[VulnWatch] [EEYEB-20050901] Windows Metafile SetPalette Entries Heap OVerflow Vulnerability (Graphics Rendering Engine Vulnerability)

Date: 11/08/05

  • Next message: Advisories_at_eeye.com: "[VulnWatch] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows"
    Date: Tue, 8 Nov 2005 11:39:31 -0800
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <ntbugtraq@nutbugtraq.com>, <full-disclosure@lists.grok.org.uk>

    Windows Metafile SetPalette Entries Heap OVerflow Vulnerability
    (Graphics Rendering Engine Vulnerability)

    Release Date:
    November 8, 2005

    Date Reported:
    September 1, 2005

    High (Code Execution)


    Systems Affected:
    Windows 2000
    Windows XP SP0, SP1
    Windows Server 2003 SP0

    eEye Digital Security has discovered a vulnerability in the way the
    Windows Graphical Device Interface (GDI) processes Windows Metafile
    (WMF) format image files that would allow arbitrary code execution as a
    user who attempts to view a malicious image. An attacker could send
    such a metafile to a victim of his choice over any of a variety of
    attack vectors, including an HTML e-mail, a link to a web page, a
    metafile-bearing Microsoft Office document, or a chat message.

    Technical Details:
    The code in GDI32.DLL responsible for rendering Windows Metafiles
    contains an integer overflow vulnerability in the function
    PlayMetaFileRecord, cases 36h and 37h, which handle
    "SetPaletteEntries"-type records. If the reported length of such a
    record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
    integer overflow and can be made to allocate an insufficient heap block,
    the success of which incorrectly implies the validity of the length:

        77F5BC38 mov eax, [ebx] ; length field
        77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
        77F5BC3E push eax
        77F5BC3F push edi
        77F5BC40 call ds:LocalAlloc
        77F5BC51 mov ecx, [ebx] ; length field
        77F5BC53 add eax, 2
        77F5BC56 shl ecx, 1 ; copy size != allocation
        77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
        77F5BC5A mov esi, ebx
        77F5BC5C mov edi, eax
        77F5BC5E shr ecx, 2
        77F5BC61 rep movsd
        77F5BC63 mov ecx, edx
        77F5BC65 and ecx, 3
        77F5BC6D rep movsb

    Although the copy length is similarly subject to an integer overflow,
    the two differ by a "+2" term, and therefore the allocation size can be
    made very small while keeping the copy length extremely large. The
    result is a complete heap overwrite with arbitrary binary data from the

    Retina Network Security Scanner has been updated to identify this
    Blink Endpoint Protection proactively protects users from this

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:

    Fang Xing

    Related Links:
    This vulnerability has been assigned the following IDs;

    CVE ID: CAN-2005-2123

    Thanks Derek and and eEye guys help me wrote this advisory. Greeting
    xfocus guys and venustech lab guys.

    Copyright (c) 1998-2005 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please email
    alert@eEye.com for permission.

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the user's
    own risk.

  • Next message: Advisories_at_eeye.com: "[VulnWatch] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows"