[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040224170825.GA3118@sentinelchicken.org>
Date: Tue, 24 Feb 2004 09:08:25 -0800
From: Tim <tim-security@...tinelchicken.org>
To: sunglasses@...-watch.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows XP explorer.exe heap overflow.
This is very similar (though perhaps different) than the DoS found by
Marc Ruef: http://seclists.org/lists/fulldisclosure/2003/Sep/0047.html
and later analyzed:
http://seclists.org/lists/fulldisclosure/2003/Sep/0078.html
http://seclists.org/lists/fulldisclosure/2003/Sep/0080.html
This older find boiled down to an overflow in parsing gif images that,
AFAIK, M$ refused to patch, or decided to patch silently (Ask Marc, he
would know for sure). It also would cause explorer.exe to crash
intermittently when the gif was previewed. I am curious to know if
these are related or not. Any comments on that Jellytop? (I have a
sample of the gif if you want to test.)
tim
On Fri, Feb 20, 2004 at 06:45:39PM -0000, sunglasses@...-watch.com wrote:
>
>
> Vulnerability in XP explorer.exe image loading
> ----------------------------------------------
>
> Systems affected:
> Current XP - others not tested.
>
> Degree:
> Arbitrary code execution.
>
> Summary
> -------
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause
> an exploitable heap overflow in (or near) shimgvw.dll.
>
> Details
> -------
> The image preview code that explorer uses has an exploitable buffer overflow.
>
> An .emf file with a "total size" field set to less than the header
> size will causes explorer.exe to crash in the heap routines - in classic
> heap overflow style that should be exploitable a la the RPC exploits.
>
> There are two overflows here:
>
> 1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is
> less than the header size, that's one overflow.
>
> 2. They then proceed to read the rest of the file to a length of
> (size-headersize), which allows for an integer overflow causing the rest
> of the file to be appended to the already blown buffer.
>
> Exploit
> -------
> To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file
> in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest
> form it's a DOS - it affects all explorer windows, including File Open
> dialogs for many programs.
>
> Alternatively, without viewing as a Thumbnail, open the picture
> preview window for the .emf file. (It's the default double-click
> action). Using this trigger causes a different crash point, which may
> not be exploitable, but I wouldn't rule it out.
>
> Additional notes
> ----------------
> It may be worth checking out similar issues in .wmf files, as they are
> similar.
>
>
> - Jellytop, 2004
>
> "If a man will begin with certainties, he shall end in doubts; but if
> he will be content to
> begin with doubts he shall end in certainties."
Powered by blists - more mailing lists