lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 20 Feb 2004 18:45:39 -0000
From: <sunglasses@...-watch.com>
To: bugtraq@...urityfocus.com
Subject: Windows XP explorer.exe heap overflow.




Vulnerability in XP explorer.exe image loading
----------------------------------------------

Systems affected: 
  Current XP - others not tested.

Degree: 
  Arbitrary code execution.

Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.

Details
-------
The image preview code that explorer uses has an exploitable buffer overflow.

An .emf file with a "total size" field set to less than the header size will causes explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.

There are two overflows here:

1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.

2. They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.

Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid "size" field) .emf file 
in any directory, open explorer to that path, and view as Thumbnails. Bang. In it's simplest 
form it's a DOS - it affects all explorer windows, including File Open dialogs for many programs.

Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.

Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are similar.


- Jellytop, 2004 

"If a man will begin with certainties, he shall end in doubts; but if he will be content to 
begin with doubts he shall end in certainties."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ