Bugtraq mailing list archives
Re: Windows XP explorer.exe heap overflow.
From: Chris Calabrese <chris_calabrese () yahoo com>
Date: Mon, 23 Feb 2004 13:31:07 -0800 (PST)
This could actually be much worse since it looks like Internet Explorer and Outlook will happily display WMF files with no questions asked. Has anyone crafted a test WMF file we can use to check whether this could be exploited via an email worm through Outlook? On 2/20/2004 1:45 PM, sunglasses () bay-watch com wrote:
Vulnerability in XP explorer.exe image loading ---------------------------------------------- Systems affected: Current XP - others not tested. Degree: Arbitrary code execution. Summary ------- A malformed .emf (Enhanced Metafile, a graphics format) file can cause
an exploitable heap overflow in (or near) shimgvw.dll.
Details ------- The image preview code that explorer uses has an exploitable buffer
overflow.
An .emf file with a "total size" field set to less than the header
size will causes explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.
There are two overflows here: 1. A buffer is allocated with the size indicated in the header (no
validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.
2. They then proceed to read the rest of the file to a length of
(size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.
Exploit ------- To exploit this flaw (in explorer), simply place a malformed (invalid
"size" field) .emf file
in any directory, open explorer to that path, and view as Thumbnails.
Bang. In it's simplest
form it's a DOS - it affects all explorer windows, including File Open
dialogs for many programs.
Alternatively, without viewing as a Thumbnail, open the picture
preview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.
Additional notes ---------------- It may be worth checking out similar issues in .wmf files, as they are
similar.
- Jellytop, 2004 "If a man will begin with certainties, he shall end in doubts; but if
he will be content to
begin with doubts he shall end in certainties."
__________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools
Current thread:
- Windows XP explorer.exe heap overflow. sunglasses (Feb 23)
- Re: Windows XP explorer.exe heap overflow. Eli K. (Feb 24)
- RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 25)
- Re: Windows XP explorer.exe heap overflow. Eli Kara (Feb 25)
- Re: Windows XP explorer.exe heap overflow. Dragos Ruiu (Feb 26)
- RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 25)
- Re: Windows XP explorer.exe heap overflow. Tim (Feb 24)
- <Possible follow-ups>
- Re: Windows XP explorer.exe heap overflow. Chris Calabrese (Feb 23)
- blocking gzip encoded files Darwin Mecham (Feb 23)
- Re: blocking gzip encoded files mgotts (Feb 24)
- Re: blocking gzip encoded files Josep L. Guallar-Esteve (Feb 24)
- blocking gzip encoded files Darwin Mecham (Feb 23)
- RE: Windows XP explorer.exe heap overflow. Michael Wojcik (Feb 23)
- Re: Windows XP explorer.exe heap overflow. Eli K. (Feb 24)