RE: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.
From: Larry Seltzer (larry_at_larryseltzer.com)
To: "'Evgeny Pinchuk'" <EvgenyP@Radware.com>, <email@example.com>, <firstname.lastname@example.org> Date: Tue, 24 Feb 2004 12:10:03 -0500
I can confirm the non-error on a WMF file, but the alert referred to EMF files. I can't
locate one. Would they necessarily be the same?
eWEEK.com Security Center Editor
[mailto:email@example.com] On Behalf Of Evgeny Pinchuk
Sent: Tuesday, February 24, 2004 10:42 AM
To: 'firstname.lastname@example.org'; email@example.com
Subject: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.
I modified a WMF file at offset 24 (0x18h) which is the header size and could not
recreate the bug.
The header size of WMF file is always 9 and modifying it results only an error message
that the file couldn't be shown.
Some info on WMF files:
-Placeable Meta Header - (22 bytes)
-Standard Meta Header - (18 bytes)
-Standart Metafile Record1 -
-Standart Metafile RecordN -
typedef struct _PlaceableMetaHeader
DWORD Key; /* Magic number (always 9AC6CDD7h) */
WORD Handle; /* Metafile HANDLE number (always 0) */
SHORT Left; /* Left coordinate in metafile units */
SHORT Top; /* Top coordinate in metafile units */
SHORT Right; /* Right coordinate in metafile units */
SHORT Bottom; /* Bottom coordinate in metafile units */
WORD Inch; /* Number of metafile units per inch */
DWORD Reserved; /* Reserved (always 0) */
WORD Checksum; /* Checksum value for previous 10 WORDs */
typedef struct _WindowsMetaHeader
WORD FileType; /* Type of metafile (0=memory, 1=disk) */
WORD HeaderSize; /* Size of header in WORDS (always 9) */
WORD Version; /* Version of Microsoft Windows used */
DWORD FileSize; /* Total size of the metafile in WORDs */
WORD NumOfObjects; /* Number of objects in the file */
DWORD MaxRecordSize; /* The size of largest record in WORDs */
WORD NumOfParams; /* Not Used (always 0) */
More information about WMF files can be found at http://www.whisqu.se/per/docs/wmf.htm
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com]
> Sent: Friday, February 20, 2004 8:46 PM
> To: firstname.lastname@example.org
> Subject: Windows XP explorer.exe heap overflow.
> Vulnerability in XP explorer.exe image loading
> Systems affected:
> Current XP - others not tested.
> Arbitrary code execution.
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
> exploitable heap overflow in (or near) shimgvw.dll.
> The image preview code that explorer uses has an exploitable buffer
> An .emf file with a "total size" field set to less than the header size
> will causes explorer.exe to crash in the heap routines - in classic heap
> overflow style that should be exploitable a la the RPC exploits.
> There are two overflows here:
> 1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is less
> than the header size, that's one overflow.
> 2. They then proceed to read the rest of the file to a length of (size-
> headersize), which allows for an integer overflow causing the rest of the
> file to be appended to the already blown buffer.
> To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file
> in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest
> form it's a DOS - it affects all explorer windows, including File Open
> dialogs for many programs.
> Alternatively, without viewing as a Thumbnail, open the picture preview
> window for the .emf file. (It's the default double-click action). Using
> this trigger causes a different crash point, which may not be exploitable,
> but I wouldn't rule it out.
> Additional notes
> It may be worth checking out similar issues in .wmf files, as they are
> - Jellytop, 2004
> "If a man will begin with certainties, he shall end in doubts; but if he
> will be content to
> begin with doubts he shall end in certainties."
Full-Disclosure - We believe in it.