Re: Windows XP explorer.exe heap overflow.

This could actually be much worse since it looks like Internet Explorer
and Outlook will happily display WMF files with no questions asked.

Has anyone crafted a test WMF file we can use to check whether this
could be exploited via an email worm through Outlook?

On 2/20/2004 1:45 PM, sunglasses@bay-watch.com wrote:
>
>Vulnerability in XP explorer.exe image loading
>----------------------------------------------
>
>Systems affected:
>
>  Current XP - others not tested.
>
>Degree:
>
>  Arbitrary code execution.
>
>Summary
>-------
>
>A malformed .emf (Enhanced Metafile, a graphics format) file can cause
>an exploitable heap overflow in (or near) shimgvw.dll.
>
>Details
>-------
>
>The image preview code that explorer uses has an exploitable buffer
>overflow.
>
>An .emf file with a "total size" field set to less than the header
>size will cause explorer.exe to crash in the heap routines - in
>classic heap overflow style that should be exploitable a la the RPC
>exploits.
>
>There are two overflows here:
>
>1. A buffer is allocated with the size indicated in the header (no
>validity checks), then the header is copied into it - if the size is
>less than the header size, that's one overflow.
>
>2. They then proceed to read the rest of the file to a length of
>(size-headersize), which allows for an integer overflow causing the
>rest of the file to be appended to the already blown buffer.
>
>Exploit
>-------
>
>To exploit this flaw (in explorer), simply place a malformed (invalid
>"size" field) .emf file in any directory, open explorer to that path,
>and view as Thumbnails. Bang. In its simplest form it's a DoS - it
>affects all explorer windows, including File Open dialogs for many
>programs.
>
>Alternatively, without viewing as a Thumbnail, open the picture
>preview window for the .emf file. (It's the default double-click
>action). Using this trigger causes a different crash point, which may
>not be exploitable, but I wouldn't rule it out.
>
>Additional notes
>----------------
>
>It may be worth checking out similar issues in .wmf files, as they are
>similar.
>
>- Jellytop, 2004
>
>"If a man will begin with certainties, he shall end in doubts; but if
>he will be content to begin with doubts he shall end in certainties."
>


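The two defects the quoted advisory describes (allocating with an unchecked size field, then subtracting the header length from it) are both caught by validating the header before any allocation. The following C is an added example, not code from the advisory, this thread, or Microsoft's shimgvw.dll. It assumes the documented fixed ENHMETAHEADER layout: an 88-byte header with the record type at offset 0, the record size at offset 4, the " EMF" signature (0x464D4520) at offset 40 and the total file size (nBytes) at offset 48. `emf_unchecked_remaining` only computes the wrapped value of `size - headersize` that the advisory's second overflow relies on; it performs no copy. The sample headers are constructed in memory, so the block runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed part of an ENHMETAHEADER (byte offsets, little-endian fields). */
#define EMF_HEADER_SIZE   88u
#define EMF_OFF_ITYPE     0u
#define EMF_OFF_NSIZE     4u
#define EMF_OFF_SIGNATURE 40u
#define EMF_OFF_NBYTES    48u
#define EMF_EMR_HEADER    1u
#define EMF_SIGNATURE     0x464D4520u   /* " EMF" */

enum emf_status {
    EMF_OK = 0,
    EMF_TOO_SHORT,          /* fewer than 88 bytes supplied */
    EMF_BAD_TYPE,           /* first record is not EMR_HEADER */
    EMF_BAD_SIGNATURE,
    EMF_BAD_RECORD_SIZE,    /* nSize smaller than the fixed header */
    EMF_SIZE_BELOW_HEADER,  /* nBytes < 88: the advisory's first overflow */
    EMF_SIZE_BEYOND_FILE    /* nBytes larger than the data actually present */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The arithmetic the advisory's step 2 performs without a check:
 * remaining = nBytes - headersize. For nBytes < 88 the unsigned
 * subtraction wraps to a value near 4 GiB. Returned, not used. */
uint32_t emf_unchecked_remaining(uint32_t nbytes) {
    return nbytes - EMF_HEADER_SIZE;
}

/* Every check a loader needs before trusting nBytes for an allocation. */
enum emf_status emf_validate_header(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < EMF_HEADER_SIZE) return EMF_TOO_SHORT;
    if (rd32(buf + EMF_OFF_ITYPE) != EMF_EMR_HEADER) return EMF_BAD_TYPE;
    if (rd32(buf + EMF_OFF_SIGNATURE) != EMF_SIGNATURE) return EMF_BAD_SIGNATURE;
    if (rd32(buf + EMF_OFF_NSIZE) < EMF_HEADER_SIZE) return EMF_BAD_RECORD_SIZE;

    uint32_t nbytes = rd32(buf + EMF_OFF_NBYTES);
    if (nbytes < EMF_HEADER_SIZE) return EMF_SIZE_BELOW_HEADER;  /* overflow 1 */
    if (nbytes > len) return EMF_SIZE_BEYOND_FILE;               /* over-read */
    return EMF_OK;
}

/* Constructed sample: a minimal header carrying the given nBytes, validated
 * as if the file were 'file_len' bytes long. Lets callers probe each branch. */
enum emf_status emf_check_sample(uint32_t nbytes, size_t file_len) {
    static uint8_t hdr[EMF_HEADER_SIZE];
    memset(hdr, 0, sizeof hdr);
    wr32(hdr + EMF_OFF_ITYPE, EMF_EMR_HEADER);
    wr32(hdr + EMF_OFF_NSIZE, EMF_HEADER_SIZE);
    wr32(hdr + EMF_OFF_SIGNATURE, EMF_SIGNATURE);
    wr32(hdr + EMF_OFF_NBYTES, nbytes);
    /* file_len larger than the buffer is clamped so we never read past hdr */
    return emf_validate_header(hdr, file_len > sizeof hdr ? sizeof hdr : file_len);
}

int main(void) {
    printf("nBytes=88  -> status %d\n", emf_check_sample(88, 88));
    printf("nBytes=40  -> status %d\n", emf_check_sample(40, 88));
    printf("nBytes=40 unchecked remaining = %u\n", emf_unchecked_remaining(40));
    return 0;
}
```

Status 5 (`EMF_SIZE_BELOW_HEADER`) is the case the advisory triggers; the wrapped remaining length shows why the second read then runs to the end of the file and beyond the buffer. Allocate only after `emf_validate_header` returns `EMF_OK`, and size the allocation from the validated `nBytes`, never from the raw field.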
