[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <45FCD7CD775DD411B4C100508B691BBB08F55CC8@WARE-MAIL>
Date: Tue, 24 Feb 2004 17:42:22 +0200
From: Evgeny Pinchuk <EvgenyP@...ware.com>
To: "'sunglasses@...-watch.com'" <sunglasses@...-watch.com>,
bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: RE: Windows XP explorer.exe heap overflow.
Hi,
I modified a WMF file at offset 24 (0x18h) which is the header size and
could not recreate the bug.
The header size of WMF file is always 9 and modifying it results only an
error message that the file couldn't be shown.
Some info on WMF files:
Format:
-Placeable Meta Header - (22 bytes)
-Standard Meta Header - (18 bytes)
-Standart Metafile Record1 -
...
-Standart Metafile RecordN -
Structures:
typedef struct _PlaceableMetaHeader
{
DWORD Key; /* Magic number (always 9AC6CDD7h) */
WORD Handle; /* Metafile HANDLE number (always 0) */
SHORT Left; /* Left coordinate in metafile units */
SHORT Top; /* Top coordinate in metafile units */
SHORT Right; /* Right coordinate in metafile units */
SHORT Bottom; /* Bottom coordinate in metafile units */
WORD Inch; /* Number of metafile units per inch */
DWORD Reserved; /* Reserved (always 0) */
WORD Checksum; /* Checksum value for previous 10 WORDs */
} PLACEABLEMETAHEADER;
typedef struct _WindowsMetaHeader
{
WORD FileType; /* Type of metafile (0=memory, 1=disk) */
WORD HeaderSize; /* Size of header in WORDS (always 9) */
WORD Version; /* Version of Microsoft Windows used */
DWORD FileSize; /* Total size of the metafile in WORDs */
WORD NumOfObjects; /* Number of objects in the file */
DWORD MaxRecordSize; /* The size of largest record in WORDs */
WORD NumOfParams; /* Not Used (always 0) */
} WMFHEAD;
More information about WMF files can be found at
http://www.whisqu.se/per/docs/wmf.htm
Evgeny.
> -----Original Message-----
> From: sunglasses@...-watch.com [mailto:sunglasses@...-watch.com]
> Sent: Friday, February 20, 2004 8:46 PM
> To: bugtraq@...urityfocus.com
> Subject: Windows XP explorer.exe heap overflow.
>
>
>
> Vulnerability in XP explorer.exe image loading
> ----------------------------------------------
>
> Systems affected:
> Current XP - others not tested.
>
> Degree:
> Arbitrary code execution.
>
> Summary
> -------
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
> exploitable heap overflow in (or near) shimgvw.dll.
>
> Details
> -------
> The image preview code that explorer uses has an exploitable buffer
> overflow.
>
> An .emf file with a "total size" field set to less than the header size
> will causes explorer.exe to crash in the heap routines - in classic heap
> overflow style that should be exploitable a la the RPC exploits.
>
> There are two overflows here:
>
> 1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is less
> than the header size, that's one overflow.
>
> 2. They then proceed to read the rest of the file to a length of (size-
> headersize), which allows for an integer overflow causing the rest of the
> file to be appended to the already blown buffer.
>
> Exploit
> -------
> To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file
> in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest
> form it's a DOS - it affects all explorer windows, including File Open
> dialogs for many programs.
>
> Alternatively, without viewing as a Thumbnail, open the picture preview
> window for the .emf file. (It's the default double-click action). Using
> this trigger causes a different crash point, which may not be exploitable,
> but I wouldn't rule it out.
>
> Additional notes
> ----------------
> It may be worth checking out similar issues in .wmf files, as they are
> similar.
>
>
> - Jellytop, 2004
>
> "If a man will begin with certainties, he shall end in doubts; but if he
> will be content to
> begin with doubts he shall end in certainties."
Content of type "text/html" skipped
Powered by blists - more mailing lists