funsec mailing list archives
Re: Ilfak's WMF patch
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sun, 01 Jan 2006 19:40:21 -0600
Ilfak Guilfanov wrote:
> Hello Matthew,
>
> Sunday, January 1, 2006, 11:44:53 PM, you wrote:
>
> MM> Not even a question. The ABORTPROC record type has *ZERO* legitimate
> MM> use in the real-world. It is designed to execute arbitrary code, making
> MM> it a security risk without legitimate value. If there are apps that use
> MM> the functionality, I for one, am happy to see them broken.
>
> I agree with you that the ABORTPROC record has no use in the WMF files.
> But there is a reason why it exists: WMF data can be file based and
> memory based. If it makes little sense to embed an executable procedure
> in a file, some programs may generate a memory based WMF with ABORTPROC.
> These memory based WMFs can be used to pass data between different parts
> of the program. In this setting the ABORTPROC record makes sense and
> poses no security risk. When I mentioned broken functionality in the
> description of the fix, I meant memory based WMFs. OTOH, I do not know
> what (if any) programs use them.
Interesting note. As I looked at the ABORTPROC record's technical specifics, it seemed highly unlikely that a file could use it in such a way as to do something meaningful that was not limited to a specific editor. In the context of in-memory WMFs, though, that wouldn't be much of a drawback. That's good research on your part.

While it is possible, I don't see too many graphics editors using this functionality -- it's just too much of a kludge. Aside from the fact that WMF is an *_antiquated_* 16-bit format, most editor programs use a native or more common format. So, for the "what (if any) programs use them", I suspect the answer is: none. I'll just put it this way... I'm none-too-concerned about any real-world breakage from the fix you've offered. :-)

I suspect MS will follow suit, disabling ABORTPROC for at least on-disk files. Given that the on-disk/in-memory determination is made based on a bit in the image header, Microsoft may be forced to take the exact same course of action you have. We shall soon see, as it doesn't seem Microsoft can afford to waste time getting this fix out the door.
> MM> It might be worth noting that Ilfak only tested his patch on XP SP2.
> MM> It's been said to work on Windows Server 2003 SP1 by some, though it's
> MM> confirmed that it does indeed break on XP SP1, XP RTM, and there are
> MM> conflicting reports about Win2003 RTM. Windows 2000, Windows 98, and
> MM> Windows Me users aren't able to apply the fix, either. Given that the
> MM> number of Win2003 systems out there is going to be pretty small, it
> MM> seems that most non-XP desktop environments will be out of luck, as will
> MM> environments that haven't made the move up to SP2 from SP1 or (god
> MM> forbid) RTM.
>
> The fix has been tested on 2000, XP, and Server2003 machines so far.
> As for WinME/98 - I have no idea. It is quite possible that they are
> not vulnerable but this is to be checked.
My apologies! I had visited your site previous to the update that enabled Windows 2000 support. Nice work. Excuse me while I pull my foot out from between my teeth.
> MM> As an aside, with source code being available, I imagine that Ilfak's
> MM> patch could be ported to different environments if copies of the
> MM> gdi32.dll file from those systems could be procured.
>
> Yes, I love to hear that. However, porting to Win9x systems will be a
> pain. I doubt that it is possible/desirable to patch gdi32.dll as it is
> done for NT based systems.
The patching semantics would be different, but I imagine it's still possible. That aside, though, seeing as your patch supports the systems in the most use for desktop OSes (Windows 2000 and Windows XP), I'm not nearly as concerned. Windows 98 and Windows Me are on their last legs as viable OSes, and the "criticals only" patch policy for it has left it a minefield as is. I will be counting my blessings the day that support for the operating scourges... er, systems... known as Windows 98 and Windows Me expires. 6 months and 30 days.

- --
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein
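A detection-side example, added here and not part of the thread or of Ilfak's patch: it parses a WMF header, reports the memory/disk type field the thread refers to, and flags any GDI Escape record carrying the SETABORTPROC subfunction (escape number 9, which is how the ABORTPROC record appears in a metafile). The helper that builds the two test files is mine; those files are constructed inline and contain no payload.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function: GDI Escape
SETABORTPROC = 0x0009       # Escape subfunction that installs an abort procedure
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" header prefix

def scan_wmf(data: bytes) -> dict:
    """Return the header type (memory/disk) and the offset of every
    Escape record whose subfunction is SETABORTPROC."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                          # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # mtType (1 = memory, 2 = disk) and mtHeaderSize in 16-bit words
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    kind = {1: "memory", 2: "disk"}.get(mt_type, "unknown")
    pos = off + hdr_words * 2
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            break                         # malformed record: stop, never loop
        if func == META_ESCAPE and pos + 8 <= len(data):
            esc = struct.unpack_from("<H", data, pos + 6)[0]
            if esc == SETABORTPROC:
                hits.append(pos)
        if func == 0:
            break                         # META_EOF
        pos += size_words * 2
    return {"type": kind, "abortproc_offsets": hits}

def _wmf(mt_type: int, records: bytes) -> bytes:
    """Build a minimal WMF around the given records (constructed test data)."""
    body = records + struct.pack("<IH", 3, 0)          # append META_EOF
    total_words = (18 + len(body)) // 2
    hdr = struct.pack("<HHHIHIH", mt_type, 9, 0x0300, total_words, 0, 5, 0)
    return hdr + body

# Constructed samples: a harmless disk metafile with one META_SETBKMODE
# record, and a memory-type metafile carrying an empty SETABORTPROC escape.
BENIGN_DISK = _wmf(2, struct.pack("<IHH", 4, 0x0102, 1))
ABORTPROC_MEMORY = _wmf(1, struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_DISK), ("abortproc", ABORTPROC_MEMORY)):
        print(name, scan_wmf(blob))
```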