| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Feb 2004 09:08:25 -0800 From: Tim <tim-security@...tinelchicken.org> To: sunglasses@...-watch.com Cc: bugtraq@...urityfocus.com Subject: Re: Windows XP explorer.exe heap overflow. This is very similar (though perhaps different) than the DoS found by Marc Ruef: http://seclists.org/lists/fulldisclosure/2003/Sep/0047.html and later analyzed: http://seclists.org/lists/fulldisclosure/2003/Sep/0078.html http://seclists.org/lists/fulldisclosure/2003/Sep/0080.html This older find boiled down to an overflow in parsing gif images that, AFAIK, M$ refused to patch, or decided to patch silently (Ask Marc, he would know for sure). It also would cause explorer.exe to crash intermittently when the gif was previewed. I am curious to know if these are related or not. Any comments on that Jellytop? (I have a sample of the gif if you want to test.) tim On Fri, Feb 20, 2004 at 06:45:39PM -0000, sunglasses@...-watch.com wrote: > > > Vulnerability in XP explorer.exe image loading > ---------------------------------------------- > > Systems affected: > Current XP - others not tested. > > Degree: > Arbitrary code execution. > > Summary > ------- > A malformed .emf (Enhanced Metafile, a graphics format) file can cause > an exploitable heap overflow in (or near) shimgvw.dll. > > Details > ------- > The image preview code that explorer uses has an exploitable buffer overflow. > > An .emf file with a "total size" field set to less than the header > size will causes explorer.exe to crash in the heap routines - in classic > heap overflow style that should be exploitable a la the RPC exploits. > > There are two overflows here: > > 1. A buffer is allocated with the size indicated in the header (no > validity checks), then the header is copied into it - if the size is > less than the header size, that's one overflow. > > 2. They then proceed to read the rest of the file to a length of > (size-headersize), which allows for an integer overflow causing the rest > of the file to be appended to the already blown buffer. > > Exploit > ------- > To exploit this flaw (in explorer), simply place a malformed (invalid > "size" field) .emf file > in any directory, open explorer to that path, and view as Thumbnails. > Bang. In it's simplest > form it's a DOS - it affects all explorer windows, including File Open > dialogs for many programs. > > Alternatively, without viewing as a Thumbnail, open the picture > preview window for the .emf file. (It's the default double-click > action). Using this trigger causes a different crash point, which may > not be exploitable, but I wouldn't rule it out. > > Additional notes > ---------------- > It may be worth checking out similar issues in .wmf files, as they are > similar. > > > - Jellytop, 2004 > > "If a man will begin with certainties, he shall end in doubts; but if > he will be content to > begin with doubts he shall end in certainties."
Powered by blists - more mailing lists