Windows Metafile Multiple Heap Overflows

2005.11.09
Credit: Fang Xing
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Overview: eEye Digital Security has discovered a heap overflow vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows enhanced metafile images (file extensions EMF and WMF). An attacker could send a malicious metafile to a victim of his choice over any of a variety of media -- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message -- in order to execute code on that user's system at the user's privilege level. Technical Details: The Windows metafile rendering code in GDI32.DLL contains a number of integer overflow flaws in its processing of EMF/WMF file data that lead to exploitable heap overflows through any number of specially crafted metafile structures. For example, the following disassembly from MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to integer overflow and as a result may pass validation with a dangerous value: 77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh) 77F6C75C mov eax, [ecx+4] ; heap allocation size ... 77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow 77F6C76B cmp edx, eax ; validation check 77F6C76D jnz 77F6C77F Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx Credit: Discovery: Fang Xing Related Links: Retina Network Security Scanner - Free Trial Blink Endpoint Vulnerability Prevention - Free Trial Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html Greetings: Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top