Advisories
Windows Metafile Multiple Heap Overflows
Release Date:
November 8, 2005
Date Reported:
March 29, 2005
Patch Development Time (In Days):
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows Server 2003
Overview:
eEye Digital Security has discovered a heap overflow vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows enhanced metafile images (file extensions EMF and WMF). An attacker could send a malicious metafile to a victim of his choice over any of a variety of media -- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message -- in order to execute code on that user's system at the user's privilege level.
Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of integer overflow flaws in its processing of EMF/WMF file data that lead to exploitable heap overflows through any number of specially crafted metafile structures. For example, the following disassembly from MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to integer overflow and as a result may pass validation with a dangerous value:
77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
...
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
November 8, 2005
Date Reported:
March 29, 2005
Patch Development Time (In Days):
 |
|
|
|
| 224 |
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows Server 2003
Overview:
eEye Digital Security has discovered a heap overflow vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows enhanced metafile images (file extensions EMF and WMF). An attacker could send a malicious metafile to a victim of his choice over any of a variety of media -- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message -- in order to execute code on that user's system at the user's privilege level.
Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of integer overflow flaws in its processing of EMF/WMF file data that lead to exploitable heap overflows through any number of specially crafted metafile structures. For example, the following disassembly from MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to integer overflow and as a result may pass validation with a dangerous value:
77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
...
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
