MsMpEng: UIF decoder will spin forever processing sparse blocks
Project Member Reported by taviso@google.com, May 1 2017
The UIF (Universal Image Format) is a proprietary file format used by the old shareware utility MagicISO. Microsoft have a dedicated unpacker for UIF that runs as SYSTEM on all filesystem activity (!?!).
The UIF format has an index structure at a fixed offset from the end of the file, with a pointer to contiguous block descriptions that describe how to reconstruct the output from data scattered throughout the file. I noticed that UIF has a "sparse" block type that just outputs chunks of nuls. Microsoft write them out like this:
while (write(TempFile, Buffer, SectorSize) == SectorSize)
    BytesWritten += SectorSize;
All of these parameters are read from the file, so you can make it spin creating this sparse data for as long as you want. This means you can make a file that takes as long as you want to scan, wasting as many cores as you want and you have to reboot to fix it.
A testcase and the C code I used to generate it is attached. I called it .gif, but I don't think file extension is relevant to this attack.
I'm filing this with low priority, but I suppose you could DoS a ForeFront, IIS, or Exchange server with it quite effectively, I don't know.
// Compile:
// $ gcc -o uifspin uifspin.c -lz
//
// Usage:
// $ ./uifspin > testcase.txt
//
// (Or, you can provide a template file, and it will append a testcase to it)
//
// $ ./uifspin template.gif > testcase.gif
// $ file testcase.gif
// testcase.gif: GIF image data, version 89a, 400 x 300
//
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
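As an added example (not the attached uifspin.c and not Microsoft's decoder), this is the defender-side fix for the write loop quoted above: a bounded sparse-block expander that validates the attacker-controlled sector size and count against the declared output size and a hard ceiling before it writes anything, and stops on short writes. The struct layout, declared_image_size and MAX_DECODED_BYTES are assumptions for illustration, not the real UIF structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder state: both fields come straight from the untrusted
 * UIF block descriptions, so they must be treated as attacker data. */
struct sparse_block {
    uint64_t sector_size;   /* bytes of nuls per write */
    uint64_t sector_count;  /* number of sectors to write */
};

/* Hard ceiling on what one decoded image may expand to (assumed policy value). */
#define MAX_DECODED_BYTES (256ULL * 1024 * 1024)

/* Returns how many nul bytes this block may emit, or -1 if the block is
 * malformed, overflows, or would push the output past the declared image
 * size or the ceiling. Everything here is checked before any I/O happens. */
long long sparse_block_budget(const struct sparse_block *b,
                              uint64_t declared_image_size,
                              uint64_t bytes_written_so_far)
{
    if (b->sector_size == 0 || b->sector_count == 0)
        return -1;
    if (b->sector_count > UINT64_MAX / b->sector_size)  /* overflow-safe multiply */
        return -1;
    uint64_t want  = b->sector_size * b->sector_count;
    uint64_t limit = declared_image_size < MAX_DECODED_BYTES
                   ? declared_image_size : MAX_DECODED_BYTES;
    if (bytes_written_so_far > limit || want > limit - bytes_written_so_far)
        return -1;
    return (long long)want;  /* want <= limit <= MAX_DECODED_BYTES, so it fits */
}

/* Bounded replacement for the reported loop: writes exactly the budgeted
 * number of nul bytes in fixed chunks. Returns bytes written, or -1 on a
 * rejected block or a short write. It can never loop on file-controlled values. */
long long write_sparse_bounded(FILE *out, const struct sparse_block *b,
                               uint64_t declared_image_size,
                               uint64_t bytes_written_so_far)
{
    long long budget = sparse_block_budget(b, declared_image_size, bytes_written_so_far);
    if (budget < 0)
        return -1;
    static const unsigned char zeros[4096];  /* zero-initialised nul buffer */
    uint64_t left = (uint64_t)budget, done = 0;
    while (left > 0) {
        size_t chunk = left < sizeof zeros ? (size_t)left : sizeof zeros;
        if (fwrite(zeros, 1, chunk, out) != chunk)
            return -1;
        left -= chunk;
        done += chunk;
    }
    return (long long)done;
}
```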
Project Member Comment 1 by taviso@google.com, May 1 2017, May 9 2017
Update today, looks like they fixed this minor issue at the same time as issue 1252.

---------------
Hey Tavis, I just wanted to let you know that this issue (GPZ 1248) was classified and fixed as a defense-in-depth release which was bundled with the RCE vulnerability fix for Windows Defender last night. Thank you for reporting both issues to us, and I look forward to working with you again on future cases.
---------------