Re: Steve Gibson smokes crack?

[eric williams <nfobro () gmail com>]

On 1/13/06, Peter Ferrie <pferrie () symantec com> wrote:
> [snip]
> > does any know the circumstances, in all cases, where the bug is
> > triggered or is there only speculation based upon exploit code
> > "working" against a given vulnerable implementation of the API?
>
> The triggering mechanism is well-understood: this incorrect record
> length requirement is simply wrong.  There is no "magic key".
> It is possible to create entirely well-formed files that will
> execute.  I don't know why Steve couldn't get it working properly,
> and I'd like to know just how he managed to get it working at all
> on Windows 2000 (see below).  So, what we have is this:
>
> The file must not begin with the placeable (aka Aldus) meta file
> header.  If it does begin with that, then the function is ignored,
> and Windows continues to parse the file.
> This is why Windows 9x, NT, and 2000, do not execute anything from
> within Internet Explorer, for example - they do not support WMF
> files without the Aldus header.
>
> The record must be reachable.  It will not execute if the EOF
> record (function number 00) is seen first.

Ahh, perfect!  Thanks Peter that clears up a lot for me.  In fact does
this also infer that all you need is a "crapped" up pluggable viewer
for IE on Windows 9x, etc. to exploit this flaw on one of those O/Ss? 
Does this further indicate that Office 98 and other M$ Office versions
that run on the ealier O/Ss and support the WMF mapping are
'vulnerable' to exploitation - still ?

Thanks, you provided a cogent and direct response, it was very helpful
(at least to me) in getting to the meat of this dicussion.

-e

> That's all.  To clarify some other things:
>
> The record length can be any value at all, as long as it remains
> within the bounds of the file.  Before executing any record,
> Windows checks that the next record is accessible.
>
> The file does not have to end with the EOF record, but there must
> be one in the file.
>
> The smallest metafile is 18 bytes.  That's the header only.
> The smallest parsable metafile is 24 bytes (EOF record only).
> The smallest SetAbortProc file for Windows XP is 62 bytes.
>
> 8^) p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/