Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Windows Metafile SetPalette Entries Heap Overflow (MS05-053)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Windows Metafile SetPalette Entries Heap Overflow (MS05-053)
Date: 10 Nov 2005 14:40:17 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Windows Metafile SetPalette Entries Heap Overflow (MS05-053)
------------------------------------------------------------------------


SUMMARY

Windows Metafile (WMF) is a common graphics file format on Microsoft 
Windows systems. It is a vector graphics format which also allows the 
inclusion of raster graphics. Essentially, a WMF file stores a list of 
commands that have to be issued to the Windows graphics layer GDI in order 
to restore the image. WMF is a 16-bit format introduced in Microsoft 
Windows 3; a newer 32-bit version with additional commands is called 
Enhanced Metafile (EMF). EMF is also used as a graphics language for 
printer drivers.

A vulnerability has been discovered in the way the Windows Graphical 
Device Interface (GDI) processes Windows Metafile (WMF) format image files 
that would allow arbitrary code execution as a user who attempts to view a 
malicious image. An attacker could send such a metafile to a victim of his 
choice over any of a variety of attack vectors, including an HTML e-mail, 
a link to a web page, a metafile-bearing Microsoft Office document, or a 
chat message.

DETAILS

The code in GDI32.DLL responsible for rendering Windows Metafiles contains 
an integer overflow vulnerability in the function PlayMetaFileRecord, 
cases 36h and 37h, which handle "SetPaletteEntries"-type records. If the 
reported length of such a record is 7FFFFFFFh or FFFFFFFFh, the following 
code will experience an integer overflow and can be made to allocate an 
insufficient heap block, the success of which incorrectly implies the 
validity of the length:

    77F5BC38 mov eax, [ebx] ; length field
    77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
    77F5BC3E push eax
    77F5BC3F push edi
    77F5BC40 call ds:LocalAlloc
     ...
    77F5BC51 mov ecx, [ebx] ; length field
    77F5BC53 add eax, 2
    77F5BC56 shl ecx, 1 ; copy size != allocation size
    77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
    77F5BC5A mov esi, ebx
    77F5BC5C mov edi, eax
    77F5BC5E shr ecx, 2
    77F5BC61 rep movsd
    77F5BC63 mov ecx, edx
    77F5BC65 and ecx, 3
     ...
    77F5BC6D rep movsb

Although the copy length is similarly subject to an integer overflow, the 
two differ by a "+2" term, and therefore the allocation size can be made 
very small while keeping the copy length extremely large. The result is a 
complete heap overwrite with arbitrary binary data from the metafile.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is 
available at:
 <http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx> 
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Related Links:
This vulnerability has been assigned the following IDs:

 <http://eeye.com/html/research/advisories/AD20051108a.html> 
EEYEB-20050901
OSVDB ID:  <http://www.osvdb.org/displayvuln.php?osvdb_id=20579> 20579
CVE ID:  <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2123> 
CAN-2005-2123


ADDITIONAL INFORMATION

The information has been provided by eEye.
The original article can be found at:  
<http://eeye.com/html/research/advisories/AD20051108a.htm> 
http://eeye.com/html/research/advisories/AD20051108a.htm



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Windows Metafile SetPalette Entries Heap Overflow (MS05-053), SecuriTeam <=
Previous by Date:  [UNIX] Apache Tomcat DoS, SecuriTeam
Next by Date:  [UNIX] Lynx Command Execution, SecuriTeam
Previous by Thread:  [UNIX] Apache Tomcat DoS, SecuriTeam
Next by Thread:  [UNIX] Lynx Command Execution, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]