TROJAN: MS04-028-Vector r_admin Server Remote Start

This signature detects responses from a host infected with a Trojan installed as part of the Microsoft GDI+ Library JPEG overflow exploit. A response from an infected host indicates that the r_admin server has started. A successful attack can exploit the vulnerability to create a denial-of-service (DoS) condition or execute arbitrary code with the privileges of the user.

Extended Description

The Microsoft GDI+ (Graphics Device Interface) JPEG handler is reported prone to an integer underflow vulnerability when handling JPEG format images. This issue presents itself due to a lack of sufficient sanity checks performed on certain JPEG data before this data is employed as a bounds value for a memory copy operation. A specially crafted JPEG image may trigger this vulnerability and result in the execution of arbitrary attacker-supplied code. Code execution would occur in the context of the user who is running the vulnerable software. **Update: This issue is similar in nature to BID 1503, discovered by Solar Designer.** An exploit that opens a command shell on the local vulnerable system as soon as the image is viewed has been released. Symantec has confirmed that this exploit code is functional. It is important to note that this exploit could potentially be modified to execute other code on the system. Administrators should remain vigilant and patch all vulnerable systems.

Affected Products

Avaya s3400_message_application_server, Microsoft outlook_2002

Short Name
TROJAN:MS-04-028:R-ADMIN-START
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
TROJAN
Keywords
CVE-2004-0200 MS04-028-Vector Remote Server Start bid:11173 r_admin
Release Date
09/30/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3339
Port
TCP/55000
False Positive
Unknown
Vendors

Business_objects

Microsoft

Avaya

CVSS Score

9.3
