[NT] Windows Metafile SetPalette Entries Heap Overflow (MS05-053)
From: SecuriTeam (support_at_securiteam.com)
Date: 11/10/05
To: list@securiteam.com Date: 10 Nov 2005 14:40:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Windows Metafile SetPalette Entries Heap Overflow (MS05-053)
------------------------------------------------------------------------
SUMMARY
Windows Metafile (WMF) is a common graphics file format on Microsoft
Windows systems. It is a vector graphics format which also allows the
inclusion of raster graphics. Essentially, a WMF file stores a list of
commands that are replayed against the Windows graphics layer (GDI) in
order to redraw the image. WMF is a 16-bit format introduced in Microsoft
Windows 3; a newer 32-bit version with additional commands is called
Enhanced Metafile (EMF). EMF is also used as a graphics language for
printer drivers.
A vulnerability has been discovered in the way the Windows Graphical
Device Interface (GDI) processes Windows Metafile (WMF) format image files
that would allow arbitrary code execution as a user who attempts to view a
malicious image. An attacker could send such a metafile to a victim of his
choice over any of a variety of attack vectors, including an HTML e-mail,
a link to a web page, a metafile-bearing Microsoft Office document, or a
chat message.
DETAILS
The code in GDI32.DLL responsible for rendering Windows Metafiles contains
an integer overflow vulnerability in the function PlayMetaFileRecord,
cases 36h and 37h, which handle "SetPaletteEntries"-type records. If the
reported length of such a record is 7FFFFFFFh or FFFFFFFFh, the following
code experiences an integer overflow when computing the allocation size
and allocates a heap block that is far too small. Because the allocation
succeeds, the code treats the length as valid and proceeds with the copy:
77F5BC38 mov eax, [ebx] ; length field
77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
77F5BC3E push eax
77F5BC3F push edi
77F5BC40 call ds:LocalAlloc
...
77F5BC51 mov ecx, [ebx] ; length field
77F5BC53 add eax, 2
77F5BC56 shl ecx, 1 ; copy size != allocation size
77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
77F5BC5A mov esi, ebx
77F5BC5C mov edi, eax
77F5BC5E shr ecx, 2
77F5BC61 rep movsd
77F5BC63 mov ecx, edx
77F5BC65 and ecx, 3
...
77F5BC6D rep movsb
Although the copy length is similarly subject to an integer overflow, the
two computations differ by a "+2" term, so the allocation size can be made
very small while the copy length stays extremely large. The result is a
complete heap overwrite with arbitrary binary data from the metafile.
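To make the arithmetic in the listing concrete, the following added example (not part of the eEye advisory and not Microsoft's code) mirrors the two size computations with explicit 32-bit wrap-around, and places a hardened version beside them. The allocation size follows "lea eax, [eax+eax+2]" (2*len + 2) and the copy size follows "shl ecx, 1" (2*len); the hardened function is an assumed replacement that computes in 64 bits, rejects any length whose doubled size would not fit in 32 bits, and additionally refuses a record that claims more data than remains in the file.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Allocation size as computed by the vulnerable path:
 * lea eax, [eax+eax+2]  ->  2*len + 2, wrapping modulo 2^32. */
uint32_t vulnerable_alloc_size(uint32_t len) {
    return len * 2u + 2u;          /* unsigned arithmetic wraps silently */
}

/* Copy size as computed a few instructions later:
 * shl ecx, 1  ->  2*len, wrapping modulo 2^32. */
uint32_t vulnerable_copy_size(uint32_t len) {
    return len * 2u;
}

/* True when the copy would exceed the block that was just allocated,
 * i.e. when the two wrapped computations disagree. */
bool vulnerable_is_inconsistent(uint32_t len) {
    return vulnerable_copy_size(len) > vulnerable_alloc_size(len);
}

/* Hardened size computation (assumed replacement, not Microsoft's fix):
 * do the arithmetic in 64 bits, reject anything that would have wrapped
 * in 32 bits, and reject a record that claims more bytes than the file
 * still holds. Returns the byte count to allocate, or 0 on rejection. */
size_t safe_alloc_or_zero(uint32_t len, size_t bytes_remaining) {
    uint64_t copy  = (uint64_t)len * 2u;
    uint64_t alloc = copy + 2u;
    if (alloc > UINT32_MAX)       /* would have wrapped: reject */
        return 0;
    if (copy > bytes_remaining)   /* record longer than the file: reject */
        return 0;
    return (size_t)alloc;
}

int main(void) {
    /* Constructed probe values: a small benign length plus the two
     * lengths named in the advisory. */
    const uint32_t probes[] = { 4u, 0x7FFFFFFFu, 0xFFFFFFFFu };
    const size_t remaining = 64;  /* constructed: bytes left in the file */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t len = probes[i];
        printf("len=%08lX alloc=%08lX copy=%08lX inconsistent=%d safe=%lu\n",
               (unsigned long)len,
               (unsigned long)vulnerable_alloc_size(len),
               (unsigned long)vulnerable_copy_size(len),
               (int)vulnerable_is_inconsistent(len),
               (unsigned long)safe_alloc_or_zero(len, remaining));
    }
    return 0;
}
```

For both 7FFFFFFFh and FFFFFFFFh the wrapped allocation size comes out as 0 while the wrapped copy size is FFFFFFFEh, which is exactly the mismatch the listing's "copy size != allocation size" comment points at; the hardened function rejects both, and accepts the benign length only when the file actually contains that many bytes.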
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Related Links:
This vulnerability has been assigned the following IDs:
eEye ID: EEYEB-20050901
http://eeye.com/html/research/advisories/AD20051108a.html
OSVDB ID: 20579
http://www.osvdb.org/displayvuln.php?osvdb_id=20579
CVE ID: CAN-2005-2123
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2123
ADDITIONAL INFORMATION
The information has been provided by eEye.
The original article can be found at:
http://eeye.com/html/research/advisories/AD20051108a.htm