One of the chunks in an ANI file is the anih chunk, which contains a 36-byte animation header structure. The buffer overflow fixed in. MS05-002 was in the LoadCursorIconFromFileMap function. The vulnerable code did not validate the length of the anih chunk before reading the. Microsoft fixed a closely related vulnerability with the MS05-002 security update, but their fix was incomplete. Determina Security Research was able to bypass the MS05-002 patch and develop a proof-of-concept exploit that works on fully-patched Windows systems. Determina Security Research. The original article can be found at: m/ml Free Website Security Scan Free Fuzzer Report Vulnerability Assessment. Detect web app vulnerabilities University study comparing the top Accurate and automated scanning. Get guidance from professionals. Reading the second anih chunk with the ReadChunk function will result in a classic buffer overflow, overwriting the return address of LoadAniChunk and allowing the attacker to take control of the code execution. Exploitation: The exploitation of this vulnerability is interesting in light of the. In addition to the missing /GS check, the vulnerable code in USER 32.DLL is wrapped in an exception handler that can recover from access violations. If the exploit is unsuccessful, for example due to the Vista ASLR, the process will not terminate and the attacker. This gives the attacker an easy way to bypass the ASLR protection and increase the reliability of the exploit. Solution: The call to ReadChunk in the LoadAniIcon function should be preceeded by a check similar to the one introduced in MS05-002: if (ze! The vulnerable code is present in all versions of Windows up to and including Windows Vista. All applications that use the standard Windows API for loading cursors and icons are affected. This includes Windows Explorer, Internet Explorer, Mozilla Firefox, Outlook and others.