RE: Windows XP explorer.exe heap overflow.

[Evgeny Pinchuk <EvgenyP () Radware com>]

Hi,

I modified a WMF file at offset 24 (0x18h) which is the header size and
could not recreate the bug.
The header size of WMF file is always 9 and modifying it results only an
error message that the file couldn't be shown.

Some info on WMF files:
Format:
-Placeable Meta Header     - (22 bytes)
-Standard Meta Header      - (18 bytes)
-Standart Metafile Record1 -
...
-Standart Metafile RecordN -

Structures:
typedef struct _PlaceableMetaHeader
{
  DWORD Key;           /* Magic number (always 9AC6CDD7h) */
  WORD  Handle;        /* Metafile HANDLE number (always 0) */
  SHORT Left;          /* Left coordinate in metafile units */
  SHORT Top;           /* Top coordinate in metafile units */
  SHORT Right;         /* Right coordinate in metafile units */
  SHORT Bottom;        /* Bottom coordinate in metafile units */
  WORD  Inch;          /* Number of metafile units per inch */
  DWORD Reserved;      /* Reserved (always 0) */
  WORD  Checksum;      /* Checksum value for previous 10 WORDs */
} PLACEABLEMETAHEADER;

typedef struct _WindowsMetaHeader
{
  WORD  FileType;       /* Type of metafile (0=memory, 1=disk) */
  WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
  WORD  Version;        /* Version of Microsoft Windows used */
  DWORD FileSize;       /* Total size of the metafile in WORDs */
  WORD  NumOfObjects;   /* Number of objects in the file */
  DWORD MaxRecordSize;  /* The size of largest record in WORDs */
  WORD  NumOfParams;    /* Not Used (always 0) */
} WMFHEAD;


More information about WMF files can be found at
http://www.whisqu.se/per/docs/wmf.htm


Evgeny.

> -----Original Message-----
> From: sunglasses () bay-watch com [mailto:sunglasses () bay-watch com]
> Sent: Friday, February 20, 2004 8:46 PM
> To: bugtraq () securityfocus com
> Subject: Windows XP explorer.exe heap overflow.
>
>
>
> Vulnerability in XP explorer.exe image loading
> ----------------------------------------------
>
> Systems affected:
>   Current XP - others not tested.
>
> Degree:
>   Arbitrary code execution.
>
> Summary
> -------
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
> exploitable heap overflow in (or near) shimgvw.dll.
>
> Details
> -------
> The image preview code that explorer uses has an exploitable buffer
> overflow.
>
> An .emf file with a "total size" field set to less than the header size
> will causes explorer.exe to crash in the heap routines - in classic heap
> overflow style that should be exploitable a la the RPC exploits.
>
> There are two overflows here:
>
> 1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is less
> than the header size, that's one overflow.
>
> 2. They then proceed to read the rest of the file to a length of (size-
> headersize), which allows for an integer overflow causing the rest of the
> file to be appended to the already blown buffer.
>
> Exploit
> -------
> To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file
> in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest
> form it's a DOS - it affects all explorer windows, including File Open
> dialogs for many programs.
>
> Alternatively, without viewing as a Thumbnail, open the picture preview
> window for the .emf file. (It's the default double-click action). Using
> this trigger causes a different crash point, which may not be exploitable,
> but I wouldn't rule it out.
>
> Additional notes
> ----------------
> It may be worth checking out similar issues in .wmf files, as they are
> similar.
>
>
> - Jellytop, 2004
>
> "If a man will begin with certainties, he shall end in doubts; but if he
> will be content to
> begin with doubts he shall end in certainties."