[VulnWatch] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows

Date: 11/08/05

  • Next message: Advisories_at_eeye.com: "[VulnWatch] [EEYEB-20050510] - RealPlayer Data Packet Stack Overflow"
    Date: Tue, 8 Nov 2005 11:39:44 -0800
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <ntbugtraq@nutbugtraq.com>, <full-disclosure@lists.grok.org.uk>

    Windows Metafile Multiple Heap Overflows

    Release Date:
    November 8, 2005

    Date Reported:
    March 29, 2005

    High (Code Execution)


    Systems Affected:
    Windows 2000
    Windows Server 2003

    eEye Digital Security has discovered a heap overflow vulnerability in
    the way the Windows Graphical Device Interface (GDI) processes Windows
    enhanced metafile images (file extensions EMF and WMF). An attacker
    could send a malicious metafile to a victim of his choice over any of a
    variety of media -- such as HTML e-mail, a link to a web page, a
    metafile-bearing Microsoft Office document, or a chat message -- in
    order to execute code on that user's system at the user's privilege

    Technical Details:
    The Windows metafile rendering code in GDI32.DLL contains a number of
    integer overflow flaws in its processing of EMF/WMF file data that lead
    to exploitable heap overflows through any number of specially crafted
    metafile structures. For example, the following disassembly from
    MRBP16::bCheckRecord demonstrates a size calculation that is susceptible
    to integer overflow and as a result may pass validation with a dangerous

        77F6C759 mov edx, [ecx+18h] ; malicious count (e.g.,
        77F6C75C mov eax, [ecx+4] ; heap allocation size
        77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer
        77F6C76B cmp edx, eax ; validation check
        77F6C76D jnz 77F6C77F

    Retina Network Security Scanner has been updated to identify this
    Blink Endpoint Protection proactively protects users from this

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:

    Fang Xing

    Related Links:
    This vulnerability has been assigned the following IDs;

    OSVDB ID: 18820
    CVE ID: CAN-2005-2124

    Thanks Derek and and eEye guys help me wrote this advisory. Greeting
    xfocus guys and venustech lab guys.

    Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
    granted for the redistribution of this alert electronically. It is not
    to be edited in any way without express consent of eEye. If you wish to
    reprint the whole or any part of this alert in any other medium
    excluding electronic medium, please email alert@eEye.com for permission.

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the user's
    own risk.

  • Next message: Advisories_at_eeye.com: "[VulnWatch] [EEYEB-20050510] - RealPlayer Data Packet Stack Overflow"

    Relevant Pages