Advisories
Windows Metafile SetPalette Entries Heap Overflow Vulnerability (Graphics Rendering Engine Vulnerability)
Release Date:
November 8, 2005
Date Reported:
September 1, 2005
Patch Development Time (In Days):
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0
Overview:
eEye Digital Security has discovered a vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows Metafile (WMF) format image files that would allow arbitrary code execution as a user who attempts to view a malicious image. An attacker could send such a metafile to a victim of his choice over any of a variety of attack vectors, including an HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message.
Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles contains an integer overflow vulnerability in the function PlayMetaFileRecord, cases 36h and 37h, which handle "SetPaletteEntries"-type records. If the reported length of such a record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an integer overflow and can be made to allocate an insufficient heap block, the success of which incorrectly implies the validity of the length:
77F5BC38 mov eax, [ebx] ; length field
77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
77F5BC3E push eax
77F5BC3F push edi
77F5BC40 call ds:LocalAlloc
...
77F5BC51 mov ecx, [ebx] ; length field
77F5BC53 add eax, 2
77F5BC56 shl ecx, 1 ; copy size != allocation size
77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
77F5BC5A mov esi, ebx
77F5BC5C mov edi, eax
77F5BC5E shr ecx, 2
77F5BC61 rep movsd
77F5BC63 mov ecx, edx
77F5BC65 and ecx, 3
...
77F5BC6D rep movsb
Although the copy length is similarly subject to an integer overflow, the two differ by a "+2" term, and therefore the allocation size can be made very small while keeping the copy length extremely large. The result is a complete heap overwrite with arbitrary binary data from the metafile.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
November 8, 2005
Date Reported:
September 1, 2005
Patch Development Time (In Days):
 |
|
|
|
| 68 |
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0
Overview:
eEye Digital Security has discovered a vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows Metafile (WMF) format image files that would allow arbitrary code execution as a user who attempts to view a malicious image. An attacker could send such a metafile to a victim of his choice over any of a variety of attack vectors, including an HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message.
Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles contains an integer overflow vulnerability in the function PlayMetaFileRecord, cases 36h and 37h, which handle "SetPaletteEntries"-type records. If the reported length of such a record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an integer overflow and can be made to allocate an insufficient heap block, the success of which incorrectly implies the validity of the length:
77F5BC38 mov eax, [ebx] ; length field
77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
77F5BC3E push eax
77F5BC3F push edi
77F5BC40 call ds:LocalAlloc
...
77F5BC51 mov ecx, [ebx] ; length field
77F5BC53 add eax, 2
77F5BC56 shl ecx, 1 ; copy size != allocation size
77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
77F5BC5A mov esi, ebx
77F5BC5C mov edi, eax
77F5BC5E shr ecx, 2
77F5BC61 rep movsd
77F5BC63 mov ecx, edx
77F5BC65 and ecx, 3
...
77F5BC6D rep movsb
Although the copy length is similarly subject to an integer overflow, the two differ by a "+2" term, and therefore the allocation size can be made very small while keeping the copy length extremely large. The result is a complete heap overwrite with arbitrary binary data from the metafile.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
