funsec mailing list archives
Re[2]: Ilfak's WMF patch
From: Ilfak Guilfanov <ig () datarescue be>
Date: Mon, 2 Jan 2006 02:09:01 +0100
Hello Matthew,

Sunday, January 1, 2006, 11:44:53 PM, you wrote:

MM> Not even a question. The ABORTPROC record type has *ZERO* legitimate
MM> use in the real-world. It is designed to execute arbitrary code, making
MM> it a security risk without legitimate value. If there are apps that use
MM> the functionality, I for one, am happy to see them broken.

I agree with you that the ABORTPROC record has no use in the WMF files. But there is a reason why it exists: WMF data can be file based and memory based. If it makes little sense to embed an executable procedure in a file, some programs may generate a memory based WMF with ABORTPROC. These memory based WMFs can be used to pass data between different parts of the program. In this setting the ABORTPROC record makes sense and poses no security risk.

When I mentioned broken functionality in the description of the fix, I meant memory based WMFs. OTOH, I do not know what (if any) programs use them.

MM> It might be worth noting that Ilfak only tested his patch on XP SP2.
MM> It's been said to work on Windows Server 2003 SP1 by some, though it's
MM> confirmed that it does indeed break on XP SP1, XP RTM, and there are
MM> conflicting reports about Win2003 RTM. Windows 2000, Windows 98, and
MM> Windows Me users aren't able to apply the fix, either. Given that the
MM> number of Win2003 systems out there is going to be pretty small, it
MM> seems that most non-XP desktop environments will be out of luck, as will
MM> environments that haven't made the move up to SP2 from SP1 or (god
MM> forbid) RTM.

The fix has been tested on 2000, XP, and Server2003 machines so far. As for WinME/98 - I have no idea. It is quite possible that they are not vulnerable but this is to be checked.

MM> As an aside, with source code being available, I imagine that Ilfak's
MM> patch could be ported to different environments if copies of the
MM> gdi32.dll file from those systems could be procured.

Yes, I love to hear that.

However, porting to Win9x systems will be a pain. I doubt that it is possible/desirable to patch gdi32.dll as it is done for NT based systems.

--
Best regards,
Ilfak mailto:ig () datarescue be

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
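Since the exchange above turns on whether an ABORTPROC record ever belongs in a file-based WMF, a useful defender-side check is to walk a metafile's record stream and flag Escape records whose sub-function is SETABORTPROC. The Python below is an added example, not Ilfak's patch or any code from this thread; the record and escape constants are taken from the public [MS-WMF] format documentation, and the sample metafile it scans is constructed inside the block.

```python
import struct

META_EOF = 0x0000
META_SETTEXTCOLOR = 0x0209
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # Escape sub-function that installs an abort procedure
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header

def wmf_records(data: bytes):
    """Yield (offset, function, params) per record; stop at EOF or at a malformed size."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip placeable header
    if len(data) < off + 18:
        return
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # HeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):     # cannot hold its own prefix, or truncated
            break
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end

def find_abortproc(data: bytes):
    """Return offsets of Escape records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if (func == META_ESCAPE and len(params) >= 4
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC):
            hits.append(off)
    return hits

def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(with_abortproc: bool) -> bytes:
    """Constructed fixture: a minimal disk metafile, optionally with a SETABORTPROC escape."""
    recs = [_record(META_SETTEXTCOLOR, struct.pack("<I", 0x00FF00))]   # benign drawing record
    if with_abortproc:
        recs.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4))
    recs.append(_record(META_EOF))
    body = b"".join(recs)
    max_rec = max(len(r) for r in recs) // 2
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size (words), NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body
```

A truncated file stops the walk rather than raising, so the scanner reports only records it could fully read; the memory-based metafiles the reply describes carry Type=1 in the same header and are parsed the same way.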