Exploit:Win32/Anogre.A

Exploit:Win32/Anogre is a specially-crafted TrueType font file which exploits vulnerability in the Win32k.sys.

The Win32k.sys file is the Windows kernel mode driver, which, among other functions, is responsible for TrueType Fonts rendering in ring 0.

If you visit a website containing the malicious code while using a vulnerable version of Windows, an attempt to load Exploit:Win32/Anogre will be made.

The following versions of Windows are vulnerable to this exploit:

• Windows XP Service Pack 3
• Windows XP Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2  for Itanium-based Systems
• Windows Vista Service Pack 2
• Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

If you have automatic updating enabled, you will not need to take any action because this security update will be downloaded and installed automatically. If you have not enabled automatic updating, you will need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

Make sure that you install all available updates from the vendor in order to avoid this exploit. You can read more about this vulnerability and download software updates from these links:

• CVE-2011-3402
• Microsoft Security Advisory (2639658)

What is an exploit?

Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called Common Vulnerabilities and Exposures (CVE) gives each vulnerability a unique number, in this case "CVE-2011-3402". 

You can find more information on the CVE website or on our page about exploits.

Payload

Grants an attacker full administrative privileges

If the exploit is successful, an attacker may be able to perform the following actions on your computer:

• Install programs
• View, change, or delete data
• Create new accounts

Additional technical details

Exploit:Win32/Anogre takes advantage of the glyph bitmap information embedded in to the TrueType font file.

The glyph bitmap information is encoded by the means of three tables: embedded bitmap locators (EBLC), embedded bitmap data (EBDT), and embedded bitmap scaling information (EBSC). For the vulnerability to work, all three tables are manipulated.

The vulnerability is caused when a Windows kernel mode driver does not perform proper validation when writing into a buffer. Such a font file could be embedded to a malicious webpage or any other file formats.

Once such a file is opened on the targeted computer, it is parsed by the Win32k.sys kernel mode driver; if the driver is vulnerable to the attack, it could allow an attacker (who successfully exploited this vulnerability) to run arbitrary code in kernel mode.

An attacker could then do the following on your computer:

• Install programs
• View, change, or delete data
• Create new accounts

This particular version of the exploit is distributed inside a TrueType font file format 4198 bytes long version 1.102. The most prevalent file names containing the vulnerable TrueType font, which could be found in the browser’s cache folder are:

• affection.htm
• BISCUIT.DISABILITY.htm
• INTOXICATE_INCREASING.htm
• MILITANT.htm
• mix.htm
• PRINTING.htm
• Syllable.htm
• terrify.provider.htm
• Trader.htm
• winning-content.htm

Analysis by Oleg Petrovsky