RE: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.

From: Larry Seltzer (larry_at_larryseltzer.com)
Date: 02/24/04

    To: "'Evgeny Pinchuk'" <EvgenyP@Radware.com>, <sunglasses@bay-watch.com>, <bugtraq@securityfocus.com>
    Date: Tue, 24 Feb 2004 12:10:03 -0500
    
    

    I can confirm the non-error on a WMF file, but the alert referred to EMF files. I can't
    locate one. Would they necessarily be the same?
     
    Larry Seltzer
    eWEEK.com Security Center Editor
    http://security.eweek.com/
    larryseltzer@ziffdavis.com

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Evgeny Pinchuk
    Sent: Tuesday, February 24, 2004 10:42 AM
    To: 'sunglasses@bay-watch.com'; bugtraq@securityfocus.com
    Cc: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.

    Hi,

    I modified a WMF file at offset 24 (0x18h), which is the header size, and could not
    recreate the bug.
    The header size of a WMF file is always 9, and modifying it results only in an error message
    that the file couldn't be shown.

    Some info on WMF files:
    Format:
    -Placeable Meta Header - (22 bytes)
    -Standard Meta Header - (18 bytes)
    -Standard Metafile Record1 -
    ...
    -Standard Metafile RecordN -

    Structures:
    typedef struct _PlaceableMetaHeader
    {
      DWORD Key; /* Magic number (always 9AC6CDD7h) */
      WORD Handle; /* Metafile HANDLE number (always 0) */
      SHORT Left; /* Left coordinate in metafile units */
      SHORT Top; /* Top coordinate in metafile units */
      SHORT Right; /* Right coordinate in metafile units */
      SHORT Bottom; /* Bottom coordinate in metafile units */
      WORD Inch; /* Number of metafile units per inch */
      DWORD Reserved; /* Reserved (always 0) */
      WORD Checksum; /* Checksum value for previous 10 WORDs */
    } PLACEABLEMETAHEADER;

    typedef struct _WindowsMetaHeader
    {
      WORD FileType; /* Type of metafile (0=memory, 1=disk) */
      WORD HeaderSize; /* Size of header in WORDS (always 9) */
      WORD Version; /* Version of Microsoft Windows used */
      DWORD FileSize; /* Total size of the metafile in WORDs */
      WORD NumOfObjects; /* Number of objects in the file */
      DWORD MaxRecordSize; /* The size of largest record in WORDs */
      WORD NumOfParams; /* Not Used (always 0) */
    } WMFHEAD;

    More information about WMF files can be found at http://www.whisqu.se/per/docs/wmf.htm

    Evgeny.

    > -----Original Message-----
    > From: sunglasses@bay-watch.com [mailto:sunglasses@bay-watch.com]
    > Sent: Friday, February 20, 2004 8:46 PM
    > To: bugtraq@securityfocus.com
    > Subject: Windows XP explorer.exe heap overflow.
    >
    >
    >
    > Vulnerability in XP explorer.exe image loading
    > ----------------------------------------------
    >
    > Systems affected:
    > Current XP - others not tested.
    >
    > Degree:
    > Arbitrary code execution.
    >
    > Summary
    > -------
    > A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
    > exploitable heap overflow in (or near) shimgvw.dll.
    >
    > Details
    > -------
    > The image preview code that explorer uses has an exploitable buffer
    > overflow.
    >
    > An .emf file with a "total size" field set to less than the header size
    > will cause explorer.exe to crash in the heap routines - in classic heap
    > overflow style that should be exploitable a la the RPC exploits.
    >
    > There are two overflows here:
    >
    > 1. A buffer is allocated with the size indicated in the header (no
    > validity checks), then the header is copied into it - if the size is less
    > than the header size, that's one overflow.
    >
    > 2. They then proceed to read the rest of the file to a length of (size-
    > headersize), which allows for an integer overflow causing the rest of the
    > file to be appended to the already blown buffer.
    >
    > Exploit
    > -------
    > To exploit this flaw (in explorer), simply place a malformed (invalid
    > "size" field) .emf file
    > in any directory, open explorer to that path, and view as Thumbnails.
    > Bang. In its simplest
    > form it's a DOS - it affects all explorer windows, including File Open
    > dialogs for many programs.
    >
    > Alternatively, without viewing as a Thumbnail, open the picture preview
    > window for the .emf file. (It's the default double-click action). Using
    > this trigger causes a different crash point, which may not be exploitable,
    > but I wouldn't rule it out.
    >
    > Additional notes
    > ----------------
    > It may be worth checking out similar issues in .wmf files, as they are
    > similar.
    >
    >
    > - Jellytop, 2004
    >
    > "If a man will begin with certainties, he shall end in doubts; but if he
    > will be content to
    > begin with doubts he shall end in certainties."

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
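Added example (C, not code from any message in this thread): a header check that rejects both malformed inputs discussed above, the HeaderSize patch Evgeny applied at offset 24 and the "total size below header size" case Jellytop reports, before any allocation or copy is derived from those fields. Field layout follows Evgeny's WMFHEAD and PLACEABLEMETAHEADER; the XOR rule for the placeable checksum is standard WMF behaviour not stated on the page, and the sample byte arrays are constructed, not real files.

```c
#include <stddef.h>
#include <stdint.h>

#define WMF_PLACEABLE_KEY   0x9AC6CDD7u
#define WMF_PLACEABLE_BYTES 22u
#define WMF_HEADER_WORDS    9u          /* HeaderSize field is always 9 */
#define WMF_HEADER_BYTES    (WMF_HEADER_WORDS * 2u)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Validate a WMF header before any size-derived allocation or copy.
 * Returns the body length in bytes (>= 0) or a negative rejection code. */
long wmf_check(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len >= WMF_PLACEABLE_BYTES && rd32(buf) == WMF_PLACEABLE_KEY) {
        uint16_t x = 0;                       /* checksum = XOR of the first 10 WORDs */
        for (unsigned i = 0; i < 10; i++) x ^= rd16(buf + 2 * i);
        if (x != rd16(buf + 20)) return -1;   /* corrupted placeable header */
        off = WMF_PLACEABLE_BYTES;
    }
    if (len - off < WMF_HEADER_BYTES) return -2;           /* truncated header */
    const uint8_t *h = buf + off;
    uint16_t file_type = rd16(h), header_size = rd16(h + 2);
    uint32_t file_size = rd32(h + 6), max_rec = rd32(h + 12);
    if (file_type > 1) return -3;                          /* 0=memory, 1=disk */
    if (header_size != WMF_HEADER_WORDS) return -4;        /* the offset-24 patch lands here */
    /* FileSize counts the header too: a value below 9 would make
     * (size - header_size) wrap, which is the EMF flaw described in the thread. */
    if (file_size < WMF_HEADER_WORDS) return -5;
    if (file_size > (len - off) / 2) return -6;            /* claims more data than present */
    if (max_rec > file_size - WMF_HEADER_WORDS) return -7; /* a record cannot exceed the body */
    return (long)(file_size - WMF_HEADER_WORDS) * 2;
}

/* Constructed sample inputs (not real files); all values little-endian. */
static const uint8_t GOOD[] = { 1,0, 9,0, 0,3, 12,0,0,0, 0,0, 3,0,0,0, 0,0,   /* 18-byte header */
                                3,0,0,0, 0,0 };                               /* one 3-WORD record */
/* Same file with FileSize set to 2 WORDs, below the 9-WORD header. */
static const uint8_t SHORT_SIZE[] = { 1,0, 9,0, 0,3, 2,0,0,0, 0,0, 3,0,0,0, 0,0, 3,0,0,0, 0,0 };
/* Placeable header (checksum 0x5771) followed by HeaderSize changed to 10 at offset 24. */
static const uint8_t BAD_HDRSIZE[] = { 0xD7,0xCD,0xC6,0x9A, 0,0, 0,0, 0,0, 100,0, 100,0, 96,0,
                                       0,0,0,0, 0x71,0x57,
                                       1,0, 10,0, 0,3, 12,0,0,0, 0,0, 3,0,0,0, 0,0, 3,0,0,0, 0,0 };
```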

