Date: Fri Jan 13 23:36:51 2006
From: nfobro at gmail.com (eric williams)
Subject: Steve Gibson smokes crack?

On 1/13/06, Peter Ferrie <pferrie@...antec.com> wrote:
> [snip]
> >does anyone know the circumstances, in all cases, where the bug is
> >triggered or is there only speculation based upon exploit code
> >"working" against a given vulnerable implementation of the API?
>
> The triggering mechanism is well-understood: this incorrect record
> length requirement is simply wrong.  There is no "magic key".
> It is possible to create entirely well-formed files that will
> execute.  I don't know why Steve couldn't get it working properly,
> and I'd like to know just how he managed to get it working at all
> on Windows 2000 (see below).  So, what we have is this:
>
> The file must not begin with the placeable (aka Aldus) meta file
> header.  If it does begin with that, then the function is ignored,
> and Windows continues to parse the file.
> This is why Windows 9x, NT, and 2000, do not execute anything from
> within Internet Explorer, for example - they do not support WMF
> files without the Aldus header.
>
> The record must be reachable.  It will not execute if the EOF
> record (function number 00) is seen first.
>

Ahh, perfect!  Thanks Peter, that clears up a lot for me.  In fact, does
this also infer that all you need is a "crapped" up pluggable viewer
for IE on Windows 9x, etc. to exploit this flaw on one of those O/Ss?
Does this further indicate that Office 98 and other M$ Office versions
that run on the earlier O/Ss and support the WMF mapping are
'vulnerable' to exploitation - still?

Thanks, you provided a cogent and direct response, it was very helpful
(at least to me) in getting to the meat of this discussion.

-e

> That's all.  To clarify some other things:
>
> The record length can be any value at all, as long as it remains
> within the bounds of the file.  Before executing any record,
> Windows checks that the next record is accessible.
>
> The file does not have to end with the EOF record, but there must
> be one in the file.
>
> The smallest metafile is 18 bytes.  That's the header only.
> The smallest parsable metafile is 24 bytes (EOF record only).
> The smallest SetAbortProc file for Windows XP is 62 bytes.
>
> 8^) p.
>
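The parsing conditions Peter lists (no placeable header, the record reachable before the EOF record, record length within the bounds of the file), as an added Python example that is not part of either post: a record walker for triaging WMF files. The Escape function number 0x0626, SetAbortProc subfunction 9 and the 22-byte placeable header with key 0x9AC6CDD7 are taken from the WMF format rather than from this thread; `audit_wmf`, `flagged` and the sample byte strings are constructed for illustration.

```python
import struct

HEADER_LEN = 18               # standard metafile header size, per the post
PLACEABLE_KEY = 0x9AC6CDD7    # magic that opens a placeable (Aldus) header
META_EOF = 0x0000             # EOF record, function number 00
META_ESCAPE = 0x0626          # Escape record; SetAbortProc is one of its subfunctions
SETABORTPROC = 0x0009

def audit_wmf(data: bytes) -> dict:
    """Walk WMF records; list offsets of SetAbortProc Escape records seen before EOF."""
    result = {"placeable": False, "eof_seen": False, "reachable": [], "error": None}
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        result["placeable"] = True      # post: the function is ignored in this case
        data = data[22:]                # offsets below are relative to the WMF header
    if len(data) < HEADER_LEN:
        result["error"] = "truncated header"
        return result
    off = HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nxt = off + size_words * 2      # record size is counted in 16-bit words
        if func == META_EOF:
            result["eof_seen"] = True   # nothing after the EOF record is reachable
            break
        # Assumption: a record under 3 words cannot hold its own header, so stop
        # instead of looping. The post only requires the length to stay in the file.
        if size_words < 3 or nxt > len(data):
            result["error"] = f"bad record length at offset {off}"
            break
        if func == META_ESCAPE and off + 8 <= nxt:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                result["reachable"].append(off)
        off = nxt
    return result

def flagged(data: bytes) -> bool:
    # Conservative: eof_seen is reported by audit_wmf but not required here.
    r = audit_wmf(data)
    return bool(r["reachable"]) and not r["placeable"]

# Constructed samples with inert filler bytes, not taken from any real file.
HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
EOF_REC = struct.pack("<IH", 3, META_EOF)
ESC_REC = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"\x00" * 4
SAMPLE_HIT = HDR + ESC_REC + EOF_REC
SAMPLE_AFTER_EOF = HDR + EOF_REC + ESC_REC
SAMPLE_PLACEABLE = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + SAMPLE_HIT
SAMPLE_TRUNCATED = HDR + struct.pack("<IH", 100, META_ESCAPE)
```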
