Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [VulnWatch] [EEYEB-20050901] Windows Metafile SetPalette Entries Heap Overflow Vulnerability (Graphics Rendering Engine Vulnerability)



> 
> Windows Metafile SetPalette Entries Heap Overflow Vulnerability
> (Graphics Rendering Engine Vulnerability)
> 
> Release Date:
> November 8, 2005
> 
> Date Reported:
> September 1, 2005
> 
> Severity:
> High (Code Execution)
> 
> Vendor:
> Microsoft
> 
> Systems Affected:
> Windows 2000
> Windows XP SP0, SP1
> Windows Server 2003 SP0
> 
> Overview:
> eEye Digital Security has discovered a vulnerability in the way the
> Windows Graphical Device Interface (GDI) processes Windows Metafile
> (WMF) format image files that would allow arbitrary code execution as a
> user who attempts to view a malicious image.  An attacker could send
> such a metafile to a victim of his choice over any of a variety of
> attack vectors, including an HTML e-mail, a link to a web page, a
> metafile-bearing Microsoft Office document, or a chat message.
> 
> Technical Details:
> The code in GDI32.DLL responsible for rendering Windows Metafiles
> contains an integer overflow vulnerability in the function
> PlayMetaFileRecord, cases 36h and 37h, which handle
> "SetPaletteEntries"-type records.  If the reported length of such a
> record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
> integer overflow and can be made to allocate an insufficient heap block,
> the success of which incorrectly implies the validity of the length:
> 
>     77F5BC38    mov     eax, [ebx]         ; length field
>     77F5BC3A    lea     eax, [eax+eax+2]   ; *** integer overflow ***
>     77F5BC3E    push    eax
>     77F5BC3F    push    edi
>     77F5BC40    call    ds:LocalAlloc
>      ...
>     77F5BC51    mov     ecx, [ebx]         ; length field
>     77F5BC53    add     eax, 2
>     77F5BC56    shl     ecx, 1             ; copy size != allocation size
>     77F5BC58    mov     edx, ecx           ; intrinsic memcpy() follows
>     77F5BC5A    mov     esi, ebx
>     77F5BC5C    mov     edi, eax
>     77F5BC5E    shr     ecx, 2
>     77F5BC61    rep movsd
>     77F5BC63    mov     ecx, edx
>     77F5BC65    and     ecx, 3
>      ...
>     77F5BC6D    rep movsb
> 
> Although the copy length is similarly subject to an integer overflow,
> the two differ by a "+2" term, and therefore the allocation size can be
> made very small while keeping the copy length extremely large.  The
> result is a complete heap overwrite with arbitrary binary data from the
> metafile.
> 
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink Endpoint Protection proactively protects users from this
> vulnerability.
> 
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
> http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
> 
> Credit:
> Fang Xing
> 
> Related Links:
> This vulnerability has been assigned the following IDs;
> 
> EEYEB-20050901
> OSVDB ID: 
> CVE ID: CAN-2005-2123
> 
> Greetings:
> Thanks to Derek and the eEye guys who helped me write this advisory.
> Greetings to the xfocus guys and the venustech lab guys.
> 
> Copyright (c) 1998-2005 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
> 
> Disclaimer
> The information within this paper may change without notice.  Use of this
> information constitutes acceptance for use in an AS IS condition.  There
> are no warranties, implied or express, with regard to this information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information.  Any use of this information is at the user's
> own risk.
> 
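The size arithmetic the advisory describes, as an added example that is not part of the forwarded advisory or of GDI32: a constructed model of the 32-bit `2*len+2` allocation size and `2*len` copy size, shown next to a hardened variant that computes the sizes in 64-bit arithmetic and rejects any record length whose doubled size would wrap or exceed the bytes actually present in the record (`checked_alloc_size` and `record_bytes` are names chosen here, not from the page).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the vulnerable arithmetic (not GDI32's code):
 * the record's 32-bit length field is doubled and, for the allocation,
 * has 2 added, both in 32-bit arithmetic. Unsigned wrap is well defined
 * in C, which mirrors the x86 lea/shl behaviour the advisory quotes. */
uint32_t naive_alloc_size(uint32_t len) { return len + len + 2u; } /* lea eax,[eax+eax+2] */
uint32_t naive_copy_size(uint32_t len)  { return len << 1; }       /* shl ecx,1 */

/* The defect in one predicate: the copy would write more than was allocated.
 * For 7FFFFFFFh and FFFFFFFFh the allocation wraps to 0 while the copy
 * size is FFFFFFFEh. */
int naive_is_inconsistent(uint32_t len)
{
    return naive_alloc_size(len) < naive_copy_size(len);
}

/* Hardened form (constructed): widen before multiplying, refuse lengths
 * whose doubled size does not fit a 32-bit allocation, and refuse copy
 * sizes larger than the record actually contains. Returns the allocation
 * size (always >= 2) or 0 when the length must be rejected. */
uint32_t checked_alloc_size(uint32_t len, uint64_t record_bytes)
{
    uint64_t copy  = (uint64_t)len * 2u;
    uint64_t alloc = copy + 2u;
    if (alloc > UINT32_MAX) return 0;   /* would have wrapped in 32 bits */
    if (copy > record_bytes) return 0;  /* length claims more than the record holds */
    return (uint32_t)alloc;
}

int main(void)
{
    /* Constructed sample lengths: one benign value plus the two the advisory names */
    const uint32_t lengths[] = { 0x10u, 0x7FFFFFFFu, 0xFFFFFFFFu };
    const uint64_t record_bytes = 64; /* constructed: bytes present in the record */
    for (unsigned i = 0; i < 3; i++) {
        uint32_t len = lengths[i];
        printf("len=%08x naive alloc=%08x copy=%08x inconsistent=%d checked=%u\n",
               len, naive_alloc_size(len), naive_copy_size(len),
               naive_is_inconsistent(len), checked_alloc_size(len, record_bytes));
    }
    return 0;
}
```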
Copyright © Lexa Software, 1996-2009.