SecurityTracker.com
Category:   OS (Microsoft)  >   Windows Explorer
Vendors:   Microsoft
(Vendor Issues Fix) Microsoft Windows Explorer Heap Overflow in Processing '.emf' Files Permits Code Execution
SecurityTracker Alert ID:  1009756
SecurityTracker URL:  http://securitytracker.com/id/1009756
CVE Reference:   CAN-2003-0906   (Links to External Site)
Date:  Apr 13 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A buffer overflow vulnerability was reported in Microsoft Windows Explorer in the processing of Enhanced Metafile graphics files. A user can cause arbitrary code to be executed on the target system.

It is reported that a user can create a specially crafted '.emf' file that, when previewed by Windows Explorer, will trigger a heap overflow and execute arbitrary code with the privileges of the user running Windows Explorer.

It is reported that the software allocates a buffer based on the file's 'total size' field; a header that is larger than this size will trigger the overflow. It is also reported that the software then attempts to read the remainder of the file using a length value that is subject to an integer overflow.

The overflows can be triggered when viewing a directory (containing a malicious file) as Thumbnails or by previewing the picture.

The report indicates that there are similar flaws in the processing of '.wmf' files.
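The two size checks the description implies (the header must fit in the buffer sized from the 'total size' field, and the remaining-length subtraction must not wrap) can be made explicit before any allocation. The following is an added example written for this entry, not Microsoft's or eEye's code; it uses the public ENHMETAHEADER field offsets and a constructed, zero-filled header as sample input.

```c
#include <stddef.h>
#include <stdint.h>

#define EMR_HEADER        1u
#define ENHMETA_SIGNATURE 0x464D4520u  /* the " EMF" signature */
#define EMF_MIN_HEADER    88u          /* byte size of the base ENHMETAHEADER */

enum emf_status {
    EMF_OK = 0,
    EMF_TRUNCATED,       /* fewer bytes than the fixed header we must read */
    EMF_BAD_MAGIC,       /* wrong record type, signature or header size */
    EMF_HEADER_TOO_BIG,  /* nSize > nBytes: header would not fit a buffer of nBytes */
    EMF_SIZE_MISMATCH    /* nBytes claims more data than the file holds */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validates the size fields of an EMF header held in buf[0..len). On EMF_OK,
 * *remaining receives nBytes - nSize, computed only after proving it cannot wrap. */
enum emf_status emf_check_header(const uint8_t *buf, size_t len, uint32_t *remaining) {
    if (len < EMF_MIN_HEADER) return EMF_TRUNCATED;
    uint32_t iType      = rd32(buf + 0);
    uint32_t nSize      = rd32(buf + 4);   /* size of the header record */
    uint32_t dSignature = rd32(buf + 40);
    uint32_t nBytes     = rd32(buf + 48);  /* 'total size' of the whole metafile */
    if (iType != EMR_HEADER || dSignature != ENHMETA_SIGNATURE) return EMF_BAD_MAGIC;
    if (nSize < EMF_MIN_HEADER || (nSize & 3u) != 0) return EMF_BAD_MAGIC;
    /* This single comparison rules out both the header overflow and the wrap
       in the later nBytes - nSize subtraction. */
    if (nSize > nBytes) return EMF_HEADER_TOO_BIG;
    if (nBytes > len) return EMF_SIZE_MISMATCH;  /* never trust nBytes beyond the file */
    if (remaining) *remaining = nBytes - nSize;
    return EMF_OK;
}

/* Constructed sample input (not a real metafile): a zero-filled header carrying the
 * given nSize and nBytes, checked as if the file on disk were 'len' bytes long. */
enum emf_status emf_check_sample(uint32_t nSize, uint32_t nBytes, size_t len, uint32_t *remaining) {
    uint8_t buf[256] = {0};
    wr32(buf + 0, EMR_HEADER);
    wr32(buf + 4, nSize);
    wr32(buf + 40, ENHMETA_SIGNATURE);
    wr32(buf + 48, nBytes);
    return emf_check_header(buf, len < sizeof buf ? len : sizeof buf, remaining);
}
/* Trailing-data length for a sample, or UINT32_MAX when the header is rejected. */
uint32_t emf_sample_remaining(uint32_t nSize, uint32_t nBytes, size_t len) {
    uint32_t rem = UINT32_MAX;
    return emf_check_sample(nSize, nBytes, len, &rem) == EMF_OK ? rem : UINT32_MAX;
}
```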

Impact:   A remote or local user can create a malicious '.emf' file that, when previewed by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution:   The vendor has issued a fix as part of MS04-011. Patches are available for the following operating systems [please note that even though we have listed all the patches provided in MS04-011, not all operating systems are affected equally by all vulnerabilities]:

Microsoft Windows NT Workstation 4.0 Service Pack 6a:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7F1713FC-F95C-43E5-B825-3CF72C1A0A3E&displaylang=en

Microsoft Windows NT Server 4.0 Service Pack 6a:

http://www.microsoft.com/downloads/details.aspx?FamilyId=67A6F461-D2FC-4AA0-957E-3B8DC44F9D79&displaylang=en

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=62CBA527-A827-4777-8641-28092D3AAE4F&displaylang=en

Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

Microsoft Windows XP and Microsoft Windows XP Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

Microsoft Windows XP 64-Bit Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C6B55EF2-D9FE-4DBE-AB7D-73A20C82FF73&displaylang=en

Microsoft Windows XP 64-Bit Edition Version 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C207D372-E883-44A6-A107-6CD2D29FC6F5&displaylang=en

Microsoft Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF-453E-AE7E-7495864E8D8C&displaylang=en

Microsoft Windows Server 2003 64-Bit Edition:

http://downloads/details.aspx?FamilyId=C207D372-E883-44A6-A107-6CD2D29FC6F5&displaylang=en

Microsoft NetMeeting: (no URL was provided)

A restart is required after installing any of these patches.

For Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME), the vendor indicates that you should read the "FAQ section" of the security bulletin for details about these operating systems.

Microsoft reports that the security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires that you first have installed the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP).

Although the MS04-011 bulletin addresses many vulnerabilities, it is not a cumulative security update, the vendor said.

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms04-011.mspx (Links to External Site)
Cause:   Boundary error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Feb 23 2004 Microsoft Windows Explorer Heap Overflow in Processing '.emf' Files Permits Code Execution



 Source Message Contents

Date:  Tue, 13 Apr 2004 15:44:51 -0400
Subject:  http://www.eeye.com/html/Research/Advisories/AD20040413F.html


http://www.eeye.com/html/Research/Advisories/AD20040413F.html

Windows Metafile Heap Overflow

Release Date:
April 13, 2004

Date Reported:
November 1, 2003

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP

Description:


eEye Digital Security has discovered a buffer overflow in the APIs which handle Windows metafile-format images, implemented in the Windows GDI Client DLL (GDI32.dll). A Windows metafile is a collection of structures that stores a picture in a device-independent format. The GDI32.dll PlayMetaFileRecord() API, which plays a Windows-format metafile record by executing GDI functions specified within the record, has been found to contain an exploitable heap overflow.

A Windows metafile can be handled by many applications such as Internet Explorer, Outlook Express, Wordpad, the Windows shell (Explorer), the Office series (Word/Excel/PowerPoint/Outlook, etc.), and other third party applications. If any of these applications handle the corrupted metafile, it is possible to execute arbitrary code contained within the Windows metafile.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at: 
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Credit:
Discovery: Yuji Ukai

Related Links:
Retina Network Security Scanner - Free 15 Day Trial 
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
all security guys in anti rootkit research team !!

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

Copyright 2012, SecurityGlobal.net LLC