Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Windows Metafile Multiple Heap Overflows (MS05-053)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Windows Metafile Multiple Heap Overflows (MS05-053)
Date: 9 Nov 2005 10:26:40 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Windows Metafile Multiple Heap Overflows (MS05-053)
------------------------------------------------------------------------


SUMMARY

Windows Metafile (WMF) is a common graphics file format on Microsoft 
Windows systems. It is a vector graphics format which also allows the 
inclusion of raster graphics. Essentially, a WMF file stores a list of 
commands that have to be issued to the Windows graphics layer GDI in order 
to restore the image. WMF is a 16-bit format introduced in Microsoft 
Windows 3; a newer 32-bit version with additional commands is called 
Enhanced Metafile (EMF). EMF is also used as a graphics language for 
printer drivers.

A heap overflow vulnerability has been discovered  in the way the Windows 
Graphical Device Interface (GDI) processes Windows enhanced metafile 
images (file extensions EMF and WMF).  An attacker could send a malicious 
metafile to a victim of his choice over any of a  variety of media - such 
as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office 
document, or a chat message in order to execute code on that user's system 
at the user's privilege level.

DETAILS

Affected Software:
 * Microsoft Windows 2000 Service Pack 4 -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F361FCCB-B273-47E7-BB15-BC9C27073446>
 Update
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service 
Pack 2 -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E38372B2-3BF6-4393-B9A4-F34248C8073E>
 Update
 * Microsoft Windows XP Professional x64 Edition -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=086C6878-916C-4A4F-8CA8-A4C0E304FDA4>
 Update
 * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service 
Pack 1 -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CEE3DD3B-3C20-47A9-8BBD-1EA2FBB4AF96>
 Update
 * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft 
Windows Server 2003 with SP1 for Itanium-based Systems -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CCFF22BB-ADC4-4974-813C-7721BDB842C0>
 Update
 * Microsoft Windows Server 2003 x64 Edition -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F1ADB6E4-0A08-496C-B94C-A1B37178914A>
 Update

Non-Affected Software:
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME)

The Windows metafile rendering code in GDI32.DLL contains a number of 
integer overflow flaws in its processing of EMF/WMF file data that lead to 
exploitable heap overflows through any number of specially crafted 
metafile structures. For example, the following disassembly from 
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible 
to integer overflow and as a result may pass validation with a dangerous 
value:

    77F6C759 mov edx, [ecx+18h] ; malicious count (e.g.,8000000Dh)
    77F6C75C mov eax, [ecx+4] ; heap allocation size
     ...
    77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
    77F6C76B cmp edx, eax ; validation check
    77F6C76D jnz 77F6C77F

Vendor Status:
Microsoft has released a patch for this vulnerability.
The patch isavailable at:
 <http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx> 
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Related Links:
This vulnerability has been assigned the following IDs:
 <http://www.eeye.com/html/research/advisories/AD20051108b.html> 
EEYEB-20050329
OSVDB ID:  <http://www.osvdb.org/displayvuln.php?osvdb_id=18820> 18820
CVE ID:  <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2124> 
CAN-2005-2124


ADDITIONAL INFORMATION

The information has been provided by eEye.
The original article can be found at:  
<http://www.eeye.com/html/research/advisories/AD20051108b.html> 
http://www.eeye.com/html/research/advisories/AD20051108b.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Windows Metafile Multiple Heap Overflows (MS05-053), SecuriTeam <=
Previous by Date:  [EXPL] F-Secure Internet Gatekeeper Local Root (Exploit), SecuriTeam
Next by Date:  [NT] Vulnerabilities in Graphics Rendering Engine Allows Code Execution (MS05-053), SecuriTeam
Previous by Thread:  [EXPL] F-Secure Internet Gatekeeper Local Root (Exploit), SecuriTeam
Next by Thread:  [NT] Vulnerabilities in Graphics Rendering Engine Allows Code Execution (MS05-053), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]