Windows Metafile SetPalette Entries Heap OVerflow Vulnerability
(Graphics Rendering Engine Vulnerability)

Release Date:
November 8, 2005

Date Reported:
September 1, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0

Overview:
eEye Digital Security has discovered a vulnerability in the way the
Windows Graphical Device Interface (GDI) processes Windows Metafile
(WMF) format image files that would allow arbitrary code execution as a
user who attempts to view a malicious image.  An attacker could send
such a metafile to a victim of his choice over any of a variety of
attack vectors, including an HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message.

Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles
contains an integer overflow vulnerability in the function
PlayMetaFileRecord, cases 36h and 37h, which handle
"SetPaletteEntries"-type records.  If the reported length of such a
record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
integer overflow and can be made to allocate an insufficient heap block,
the success of which incorrectly implies the validity of the length:

    77F5BC38    mov     eax, [ebx]         ; length field
    77F5BC3A    lea     eax, [eax+eax+2]   ; *** integer overflow ***
    77F5BC3E    push    eax
    77F5BC3F    push    edi
    77F5BC40    call    ds:LocalAlloc
     ...
    77F5BC51    mov     ecx, [ebx]         ; length field
    77F5BC53    add     eax, 2
    77F5BC56    shl     ecx, 1             ; copy size != allocation
size
    77F5BC58    mov     edx, ecx           ; intrinsic memcpy() follows
    77F5BC5A    mov     esi, ebx
    77F5BC5C    mov     edi, eax
    77F5BC5E    shr     ecx, 2
    77F5BC61    rep movsd
    77F5BC63    mov     ecx, edx
    77F5BC65    and     ecx, 3
     ...
    77F5BC6D    rep movsb

Although the copy length is similarly subject to an integer overflow,
the two differ by a "+2" term, and therefore the allocation size can be
made very small while keeping the copy length extremely large.  The
result is a complete heap overwrite with arbitrary binary data from the
metafile.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection proactively protects users from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx 

Credit:
Fang Xing

Related Links:
This vulnerability has been assigned the following IDs;

EEYEB-20050901
OSVDB ID: 
CVE ID: CAN-2005-2123

Greetings:
Thanks Derek and and eEye guys help me wrote this advisory. Greeting
xfocus guys and venustech lab guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission. 

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.