WMF CreateBrushIndirect vulnerability (DoS)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WMF CreateBrushIndirect vulnerability (DoS)
From: Alexander Sotirov <asotirov@xxxxxxxxxxxxx>
Date: Wed, 10 Jan 2007 19:23:07 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

The following WMF exploit appeared on milw0rm today:
http://www.milw0rm.com/exploits/3111

The vulnerability is a result of the WMF parser passing a value from the file as
a pointer argument to the CreateBrushIndirect function. The function
dereferences the pointer and dies with an access violation.

The value in the file is only 16-bit and it is sign extended into a 32-bit
pointer. This means that we can only access addresses from 0x00000000 to
0x0000FFFF and from 0xFFFF0000 to 0xFFFFFFFF. Both of these ranges are always
invalid, so the vulnerability is just a DoS.

For more details and some commentary, see:
http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html


Alexander Sotirov
Determina Security Research

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: WMF CreateBrushIndirect vulnerability (DoS)
  - From: temp0_123

Prev by Date: Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability
Next by Date: Xine-ui format string Vulnerabilties.
Previous by thread: Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability
Next by thread: Re: WMF CreateBrushIndirect vulnerability (DoS)
Index(es):
- Date
- Thread