lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <45A5AD9B.70801@determina.com>
Date: Wed, 10 Jan 2007 19:23:07 -0800
From: Alexander Sotirov <asotirov@...ermina.com>
To: bugtraq@...urityfocus.com
Subject: WMF CreateBrushIndirect vulnerability (DoS)

The following WMF exploit appeared on milw0rm today:
http://www.milw0rm.com/exploits/3111

The vulnerability is a result of the WMF parser passing a value from the file as
a pointer argument to the CreateBrushIndirect function. The function
dereferences the pointer and dies with an access violation.

The value in the file is only 16-bit and it is sign extended into a 32-bit
pointer. This means that we can only access addresses from 0x00000000 to
0x0000FFFF and from 0xFFFF0000 to 0xFFFFFFFF. Both of these ranges are always
invalid, so the vulnerability is just a DoS.

For more details and some commentary, see:
http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html


Alexander Sotirov
Determina Security Research


Download attachment "signature.asc" of type "application/pgp-signature" (250 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ