Full Disclosure mailing list archives
RE: Windows XP explorer.exe heap overflow.
From: Evgeny Pinchuk <EvgenyP () Radware com>
Date: Tue, 24 Feb 2004 17:42:22 +0200
Hi,

I modified a WMF file at offset 24 (0x18h) which is the header size and could not recreate the bug. The header size of a WMF file is always 9 and modifying it results only in an error message that the file couldn't be shown.

Some info on WMF files:

Format:
- Placeable Meta Header (22 bytes)
- Standard Meta Header (18 bytes)
- Standard Metafile Record1
- ...
- Standard Metafile RecordN

Structures:

typedef struct _PlaceableMetaHeader {
    DWORD Key;        /* Magic number (always 9AC6CDD7h) */
    WORD  Handle;     /* Metafile HANDLE number (always 0) */
    SHORT Left;       /* Left coordinate in metafile units */
    SHORT Top;        /* Top coordinate in metafile units */
    SHORT Right;      /* Right coordinate in metafile units */
    SHORT Bottom;     /* Bottom coordinate in metafile units */
    WORD  Inch;       /* Number of metafile units per inch */
    DWORD Reserved;   /* Reserved (always 0) */
    WORD  Checksum;   /* Checksum value for previous 10 WORDs */
} PLACEABLEMETAHEADER;

typedef struct _WindowsMetaHeader {
    WORD  FileType;      /* Type of metafile (0=memory, 1=disk) */
    WORD  HeaderSize;    /* Size of header in WORDS (always 9) */
    WORD  Version;       /* Version of Microsoft Windows used */
    DWORD FileSize;      /* Total size of the metafile in WORDs */
    WORD  NumOfObjects;  /* Number of objects in the file */
    DWORD MaxRecordSize; /* The size of largest record in WORDs */
    WORD  NumOfParams;   /* Not Used (always 0) */
} WMFHEAD;

More information about WMF files can be found at http://www.whisqu.se/per/docs/wmf.htm

Evgeny.
-----Original Message-----
From: sunglasses () bay-watch com [mailto:sunglasses () bay-watch com]
Sent: Friday, February 20, 2004 8:46 PM
To: bugtraq () securityfocus com
Subject: Windows XP explorer.exe heap overflow.

Vulnerability in XP explorer.exe image loading
----------------------------------------------

Systems affected: Current XP - others not tested.
Degree: Arbitrary code execution.

Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.

Details
-------
The image preview code that explorer uses has an exploitable buffer overflow. An .emf file with a "total size" field set to less than the header size will cause explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.

There are two overflows here:
1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.
2. They then proceed to read the rest of the file to a length of (size - headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.

Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid "size" field) .emf file in any directory, open explorer to that path, and view as Thumbnails. Bang. In its simplest form it's a DOS - it affects all explorer windows, including File Open dialogs for many programs.

Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action.) Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.

Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are similar.
- Jellytop, 2004 "If a man will begin with certainties, he shall end in doubts; but if he will be content to begin with doubts he shall end in certainties."
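As an added illustration, not code from either poster, here is a Python parser for the two WMF headers laid out above that applies the validity checks the original report says the loader lacked before sizing its buffer: HeaderSize must be 9, and FileSize must cover at least the header and no more than the bytes actually present. The placeable checksum is assumed to be the XOR of the preceding ten WORDs, and build_sample produces constructed header bytes for testing, not a real metafile.

```python
import struct
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_FMT = "<IHhhhhHIH"  # Key Handle Left Top Right Bottom Inch Reserved Checksum (22 bytes, little-endian)
STANDARD_FMT = "<HHHIHIH"     # FileType HeaderSize Version FileSize NumOfObjects MaxRecordSize NumOfParams (18 bytes)
PLACEABLE_LEN, STANDARD_LEN = struct.calcsize(PLACEABLE_FMT), struct.calcsize(STANDARD_FMT)
PLACEABLE_NAMES = ("key", "handle", "left", "top", "right", "bottom", "inch", "reserved", "checksum")
STANDARD_NAMES = ("file_type", "header_size", "version", "file_size", "num_objects", "max_record_size", "num_params")

def placeable_checksum(raw):
    """Placeable-header checksum (assumed): XOR of the ten WORDs that precede the Checksum field."""
    cs = 0
    for w in struct.unpack_from("<10H", raw):
        cs ^= w
    return cs

def parse_wmf_header(data):
    """Parse the optional placeable header and the standard header, raising ValueError on anything
    inconsistent; the HeaderSize/FileSize checks are the ones the report says the loader skipped."""
    off, out = 0, {}
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        p = dict(zip(PLACEABLE_NAMES, struct.unpack_from(PLACEABLE_FMT, data)))
        if p["checksum"] != placeable_checksum(data):
            raise ValueError("placeable header checksum mismatch")
        out["placeable"], off = p, PLACEABLE_LEN
    if len(data) - off < STANDARD_LEN:
        raise ValueError("truncated standard header")
    s = dict(zip(STANDARD_NAMES, struct.unpack_from(STANDARD_FMT, data, off)))
    if s["header_size"] != 9:
        raise ValueError("HeaderSize must be 9 WORDs")
    if s["file_size"] < s["header_size"]:  # a size below the header size makes (size - header) wrap
        raise ValueError("FileSize smaller than the header it contains")
    if s["file_size"] * 2 > len(data) - off:  # sizes are in WORDs; never trust the field over the bytes present
        raise ValueError("FileSize claims more bytes than are present")
    out["standard"] = s
    return out

def is_valid_wmf(data):
    try:
        parse_wmf_header(data)
        return True
    except ValueError:
        return False

def build_sample(file_size_words, body=b""):
    # Constructed test input, not a real metafile: placeable + standard header, then raw record bytes.
    head = struct.pack(PLACEABLE_FMT[:-1], PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    std = struct.pack(STANDARD_FMT, 1, 9, 0x0300, file_size_words, 0, 0, 0)
    return head + struct.pack("<H", placeable_checksum(head)) + std + body
```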