Full Disclosure mailing list archives
RE: RE: Windows XP explorer.exe heap overflow.
From: "Otero, Hernan (EDS)" <HOtero () lanchile cl>
Date: Tue, 24 Feb 2004 15:51:07 -0400
For all those that consult by the source code, I do not have it..., I have been able to accede to some files online, in a site that is no longer available, related with bug published by gta () hush com -H -----Original Message----- From: Otero, Hernan (EDS) [mailto:HOtero () lanchile cl] Sent: Martes, 24 de Febrero de 2004 14:06 To: Michael Wojcik Cc: Chris Calabrese; sunglasses () bay-watch com; full-disclosure () lists netsys com Subject: RE: [Full-disclosure] RE: Windows XP explorer.exe heap overflow. I have modified this WMF and the explorer process take 100% of the cpu Using WinXP all patch applied -H -----Original Message----- From: Otero, Hernan (EDS) [mailto:HOtero () lanchile cl] Sent: Martes, 24 de Febrero de 2004 12:13 To: Michael Wojcik; bugtraq () securityfocus com Cc: Chris Calabrese; sunglasses () bay-watch com; full-disclosure () lists netsys com Subject: [Full-disclosure] RE: Windows XP explorer.exe heap overflow. Looking at the source... everyone knows where and how..., this piece of code could be part of the problem... // read in the header if (!Read(&emh, sizeof(emh))) //<--- This will fill up all header records return; _xWid = emh.rclBounds.right - emh.rclBounds.left; _yHei = emh.rclBounds.bottom - emh.rclBounds.top; // Post WHKNOWN OnSize(_xWid, _yHei, _lTrans); // allocate a buffer to hold metafile ulSize = emh.nBytes; //<---- This value could be any arbitrary value pbBuf = (LPBYTE)MemAlloc(Mt(CImgTaskEmfBuf), ulSize); //<-- Memory //allocation size is referenced to that arbitrary value. if (!pbBuf) return; // copy the header into the buffer memcpy(pbBuf, &emh, sizeof(emh)); <--// Arbitrary buf size receiving an //arbitrary size header // read the metafile into memory after the header if (!Read(pbBuf + sizeof(emh), ulSize - sizeof(emh))) goto Cleanup; Just supposed things... -H -----Original Message----- From: Michael Wojcik [mailto:Michael.Wojcik () microfocus com] Sent: Lunes, 23 de Febrero de 2004 18:37 To: bugtraq () securityfocus com Cc: Chris Calabrese; sunglasses () bay-watch com Subject: RE: Windows XP explorer.exe heap overflow. Yep. I suggested that on Vuln-Dev nearly four years ago [1], but I never pursued it, and this is the first time since then that I've seen it come up. In Outlook 2002 (aka Outlook XP, aka Outlook 10) and later, you can disable the automatic display of any kind of non-text content by forcing Outlook to render all email as plain text. This is a huge improvement over normal Outlook behavior; besides making Outlook much less dangerous, it spares you annoying markup of all kinds. Create the Registry key HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\READASPLAIN as a DWORD and set it to 1. Presto - no more HTML, no more RTF, no more pictures. 1. http://www.securityfocus.com/archive/82/50050 -- Michael Wojcik Principal Software Systems Developer, Micro Focus
-----Original Message----- From: Chris Calabrese [mailto:chris_calabrese () yahoo com] Sent: Monday, February 23, 2004 4:31 PM To: sunglasses () bay-watch com; bugtraq () securityfocus com Subject: Re: Windows XP explorer.exe heap overflow. This could actually be much worse since it looks like Internet Explorer and Outlook will happily display WMF files with no questions asked. Has anyone crafted a test WMF file we can use to check whether this could be exploited via an email worm through Outlook? On 2/20/2004 1:45 PM, sunglasses () bay-watch com wrote:Vulnerability in XP explorer.exe image loading ---------------------------------------------- Systems affected: Current XP - others not tested. Degree: Arbitrary code execution. Summary ------- A malformed .emf (Enhanced Metafile, a graphics format) filecan cause an exploitable heap overflow in (or near) shimgvw.dll.Details ------- The image preview code that explorer uses has an exploitable bufferoverflow.An .emf file with a "total size" field set to less than the headersize will causes explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.There are two overflows here: 1. A buffer is allocated with the size indicated in the header (novalidity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.2. They then proceed to read the rest of the file to a length of(size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.Exploit ------- To exploit this flaw (in explorer), simply place a malformed (invalid"size" field) .emf filein any directory, open explorer to that path, and view as Thumbnails.Bang. In it's simplestform it's a DOS - it affects all explorer windows, includingFile Open dialogs for many programs.Alternatively, without viewing as a Thumbnail, open the picturepreview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.Additional notes ---------------- It may be worth checking out similar issues in .wmf files,as they are similar.- Jellytop, 2004 "If a man will begin with certainties, he shall end in doubts; but ifhe will be content tobegin with doubts he shall end in certainties."__________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools ______________________________________________________________ __________ This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com ______________________________________________________________ __________
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Windows XP explorer.exe heap overflow. Otero, Hernan (EDS) (Feb 24)
- <Possible follow-ups>
- RE: Windows XP explorer.exe heap overflow. Evgeny Pinchuk (Feb 24)
- RE: RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 24)
- Re: RE: Windows XP explorer.exe heap overflow. Eli Kara (Feb 25)
- RE: RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 24)
- RE: RE: Windows XP explorer.exe heap overflow. Otero, Hernan (EDS) (Feb 24)
- Re: RE: Windows XP explorer.exe heap overflow. gazpa (Feb 24)
- RE: RE: Windows XP explorer.exe heap overflow. Otero, Hernan (EDS) (Feb 24)
- Re: Windows XP explorer.exe heap overflow. disclosure (Feb 24)