eEye Digital Security has discovered a heap overflow vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows enhanced metafile images (file extensions EMF and WMF). An attacker could send a malicious metafile to a victim of his choice over any of a variety of media -- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message -- in order to execute code on that user's system at the user's privilege level.
The Windows metafile rendering code in GDI32.DLL contains a number of integer overflow flaws in its processing of EMF/WMF file data that lead to exploitable heap overflows through any number of specially crafted metafile structures. For example, the following disassembly from MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to integer overflow and as a result may pass validation with a dangerous value:
77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Microsoft has released a patch for this vulnerability. The patch is available at:
Discovery: Fang Xing
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.