lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Feb 2004 17:42:22 +0200
From: Evgeny Pinchuk <EvgenyP@...ware.com>
To: "'sunglasses@...-watch.com'" <sunglasses@...-watch.com>,
   bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: RE: Windows XP explorer.exe heap overflow.

Hi,

I modified a WMF file at offset 24 (0x18h) which is the header size and
could not recreate the bug.
The header size of WMF file is always 9 and modifying it results only an
error message that the file couldn't be shown.

Some info on WMF files:
Format:
-Placeable Meta Header     - (22 bytes)
-Standard Meta Header      - (18 bytes)
-Standart Metafile Record1 -
...
-Standart Metafile RecordN -

Structures:
typedef struct _PlaceableMetaHeader
{
  DWORD Key;           /* Magic number (always 9AC6CDD7h) */
  WORD  Handle;        /* Metafile HANDLE number (always 0) */
  SHORT Left;          /* Left coordinate in metafile units */
  SHORT Top;           /* Top coordinate in metafile units */
  SHORT Right;         /* Right coordinate in metafile units */
  SHORT Bottom;        /* Bottom coordinate in metafile units */
  WORD  Inch;          /* Number of metafile units per inch */
  DWORD Reserved;      /* Reserved (always 0) */
  WORD  Checksum;      /* Checksum value for previous 10 WORDs */
} PLACEABLEMETAHEADER;

typedef struct _WindowsMetaHeader
{
  WORD  FileType;       /* Type of metafile (0=memory, 1=disk) */
  WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
  WORD  Version;        /* Version of Microsoft Windows used */
  DWORD FileSize;       /* Total size of the metafile in WORDs */
  WORD  NumOfObjects;   /* Number of objects in the file */
  DWORD MaxRecordSize;  /* The size of largest record in WORDs */
  WORD  NumOfParams;    /* Not Used (always 0) */
} WMFHEAD;


More information about WMF files can be found at
http://www.whisqu.se/per/docs/wmf.htm


Evgeny.

> -----Original Message-----
> From: sunglasses@...-watch.com [mailto:sunglasses@...-watch.com]
> Sent: Friday, February 20, 2004 8:46 PM
> To: bugtraq@...urityfocus.com
> Subject: Windows XP explorer.exe heap overflow.
> 
> 
> 
> Vulnerability in XP explorer.exe image loading
> ----------------------------------------------
> 
> Systems affected:
>   Current XP - others not tested.
> 
> Degree:
>   Arbitrary code execution.
> 
> Summary
> -------
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
> exploitable heap overflow in (or near) shimgvw.dll.
> 
> Details
> -------
> The image preview code that explorer uses has an exploitable buffer
> overflow.
> 
> An .emf file with a "total size" field set to less than the header size
> will causes explorer.exe to crash in the heap routines - in classic heap
> overflow style that should be exploitable a la the RPC exploits.
> 
> There are two overflows here:
> 
> 1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is less
> than the header size, that's one overflow.
> 
> 2. They then proceed to read the rest of the file to a length of (size-
> headersize), which allows for an integer overflow causing the rest of the
> file to be appended to the already blown buffer.
> 
> Exploit
> -------
> To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file
> in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest
> form it's a DOS - it affects all explorer windows, including File Open
> dialogs for many programs.
> 
> Alternatively, without viewing as a Thumbnail, open the picture preview
> window for the .emf file. (It's the default double-click action). Using
> this trigger causes a different crash point, which may not be exploitable,
> but I wouldn't rule it out.
> 
> Additional notes
> ----------------
> It may be worth checking out similar issues in .wmf files, as they are
> similar.
> 
> 
> - Jellytop, 2004
> 
> "If a man will begin with certainties, he shall end in doubts; but if he
> will be content to
> begin with doubts he shall end in certainties."

Content of type "text/html" skipped

Powered by blists - more mailing lists