Bugtraq mailing list archives

Re: Windows XP explorer.exe heap overflow.

From: Chris Calabrese <chris_calabrese () yahoo com>
Date: Mon, 23 Feb 2004 13:31:07 -0800 (PST)

This could actually be much worse since it looks like Internet Explorer
and Outlook will happily display WMF files with no questions asked.

Has anyone crafted a test WMF file we can use to check whether this
could be exploited via an email worm through Outlook?

On 2/20/2004 1:45 PM, sunglasses () bay-watch com wrote:


Vulnerability in XP explorer.exe image loading

----------------------------------------------



Systems affected: 

 Current XP - others not tested.



Degree: 

 Arbitrary code execution.



Summary

-------

A malformed .emf (Enhanced Metafile, a graphics format) file can cause

an exploitable heap overflow in (or near) shimgvw.dll.




Details

-------

The image preview code that explorer uses has an exploitable buffer

overflow.




An .emf file with a "total size" field set to less than the header

size will causes explorer.exe to crash in the heap routines - in
classic heap overflow style that should be exploitable a la the RPC
exploits.




There are two overflows here:



1. A buffer is allocated with the size indicated in the header (no

validity checks), then the header is copied into it - if the size is
less than the header size, that's one overflow.




2. They then proceed to read the rest of the file to a length of

(size-headersize), which allows for an integer overflow causing the
rest of the file to be appended to the already blown buffer.




Exploit

-------

To exploit this flaw (in explorer), simply place a malformed (invalid

"size" field) .emf file


in any directory, open explorer to that path, and view as Thumbnails.

Bang. In it's simplest


form it's a DOS - it affects all explorer windows, including File Open

dialogs for many programs.




Alternatively, without viewing as a Thumbnail, open the picture

preview window for the .emf file. (It's the default double-click
action). Using this trigger causes a different crash point, which may
not be exploitable, but I wouldn't rule it out.




Additional notes

----------------

It may be worth checking out similar issues in .wmf files, as they are

similar.






- Jellytop, 2004 



"If a man will begin with certainties, he shall end in doubts; but if

he will be content to


begin with doubts he shall end in certainties."



__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools

Current thread:

Windows XP explorer.exe heap overflow. sunglasses (Feb 23)
- Re: Windows XP explorer.exe heap overflow. Eli K. (Feb 24)
  - RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 25)
    - Re: Windows XP explorer.exe heap overflow. Eli Kara (Feb 25)
    - Re: Windows XP explorer.exe heap overflow. Dragos Ruiu (Feb 26)
- Re: Windows XP explorer.exe heap overflow. Tim (Feb 24)
- <Possible follow-ups>
- Re: Windows XP explorer.exe heap overflow. Chris Calabrese (Feb 23)
  - blocking gzip encoded files Darwin Mecham (Feb 23)
    - Re: blocking gzip encoded files mgotts (Feb 24)
    - Re: blocking gzip encoded files Josep L. Guallar-Esteve (Feb 24)
- RE: Windows XP explorer.exe heap overflow. Michael Wojcik (Feb 23)