From Advisories@eeye.com Wed Nov 9 15:04:24 2005 From: Advisories@eeye.com To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, ntbugtraq@nutbugtraq.com, full-disclosure@lists.grok.org.uk Date: Tue, 8 Nov 2005 11:39:31 -0800 Subject: [EEYEB-20050901] Windows Metafile SetPalette Entries Heap OVerflow Vulnerability (Graphics Rendering Engine Vulnerability) Windows Metafile SetPalette Entries Heap OVerflow Vulnerability (Graphics Rendering Engine Vulnerability) Release Date: November 8, 2005 Date Reported: September 1, 2005 Severity: High (Code Execution) Vendor: Microsoft Systems Affected: Windows 2000 Windows XP SP0, SP1 Windows Server 2003 SP0 Overview: eEye Digital Security has discovered a vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows Metafile (WMF) format image files that would allow arbitrary code execution as a user who attempts to view a malicious image. An attacker could send such a metafile to a victim of his choice over any of a variety of attack vectors, including an HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message. Technical Details: The code in GDI32.DLL responsible for rendering Windows Metafiles contains an integer overflow vulnerability in the function PlayMetaFileRecord, cases 36h and 37h, which handle "SetPaletteEntries"-type records. If the reported length of such a record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an integer overflow and can be made to allocate an insufficient heap block, the success of which incorrectly implies the validity of the length: 77F5BC38 mov eax, [ebx] ; length field 77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow *** 77F5BC3E push eax 77F5BC3F push edi 77F5BC40 call ds:LocalAlloc ... 77F5BC51 mov ecx, [ebx] ; length field 77F5BC53 add eax, 2 77F5BC56 shl ecx, 1 ; copy size != allocation size 77F5BC58 mov edx, ecx ; intrinsic memcpy() follows 77F5BC5A mov esi, ebx 77F5BC5C mov edi, eax 77F5BC5E shr ecx, 2 77F5BC61 rep movsd 77F5BC63 mov ecx, edx 77F5BC65 and ecx, 3 ... 77F5BC6D rep movsb Although the copy length is similarly subject to an integer overflow, the two differ by a "+2" term, and therefore the allocation size can be made very small while keeping the copy length extremely large. The result is a complete heap overwrite with arbitrary binary data from the metafile. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink Endpoint Protection proactively protects users from this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx Credit: Fang Xing Related Links: This vulnerability has been assigned the following IDs; EEYEB-20050901 OSVDB ID: CVE ID: CAN-2005-2123 Greetings: Thanks Derek and and eEye guys help me wrote this advisory. Greeting xfocus guys and venustech lab guys. Copyright (c) 1998-2005 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.