[NT] Windows Metafile Multiple Heap Overflows (MS05-053)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/09/05

  • Next message: SecuriTeam: "[NT] Vulnerabilities in Graphics Rendering Engine Allows Code Execution (MS05-053)" 
    To: list@securiteam.com
Date: 9 Nov 2005 10:26:40 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Windows Metafile Multiple Heap Overflows (MS05-053)
    ------------------------------------------------------------------------

    SUMMARY

    Windows Metafile (WMF) is a common graphics file format on Microsoft
    Windows systems. It is a vector graphics format which also allows the
    inclusion of raster graphics. Essentially, a WMF file stores a list of
    commands that have to be issued to the Windows graphics layer GDI in order
    to restore the image. WMF is a 16-bit format introduced in Microsoft
    Windows 3; a newer 32-bit version with additional commands is called
    Enhanced Metafile (EMF). EMF is also used as a graphics language for
    printer drivers.

    A heap overflow vulnerability has been discovered in the way the Windows
    Graphical Device Interface (GDI) processes Windows enhanced metafile
    images (file extensions EMF and WMF). An attacker could send a malicious
    metafile to a victim of his choice over any of a variety of media - such
    as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office
    document, or a chat message in order to execute code on that user's system
    at the user's privilege level.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 4 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=F361FCCB-B273-47E7-BB15-BC9C27073446> Update
     * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
    Pack 2 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=E38372B2-3BF6-4393-B9A4-F34248C8073E> Update
     * Microsoft Windows XP Professional x64 Edition -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=086C6878-916C-4A4F-8CA8-A4C0E304FDA4> Update
     * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
    Pack 1 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=CEE3DD3B-3C20-47A9-8BBD-1EA2FBB4AF96> Update
     * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
    Windows Server 2003 with SP1 for Itanium-based Systems -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=CCFF22BB-ADC4-4974-813C-7721BDB842C0> Update
     * Microsoft Windows Server 2003 x64 Edition -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=F1ADB6E4-0A08-496C-B94C-A1B37178914A> Update

    Non-Affected Software:
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    The Windows metafile rendering code in GDI32.DLL contains a number of
    integer overflow flaws in its processing of EMF/WMF file data that lead to
    exploitable heap overflows through any number of specially crafted
    metafile structures. For example, the following disassembly from
    MRBP16::bCheckRecord demonstrates a size calculation that is susceptible
    to integer overflow and as a result may pass validation with a dangerous
    value:

        77F6C759 mov edx, [ecx+18h] ; malicious count (e.g.,8000000Dh)
        77F6C75C mov eax, [ecx+4] ; heap allocation size
         ...
        77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
        77F6C76B cmp edx, eax ; validation check
        77F6C76D jnz 77F6C77F

    Vendor Status:
    Microsoft has released a patch for this vulnerability.
    The patch isavailable at:
     <http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

    Related Links:
    This vulnerability has been assigned the following IDs:
     <http://www.eeye.com/html/research/advisories/AD20051108b.html>
    EEYEB-20050329
    OSVDB ID: <http://www.osvdb.org/displayvuln.php?osvdb_id=18820> 18820
    CVE ID: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2124>
    CAN-2005-2124

    ADDITIONAL INFORMATION

    The information has been provided by eEye.
    The original article can be found at:
    <http://www.eeye.com/html/research/advisories/AD20051108b.html>
    http://www.eeye.com/html/research/advisories/AD20051108b.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Vulnerabilities in Graphics Rendering Engine Allows Code Execution (MS05-053)"

    Relevant Pages