Windows XP explorer.exe heap overflow.
Vulnerability in XP explorer.exe image loading
----------------------------------------------
Systems affected:
Current XP - others not tested.
Degree:
Arbitrary code execution.
Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
exploitable heap overflow in (or near) shimgvw.dll.
Details
-------
The image preview code that explorer uses has an exploitable buffer overflow.
An .emf file with a "total size" field set to less than the header size will
causes explorer.exe to crash in the heap routines - in classic heap overflow
style that should be exploitable a la the RPC exploits.
There are two overflows here:
1. A buffer is allocated with the size indicated in the header (no validity
checks), then the header is copied into it - if the size is less than the
header size, that's one overflow.
2. They then proceed to read the rest of the file to a length of
(size-headersize), which allows for an integer overflow causing the rest of the
file to be appended to the already blown buffer.
Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid "size"
field) .emf file
in any directory, open explorer to that path, and view as Thumbnails. Bang. In
it's simplest
form it's a DOS - it affects all explorer windows, including File Open dialogs
for many programs.
Alternatively, without viewing as a Thumbnail, open the picture preview window
for the .emf file. (It's the default double-click action). Using this trigger
causes a different crash point, which may not be exploitable, but I wouldn't
rule it out.
Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are similar.
- Jellytop, 2004
"If a man will begin with certainties, he shall end in doubts; but if he will
be content to
begin with doubts he shall end in certainties."