>
> Windows Metafile SetPaletteEntries Heap Overflow Vulnerability
> (Graphics Rendering Engine Vulnerability)
>
> Release Date:
> November 8, 2005
>
> Date Reported:
> September 1, 2005
>
> Severity:
> High (Code Execution)
>
> Vendor:
> Microsoft
>
> Systems Affected:
> Windows 2000
> Windows XP SP0, SP1
> Windows Server 2003 SP0
>
> Overview:
> eEye Digital Security has discovered a vulnerability in the way the
> Windows Graphical Device Interface (GDI) processes Windows Metafile
> (WMF) format image files that would allow arbitrary code execution as a
> user who attempts to view a malicious image. An attacker could send
> such a metafile to a victim of his choice over any of a variety of
> attack vectors, including an HTML e-mail, a link to a web page, a
> metafile-bearing Microsoft Office document, or a chat message.
>
> Technical Details:
> The code in GDI32.DLL responsible for rendering Windows Metafiles
> contains an integer overflow vulnerability in the function
> PlayMetaFileRecord, cases 36h and 37h, which handle
> "SetPaletteEntries"-type records. If the reported length of such a
> record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
> integer overflow and can be made to allocate an insufficient heap block,
> the success of which incorrectly implies the validity of the length:
>
> 77F5BC38 mov eax, [ebx] ; length field
> 77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
> 77F5BC3E push eax
> 77F5BC3F push edi
> 77F5BC40 call ds:LocalAlloc
> ...
> 77F5BC51 mov ecx, [ebx] ; length field
> 77F5BC53 add eax, 2
> 77F5BC56 shl ecx, 1 ; copy size != allocation size
> 77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
> 77F5BC5A mov esi, ebx
> 77F5BC5C mov edi, eax
> 77F5BC5E shr ecx, 2
> 77F5BC61 rep movsd
> 77F5BC63 mov ecx, edx
> 77F5BC65 and ecx, 3
> ...
> 77F5BC6D rep movsb
>
> Although the copy length is similarly subject to an integer overflow,
> the two differ by a "+2" term, and therefore the allocation size can be
> made very small while keeping the copy length extremely large. The
> result is a complete heap overwrite with arbitrary binary data from the
> metafile.
>
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink Endpoint Protection proactively protects users from this
> vulnerability.
>
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
> http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
>
> Credit:
> Fang Xing
>
> Related Links:
> This vulnerability has been assigned the following IDs:
>
> EEYEB-20050901
> OSVDB ID:
> CVE ID: CAN-2005-2123
>
> Greetings:
> Thanks to Derek and the eEye guys for helping me write this advisory.
> Greetings to the xfocus guys and the venustech lab guys.
>
> Copyright (c) 1998-2005 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are no warranties, implied or express, with regard to this information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information. Any use of this information is at the user's
> own risk.
>
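The length arithmetic the quoted advisory describes (allocation size 2*len+2 from `lea eax,[eax+eax+2]`, copy size 2*len from `shl ecx,1`) is easier to reason about in C. The block below is an added example written for this note; it is not eEye's code and not the GDI32 implementation. It reproduces the unchecked 32-bit arithmetic so the wraparound for 7FFFFFFFh and FFFFFFFFh is visible, and beside it shows a checked version that does the arithmetic in 64 bits and also bounds the copy against the bytes actually present. The record layout used by `load_palette_record` (a little-endian 32-bit length followed by 2*len bytes) is a constructed simplification for the demonstration, not the real WMF SetPaletteEntries encoding, and all function names are the author's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked arithmetic as in the advisory's disassembly, using uint32_t so
 * the wraparound matches 32-bit x86:
 *   lea eax,[eax+eax+2]  -> allocation size = 2*len + 2
 *   shl ecx,1            -> copy size       = 2*len
 * For len = 0x7FFFFFFF or 0xFFFFFFFF the allocation size wraps to 0 while
 * the copy size is 0xFFFFFFFE: a tiny block, a huge memcpy. */
uint32_t vuln_alloc_size(uint32_t len) { return len + len + 2; }
uint32_t vuln_copy_size(uint32_t len)  { return len << 1; }

/* Checked replacement: compute both sizes in 64 bits, refuse any length
 * whose sizes do not fit in 32 bits, and refuse a copy longer than the
 * input that is actually available. Returns false when the record is
 * rejected; on success both output sizes are consistent with each other. */
bool checked_palette_sizes(uint32_t len, size_t bytes_available,
                           uint32_t *alloc_size, uint32_t *copy_size)
{
    uint64_t copy  = (uint64_t)len * 2;
    uint64_t alloc = copy + 2;
    if (alloc > UINT32_MAX)      return false; /* would wrap in 32 bits   */
    if (copy  > bytes_available) return false; /* record claims more data */
    *alloc_size = (uint32_t)alloc;             /* than the file contains  */
    *copy_size  = (uint32_t)copy;
    return true;
}

/* Hypothetical simplified record (constructed for this example): a
 * little-endian 32-bit length field followed by 2*len bytes of palette
 * data. Copies the data into a fresh heap block sized by the checked
 * arithmetic; returns NULL if the record is malformed. Caller frees. */
uint8_t *load_palette_record(const uint8_t *rec, size_t rec_len,
                             uint32_t *out_bytes)
{
    if (rec_len < 4) return NULL;
    uint32_t len = (uint32_t)rec[0] | (uint32_t)rec[1] << 8 |
                   (uint32_t)rec[2] << 16 | (uint32_t)rec[3] << 24;
    uint32_t alloc_size, copy_size;
    if (!checked_palette_sizes(len, rec_len - 4, &alloc_size, &copy_size))
        return NULL;
    uint8_t *block = malloc(alloc_size);
    if (!block) return NULL;
    memcpy(block, rec + 4, copy_size);   /* copy_size == alloc_size - 2 */
    *out_bytes = copy_size;
    return block;
}

/* Convenience wrapper: does the record load, without keeping the block. */
bool record_accepted(const uint8_t *rec, size_t rec_len)
{
    uint32_t n;
    uint8_t *block = load_palette_record(rec, rec_len, &n);
    if (!block) return false;
    free(block);
    return true;
}

/* Constructed sample records for the demonstration. */
static const uint8_t good_record[]  = {3, 0, 0, 0,             /* len = 3   */
                                       0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
static const uint8_t wrap_record[]  = {0xFF, 0xFF, 0xFF, 0xFF, /* len wraps */
                                       0x41, 0x41};
static const uint8_t short_record[] = {8, 0, 0, 0,             /* claims 16 */
                                       0x41, 0x41};            /* has 2     */

int main(void)
{
    uint32_t lens[] = {0x7FFFFFFFu, 0xFFFFFFFFu};
    for (size_t i = 0; i < 2; i++)
        printf("len=%08X alloc=%08X copy=%08X\n", lens[i],
               vuln_alloc_size(lens[i]), vuln_copy_size(lens[i]));
    printf("good: %d wrap: %d short: %d\n",
           record_accepted(good_record, sizeof good_record),
           record_accepted(wrap_record, sizeof wrap_record),
           record_accepted(short_record, sizeof short_record));
    return 0;
}
```

The second check in `checked_palette_sizes` matters as much as the overflow check: a length that does not wrap can still exceed the bytes left in the file, and the original code's "allocation succeeded, therefore the length is fine" reasoning is exactly the inference this replaces.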