[NT] Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability
------------------------------------------------------------------------


SUMMARY

The Microsoft Windows kernel controls "which processes are allowed to run
and is responsible for accessing hardware such as storage devices and
video adapters, scheduling time for each process to execute, managing
memory, and other system control tasks".

Remote exploitation of a design error in certain kernel GDI functions in
multiple versions of Microsoft Corp.'s Windows operating system may allow
an attacker to cause a denial of service condition.

DETAILS

Vulnerable Systems:
* Windows XP with Service Pack 2
* Windows 2003 Server
* (Other Windows operating systems may also be affected).

During testing of the MS06-001 WMF (Windows Metafile) vulnerability, a
flaw was found in the handling of WMF files. This flaw can cause the
kernel to perform a bug check, also known as a "blue screen" or system
crash, when it tries to parse the file. The cause of this bug check is an
attempt by a function in a kernel system call to read a value obtained by
dereferencing an offset into a kernel structure. This value had been
previously created and then reset by previous system calls, and at the
point it is accessed it does not contain a valid memory reference. This
results in an access violation error, which in turn triggers the bug
check.

This vulnerability is different from both the Microsoft MS06-001 WMF
vulnerability and the MS05-053 WMF vulnerability and is not fixed by
either of these patches.

Exploitation of this vulnerability would allow a remote attacker to
perform a denial of service against an affected system.

Depending on where the file was saved and configuration details of the
target, this could result in a persistent denial of service condition,
causing an immediate reboot upon logging on after an attack. The results
of testing this vulnerability suggest that in some cases it may cause
corruption of the system in a manner that prevents the system from
rebooting.

It is likely that Enhanced Windows Metafiles (EMF) are also affected, but
this has not yet been confirmed.

Currently, due to the type of location being referenced by the kernel, it
appears that the vulnerability may only be exploitable by a remote
attacker to cause a DoS condition. The vectors that could be used to
remotely exploit this vulnerability would most likely be similar to those
that the MS06-001 vulnerability used.

Workaround:
Blocking .wmf files at all e-mail and Web gateways is strongly
recommended. However, this is not effective if blocking is done based on
file extensions (e.g., .wmf), as an attacker can simply rename the file to
a new extension.

Reading e-mail in plain-text can prevent automatic exploitation via
electronic mail.

Vendor Status:
Microsoft has addressed this vulnerability within
<http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx >
MS07-017.

Disclosure Timeline:
* 01/10/2006 - Initial vendor notification
* 01/10/2006 - Initial vendor response
* 04/03/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=499>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=499



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages