|
Windows Metafile SetPalette Entries Heap OVerflow Vulnerability
(Graphics Rendering Engine Vulnerability)
Release Date:
November 8, 2005
Date Reported:
September 1, 2005
Severity:
High (Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0
Overview:
eEye Digital Security has discovered a vulnerability in the way the
Windows Graphical Device Interface (GDI) processes Windows Metafile
(WMF) format image files that would allow arbitrary code execution as a
user who attempts to view a malicious image. An attacker could send
such a metafile to a victim of his choice over any of a variety of
attack vectors, including an HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message.
Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles
contains an integer overflow vulnerability in the function
PlayMetaFileRecord, cases 36h and 37h, which handle
"SetPaletteEntries"-type records. If the reported length of such a
record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
integer overflow and can be made to allocate an insufficient heap block,
the success of which incorrectly implies the validity of the length:
77F5BC38 mov eax, [ebx] ; length field
77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
77F5BC3E push eax
77F5BC3F push edi
77F5BC40 call ds:LocalAlloc
...
77F5BC51 mov ecx, [ebx] ; length field
77F5BC53 add eax, 2
77F5BC56 shl ecx, 1 ; copy size != allocation
size
77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
77F5BC5A mov esi, ebx
77F5BC5C mov edi, eax
77F5BC5E shr ecx, 2
77F5BC61 rep movsd
77F5BC63 mov ecx, edx
77F5BC65 and ecx, 3
...
77F5BC6D rep movsb
Although the copy length is similarly subject to an integer overflow,
the two differ by a "+2" term, and therefore the allocation size can be
made very small while keeping the copy length extremely large. The
result is a complete heap overwrite with arbitrary binary data from the
metafile.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection proactively protects users from this
vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Credit:
Fang Xing
Related Links:
This vulnerability has been assigned the following IDs;
EEYEB-20050901
OSVDB ID:
CVE ID: CAN-2005-2123
Greetings:
Thanks Derek and and eEye guys help me wrote this advisory. Greeting
xfocus guys and venustech lab guys.
Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.