Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] [EEYEB-20050329] Windows Metafile Multiple Heap Overfl

from [Advisories] Network Security [Permanent Link]
Subject: [Full-disclosure] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows
Date: Tue, 8 Nov 2005 11:39:44 -0800 
Windows Metafile Multiple Heap Overflows

Release Date:
November 8, 2005

Date Reported:
March 29, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows Server 2003

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
the way the Windows Graphical Device Interface (GDI) processes Windows
enhanced metafile images (file extensions EMF and WMF).  An attacker
could send a malicious metafile to a victim of his choice over any of a
variety of media -- such as HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message -- in
order to execute code on that user's system at the user's privilege
level.

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of
integer overflow flaws in its processing of EMF/WMF file data that lead
to exploitable heap overflows through any number of specially crafted
metafile structures.  For example, the following disassembly from
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible
to integer overflow and as a result may pass validation with a dangerous
value:

    77F6C759    mov     edx, [ecx+18h]    ; malicious count (e.g.,
8000000Dh)
    77F6C75C    mov     eax, [ecx+4]      ; heap allocation size
     ...
    77F6C764    lea     edx, [edx*4+1Ch]  ; EDX >= 3FFFFFF9h: integer
overflow
    77F6C76B    cmp     edx, eax          ; validation check
    77F6C76D    jnz     77F6C77F

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection proactively protects users from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Fang Xing

Related Links:
This vulnerability has been assigned the following IDs;

EEYEB-20050329
OSVDB ID: 18820
CVE ID: CAN-2005-2124

Greetings:
Thanks Derek and and eEye guys help me wrote this advisory. Greeting
xfocus guys and venustech lab guys.


Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows, Advisories <=
Previous by Date:  [Full-disclosure] [EEYEB-20050901] Windows Metafile SetPalette Entries Heap OVerflow Vulnerability (Graphics Rendering Engine Vulnerability), Advisories
Next by Date:  [Full-disclosure] [EEYEB-20050510] - RealPlayer Data Packet Stack Overflow, Advisories
Previous by Thread:  [Full-disclosure] [EEYEB-20050901] Windows Metafile SetPalette Entries Heap OVerflow Vulnerability (Graphics Rendering Engine Vulnerability), Advisories
Next by Thread:  [Full-disclosure] [EEYEB-20050510] - RealPlayer Data Packet Stack Overflow, Advisories
Indexes:  [Date] [Thread] [Top] [All Lists]