Full Disclosure mailing list archives

Re: RE: Windows XP explorer.exe heap overflow.


From: Eli Kara <elik () beyondsecurity com>
Date: Wed, 25 Feb 2004 09:49:10 +0200

I have tried to recreate the problem with an already existing EMF file.
I have changed the total file size (offset 30h) to about 20h or something
small such as that.

The file's reported header size was 6Ch (for some reason...) and I've tested
it on WinXP to no avail.

Eli

On Tuesday 24 February 2004 19:10, Larry Seltzer wrote:
I can confirm the non-error on a WMF file, but the alert referred to EMF
files. I can't locate one. Would they necessarily be the same?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer () ziffdavis com

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Evgeny Pinchuk
Sent: Tuesday, February 24, 2004 10:42 AM
To: 'sunglasses () bay-watch com'; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] RE: Windows XP explorer.exe heap overflow.



Hi,

I modified a WMF file at offset 24 (0x18), which is the header size, and
could not recreate the bug.
The header size of a WMF file is always 9, and modifying it results only in an
error message that the file couldn't be shown.

Some info on WMF files:
Format:
-Placeable Meta Header     - (22 bytes)
-Standard Meta Header      - (18 bytes)
-Standard Metafile Record1 -
...
-Standard Metafile RecordN -

Structures:
typedef struct _PlaceableMetaHeader
{
  DWORD Key;           /* Magic number (always 9AC6CDD7h) */
  WORD  Handle;        /* Metafile HANDLE number (always 0) */
  SHORT Left;          /* Left coordinate in metafile units */
  SHORT Top;           /* Top coordinate in metafile units */
  SHORT Right;         /* Right coordinate in metafile units */
  SHORT Bottom;        /* Bottom coordinate in metafile units */
  WORD  Inch;          /* Number of metafile units per inch */
  DWORD Reserved;      /* Reserved (always 0) */
  WORD  Checksum;      /* Checksum value for previous 10 WORDs */
} PLACEABLEMETAHEADER;

typedef struct _WindowsMetaHeader
{
  WORD  FileType;       /* Type of metafile (0=memory, 1=disk) */
  WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
  WORD  Version;        /* Version of Microsoft Windows used */
  DWORD FileSize;       /* Total size of the metafile in WORDs */
  WORD  NumOfObjects;   /* Number of objects in the file */
  DWORD MaxRecordSize;  /* The size of largest record in WORDs */
  WORD  NumOfParams;    /* Not Used (always 0) */
} WMFHEAD;


More information about WMF files can be found at
http://www.whisqu.se/per/docs/wmf.htm


Evgeny.

-----Original Message-----
From: sunglasses () bay-watch com [mailto:sunglasses () bay-watch com]
Sent: Friday, February 20, 2004 8:46 PM
To: bugtraq () securityfocus com
Subject: Windows XP explorer.exe heap overflow.



Vulnerability in XP explorer.exe image loading
----------------------------------------------

Systems affected:
  Current XP - others not tested.

Degree:
  Arbitrary code execution.

Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
exploitable heap overflow in (or near) shimgvw.dll.

Details
-------
The image preview code that explorer uses has an exploitable buffer
overflow.

An .emf file with a "total size" field set to less than the header size
will cause explorer.exe to crash in the heap routines - in classic heap
overflow style that should be exploitable a la the RPC exploits.

There are two overflows here:

1. A buffer is allocated with the size indicated in the header (no
validity checks), then the header is copied into it - if the size is less
than the header size, that's one overflow.

2. They then proceed to read the rest of the file to a length of (size-
headersize), which allows for an integer overflow causing the rest of the
file to be appended to the already blown buffer.

Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid
"size" field) .emf file in any directory, open explorer to that path, and
view as Thumbnails. Bang. In its simplest form it's a DoS - it affects all
explorer windows, including File Open dialogs for many programs.

Alternatively, without viewing as a Thumbnail, open the picture preview
window for the .emf file. (It's the default double-click action). Using
this trigger causes a different crash point, which may not be
exploitable, but I wouldn't rule it out.

Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are
similar.


- Jellytop, 2004

"If a man will begin with certainties, he shall end in doubts; but if he
will be content to begin with doubts he shall end in certainties."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
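The following is an added example and is not code from any of the posters above. It puts the two checks the thread keeps circling back to into working C: the WMF header sanity checks implied by Evgeny's structures (HeaderSize must be 9 WORDs, FileSize in WORDs must cover at least the header and no more than the file), and the EMF "total size" check that Jellytop's advisory says the preview code lacks. The EMF offsets used (nSize at 4, dSignature at 40, nBytes at 48, i.e. the 30h offset Eli mentions, and a 6Ch-byte header when both extensions are present) are taken from the standard ENHMETAHEADER layout, not from the post. The sample files are constructed inline; `emf_remaining_unchecked` only computes the wrapped length the advisory describes and never performs a copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the header consistency checks. */
enum mf_status {
    MF_OK = 0,
    MF_TRUNCATED,        /* file shorter than the header it claims */
    MF_BAD_MAGIC,        /* wrong signature / file type */
    MF_BAD_HEADER_SIZE,  /* WMF HeaderSize != 9, or EMF nSize out of range */
    MF_SIZE_LT_HEADER,   /* total size smaller than the header: the advisory's case */
    MF_SIZE_GT_FILE      /* total size larger than the bytes actually present */
};

/* Little-endian field access; metafile headers are little-endian on disk. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* The arithmetic the advisory describes: after allocating nBytes and copying
 * nSize header bytes into it, the loader reads (nBytes - nSize) more bytes.
 * With nBytes < nSize the unsigned subtraction wraps to a huge length.
 * This only returns the wrapped value; it never performs the read. */
uint32_t emf_remaining_unchecked(uint32_t total_size, uint32_t header_size) {
    return total_size - header_size;
}

/* Hardened EMF header check (assumed ENHMETAHEADER offsets: nSize at 4,
 * dSignature " EMF" = 0x464D4520 at 40, nBytes at 48). */
enum mf_status emf_check(const uint8_t *buf, size_t len) {
    if (len < 52) return MF_TRUNCATED;              /* need everything up to nBytes */
    uint32_t nSize  = rd32(buf + 4);
    uint32_t nBytes = rd32(buf + 48);
    if (rd32(buf) != 1 || rd32(buf + 40) != 0x464D4520u) return MF_BAD_MAGIC;
    if (nSize < 88 || nSize > len) return MF_BAD_HEADER_SIZE; /* 88 = header with no extensions */
    if (nBytes < nSize) return MF_SIZE_LT_HEADER;   /* rejects the malformed "total size" */
    if (nBytes > len) return MF_SIZE_GT_FILE;
    return MF_OK;
}

/* WMF check built on the structures posted above: optional 22-byte placeable
 * header (Key 9AC6CDD7h), then the 18-byte standard header with sizes in WORDs. */
enum mf_status wmf_check(const uint8_t *buf, size_t len) {
    size_t off = (len >= 4 && rd32(buf) == 0x9AC6CDD7u) ? 22 : 0;
    if (len < off + 18) return MF_TRUNCATED;
    const uint8_t *h = buf + off;
    uint32_t file_words = rd32(h + 6);
    if (rd16(h) > 1) return MF_BAD_MAGIC;                  /* FileType: 0=memory, 1=disk */
    if (rd16(h + 2) != 9) return MF_BAD_HEADER_SIZE;       /* HeaderSize is always 9 WORDs */
    if (file_words < 9) return MF_SIZE_LT_HEADER;          /* cannot be smaller than the header */
    if ((size_t)file_words * 2 > len - off) return MF_SIZE_GT_FILE;
    return MF_OK;
}

/* Constructed samples (not from the post): a minimal EMF and a minimal
 * placeable WMF, each with a single EOF record. */
#define EMF_LEN 128
#define WMF_LEN 46
static void make_emf(uint8_t out[EMF_LEN]) {
    memset(out, 0, EMF_LEN);
    wr32(out + 0, 1);  wr32(out + 4, 108);          /* iType=EMR_HEADER, nSize=6Ch */
    wr32(out + 40, 0x464D4520u); wr32(out + 44, 0x10000); /* dSignature, nVersion */
    wr32(out + 48, EMF_LEN); wr32(out + 52, 2);     /* nBytes, nRecords */
    wr16(out + 56, 1);                              /* nHandles */
    wr32(out + 108, 14); wr32(out + 112, 20);       /* EMR_EOF record, 20 bytes */
    wr32(out + 120, 16); wr32(out + 124, 20);       /* offPalEntries, nSizeLast */
}
static void make_wmf(uint8_t out[WMF_LEN]) {
    memset(out, 0, WMF_LEN);
    wr32(out, 0x9AC6CDD7u);                         /* placeable Key */
    wr16(out + 10, 100); wr16(out + 12, 100); wr16(out + 14, 96); /* Right, Bottom, Inch */
    uint16_t cs = 0;                                /* Checksum: XOR of previous 10 WORDs */
    for (int i = 0; i < 20; i += 2) cs ^= rd16(out + i);
    wr16(out + 20, cs);
    wr16(out + 22, 1); wr16(out + 24, 9); wr16(out + 26, 0x300); /* FileType, HeaderSize, Version */
    wr32(out + 28, 12); wr32(out + 34, 3);          /* FileSize (9+3 WORDs), MaxRecordSize */
    wr32(out + 40, 3);                              /* EOF record: 3 WORDs, function 0 */
}

/* Scenario helpers: patch one field and re-check, as the posters did by hand. */
enum mf_status emf_status_with_nbytes(uint32_t nbytes) {
    uint8_t f[EMF_LEN]; make_emf(f); wr32(f + 48, nbytes); return emf_check(f, EMF_LEN);
}
enum mf_status wmf_status_with_header_size(uint16_t hs) {
    uint8_t f[WMF_LEN]; make_wmf(f); wr16(f + 24, hs); return wmf_check(f, WMF_LEN);
}

int main(void) {
    printf("EMF intact:         %d\n", emf_status_with_nbytes(EMF_LEN));
    printf("EMF nBytes=20h:     %d\n", emf_status_with_nbytes(0x20));
    printf("wrapped (20h-6Ch):  0x%08X\n", emf_remaining_unchecked(0x20, 0x6C));
    printf("WMF intact:         %d\n", wmf_status_with_header_size(9));
    printf("WMF HeaderSize=10:  %d\n", wmf_status_with_header_size(10));
    return 0;
}
```

Setting nBytes to 20h with a 6Ch header, as Eli did, makes `emf_check` return MF_SIZE_LT_HEADER, and `emf_remaining_unchecked` shows why a loader without that check is in trouble: 0x20 - 0x6C wraps to 0xFFFFFFB4, so a read of "the rest of the file" has a length of nearly 4 GB against a 32-byte allocation. The WMF path fails closed on a bad HeaderSize, which matches the error message Evgeny saw rather than a crash.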

