Full Disclosure mailing list archives

RE: RE: Windows XP explorer.exe heap overflow.

From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 24 Feb 2004 12:10:03 -0500

I can confirm the non-error on a WMF file, but the alert referred to EMF files. I can't
locate one. Would they necessarily be the same?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer () ziffdavis com 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Evgeny Pinchuk
Sent: Tuesday, February 24, 2004 10:42 AM
To: 'sunglasses () bay-watch com'; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] RE: Windows XP explorer.exe heap overflow.



Hi, 

I modified a WMF file at offset 24 (0x18h) which is the header size and could not
recreate the bug. 
The header size of WMF file is always 9 and modifying it results only an error message
that the file couldn't be shown. 

Some info on WMF files: 
Format: 
-Placeable Meta Header     - (22 bytes) 
-Standard Meta Header      - (18 bytes) 
-Standart Metafile Record1 - 
... 
-Standart Metafile RecordN - 

Structures: 
typedef struct _PlaceableMetaHeader 
{ 
  DWORD Key;           /* Magic number (always 9AC6CDD7h) */ 
  WORD  Handle;        /* Metafile HANDLE number (always 0) */ 
  SHORT Left;          /* Left coordinate in metafile units */ 
  SHORT Top;           /* Top coordinate in metafile units */ 
  SHORT Right;         /* Right coordinate in metafile units */ 
  SHORT Bottom;        /* Bottom coordinate in metafile units */ 
  WORD  Inch;          /* Number of metafile units per inch */ 
  DWORD Reserved;      /* Reserved (always 0) */ 
  WORD  Checksum;      /* Checksum value for previous 10 WORDs */ 
} PLACEABLEMETAHEADER; 

typedef struct _WindowsMetaHeader 
{ 
  WORD  FileType;       /* Type of metafile (0=memory, 1=disk) */ 
  WORD  HeaderSize;     /* Size of header in WORDS (always 9) */ 
  WORD  Version;        /* Version of Microsoft Windows used */ 
  DWORD FileSize;       /* Total size of the metafile in WORDs */ 
  WORD  NumOfObjects;   /* Number of objects in the file */ 
  DWORD MaxRecordSize;  /* The size of largest record in WORDs */ 
  WORD  NumOfParams;    /* Not Used (always 0) */ 
} WMFHEAD; 


More information about WMF files can be found at http://www.whisqu.se/per/docs/wmf.htm 


Evgeny.

-----Original Message----- 
From: sunglasses () bay-watch com [mailto:sunglasses () bay-watch com] 
Sent: Friday, February 20, 2004 8:46 PM 
To: bugtraq () securityfocus com 
Subject: Windows XP explorer.exe heap overflow. 

Vulnerability in XP explorer.exe image loading 
---------------------------------------------- 

Systems affected: 
  Current XP - others not tested. 

Degree: 
  Arbitrary code execution. 

Summary 
------- 
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an 
exploitable heap overflow in (or near) shimgvw.dll. 

Details 
------- 
The image preview code that explorer uses has an exploitable buffer 
overflow. 

An .emf file with a "total size" field set to less than the header size 
will causes explorer.exe to crash in the heap routines - in classic heap 
overflow style that should be exploitable a la the RPC exploits. 

There are two overflows here: 

1. A buffer is allocated with the size indicated in the header (no 
validity checks), then the header is copied into it - if the size is less 
than the header size, that's one overflow. 

2. They then proceed to read the rest of the file to a length of (size- 
headersize), which allows for an integer overflow causing the rest of the 
file to be appended to the already blown buffer. 

Exploit 
------- 
To exploit this flaw (in explorer), simply place a malformed (invalid 
"size" field) .emf file 
in any directory, open explorer to that path, and view as Thumbnails. 
Bang. In it's simplest 
form it's a DOS - it affects all explorer windows, including File Open 
dialogs for many programs. 

Alternatively, without viewing as a Thumbnail, open the picture preview 
window for the .emf file. (It's the default double-click action). Using 
this trigger causes a different crash point, which may not be exploitable, 
but I wouldn't rule it out. 

Additional notes 
---------------- 
It may be worth checking out similar issues in .wmf files, as they are 
similar. 

- Jellytop, 2004 

"If a man will begin with certainties, he shall end in doubts; but if he 
will be content to 
begin with doubts he shall end in certainties."

Current thread:

RE: Windows XP explorer.exe heap overflow. Otero, Hernan (EDS) (Feb 24)
- <Possible follow-ups>
- RE: Windows XP explorer.exe heap overflow. Evgeny Pinchuk (Feb 24)
  - RE: RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 24)
    - Re: RE: Windows XP explorer.exe heap overflow. Eli Kara (Feb 25)
- RE: RE: Windows XP explorer.exe heap overflow. Otero, Hernan (EDS) (Feb 24)
  - Re: RE: Windows XP explorer.exe heap overflow. gazpa (Feb 24)
- RE: RE: Windows XP explorer.exe heap overflow. Otero, Hernan (EDS) (Feb 24)
- Re: Windows XP explorer.exe heap overflow. disclosure (Feb 24)