2854 (BtiTracker account_change.php SQL injection); they do not detect CVE-2010-3970.
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004024; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_nam
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004027; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acc
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004028; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acce
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004032; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004029; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004033; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004034; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004026; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acc
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004030; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004031; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004025; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acc
Suricata
CVE-2007-2854 [HIGH] ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; fast_pattern; content:"style="; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; classtype:web-application-attack; sid:2004023; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02, mitre_tactic_i
Exploit-DB
CVE-2010-3970 Microsoft Windows - CreateSizedDIBSECTION Stack Buffer Overflow (MS11-006) (Metasploit)
exploitdb · 2011-02-08
---
##
# $Id: ms11_006_createsizeddibsection.rb 11730 2011-02-08 23:31:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # ...
      'Name'        => 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
      'Description' => %q{
          This module exploits a stack-based buffer overflow in the handling of thumbnails
          within .MIC files and various Office documents. When processing a thumbnail bitmap
          containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs.
Metasploit
MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the "Thumbnails" view.
References:
- http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx
- http://secunia.com/advisories/42779
- http://www.kb.cert.org/vuls/id/106516
- http://www.metasploit.com/redmine/projects/framework/repository/revisions/11466/entry/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
- http://www.powerofcommunity.net/speaker.html
- http://www.securityfocus.com/bid/45662
- http://www.securitytracker.com/id?1024932
- http://www.vupen.com/english/advisories/2011/0018
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-006
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11671
Published: 2010-12-22