Full Disclosure mailing list archives
RE: Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
From: "Peter Ferrie" <pferrie () symantec com>
Date: Sun, 15 Jan 2006 14:39:08 -0800
>> There is no need for malformed input, though. The description isn't great, since upon return from the function, Windows will resume parsing the records in the usual way.

> IDK, but from reading the transcript there is malformed input in the form of an invalid record length that Gibson refers to, did you test the older metafile processing routines of the GDI, Peter?

Yes, I looked at Windows 3.1 (yes, really), 98, NT4, 2000, and XP. The code is effectively identical in all of those cases.

> It would be interesting to know whether the execution of a new thread is triggered by the same circumstances in all versions of Windows.

What's more interesting is Steve's claim of a thread being created. No thread is created. The callback is part of the existing code path, it is called periodically while parsing the file. Perhaps he meant that the thread is created in order to parse the WMF file (which is true).

> I also don't know about the assertion of older versions of the GDI being vulnerable, but I *do* expect there may be merit in pursuing that.

See above - they're all the same. The difference is only the registered handler or lack thereof.

> I think Gibson, if what he says is true makes an interesting argument concerning the invalid length == 1 issue.

It would be interesting if it were true, but it's not, so it's not.

> Still, it is hard for me to conceive of this as being anything more than a design flaw that as someone said before resulted from 'ease of use / feature creep' -- perhaps it was even a requested feature by some third-party vendor, who knows?

Like the all-powerful CreateObject() scripting function. 8^)

p.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
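The message above turns on two points: the abort callback is registered through a SETABORTPROC escape record and invoked from the ordinary record-parsing path, and (per Ferrie) no malformed record length is required for that to happen. The following scanner is an added example, not code from Peter Ferrie, the thread, or the GLSA: it walks the WMF record stream, flags any META_ESCAPE record whose escape function is SETABORTPROC regardless of its declared length, and separately flags records whose rdSize is below the 3-WORD minimum or runs past the end of the file, without ever trusting rdSize for its own loop control. The record layout and the META_ESCAPE (0x0626) and SETABORTPROC (9) values are the public WMF format; the sample file bytes are constructed here and carry no payload.

```python
"""
Scan a Windows Metafile (WMF) for META_ESCAPE records that register an
abort procedure (SETABORTPROC), and report records with implausible
rdSize fields. Added example; the sample bytes are synthetic.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # Aldus placeable-header magic
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18              # standard METAHEADER is 9 WORDs
META_ESCAPE = 0x0626             # rdFunction value for Escape()
SETABORTPROC = 9                 # escape sub-function number
MIN_RECORD_WORDS = 3             # rdSize (2 WORDs) + rdFunction (1 WORD)


def wmf_records(data):
    """Yield (offset, rdSize_in_words, rdFunction, params) per record.

    A record whose rdSize is undersized or runs past the buffer is
    reported once, with whatever bytes remain as its params, and then
    iteration stops, so a hostile length can neither loop the scanner
    nor make it read out of bounds.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + METAHEADER_LEN:
        raise ValueError("too short for a METAHEADER")
    mt_type, mt_header_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or mt_header_size != 9:
        raise ValueError("not a recognised WMF header")
    off += METAHEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < MIN_RECORD_WORDS or end > len(data):
            yield off, size_words, func, data[off + 6:]   # bad length: report, stop
            return
        yield off, size_words, func, data[off + 6:end]
        if func == 0:                                     # META_EOF
            return
        off = end


def find_setabortproc(data):
    """Return [(offset, kind), ...] where kind is 'bad_size' for a record
    with an undersized or overlong rdSize and 'setabortproc' for an
    Escape record whose first parameter WORD is SETABORTPROC.
    The two are independent: a well-formed SETABORTPROC record is still
    flagged, matching the observation that no malformed length is needed."""
    findings = []
    for off, size_words, func, params in wmf_records(data):
        if size_words < MIN_RECORD_WORDS or off + size_words * 2 > len(data):
            findings.append((off, "bad_size"))
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                findings.append((off, "setabortproc"))
    return findings


def build_sample(escape_size_words=5, include_escape=True):
    """Build a tiny synthetic WMF: METAHEADER, optionally one SETABORTPROC
    Escape record with a configurable rdSize, then META_EOF. Test data only."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    escape = b""
    if include_escape:
        # rdSize, rdFunction=META_ESCAPE, escape function, byte count of extra data
        escape = struct.pack("<IHHH", escape_size_words, META_ESCAPE, SETABORTPROC, 0)
    eof = struct.pack("<IH", 3, 0)
    return header + escape + eof


if __name__ == "__main__":
    for label, blob in (("well-formed", build_sample()),
                        ("rdSize=1", build_sample(1)),
                        ("no escape", build_sample(include_escape=False))):
        print(label, find_setabortproc(blob))
```

Run as a script it prints the findings for the three constructed files; as a module, `find_setabortproc(open(path, "rb").read())` gives the same list for a real file, and the only record where an escape's rdSize matters is one where the length is already invalid.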
Current thread:
- RE: Re: [ GLSA 200601-09 ] Wine: Windows MetafileSETABORTPROC vulnerability Todd Towles (Jan 13)
- Re: Re: [ GLSA 200601-09 ] Wine: Windows MetafileSETABORTPROC vulnerability bkfsec (Jan 13)
- RE: Re: [ GLSA 200601-09 ] Wine:Windows MetafileSETABORTPROC vulnerability Peter Ferrie (Jan 13)
- Re: Re: [ GLSA 200601-09 ] Wine:Windows MetafileSETABORTPROC vulnerability eric williams (Jan 13)
- RE: Re: [ GLSA 200601-09 ] Wine:Windows MetafileSETABORTPROC vulnerability Peter Ferrie (Jan 15)
- Re: Re: [ GLSA 200601-09 ] Wine:Windows MetafileSETABORTPROC vulnerability bkfsec (Jan 13)
- RE: Re: [ GLSA 200601-09 ] Wine:Windows MetafileSETABORTPROC vulnerability Peter Ferrie (Jan 13)
- Re: Re: [ GLSA 200601-09 ] Wine: Windows MetafileSETABORTPROC vulnerability bkfsec (Jan 13)