Microsoft Windows Enhanced/Windows Metafile Handling

2004-02-20T13:45:39
ID OSVDB:4059
Type osvdb
Reporter Jellytop()
Modified 2004-02-20T13:45:39

Description

Vulnerability Description

A remote overflow exists in Microsoft Windows XP. The Windows Enhanced Metafile image code fails to perform proper bounds checking resulting in a dual-part heap and buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of confidentiality, integrity, and availability.

Technical Description

The image preview code that explorer uses has an exploitable buffer overflow.

An .emf file with a "total size" field set to less than the header size will cause explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.

There are two overflows here:

  1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.

  2. They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.

To exploit this flaw (in explorer), simply place a malformed (invalid "size" field) .emf file in any directory, open explorer to that path, and view as Thumbnails. Bang. In its simplest form it's a DoS - it affects all explorer windows, including File Open dialogs for many programs and also the preview in Outlook.

Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.
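The following is an added defensive illustration, not part of the advisory or of the Bugtraq post it summarises: a C validator for the fixed 88-byte ENHMETAHEADER that performs the bounds check the advisory says the image preview code is missing, namely that the file's size field must be at least the header size before a buffer is sized from it and before (size - headersize) is computed. Field offsets and the " EMF" signature follow the documented ENHMETAHEADER layout; treating the nBytes field as the advisory's "total size" field is an assumption, as are the function and status names, and the header bytes are constructed test data rather than a real metafile. The unchecked_remaining function only shows what the subtraction evaluates to when the check is absent.

```c
/* Added example, not from the advisory: a bounds-checked ENHMETAHEADER
 * validator. Offsets follow the documented ENHMETAHEADER layout; mapping
 * nBytes to the advisory's "total size" field is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EMF_HEADER_SIZE   88u          /* sizeof(ENHMETAHEADER), base version */
#define EMR_HEADER        1u           /* iType of the first record */
#define ENHMETA_SIGNATURE 0x464D4520u  /* " EMF" read as a little-endian DWORD */

/* Byte offsets of the fields checked below. */
#define OFF_ITYPE      0
#define OFF_NSIZE      4
#define OFF_DSIGNATURE 40
#define OFF_NBYTES     48
#define OFF_NRECORDS   52

enum emf_status {
    EMF_OK = 0,
    EMF_ERR_TRUNCATED,          /* input shorter than the fixed header */
    EMF_ERR_BAD_TYPE,           /* first record is not EMR_HEADER */
    EMF_ERR_BAD_SIGNATURE,      /* dSignature is not " EMF" */
    EMF_ERR_BAD_RECORD_SIZE,    /* nSize smaller than the header it describes */
    EMF_ERR_SIZE_TOO_SMALL,     /* nBytes < header size: the advisory's trigger */
    EMF_ERR_SIZE_EXCEEDS_INPUT  /* nBytes claims more data than was supplied */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The arithmetic the advisory describes: without a check that nBytes is at
 * least the header size, (size - headersize) wraps to a huge unsigned length.
 * Returned only to show the wrap; nothing here reads with it. */
uint32_t unchecked_remaining(uint32_t nBytes)
{
    return nBytes - EMF_HEADER_SIZE;
}

/* Validate the header before anything is allocated from its size fields.
 * On success *remaining is the number of record bytes after the header. */
enum emf_status emf_validate_header(const uint8_t *buf, size_t len, size_t *remaining)
{
    if (len < EMF_HEADER_SIZE)
        return EMF_ERR_TRUNCATED;
    if (rd32(buf + OFF_ITYPE) != EMR_HEADER)
        return EMF_ERR_BAD_TYPE;
    if (rd32(buf + OFF_DSIGNATURE) != ENHMETA_SIGNATURE)
        return EMF_ERR_BAD_SIGNATURE;

    uint32_t nSize  = rd32(buf + OFF_NSIZE);
    uint32_t nBytes = rd32(buf + OFF_NBYTES);

    /* Records are DWORD-aligned and the header record covers the header. */
    if (nSize < EMF_HEADER_SIZE || (nSize & 3u) != 0)
        return EMF_ERR_BAD_RECORD_SIZE;
    /* The missing check: the size field must cover the header itself, or both
     * the header copy into a size-sized buffer and the subtraction go wrong. */
    if (nBytes < EMF_HEADER_SIZE)
        return EMF_ERR_SIZE_TOO_SMALL;
    if (nBytes > len)
        return EMF_ERR_SIZE_EXCEEDS_INPUT;

    *remaining = nBytes - EMF_HEADER_SIZE;   /* cannot underflow after the check */
    return EMF_OK;
}

/* Constructed test header (sample data, not a real metafile) with a chosen
 * nBytes value, so the validator can be exercised on good and bad inputs. */
size_t build_test_header(uint8_t *out, size_t cap, uint32_t nBytes)
{
    if (cap < EMF_HEADER_SIZE)
        return 0;
    memset(out, 0, EMF_HEADER_SIZE);
    wr32(out + OFF_ITYPE, EMR_HEADER);
    wr32(out + OFF_NSIZE, EMF_HEADER_SIZE);
    wr32(out + OFF_DSIGNATURE, ENHMETA_SIGNATURE);
    wr32(out + OFF_NBYTES, nBytes);
    wr32(out + OFF_NRECORDS, 1);
    return EMF_HEADER_SIZE;
}

int main(void)
{
    uint8_t file[256] = {0};
    size_t remaining = 0;

    /* Well-formed: header followed by 32 bytes of records. */
    build_test_header(file, sizeof file, EMF_HEADER_SIZE + 32);
    printf("good header: status %d, %zu record bytes\n",
           emf_validate_header(file, EMF_HEADER_SIZE + 32, &remaining), remaining);

    /* Size field smaller than the header, the condition the advisory describes. */
    build_test_header(file, sizeof file, 40);
    printf("size<header: status %d (unchecked length would be %u)\n",
           emf_validate_header(file, sizeof file, &remaining), unchecked_remaining(40));
    return 0;
}
```

The validator is deliberately ordered so that every size field is checked against both the fixed header size and the actual input length before it is used for arithmetic or allocation; a thumbnail or preview handler that applied this check would reject the malformed file instead of sizing a heap buffer from it.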

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

A remote overflow exists in Microsoft Windows XP. The Windows Enhanced Metafile image code fails to perform proper bounds checking resulting in a dual-part heap and buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of confidentiality, integrity, and availability.

References:

Secunia Advisory ID: 10968
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-02/0633.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-02/0594.html
Keywords: microsoft, windows, xp, heap overflow, integer overflow, emf, enhanced metafile format, shimgvw.dll
ISS X-Force ID: 15284
Bugtraq ID: 9707