Bug: Windows Metafile Multiple Heap Overflows (WLB-2005110023 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: Windows Metafile Multiple Heap Overflows
 Credit: Fang Xing
 Date: 2005.11.09
 CWE: N/A
 CVE: CVE-2005-2124 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
High
Yes
Yes

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in the way the Windows Graphical Device Interface
(GDI) processes Windows enhanced metafile images (file extensions EMF and WMF). An attacker could send a malicious
metafile to a victim of his choice over any of a variety of media -- such as HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message -- in order to execute code on that user's system at the
user's privilege level.

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of integer overflow flaws in its processing of
EMF/WMF file data that lead to exploitable heap overflows through any number of specially crafted metafile structures.
For example, the following disassembly from MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to
integer overflow and as a result may pass validation with a dangerous value:

77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
...
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Discovery: Fang Xing

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html

Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com