lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050331144748.10155.qmail@www.securityfocus.com>
Date: 31 Mar 2005 14:47:48 -0000
From: <liquid@...erspace.org>
To: bugtraq@...urityfocus.com
Subject: WindowsXP malformed .wmf files DoS





Here is an example of malformed .wmf file which will cause DoS. Put this file in arbitrary folder (be sure that file has .wmf extension, otherwise this wouldn't work). Open that folder with Windows Explorer, and just move mouse over malformed file. CPU usage will rise to 100%, and stay that way. During this condition you can work with explorer, but it behaves very weird. It doesn't help if you close all explorer's windows, you must restart explorer.exe, only then CPU usage will get down to normal.
Instead of "mouseover" you could doubleclick on file to produce same effect.

Here is .wmf file:

00000000 :01 00 09 00 00 03 0E 00 - 00 00 01 00 05 00 00 00
00000010 :00 00 00 00 00 00 0B 02 - FF FF FF FF

Now, this was "bare" .wmf file, and if you put a link in html pointing to it, IE won't render it, and there is no problem. What we need is a placeable metafile, and this is one:

00000000 :D7 CD C6 9A 00 00 00 00 - 00 00 A1 21 EC 29 EC 09
00000010 :00 00 00 00 B0 56 01 00 - 09 00 00 03 0E 00 00 00
00000020 :01 00 05 00 00 00 00 00 - 00 00 00 00 0B 02 00 00
00000030 :00 00

To test it with IE, save this file with name "test.wmf", and put next .html in same folder:

<html><body><img src="test.wmf"></body></html>

When you open html document, IE will try to render test.wmf and CPU is again on 100%, and again you have to restart IE to slow it down. Malicious website could easily do the same.

This is tested on fully patched WindowsXP SP1. I didn't test this with other OSes from windows family but they may be vulnerable too. For basic .wmf file structure you may want to look here:

http://www.whisqu.se/per/docs/wmf.htm


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ