lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Feb 2004 12:10:03 -0500
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "'Evgeny Pinchuk'" <EvgenyP@...ware.com>, <sunglasses@...-watch.com>,
   <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Subject: RE: RE: Windows XP explorer.exe heap overflow.

I can confirm the non-error on a WMF file, but the alert referred to EMF files. I can't
locate one. Would they necessarily be the same?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer@...fdavis.com 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Evgeny Pinchuk
Sent: Tuesday, February 24, 2004 10:42 AM
To: 'sunglasses@...-watch.com'; bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.



Hi, 

I modified a WMF file at offset 24 (0x18h) which is the header size and could not
recreate the bug. 
The header size of WMF file is always 9 and modifying it results only an error message
that the file couldn't be shown. 

Some info on WMF files: 
Format: 
-Placeable Meta Header     - (22 bytes) 
-Standard Meta Header      - (18 bytes) 
-Standart Metafile Record1 - 
... 
-Standart Metafile RecordN - 

Structures: 
typedef struct _PlaceableMetaHeader 
{ 
  DWORD Key;           /* Magic number (always 9AC6CDD7h) */ 
  WORD  Handle;        /* Metafile HANDLE number (always 0) */ 
  SHORT Left;          /* Left coordinate in metafile units */ 
  SHORT Top;           /* Top coordinate in metafile units */ 
  SHORT Right;         /* Right coordinate in metafile units */ 
  SHORT Bottom;        /* Bottom coordinate in metafile units */ 
  WORD  Inch;          /* Number of metafile units per inch */ 
  DWORD Reserved;      /* Reserved (always 0) */ 
  WORD  Checksum;      /* Checksum value for previous 10 WORDs */ 
} PLACEABLEMETAHEADER; 

typedef struct _WindowsMetaHeader 
{ 
  WORD  FileType;       /* Type of metafile (0=memory, 1=disk) */ 
  WORD  HeaderSize;     /* Size of header in WORDS (always 9) */ 
  WORD  Version;        /* Version of Microsoft Windows used */ 
  DWORD FileSize;       /* Total size of the metafile in WORDs */ 
  WORD  NumOfObjects;   /* Number of objects in the file */ 
  DWORD MaxRecordSize;  /* The size of largest record in WORDs */ 
  WORD  NumOfParams;    /* Not Used (always 0) */ 
} WMFHEAD; 


More information about WMF files can be found at http://www.whisqu.se/per/docs/wmf.htm 


Evgeny. 

> -----Original Message----- 
> From: sunglasses@...-watch.com [mailto:sunglasses@...-watch.com] 
> Sent: Friday, February 20, 2004 8:46 PM 
> To: bugtraq@...urityfocus.com 
> Subject: Windows XP explorer.exe heap overflow. 
> 
> 
> 
> Vulnerability in XP explorer.exe image loading 
> ---------------------------------------------- 
> 
> Systems affected: 
>   Current XP - others not tested. 
> 
> Degree: 
>   Arbitrary code execution. 
> 
> Summary 
> ------- 
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause an 
> exploitable heap overflow in (or near) shimgvw.dll. 
> 
> Details 
> ------- 
> The image preview code that explorer uses has an exploitable buffer 
> overflow. 
> 
> An .emf file with a "total size" field set to less than the header size 
> will causes explorer.exe to crash in the heap routines - in classic heap 
> overflow style that should be exploitable a la the RPC exploits. 
> 
> There are two overflows here: 
> 
> 1. A buffer is allocated with the size indicated in the header (no 
> validity checks), then the header is copied into it - if the size is less 
> than the header size, that's one overflow. 
> 
> 2. They then proceed to read the rest of the file to a length of (size- 
> headersize), which allows for an integer overflow causing the rest of the 
> file to be appended to the already blown buffer. 
> 
> Exploit 
> ------- 
> To exploit this flaw (in explorer), simply place a malformed (invalid 
> "size" field) .emf file 
> in any directory, open explorer to that path, and view as Thumbnails. 
> Bang. In it's simplest 
> form it's a DOS - it affects all explorer windows, including File Open 
> dialogs for many programs. 
> 
> Alternatively, without viewing as a Thumbnail, open the picture preview 
> window for the .emf file. (It's the default double-click action). Using 
> this trigger causes a different crash point, which may not be exploitable, 
> but I wouldn't rule it out. 
> 
> Additional notes 
> ---------------- 
> It may be worth checking out similar issues in .wmf files, as they are 
> similar. 
> 
> 
> - Jellytop, 2004 
> 
> "If a man will begin with certainties, he shall end in doubts; but if he 
> will be content to 
> begin with doubts he shall end in certainties." 


Content of type "text/html" skipped

Powered by blists - more mailing lists