Bugtraq mailing list archives
Re: WMF CreateBrushIndirect vulnerability (DoS)
From: temp0_123 () mail ru
Date: Sat, 13 Jan 2007 12:16:40 +0300
The following WMF exploit appeared on milw0rm today: http://www.milw0rm.com/exploits/3111
Another 'old new thing' (i.e. plagiarism): http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html
The vulnerability is a result of the WMF parser passing a value from the file as a pointer argument to the CreateBrushIndirect function. The function dereferences the pointer and dies with an access violation.
The value in the file is only 16-bit and it is sign extended into a 32-bit pointer. This means that we can only access addresses from 0x00000000 to 0x0000FFFF and from 0xFFFF0000 to 0xFFFFFFFF. Both of these ranges are always invalid, so the vulnerability is just a DoS.
For more details and some commentary, see: http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
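The sign-extension argument above, worked through as an added C example (not code from this post or from the exploit it references): a 16-bit field widened to a 32-bit pointer can only land in the two ranges named, and the exhaustive check confirms it for every possible value. The helper names are assumptions; no WMF parsing is performed.

```c
#include <stdint.h>
#include <stdio.h>

/* Sign-extend a 16-bit value from the file the way a 32-bit process does
 * when a signed 16-bit int is widened to a pointer-sized integer. */
uint32_t sign_extend16(uint16_t v)
{
    return (uint32_t)(int32_t)(int16_t)v;
}

/* 1 if addr is in the low range 0x00000000-0x0000FFFF,
 * 2 if addr is in the high range 0xFFFF0000-0xFFFFFFFF,
 * 0 if it is anywhere else (a range a sign-extended value can never reach). */
int which_range(uint32_t addr)
{
    if (addr <= 0x0000FFFFu) return 1;
    if (addr >= 0xFFFF0000u) return 2;
    return 0;
}

/* Exhaustively check the post's claim over all 65536 possible field values:
 * returns how many sign-extended values fall outside the two ranges
 * (expected: none, which is why the bug is only a DoS). */
unsigned count_outside_ranges(void)
{
    unsigned outside = 0;
    for (uint32_t v = 0; v <= 0xFFFFu; v++)
        if (which_range(sign_extend16((uint16_t)v)) == 0)
            outside++;
    return outside;
}

int main(void)
{
    /* Constructed sample values: largest positive and smallest negative int16. */
    printf("0x7FFF -> 0x%08X\n", sign_extend16(0x7FFF));
    printf("0x8000 -> 0x%08X\n", sign_extend16(0x8000));
    printf("values outside the two ranges: %u\n", count_outside_ranges());
    return 0;
}
```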