Signature Detail

HTTP: Microsoft DirectX RLE Compressed Targa Image File Heap Overflow

This signature detects attempts to exploit a known buffer overflow vulnerability in Microsoft DirectX application framework. It is due to the way certain DirectX libraries handle specially crafted Targa (TGA) image files that are compressed using the Run-Length Encoding (RLE) method. A remote attacker can exploit this by persuading a user to open a specially crafted TGA file, potentially causing arbitrary code to be injected and executed in the security context of the logged in user. In a successful code injection attack, the behavior of the target is entirely dependent on the intended function of the injected code. It executes within the security context of the current user. In an unsuccessful code injection attack, the application using the affected application terminates immediately.

Extended Description

A heap-based buffer-overflow vulnerability occurs in the Microsoft Windows DirectX component. This issue is related to the processing of compressed Targa image files. The specific vulnerability occurs because of the way these files are opened. A successful exploit will permit attackers to execute arbitrary code in the context of the user who opens a malicious RLE Targa image file. An attacker can exploit this issue through any means that will allow the attacker to deliver a malicious Targa file to a victim user. In web-based attack scenarios, exploits could occur automatically if the malicious page can cause the file to be loaded automatically by Windows Media Player. Other attack vectors such as email or instant messaging may require the victim user to manually open the malicious Targa file.

Affected Products

• Microsoft DirectX End User Runtimes February 2006
• Microsoft DirectX SDK February 2006

References

• BugTraq: 24963
• CVE: CVE-2006-4183