lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040223213107.55252.qmail@web41503.mail.yahoo.com>
Date: Mon, 23 Feb 2004 13:31:07 -0800 (PST)
From: Chris Calabrese <chris_calabrese@...oo.com>
To: sunglasses@...-watch.com, bugtraq@...urityfocus.com
Subject: Re: Windows XP explorer.exe heap overflow.


This could actually be much worse since it looks like Internet Explorer
and Outlook will happily display WMF files with no questions asked.

Has anyone crafted a test WMF file we can use to check whether this
could be exploited via an email worm through Outlook?

On 2/20/2004 1:45 PM, sunglasses@...-watch.com wrote:
>
>Vulnerability in XP explorer.exe image loading
>
>----------------------------------------------
>
>
>
>Systems affected: 
>
>  Current XP - others not tested.
>
>
>
>Degree: 
>
>  Arbitrary code execution.
>
>
>
>Summary
>
>-------
>
>A malformed .emf (Enhanced Metafile, a graphics format) file can cause
an exploitable heap overflow in (or near) shimgvw.dll.
>
>
>
>Details
>
>-------
>
>The image preview code that explorer uses has an exploitable buffer
overflow.
>
>
>
>An .emf file with a "total size" field set to less than the header
size will causes explorer.exe to crash in the heap routines - in
classic heap overflow style that should be exploitable a la the RPC
exploits.
>
>
>
>There are two overflows here:
>
>
>
>1. A buffer is allocated with the size indicated in the header (no
validity checks), then the header is copied into it - if the size is
less than the header size, that's one overflow.
>
>
>
>2. They then proceed to read the rest of the file to a length of
(size-headersize), which allows for an integer overflow causing the
rest of the file to be appended to the already blown buffer.
>
>
>
>Exploit
>
>-------
>
>To exploit this flaw (in explorer), simply place a malformed (invalid
"size" field) .emf file 
>
>in any directory, open explorer to that path, and view as Thumbnails.
Bang. In it's simplest 
>
>form it's a DOS - it affects all explorer windows, including File Open
dialogs for many programs.
>
>
>
>Alternatively, without viewing as a Thumbnail, open the picture
preview window for the .emf file. (It's the default double-click
action). Using this trigger causes a different crash point, which may
not be exploitable, but I wouldn't rule it out.
>
>
>
>Additional notes
>
>----------------
>
>It may be worth checking out similar issues in .wmf files, as they are
similar.
>
>
>
>
>
>- Jellytop, 2004 
>
>
>
>"If a man will begin with certainties, he shall end in doubts; but if
he will be content to 
>
>begin with doubts he shall end in certainties."
>


__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ