Microsoft Windows Explorer Heap Overflow in Processing '.emf' Files Permits Code Execution
SecurityTracker Alert ID: 1009181
CVE Reference: CAN-2003-0906
Updated: Apr 13 2004
Original Entry Date: Feb 23 2004
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Description: A buffer overflow vulnerability was reported in Microsoft Windows Explorer in the processing of Enhanced Metafile graphics files. A user can cause arbitrary code to be executed on the target system.
It is reported that a user can create a specially crafted '.emf' file that, when previewed by Windows Explorer, will trigger a heap overflow and execute arbitrary code with the privileges of the user running Windows Explorer.
It is reported that the software allocates a buffer based on the file's 'total size' field without validating it; a header that is larger than this size will overflow the buffer, the report said. It is also reported that the software then attempts to read the remainder of the file using a length that is subject to an integer overflow, so the rest of the file is appended to the already overflowed buffer.
The overflows can be triggered when viewing a directory containing a malicious file as Thumbnails, or by previewing the picture.
The report indicates that there are similar flaws in the processing of '.wmf' files.
Impact: A remote or local user can create a malicious '.emf' file that, when previewed by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause: Boundary error
Underlying OS: Windows (XP)
Reported By: <sunglasses@bay-watch.com>
Source Message Contents
Date: 20 Feb 2004 18:45:39 -0000
From: <sunglasses@bay-watch.com>
Subject: Windows XP explorer.exe heap overflow.
Vulnerability in XP explorer.exe image loading
----------------------------------------------
Systems affected:
Current XP - others not tested.
Degree:
Arbitrary code execution.
Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.
Details
-------
The image preview code that explorer uses has an exploitable buffer overflow.
An .emf file with a "total size" field set to less than the header size will cause explorer.exe to crash in the heap routines - in
classic heap overflow style that should be exploitable a la the RPC exploits.
There are two overflows here:
1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size
is less than the header size, that's one overflow.
2. They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the
rest of the file to be appended to the already blown buffer.
Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid "size" field) .emf file
in any directory, open explorer to that path, and view as Thumbnails. Bang. In its simplest
form it's a DoS - it affects all explorer windows, including File Open dialogs for many programs.
Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action).
Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.
Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are similar.
- Jellytop, 2004
"If a man will begin with certainties, he shall end in doubts; but if he will be content to
begin with doubts he shall end in certainties."
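Added example, not from the advisory or the reporter: a defender-side check in C for the two size-field problems described in the Description above and in the reporter's Details section (allocation from an unvalidated total size, then a wrapped subtraction for the remaining length). The ENHMETAHEADER field offsets and 88-byte base header length are taken from the public EMF specification; that the advisory's "total size" is the nBytes member is an assumption, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ENHMETAHEADER fields used here (offsets from the public EMF spec):
 *   0  iType      must be 1 (EMR_HEADER)       4  nSize  size of this header record
 *  40  dSignature must be 0x464D4520 (" EMF")  48  nBytes total file size (assumed to be
 *                                                        the advisory's "total size")
 * The fixed part of the header is 88 bytes. */
#define EMF_BASE_HDR   88u
#define EMR_HEADER     1u
#define EMF_SIGNATURE  0x464D4520u

enum emf_status { EMF_OK, EMF_TRUNCATED, EMF_NOT_EMF, EMF_SIZE_TOO_SMALL, EMF_SIZE_TOO_LARGE };

static uint32_t rd32(const uint8_t *p) {               /* little-endian DWORD */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Validate the size fields BEFORE anything is allocated or copied.
 * On EMF_OK, *remaining = nBytes - nSize, computed only after proving
 * nSize <= nBytes, so the subtraction cannot wrap to a huge length. */
enum emf_status emf_check_sizes(const uint8_t *buf, size_t len, uint32_t *remaining) {
    if (len < EMF_BASE_HDR) return EMF_TRUNCATED;
    if (rd32(buf) != EMR_HEADER || rd32(buf + 40) != EMF_SIGNATURE) return EMF_NOT_EMF;
    uint32_t hdr = rd32(buf + 4), total = rd32(buf + 48);
    if (hdr < EMF_BASE_HDR) return EMF_NOT_EMF;     /* header record shorter than its fixed part */
    if (total < hdr) return EMF_SIZE_TOO_SMALL;     /* alloc(total) + copy of hdr bytes would overflow */
    if (total > len) return EMF_SIZE_TOO_LARGE;     /* file claims more bytes than were supplied */
    if (remaining) *remaining = total - hdr;
    return EMF_OK;
}

/* Builds a constructed (not real) 88-byte header with the given nSize/nBytes and
 * checks it as if `len_avail` bytes of file had been read. */
enum emf_status check_constructed(uint32_t nsize, uint32_t nbytes, size_t len_avail, uint32_t *remaining) {
    uint8_t hdr[EMF_BASE_HDR];
    memset(hdr, 0, sizeof hdr);
    wr32(hdr, EMR_HEADER); wr32(hdr + 4, nsize); wr32(hdr + 40, EMF_SIGNATURE); wr32(hdr + 48, nbytes);
    return emf_check_sizes(hdr, len_avail, remaining);
}

/* Payload length that may safely be read after the header, or UINT32_MAX on any error. */
uint32_t payload_len_of(uint32_t nsize, uint32_t nbytes, size_t len_avail) {
    uint32_t rem;
    return check_constructed(nsize, nbytes, len_avail, &rem) == EMF_OK ? rem : UINT32_MAX;
}
```

A loader that only proceeds on EMF_OK never allocates less than the header it copies, and never computes a wrapped remaining length.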