funsec mailing list archives

RE: Is The .WMF Exploit A ConsPiracy Gone Bad?


From: "Thomas Mannfred Carlsson" <thomas () carlsson fm>
Date: Fri, 13 Jan 2006 19:40:44 -0000

On 13 Jan 2006 at 12:47, Larry Seltzer wrote:

> He gives an explanation for how what he found works and
> I can't follow him.

To quote the Gibson explanation: 

SG> "As I said before, each record in a metafile begins with a four-
SG> byte length, followed by a two-byte function number. So in other 
SG> words, each metafile record has six bytes minimum that it can 
SG> possibly be in size." [...] 

SG> "It turns out that the only way to get Windows to misbehave in 
SG> this bizarre fashion is to set the length to one, which is an 
SG> impossible value. I tried setting it to zero. It didn't trigger the 
SG> exploit. I tried setting it to two, no effect. Three, no effect. 
SG> Nothing, not even the correct length. Only one."

I've not looked in detail at the WMF vulnerability so I don't know 
what the exploits out there do or look like. However, as a Windows 
programmer I'm gathering that he's basically claiming the following 
(I'm not making any comment on whether he's accurate or not, because 
as stated I've not looked at the WMF vulnerability or exploit).

The WMF format has data file records in it, which follow the basic 
file header. The data records look as follows (defined in windows.h):

typedef struct _StandardMetaRecord
{
    DWORD Size;          /* Total size of the record in WORDs */
    WORD  Function;      /* Function number (defined in WINDOWS.H) */
    WORD  Parameters[];  /* Parameter values passed to function */
} WMFRECORD;

The Size variable is the total size in words (i.e. 16 bit values) 
including the header. The minimum possible size is therefore 3 if 
there are no parameters. What this Gibson guy is saying is, that 
successful exploitation requires the size to be deliberately set to 1 
(which is an "impossible" size for the record, as the minimum 
possible size in words is 3). I.e. size can't be 0, 2, 3 or whatever. 
Only if Size is set as 1 will the code that follows the header be 
executed.

IF what Gibson says is accurate re the above (i.e. this very 
specific/deliberate size value is how the WMF vulnerability is 
triggered), it isn't entirely unfair to wonder if this indeed is a 
deliberate backdoor, because it's difficult to see how a header 
parsing bug with such a specific setup requirement (i.e. only one 
specific illegal value of a bunch that programmers would not normally 
ever use) could result in such a specific outcome.

Can anyone here who has experimented with the WMF vulnerability 
confirm or deny that portion of the Gibson announcement (i.e. that 
the vulnerability can only be triggered in Windows systems with Size 
= 1)?

> BTW, if Gibson is right, how come Wine is vulnerable? 

The problem with Wine's implementation could be different (I have 
yet to see Wine-specific exploits, and more importantly if and how 
they differ from the Win32 exploits).

I must stress again that I've not looked at this vulnerability 
myself, so I'm not claiming anything re the validity of Gibson's 
statement - I'm merely explaining Gibson's assertion in programming 
terms.

Best Regards,

Thomas

-- 
  Thomas Mannfred Carlsson
  Researcher/Consultant
  e-mail: thomas () carlsson fm
  Public PGP key: http://www.beige.org/pgp.txt

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
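As an added illustration of the size invariant described in the message above (this is example code written for this archive page, not anything the poster or the funsec list published): a small record walker that applies the rule derived from the WMFRECORD struct, namely that every record is at least 3 WORDs (the DWORD Size plus the WORD Function), and reports any record whose Size is below that minimum, including the Size = 1 case under discussion, as well as records that would run past the end of the file. It generalizes the point slightly by treating every value below 3 as undersized rather than only 1. Assumptions not taken from the message: the 18-byte standard METAHEADER layout, the META_EOF record (Function 0) terminating the record stream, and the sample files, which are constructed inline. A placeable (Aldus) header is not handled.

```python
import struct

# Minimum record size in WORDs: DWORD Size (2 WORDs) + WORD Function (1 WORD),
# as follows from the WMFRECORD struct quoted in the message.
MIN_RECORD_WORDS = 3

# Standard WMF file header (METAHEADER) is 18 bytes; assumed from the WMF
# spec, not stated in the message. mtHeaderSize is given in WORDs (9).
METAHEADER_SIZE = 18
METAHEADER_FMT = '<HHHIHIH'   # mtType, mtHeaderSize, mtVersion, mtSize,
                              # mtNoObjects, mtMaxRecord, mtNoParameters
META_EOF = 0                  # Function number of the terminating record (assumed)


def walk_records(data, offset):
    """Walk WMFRECORDs from `offset`, returning (offset, size_words, function, status).

    status is 'ok', 'undersized' (Size below the 3-WORD minimum) or 'truncated'
    (record claims more bytes than remain in the file). Walking stops at the
    first bad record: advancing by Size*2 bytes when Size < 3 would land back
    inside the same 6-byte header (0, 2 or 4 bytes forward), so a naive reader
    would re-interpret header bytes as a new record or loop forever.
    """
    records = []
    while offset + 6 <= len(data):
        size_words, function = struct.unpack_from('<IH', data, offset)
        if size_words < MIN_RECORD_WORDS:
            records.append((offset, size_words, function, 'undersized'))
            break
        size_bytes = size_words * 2
        if offset + size_bytes > len(data):
            records.append((offset, size_words, function, 'truncated'))
            break
        records.append((offset, size_words, function, 'ok'))
        offset += size_bytes
        if function == META_EOF:
            break
    return records


def scan_wmf(data):
    """Parse the header, walk the records and collect anomalies as strings."""
    anomalies = []
    if len(data) < METAHEADER_SIZE:
        return {'records': [], 'anomalies': ['file shorter than METAHEADER']}
    (_type, hdr_words, _ver, _size, _nobj, _maxrec, _nparams) = \
        struct.unpack_from(METAHEADER_FMT, data, 0)
    if hdr_words * 2 != METAHEADER_SIZE:
        anomalies.append(f'unexpected mtHeaderSize={hdr_words} WORDs')
    records = walk_records(data, METAHEADER_SIZE)
    for off, sz, fn, status in records:
        if status != 'ok':
            anomalies.append(
                f'record at offset {off}: Size={sz} WORDs, '
                f'Function=0x{fn:04x} ({status})')
    return {'records': records, 'anomalies': anomalies}


# ---- constructed sample files (not real metafiles from anywhere) ----

def make_record(size_words, function, params=b''):
    """Build one WMFRECORD with an explicit Size field (may be deliberately wrong)."""
    return struct.pack('<IH', size_words, function) + params


def make_header(total_words, max_record_words):
    # mtType=1 (memory metafile), mtHeaderSize=9 WORDs, mtVersion=0x0300
    return struct.pack(METAHEADER_FMT, 1, 9, 0x0300, total_words, 0, max_record_words, 0)


# Function numbers below are arbitrary placeholders chosen for the example.
BENIGN = (make_header(17, 5)
          + make_record(5, 0x0101, b'\x00\x00\x00\x00')   # 3 header WORDs + 2 params
          + make_record(3, META_EOF))                      # terminating record

UNDERSIZED = (make_header(19, 5)
              + make_record(5, 0x0101, b'\x00\x00\x00\x00')
              + make_record(1, 0x0102, b'\x00\x00\x00\x00')  # Size=1: impossible
              + make_record(3, META_EOF))

TRUNCATED = make_header(23, 20) + make_record(20, 0x0101, b'\x00\x00\x00\x00')


if __name__ == '__main__':
    for name, blob in (('benign', BENIGN), ('undersized', UNDERSIZED), ('truncated', TRUNCATED)):
        result = scan_wmf(blob)
        print(name, result['anomalies'] or 'no anomalies')
```

The scanner deliberately stops at the first bad record rather than trying to resynchronize, since that is the behaviour a metafile reader should have: a Size below the minimum leaves no trustworthy way to find the next record.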

