ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [VulnWatch] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows



> 
> Windows Metafile Multiple Heap Overflows
> 
> Release Date:
> November 8, 2005
> 
> Date Reported:
> March 29, 2005
> 
> Severity:
> High (Code Execution)
> 
> Vendor:
> Microsoft
> 
> Systems Affected:
> Windows 2000
> Windows Server 2003
> 
> Overview:
> eEye Digital Security has discovered a heap overflow vulnerability in
> the way the Windows Graphical Device Interface (GDI) processes Windows
> enhanced metafile images (file extensions EMF and WMF).  An attacker
> could send a malicious metafile to a victim of his choice 
> over any of a
> variety of media -- such as HTML e-mail, a link to a web page, a
> metafile-bearing Microsoft Office document, or a chat message -- in
> order to execute code on that user's system at the user's privilege
> level.
> 
> Technical Details:
> The Windows metafile rendering code in GDI32.DLL contains a number of
> integer overflow flaws in its processing of EMF/WMF file data 
> that lead
> to exploitable heap overflows through any number of specially crafted
> metafile structures.  For example, the following disassembly from
> MRBP16::bCheckRecord demonstrates a size calculation that is 
> susceptible
> to integer overflow and as a result may pass validation with 
> a dangerous
> value:
> 
>     77F6C759    mov     edx, [ecx+18h]    ; malicious count (e.g.,
> 8000000Dh)
>     77F6C75C    mov     eax, [ecx+4]      ; heap allocation size
>      ...
>     77F6C764    lea     edx, [edx*4+1Ch]  ; EDX >= 3FFFFFF9h: integer
> overflow
>     77F6C76B    cmp     edx, eax          ; validation check
>     77F6C76D    jnz     77F6C77F
> 
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink Endpoint Protection proactively protects users from this
> vulnerability.
> 
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
> http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
> 
> Credit:
> Fang Xing
> 
> Related Links:
> This vulnerability has been assigned the following IDs;
> 
> EEYEB-20050329
> OSVDB ID: 18820
> CVE ID: CAN-2005-2124
> 
> Greetings:
> Thanks Derek and and eEye guys help me wrote this advisory. Greeting
> xfocus guys and venustech lab guys.
> 
> 
> Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
> granted for the redistribution of this alert electronically. It is not
> to be edited in any way without express consent of eEye. If 
> you wish to
> reprint the whole or any part of this alert in any other medium
> excluding electronic medium, please email alert@xxxxxxxx for 
> permission.
> 
> Disclaimer
> The information within this paper may change without notice. 
> Use of this
> information constitutes acceptance for use in an AS IS 
> condition. There
> are no warranties, implied or express, with regard to this 
> information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information. Any use of this information is at 
> the user's
> own risk.
> 




 




Copyright © Lexa Software, 1996-2009.