SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows Explorer Vendors:   Microsoft
Microsoft Windows Explorer Heap Overflow in Processing '.emf' Files Permits Code Execution
SecurityTracker Alert ID:  1009181
SecurityTracker URL:  http://securitytracker.com/id/1009181
CVE Reference:   CVE-2003-0906   (Links to External Site)
Updated:  Apr 13 2004
Original Entry Date:  Feb 23 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network


Description:   A buffer overflow vulnerability was reported in Microsoft Windows Explorer in the processing of Enhanced Metafile graphics files. A user can cause arbitrary code to be executed on the target system.

It is reported that a user can create a specially crafted '.emf' file that, when previewed by Windows Explorer, will trigger a heap overflow and execute arbitrary code with the privileges of the user running Windows Explorer.

It is reported that the software allocates a buffer based on the 'total size' field. A header that is larger than this size will trigger the overflow, the report said. It is also reported that the software attempts to read the remainder of the file to a value that is subject to an integer overflow.

The overflows can be triggered when viewing a directory (containing a malicious file) as Thumbnails or by previewing the picture.

The report indicates that there are similar flaws in the processing of '.wmf' files.

Impact:   A remote or local user can create a malicious '.emf' file that, when previewed by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 13 2004 (Vendor Issues Fix) Microsoft Windows Explorer Heap Overflow in Processing '.emf' Files Permits Code Execution
The vendor has issued a fix.



 Source Message Contents

Subject:  Windows XP explorer.exe heap overflow.




Vulnerability in XP explorer.exe image loading
----------------------------------------------

Systems affected: 
  Current XP - others not tested.

Degree: 
  Arbitrary code execution.

Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.

Details
-------
The image preview code that explorer uses has an exploitable buffer overflow.

An .emf file with a "total size" field set to less than the header size will causes explorer.exe to crash in the heap routines - in
 classic heap overflow style that should be exploitable a la the RPC exploits.

There are two overflows here:

1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size
 is less than the header size, that's one overflow.

2. They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the
 rest of the file to be appended to the already blown buffer.

Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid "size" field) .emf file 
in any directory, open explorer to that path, and view as Thumbnails. Bang. In it's simplest 
form it's a DOS - it affects all explorer windows, including File Open dialogs for many programs.

Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action).
 Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.

Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are similar.


- Jellytop, 2004 

"If a man will begin with certainties, he shall end in doubts; but if he will be content to 
begin with doubts he shall end in certainties."

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC