funsec mailing list archives
RE: Is The .WMF Exploit A ConsPiracy Gone Bad?
From: "Thomas Mannfred Carlsson" <thomas () carlsson fm>
Date: Fri, 13 Jan 2006 19:40:44 -0000
On 13 Jan 2006 at 12:47, Larry Seltzer wrote:
> He gives an explanation for how what he found works and I can't follow him.

To quote the Gibson explanation:

SG> "As I said before, each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size."

[...]

SG> "It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one."

I've not looked in detail at the WMF vulnerability, so I don't know what the exploits out there do or look like. However, as a Windows programmer I'm gathering that he's basically claiming the following (I'm not making any comment on whether he's accurate or not, because as stated I've not looked at the WMF vulnerability or exploit).

The WMF format has data file records in it, which follow the basic file header. The data records look as follows (defined in windows.h):

    typedef struct _StandardMetaRecord {
        DWORD Size;          /* Total size of the record in WORDs */
        WORD  Function;      /* Function number (defined in WINDOWS.H) */
        WORD  Parameters[];  /* Parameter values passed to function */
    } WMFRECORD;

The Size variable is the total size in words (i.e. 16-bit values) including the header. The minimum possible size is therefore 3 if there are no parameters.

What this Gibson guy is saying is that successful exploitation requires the size to be deliberately set to 1 (which is an "impossible" size for the record, as the minimum possible size in words is 3). I.e. size can't be 0, 2, 3 or whatever. Only if Size is set to 1 will the code that follows the header be executed.

IF what Gibson says is accurate re the above (i.e. this very specific/deliberate size value is how the WMF vulnerability is triggered), it isn't entirely unfair to wonder if this indeed is a deliberate backdoor, because it's difficult to see how a header parsing bug with such a specific setup requirement (i.e. only one specific illegal value of a bunch that programmers would not normally ever use) could result in such a specific outcome.

Can anyone here who has experimented with the WMF vulnerability confirm or deny that portion of the Gibson announcement (i.e. that the vulnerability can only be triggered in Windows systems with Size = 1)?

> BTW, if Gibson is right, how come Wine is vulnerable?

The problem with Wine's implementation could be different (I've yet to see Wine-specific exploits, and more importantly if and how they differ from the Win32 exploits). I must stress again that I've not looked at this vulnerability myself, so I'm not claiming anything re the validity of Gibson's statement - I'm merely explaining Gibson's assertion in programming terms.

Best Regards,
Thomas
--
Thomas Mannfred Carlsson
Researcher/Consultant
e-mail: thomas () carlsson fm
Public PGP key: http://www.beige.org/pgp.txt
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
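A defender's record walker for the structure described in the post, added here as an example (it is not code from the post, from Windows or from Wine): it steps through the WMF record list and reports any record whose Size field is below the 3-WORD minimum the post derives, so a file carrying the Size = 1 value Gibson describes is flagged instead of being parsed further. The header layout and the META_EOF / META_SETMAPMODE function codes are taken from the MS-WMF specification; the sample files are constructed inline.

```python
import struct

# Layout constants from the MS-WMF specification (not from the post)
PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of the optional 22-byte placeable header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18         # standard METAHEADER is 9 WORDs
MIN_RECORD_WORDS = 3         # DWORD Size + WORD Function, as the post derives
META_EOF = 0x0000
META_SETMAPMODE = 0x0103

def parse_records(data):
    """Return (offset, size_words, function, verdict) per record; stops at the
    first 'impossible-size' (Size < 3 WORDs, e.g. Size == 1), 'truncated' or 'eof'."""
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN          # skip the placeable header if present
    off += META_HEADER_LEN                  # skip the standard METAHEADER
    out = []
    while off + 6 <= len(data):             # need at least Size + Function
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < MIN_RECORD_WORDS:   # 0, 1 or 2 cannot hold the 6-byte header
            out.append((off, size_words, func, 'impossible-size'))
            break
        if off + size_words * 2 > len(data):
            out.append((off, size_words, func, 'truncated'))
            break
        out.append((off, size_words, func, 'eof' if func == META_EOF else 'ok'))
        if func == META_EOF:
            break
        off += size_words * 2               # Size is in WORDs, advance in bytes
    return out

def has_impossible_record(data):
    return any(v == 'impossible-size' for _, _, _, v in parse_records(data))

def build_wmf(records):
    # Build a minimal non-placeable WMF from (size_words, function, params) tuples
    body = b''.join(struct.pack('<IH', s, f) + p for s, f, p in records)
    total_words = (META_HEADER_LEN + len(body)) // 2
    max_rec = max(s for s, _, _ in records)
    # Type=1, HeaderSize=9 WORDs, Version=0x0300, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    return struct.pack('<HHHIHIH', 1, 9, 0x0300, total_words, 0, max_rec, 0) + body

# Constructed samples (not real captures): a well-formed file, and one whose
# second record carries the "impossible" Size of 1 WORD.
SAMPLE_OK = build_wmf([(4, META_SETMAPMODE, struct.pack('<H', 8)), (3, META_EOF, b'')])
SAMPLE_BAD = build_wmf([(4, META_SETMAPMODE, struct.pack('<H', 8)),
                        (1, META_SETMAPMODE, b'\x00' * 8),
                        (3, META_EOF, b'')])
```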