Check Point Advisories

Microsoft Windows LoadImage API Function Integer Overflow (CVE-2004-1049)

Check Point Reference: CPAI-2004-210
Date Published: 28 Oct 2009
Severity: Medium
Last Updated: 28 Dec 2016
Industry Reference:CVE-2004-1049
Protection Provided by:

Security Gateway
R80, R77, R76, R75

Who is Vulnerable? Microsoft Windows 2000 All Versions
Microsoft Windows NT 4
Microsoft Windows NT 4 Terminal Server Edition
Microsoft Windows Server 2003
Microsoft Windows 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows Windows 98
Microsoft Windows Windows ME
Microsoft Windows XP
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP SP1
Vulnerability Description In terms of Microsoft Windows technology, a resource is binary data that can be added to the executable file of a Windows-based application. Graphical images such as icons, cursors and bitmaps are example of standard resources. Windows-based applications support loading and rendering of graphical resources through a set of Application Programming Interface (API) functions.A vulnerability exists in the way Microsoft Windows handles certain image files. The LoadImage API fails to properly validate the image size leading to an integer overflow. This flaw may be exploited by a malicious user to overflow heap memory, potentially leading to arbitrary code execution on the target machine.In a simple exploit attempt, an attack can create a memory access violation in the application which invokes the vulnerable API function. This will terminate the application, creating a denial of service condition.In a more sophisticated attack case, involving code execution, the process flow will be diverted. In such a case, the behaviour of the target is dependent on the attacker's malicious intentions.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75

  1. In the IPS tab, click Protections and find the Microsoft Windows LoadImage API Function Integer Overflow protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Content Protection Violation
Attack Information:  Microsoft Windows LoadImage API function integer overflow

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO