[NT] Vulnerabilities in Graphics Rendering Engine Allows Code Execution (MS05-053)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/09/05

Next message: SecuriTeam: "[UNIX] FreeBSD sendfile Kernel Information Disclosure"

Previous message: SecuriTeam: "[NT] Windows Metafile Multiple Heap Overflows (MS05-053)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 9 Nov 2005 10:32:19 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Vulnerabilities in Graphics Rendering Engine Allows Code Execution
(MS05-053)
------------------------------------------------------------------------

SUMMARY

A remote code execution and denial of service vulnerabilities exists in
the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image
formats that could allow remote code execution or on an affected system.
Any program that renders WMF or EMF images on the affected systems could
be vulnerable to this attack. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.

DETAILS

Affected Software:
* Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F361FCCB-B273-47E7-BB15-BC9C27073446> Update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E38372B2-3BF6-4393-B9A4-F34248C8073E> Update
* Microsoft Windows XP Professional x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=086C6878-916C-4A4F-8CA8-A4C0E304FDA4> Update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CEE3DD3B-3C20-47A9-8BBD-1EA2FBB4AF96> Update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CCFF22BB-ADC4-4974-813C-7721BDB842C0> Update
* Microsoft Windows Server 2003 x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F1ADB6E4-0A08-496C-B94C-A1B37178914A> Update

Non-Affected Software:
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)

Graphics Rendering Engine -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2123>
CAN-2005-2123:
A remote code execution vulnerability exists in the rendering of Windows
Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow
remote code execution on an affected system. Any program that renders WMF
or EMF images on the affected systems could be vulnerable to this attack.
An attacker who successfully exploited this vulnerability could take
complete control of an affected system.

Mitigating Factors for Graphics Rendering Engine -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2123>
CAN-2005-2123:
The vulnerability could be exploited by an attacker who persuaded a user
to open a specially crafted file or to view a folder that contains the
specially crafted image. There is no way for an attacker to force a user
to open a malicious file, except potentially through previewing an email
message.

In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site,
typically by getting them to click a link that takes them to the
attacker's Web site.

Workarounds for Graphics Rendering Engine -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2123>
CAN-2005-2123:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

* Read e-mail messages in plain text format if you are using Outlook 2002
or a later version, to help protect yourself from the HTML e-mail attack
vector.

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or
a later version and Microsoft Outlook Express 6 users who have applied
Internet Explorer 6 Service Pack 1 or a later version can enable this
setting and view e-mail messages that are not digitally signed or e-mail
messages that are not encrypted in plain text only.

Digitally signed e-mail messages or encrypted e-mail messages are not
affected by the setting and may be read in their original formats. For
more information about how to enable this setting in Outlook 2002, see
<http://support.microsoft.com/kb/307594> Microsoft Knowledge Base Article
307594.

Impact of Workaround:
E-mail messages that are viewed in plain text format will not contain
pictures, specialized fonts, animations, or other rich content.
Additionally:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the store,
the object model (custom code solutions) may behave unexpectedly.

FAQ for Graphics Rendering Engine -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2123>
CAN-2005-2123:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. This vulnerability could also be used to attempt to perform a
local elevation of privilege or a remote denial of service.

What causes the vulnerability?
An unchecked buffer in the rendering of Windows Metafile (WMF) and
Enhanced Metafile (EMF) image formats.

What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector
information and bitmap information. It is optimized for the Windows
operating system.

An EMF image is a 32-bit format that can contain both vector information
and bitmap information. This format is an improvement over the Windows
Metafile Format and contains extended features.

For more information about image types and formats, see
<http://support.microsoft.com/default.aspx?scid=kb;en-us;320314> Microsoft
Knowledge Base Article 320314. Additional information about these file
formats is also available at the
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdicpp/GDIPlus/AboutGDIPlus/ImagesBitmapsandMetafiles/Metafiles.asp> MSDN Library Web Site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to
this attack. Here are some examples of how an attacker could attempt to
exploit this vulnerability:

* An attacker could host a malicious Web site that is designed to exploit
this vulnerability through Internet Explorer and then persuade a user to
view the Web site.

* An attacker could create an HTML e-mail message that has a specially
crafted image attached. The specially crafted image could be designed to
exploit this vulnerability through Microsoft Outlook or through Outlook
Express 6. An attacker could persuade the user to view the HTML e-mail
message.

* An attacker could embed a specially crafted image in an Office document
and then persuade the user to view the document.

* An attacker could add a specially crafted image to the local file
system or onto a network share and then persuade the user to preview the
folder.

* If an attacker is able to log on locally, they could then run a
specially-designed program that could exploit the vulnerability, and
thereby gain complete control over the affected system.

An attacker could also access the affected component through another
vector. For example, an attacker could log on to the system interactively
or by using another program that passes parameters to the vulnerable
component (locally or remotely). To locally exploit this vulnerability, an
attacker would first have to log on to the system. An attacker could then
run a specially-designed application that could exploit the vulnerability,
and thereby gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
The vulnerability could be exploited on the affected systems by an
attacker who persuaded a user to open a specially crafted file or to view
a folder that contains the specially crafted image. There is no way for an
attacker to force a user to open a specially crafted file, except
potentially through previewing an email message. Workstations and terminal
servers are primarily at risk. Servers could be at more risk if users who
do not have sufficient administrative permissions are given the ability to
log on to servers and run programs or browse the Internet. However, best
practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability through malicious
Web sites or through email over the Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the
Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced
Metafile (EMF) image formats.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Windows Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2124>
CAN-2005-2124:
A remote code execution vulnerability exists in the rendering of Windows
Metafile (WMF) image format that could allow remote code execution on an
affected system. Any program that renders WMF images on the affected
systems could be vulnerable to this attack. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system.

Mitigating Factors for Windows Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2124>
CAN-2005-2124:

* The vulnerability could be exploited by an attacker who persuaded a
user to open a specially crafted file or to view a folder that contains
the specially crafted image. There is no way for an attacker to force a
user to open a malicious file, except potentially through previewing an
email message.

* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site.

Workarounds for Windows Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2124>
CAN-2005-2124:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

* Read e-mail messages in plain text format if you are using Outlook 2002
or a later version, to help protect yourself from the HTML e-mail attack
vector.

FAQ for Windows Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2124>
CAN-2005-2124:

What causes the vulnerability?
An unchecked buffer in the rendering of Windows Metafile (WMF) image
formats.

What are Windows Metafile (WMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector
information and bitmap information. It is optimized for the Windows
operating system.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

* An attacker could host a malicious Web site that is designed to exploit
this vulnerability through Internet Explorer and then persuade a user to
view the Web site.

* An attacker could embed a specially crafted image in an Office document
and then persuade the user to view the document.

* An attacker could add a specially crafted image to the local file
system or onto a network share and then persuade the user to preview the
folder.

* An attacker could locally log on to the system. An attacker could then
run a specially-designed program that could exploit the vulnerability, and
thereby gain complete control over the affected system.

* An attacker could also access the affected component through another
vector. For example, an attacker could log on to the system interactively
or by using another program that passes parameters to the vulnerable
component (locally or remotely). To locally exploit this vulnerability, an
attacker would first have to log on to the system.

* An attacker could then run a specially-designed application that could
exploit the vulnerability, and thereby gain complete control over the
affected system.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability through malicious
Web sites or through email over the Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the
affected operating system versions validate the length of a message before
it passes the message to the allocated buffer.

Enhanced Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0803>
CAN-2005-0803:
A denial of service vulnerability exists in the rendering of Enhanced
Metafile (EMF) image format that could allow any program that renders EMF
images to be vulnerable to attack. An attacker who successfully exploited
this vulnerability could cause the affected programs to stop responding.

Mitigating Factors for Enhanced Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0803>
CAN-2005-0803:

Workarounds for Enhanced Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0803>
CAN-2005-0803:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

* Read e-mail messages in plain text format if you are using Outlook 2002
or a later version, to help protect yourself from the HTML e-mail attack
vector.

FAQ for Enhanced Metafile Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0803>
CAN-2005-0803:

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this
vulnerability could cause the affected program to stop responding. The
program could be restarted in order to return to normal operation. Note
that the denial of service vulnerability would not allow attackers to
execute code or elevate their privileges, but it could cause the affected
program to stop responding.

What causes the vulnerability?
An unchecked buffer in the rendering of Enhanced Metafile (EMF) image
formats.

What are Enhanced Metafile (EMF) image formats?
An EMF image is a 32-bit format that can contain both vector information
and bitmap information. This format is an improvement over the Windows
Metafile Format and contains extended features.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause a
program to stop responding.

* An attacker could host a malicious Web site that is designed to exploit
this vulnerability through Internet Explorer and then persuade a user to
view the Web site.

* An attacker could embed a specially crafted image in an Office document
and then persuade the user to view the document.

* An attacker could add a specially crafted image to the local file
system or onto a network share and then persuade the user to preview the
folder.

* An attacker could locally log on to the system. An attacker could then
run a specially-designed program that could exploit the vulnerability.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability through malicious
Web sites or through email over the Internet.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number CAN-2005-0803.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.

Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
Yes. This security update addresses the vulnerability that is currently
being exploited. The vulnerability that has been addressed has been
assigned the Common Vulnerability and Exposure number CAN-2005-0803.

Vulnerabilities reported by:
* eEye Digital Security reported the Metafile Vulnerability (
<">CAN-2005-2123).
* Venustech AdDLab, eEye Digital Security and Peter Ferrie of Symantec
Security Response reported the Windows Metafile Vulnerability (
<">CAN-2005-2124).

ADDITIONAL INFORMATION

The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[UNIX] FreeBSD sendfile Kernel Information Disclosure"

Previous message: SecuriTeam: "[NT] Windows Metafile Multiple Heap Overflows (MS05-053)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NT] Vulnerabilities in TCP/IP Allow Remote Code Execution and DoS (MS05-019)
... Validation, ICMP Connection Reset, ICMP Path MTU, TCP Connection Reset and ...
An attacker who successfully exploited the most severe of these ... vulnerabilities could
take complete control of an affected system. ... * ICMP Connection Reset Vulnerability
- CAN-2004-0790 ... (Securiteam)
[NT] Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (MS06-037)
... The following security advisory is sent to the securiteam mailing list, and can be found at
the SecuriTeam web site: http://www.securiteam.com ... Vulnerabilities in Microsoft
Excel Could Allow Remote Code Execution ... an attacker who successfully exploited
this ... vulnerability could take complete control of the client workstation. ...
(Securiteam)
[NEWS] Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute
... security vulnerability results because an attacker can levy a buffer ...
The AppleScript would have to already be present on ... Unchecked Buffer in HTML Element:
... (Securiteam)
SecurityFocus Microsoft Newsletter #259
... MICROSOFT VULNERABILITY SUMMARY ... FL Studio FLP File Processing Heap Overflow
Vulnerability 4. ... wzdftpd is affected by a remote arbitrary command execution vulnerability.
... allowing a remote attacker to supply format specifiers ... (Focus-Microsoft)
[NT] Vulnerabilities in Microsoft Office Allow Remote Code Execution (MS06-012)
... Vulnerabilities in Microsoft Office Allow Remote Code Execution ... Using a
Malformed Range Vulnerability - CVE-2005-4131, ... an attacker who successfully
exploited this ... create new accounts with full user rights. ... (Securiteam)