Rule: -- Sid: 3130 -- Summary: This alert is generated when a malicious PNG file is sent to an MSN Messenger client. Vulnerable clients which receive such a file are vulnerable to remote code execution attacks. -- Impact: Arbitrary code may be executed in the context of the user running MSN Messenger. Their messenger client may or may not crash, depending upon the way the PNG file is written. -- Detailed Information: This vulnerability is due to a buffer overflow in the processing of tRNS chunks of PNG files. In order to trigger the overflow, the color type field of the IHDR chunk must be set to 0x03, and the length of the tRNS chunk must be greater than 256. -- Affected Systems: MSN Messenger 6.1 MSN Messenger 6.2 -- Attack Scenarios: An attacker may send a malicious PNG through a direct file transfer, as a thumbnail for a file transfer, as a custom emoticon, or by setting their buddy icon to be the malicious PNG. In all cases, the PNG is sent via an MSN file transfer. -- Ease of Attack: Very simple. Example PNGs with shellcode are available on the web, and attacking via all but the file transfer thumbnail vector is accomplished with simple, everyday MSN Messenger tasks. -- False Positives: None Known. -- False Negatives: Thumbnails of image transfers are sent in an encoded format. As a result, they cannot be detected. However, making the thumbnail contain malicious data is exponentially more difficult than any of the other attack vectors, as an attacker cannot manually specify the thumbnail to be sent. -- Corrective Action: Apply the appropriate vendor supplied patch. -- Contributors: Sourcefire Research Team Alex Kirk <alex.kirk@sourcefire.com> -- Additional References: --