Re: Windows XP explorer.exe heap overflow.

To: sunglasses@xxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Windows XP explorer.exe heap overflow.
From: Chris Calabrese <chris_calabrese@xxxxxxxxx>
Date: Mon, 23 Feb 2004 13:31:07 -0800 (PST)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

This could actually be much worse since it looks like Internet Explorer
and Outlook will happily display WMF files with no questions asked.

Has anyone crafted a test WMF file we can use to check whether this
could be exploited via an email worm through Outlook?

On 2/20/2004 1:45 PM, sunglasses@xxxxxxxxxxxxx wrote:
>
>Vulnerability in XP explorer.exe image loading
>
>----------------------------------------------
>
>
>
>Systems affected: 
>
>  Current XP - others not tested.
>
>
>
>Degree: 
>
>  Arbitrary code execution.
>
>
>
>Summary
>
>-------
>
>A malformed .emf (Enhanced Metafile, a graphics format) file can cause
an exploitable heap overflow in (or near) shimgvw.dll.
>
>
>
>Details
>
>-------
>
>The image preview code that explorer uses has an exploitable buffer
overflow.
>
>
>
>An .emf file with a "total size" field set to less than the header
size will causes explorer.exe to crash in the heap routines - in
classic heap overflow style that should be exploitable a la the RPC
exploits.
>
>
>
>There are two overflows here:
>
>
>
>1. A buffer is allocated with the size indicated in the header (no
validity checks), then the header is copied into it - if the size is
less than the header size, that's one overflow.
>
>
>
>2. They then proceed to read the rest of the file to a length of
(size-headersize), which allows for an integer overflow causing the
rest of the file to be appended to the already blown buffer.
>
>
>
>Exploit
>
>-------
>
>To exploit this flaw (in explorer), simply place a malformed (invalid
"size" field) .emf file 
>
>in any directory, open explorer to that path, and view as Thumbnails.
Bang. In it's simplest 
>
>form it's a DOS - it affects all explorer windows, including File Open
dialogs for many programs.
>
>
>
>Alternatively, without viewing as a Thumbnail, open the picture
preview window for the .emf file. (It's the default double-click
action). Using this trigger causes a different crash point, which may
not be exploitable, but I wouldn't rule it out.
>
>
>
>Additional notes
>
>----------------
>
>It may be worth checking out similar issues in .wmf files, as they are
similar.
>
>
>
>
>
>- Jellytop, 2004 
>
>
>
>"If a man will begin with certainties, he shall end in doubts; but if
he will be content to 
>
>begin with doubts he shall end in certainties."
>


__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools

Follow-Ups:
- blocking gzip encoded files
  - From: Darwin Mecham

Prev by Date: Re: lbreakout2 < 2.4beta-2 local exploit
Next by Date: blocking gzip encoded files
Previous by thread: Re: Windows XP explorer.exe heap overflow.
Next by thread: blocking gzip encoded files
Index(es):
- Date
- Thread