MS08-052 WMF vulnerability analysis and vulnerability testing - vulnerability warning - the black bar safety net

ID MYHACK58:62200820539
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2008-09-27T00:00:00


------ by CuteK

One: Background knowledge

Starting from the file format, this article analyses the MS08-052 vulnerability and constructs a picture that crashes any program viewing it without the patch.

1. WMF file structure

| File header |
| File record |
| File record |
| File record |

The Windows file header structures are as follows:

typedef struct {
    INT16 Left;
    INT16 Top;
    INT16 Right;
    INT16 Bottom;
} PWMFRect16;

typedef struct {
    UINT32     Key;           // GDIP_WMF_PLACEABLEKEY
    INT16      Hmf;           // Metafile HANDLE number (always 0)
    PWMFRect16 BoundingBox;   // Coordinates in metafile units
    INT16      Inch;          // Number of metafile units per inch
    UINT32     Reserved;      // Reserved (always 0)
    INT16      Checksum;      // Checksum value for the previous 10 WORDs
} WmfPlaceableFileHeader;

typedef struct tagMETAHEADER {
    WORD  mtType;             // metafile type: 1 = disk
    WORD  mtHeaderSize;       // 0x0009: header size, 9 WORDs
    WORD  mtVersion;
    DWORD mtSize;             // size in WORDs, not counting the WmfPlaceableFileHeader
    WORD  mtNoObjects;
    DWORD mtMaxRecord;
    WORD  mtNoParameters;
} METAHEADER;

Figure 1.1 File header (image: attachments/200809/26_092026_1.jpg)

Each file record consists of the record size (4 bytes), the record type (2 bytes) and the record body. Type 0x0538 is the PolyPolygon record, and it is improper handling of this record that leads to the overflow. The record structure is as follows:

Record size
Record type
Number of polygons (call it x)
Point count of polygon 1 (call it y), point count of polygon 2, ..., point count of polygon x
Polygon 1 point 1, polygon 1 point 2, ..., polygon 1 point y
...
Polygon x point 1, ..., polygon x last point

As Figure 1.2 shows, the record size is 0x73 WORDs, the record type is 0x0538, the polygon count is 1 and that polygon's point count is 0x37, with 0x37 WORDs of data following as the polygon's points. To read the record, space is allocated first, but the allocation is not based on the 0x73 record size: it is computed from the polygon count, adding the point count of each polygon to the space to allocate.

Figure 1.2 PolyPolygon record (image: attachments/200809/26_092051_1.2.bmp)

Two: The vulnerable code

Figure 2.1 The vulnerable code (image: attachments/200809/26_092111_2.1.jpg)

Figure 2.2 The code as patched by Microsoft (image: attachments/200809/26_092132_2.2.jpg)

Besides checking whether the value is less than 0, the patch checks whether the addition overflowed.
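To make the two checks concrete, here is an added C model (not the GDI+ code shown in the figures): an unchecked PolyPolygon size calculation that trusts the INT16 counts in the record beside a hardened one that rejects negative counts, overflowing arithmetic and bodies too short for the claimed data. The function names, the 4-byte point size and the sample record bodies are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added model (not the GDI+ code): the PolyPolygon record body after the 4-byte
   size and 2-byte type is INT16 nPolys, INT16 aPointCount[nPolys], then the
   points, each two INT16 (4 bytes), all little-endian as in the file. */
#define WMF_POINT_BYTES 4u
static int16_t rd_int16(const uint8_t *p) {            /* little-endian INT16 */
    return (int16_t)(uint16_t)(p[0] | (p[1] << 8));
}
/* Unchecked: trusts the file. Each count is sign-extended and added in 32-bit
   wrapping arithmetic, then multiplied by the point size; a negative or huge
   count yields a buffer far smaller than the data it must hold. */
uint32_t polypolygon_alloc_unchecked(const uint8_t *body) {
    uint16_t npolys = (uint16_t)rd_int16(body);
    uint32_t total = 0;
    for (uint32_t i = 0; i < npolys; i++)
        total += (uint32_t)(int32_t)rd_int16(body + 2 + 2 * i);
    return total * WMF_POINT_BYTES;                    /* wraps modulo 2^32 */
}
/* Hardened: rejects a count below zero and an addition or multiplication that
   would overflow (the two checks the text attributes to the patch), and also a
   body too short for the count table or the claimed points. Returns the byte
   count to allocate, or -1 when the record is rejected. */
int32_t polypolygon_alloc_checked(const uint8_t *body, size_t body_len) {
    if (body_len < 2) return -1;
    int16_t npolys = rd_int16(body);
    if (npolys < 0) return -1;
    size_t table_end = 2 + 2 * (size_t)npolys;
    if (table_end > body_len) return -1;               /* count table truncated */
    uint32_t total = 0;
    for (size_t i = 0; i < (size_t)npolys; i++) {
        int16_t cnt = rd_int16(body + 2 + 2 * i);
        if (cnt < 0) return -1;                        /* negative point count */
        if ((uint32_t)cnt > INT32_MAX - total) return -1;   /* sum would overflow */
        total += (uint32_t)cnt;
    }
    if (total > INT32_MAX / WMF_POINT_BYTES) return -1;     /* product would overflow */
    uint32_t bytes = total * WMF_POINT_BYTES;
    if (bytes > body_len - table_end) return -1;       /* points not in record */
    return (int32_t)bytes;
}

/* Constructed sample bodies. Malformed: 2 polygons claiming 0x7FFF and -0x7FFE
   points, followed by only 4 bytes of point data; the unchecked sum is 1 point. */
const uint8_t wmf_bad_body[] = { 0x02,0x00, 0xFF,0x7F, 0x02,0x80, 1,0,2,0 };
/* Well-formed: 1 polygon of 3 points, followed by 12 bytes of point data. */
const uint8_t wmf_good_body[] = { 0x01,0x00, 0x03,0x00, 0,0,0,0, 1,0,1,0, 2,0,2,0 };
```

On the malformed body the unchecked calculation returns 4 bytes for a polygon that claims 0x7FFF points, while the hardened version rejects the record at the negative count.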

Three: WMF file construction

Construct a WMF file containing a PolyPolygon record with a very large polygon count and a very large point count for each polygon, so that the computed allocation size overflows an integer. Viewing the file with a program that uses the unpatched gdiplus crashes it directly. Test picture link: http://bbs.antiy.cn/viewthread.php?tid=1087&extra=page%3D1&frombbs=1 (no Trojans, oh).

(image: attachments/200809/26_092200_123123.png)

Four: Solution

Install the patch for the vulnerability.

Five: Summary

A graphics file format is a data stream made up of many "sections", and each section is a structure consisting of a length, a type, parameters, data and so on. When a program parses the format, it identifies the section by its "type", reads the "parameters" to carry out some operation, and then processes the "data" that follows based on those parameters. The cause of this vulnerability is that, when computing with the parameters, the program trusted the parameters read from the file without validating them. Beyond graphics formats, the Excel BIFF format likewise uses a section header to determine how the subsequent data is read, with variable-length data objects. Wherever there is input, there is risk.
