CVE-2010-3970
published 2010-12-22


Priority: P274 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 67.69% (99.2nd percentile)
Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Windows Shell graphics processor (aka graphics rendering engine) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao, aka "Windows Shell Graphics Processing Overrun Vulnerability."

Detection & IOCs (extracted from sources)

  • path: shimgvw.dll
  • other: 0x72d11676
  • other: msacm32.drv v5.1.2600.0
  • other: 0x75022ac4
  • other: \x05SummaryInformation
  • The vulnerability is triggered only when a folder containing the malicious .MIC or Office document is viewed in 'Thumbnails' view, causing shimgvw.dll to process the crafted thumbnail bitmap.
  • The crafted document contains a thumbnail bitmap with a negative biClrUsed value; hunt for Office documents or .MIC files with anomalous negative biClrUsed fields in embedded DIB headers.
  • The exploit uses SEH-based exploitation with EXITFUNC set to 'seh'; look for structured exception handler overwrites in processes hosting shimgvw.dll (e.g., explorer.exe).
  • The Metasploit module writes a malicious OLE Compound Document with a crafted SummaryInformation stream; inspect OLE files for anomalous SummaryInformation streams containing oversized thumbnail data.
  • ROP chain targets msacm32.drv (v5.1.2600.0) on Windows XP SP3 English at RVA 0x72d11676; presence of this return address on the stack during exception handling is a strong exploit indicator.
  • Post-exploitation migration is performed automatically via 'migrate -f'; monitor for unexpected process migration activity immediately after explorer.exe or thumbnail-rendering processes handle Office/MIC files.
  • SEH frame offset for XP SP3 is 1560 bytes and pivot offset is 1652; a stack buffer of this size being overwritten in shimgvw.dll!CreateSizedDIBSECTION is a reliable crash/exploit signature.
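As an added example (not code from the page's sources or from any tool it names), the following scanner walks an arbitrary byte blob, such as an OLE stream extracted from an Office document, looks for embedded BITMAPINFOHEADERs, and flags the negative biClrUsed condition described above. The sample headers are constructed here; the palette-size check is an extra heuristic beyond the page's own indicator.

```python
import struct

# Classic BITMAPINFOHEADER (40 bytes, little-endian). biClrUsed is unpacked as a
# SIGNED 32-bit value on purpose, mirroring how the vulnerable code treated it,
# so a crafted "negative" palette count shows up directly as < 0.
DIB_FMT = "<IiiHHIIiiiI"
DIB_SIZE = struct.calcsize(DIB_FMT)  # 40
DIB_FIELDS = ("biSize", "biWidth", "biHeight", "biPlanes", "biBitCount",
              "biCompression", "biSizeImage", "biXPelsPerMeter",
              "biYPelsPerMeter", "biClrUsed", "biClrImportant")
VALID_BITCOUNTS = {1, 4, 8, 16, 24, 32}

def parse_dib_header(data, offset=0):
    """Return the BITMAPINFOHEADER fields at data[offset:], or None if none is there."""
    if len(data) - offset < DIB_SIZE:
        return None
    hdr = dict(zip(DIB_FIELDS, struct.unpack_from(DIB_FMT, data, offset)))
    # Plausibility filter so random 0x28 bytes are not reported as headers.
    if (hdr["biSize"] != DIB_SIZE or hdr["biPlanes"] != 1
            or hdr["biBitCount"] not in VALID_BITCOUNTS):
        return None
    return hdr

def check_dib_header(hdr):
    """Flag palette fields a thumbnail renderer should never see."""
    findings = []
    if hdr["biClrUsed"] < 0:
        findings.append("negative biClrUsed (CVE-2010-3970 trigger condition)")
    elif hdr["biBitCount"] <= 8 and hdr["biClrUsed"] > (1 << hdr["biBitCount"]):
        findings.append("biClrUsed exceeds palette size for biBitCount")  # extra heuristic
    return findings

def scan_for_dib_headers(blob):
    """Find every plausible embedded DIB header; return [(offset, findings), ...]."""
    results = []
    pos = blob.find(b"\x28\x00\x00\x00")  # biSize == 40 as little-endian bytes
    while pos != -1:
        hdr = parse_dib_header(blob, pos)
        if hdr is not None:
            results.append((pos, check_dib_header(hdr)))
        pos = blob.find(b"\x28\x00\x00\x00", pos + 1)
    return results

def make_dib_header(width, height, bitcount, clr_used):
    """Constructed sample header (not taken from any real file)."""
    return struct.pack(DIB_FMT, DIB_SIZE, width, height, 1, bitcount, 0, 0,
                       2835, 2835, clr_used, 0)

# Constructed samples: a normal 8-bit thumbnail header, and one with biClrUsed = -1.
BENIGN = b"junk" * 3 + make_dib_header(96, 96, 8, 256)
CRAFTED = b"\x00" * 16 + make_dib_header(96, 96, 8, -1)
```

Run it over each stream of a suspect OLE file; a non-empty findings list at any offset is the hunting signal from the bullet above.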