Microsoft Windows Fax Cover Page Editor Double Free Memory Corruption Vulnerability

Added: 02/14/2011
CVE: CVE-2010-4701
BID: 45942

Background

The Microsoft Windows Fax Service allows a Windows system to act as a fax server. One of the tools within the Windows Fax Service suite is the Fax Cover Page Editor (fxscover.exe), which allows users to create their own customized cover pages, instead of using the default templates (.cov files) provided.

Problem

The file format for custom cover pages includes the CDrawText object, which describes a series of text elements. A text element may contain a XREF field that is used as an index into an array. An invalid value in the XREF field can result in an attempt to free memory structures that have already been freed, which with careful heap spraying could lead to code execution.

Resolution

Apply a patch when Microsoft releases it.

References

http://secunia.com/advisories/42747/

Limitations

Exploit works on Microsoft Cover Page Editor 5.1.

The Fax Services component must be installed for the system to be vulnerable.

The user must open the exploit file in the affected application.

Platforms

Windows

Back to exploit index