Full Disclosure mailing list archives
Re: Steve Gibson smokes crack?
From: eric williams <nfobro () gmail com>
Date: Fri, 13 Jan 2006 23:36:43 +0000
On 1/13/06, Peter Ferrie <pferrie () symantec com> wrote:
> [snip]
> > does anyone know the circumstances, in all cases, where the bug is triggered or is there only speculation based upon exploit code "working" against a given vulnerable implementation of the API?
>
> The triggering mechanism is well-understood: this incorrect record length requirement is simply wrong. There is no "magic key". It is possible to create entirely well-formed files that will execute. I don't know why Steve couldn't get it working properly, and I'd like to know just how he managed to get it working at all on Windows 2000 (see below).
>
> So, what we have is this:
>
> The file must not begin with the placeable (aka Aldus) metafile header. If it does begin with that, then the function is ignored, and Windows continues to parse the file. This is why Windows 9x, NT, and 2000 do not execute anything from within Internet Explorer, for example - they do not support WMF files without the Aldus header.
>
> The record must be reachable. It will not execute if the EOF record (function number 00) is seen first.

Ahh, perfect! Thanks, Peter, that clears up a lot for me. In fact, does this also imply that all you need is a "crapped" up pluggable viewer for IE on Windows 9x, etc. to exploit this flaw on one of those O/Ss? Does this further indicate that Office 98 and other M$ Office versions that run on the earlier O/Ss and support the WMF mapping are 'vulnerable' to exploitation - still? Thanks, you provided a cogent and direct response; it was very helpful (at least to me) in getting to the meat of this discussion.

-e

> That's all. To clarify some other things:
>
> The record length can be any value at all, as long as it remains within the bounds of the file. Before executing any record, Windows checks that the next record is accessible.
>
> The file does not have to end with the EOF record, but there must be one in the file.
>
> The smallest metafile is 18 bytes. That's the header only. The smallest parsable metafile is 24 bytes (EOF record only). The smallest SetAbortProc file for Windows XP is 62 bytes. 8^)
>
> p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
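The parsing rules Peter lays out above, written up as an added Python scanner for defenders (this is not code from the thread, from Peter, or from Microsoft): it walks a WMF byte string the way he describes, stops at a placeable header, an EOF record or an out-of-bounds record, and flags any SetAbortProc escape that is actually reachable. The META_ESCAPE (0x0626) and SETABORTPROC (0x0009) values and the placeable-header key come from the WMF format rather than from the page, the "next record accessible" test is my reading of his sentence, and the sample files are constructed inline.

```python
import struct

# Standard WMF constants (from the metafile format, not from the thread)
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus/placeable header magic; such files skip the affected path
META_EOF = 0x0000            # function number 00: parsing stops here
META_ESCAPE = 0x0626         # escape record; its sub-function selects the action
SETABORTPROC = 0x0009        # escape sub-function abused by the vulnerability
HEADER_LEN = 18              # standard METAHEADER is 9 words

def scan_wmf(data: bytes) -> dict:
    """Walk a WMF blob with the rules from the thread and report which records an
    affected parser would execute before EOF or an out-of-bounds record stops it."""
    r = {"placeable": False, "records": 0, "eof_seen": False,
         "setabortproc": False, "stopped": None}
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        r["placeable"], r["stopped"] = True, "placeable header"   # function is ignored
        return r
    if len(data) < HEADER_LEN:
        r["stopped"] = "short header"
        return r
    off = HEADER_LEN
    while True:
        if off + 6 > len(data):                  # RecordSize (4) + RecordFunction (2) must fit
            r["stopped"] = "record unreachable"
            return r
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2               # RecordSize is counted in 16-bit words
        if end < off + 6 or end > len(data):     # any length is fine, but it must stay in the file
            r["stopped"] = "record out of bounds"
            return r
        if func == META_EOF:
            r["eof_seen"], r["stopped"] = True, "eof"
            return r
        # Assumption: "next record accessible" means its 6-byte size/function fields fit in the file
        if end + 6 > len(data):
            r["stopped"] = "next record unreachable"
            return r
        r["records"] += 1
        if func == META_ESCAPE and end - off >= 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                r["setabortproc"] = True         # reachable SetAbortProc escape: flag for review
        off = end

def build_wmf(records: bytes) -> bytes:
    """Constructed sample: a standard 18-byte header followed by the given records."""
    total_words = (HEADER_LEN + len(records)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0) + records

EOF_RECORD = struct.pack("<IH", 3, META_EOF)                              # 6 bytes
ABORTPROC_RECORD = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # escape, no data
```

`build_wmf(EOF_RECORD)` is the 24-byte header-plus-EOF file Peter calls the smallest parsable metafile; dropping the EOF record after an escape makes the scanner stop before executing it, matching his "next record accessible" rule.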
Current thread:
- Re: Steve Gibson smokes crack?, (continued)
- Re: Steve Gibson smokes crack? eric williams (Jan 13)
- Re: Steve Gibson smokes crack? bkfsec (Jan 13)
- Re: Steve Gibson smokes crack? Stan Bubrouski (Jan 13)
- Re: Steve Gibson smokes crack? Jason Coombs (Jan 13)
- Re: Steve Gibson smokes crack? bkfsec (Jan 13)
- RE: Steve Gibson smokes crack William Lefkovics (Jan 13)
- Re: Steve Gibson smokes crack? eric williams (Jan 13)
- Re: Steve Gibson smokes crack? Stan Bubrouski (Jan 13)
- RE: Steve Gibson smokes crack? Peter Ferrie (Jan 13)
- Re: Steve Gibson smokes crack? eric williams (Jan 13)
- RE: Steve Gibson smokes crack? Peter Ferrie (Jan 15)
- Re: Steve Gibson smokes crack? Stan Bubrouski (Jan 13)
- Re: Steve Gibson smokes crack? Byron Sonne (Jan 14)
- Re: Steve Gibson smokes crack? eric williams (Jan 13)