Bugtraq: Re: Windows XP explorer.exe heap overflow.

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Windows XP explorer.exe heap overflow.

From: Tim <tim-security () sentinelchicken org>
Date: Tue, 24 Feb 2004 09:08:25 -0800

This is very similar (though perhaps different) than the DoS found by
Marc Ruef: http://seclists.org/lists/fulldisclosure/2003/Sep/0047.html
and later analyzed: 
  http://seclists.org/lists/fulldisclosure/2003/Sep/0078.html
  http://seclists.org/lists/fulldisclosure/2003/Sep/0080.html

This older find boiled down to an overflow in parsing gif images that,
AFAIK, M$ refused to patch, or decided to patch silently (Ask Marc, he
would know for sure).  It also would cause explorer.exe to crash
intermittently when the gif was previewed.  I am curious to know if
these are related or not.  Any comments on that Jellytop?  (I have a
sample of the gif if you want to test.)

tim


On Fri, Feb 20, 2004 at 06:45:39PM -0000, sunglasses () bay-watch com wrote:



Vulnerability in XP explorer.exe image loading
----------------------------------------------

Systems affected: 
  Current XP - others not tested.

Degree: 
  Arbitrary code execution.

Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause
an exploitable heap overflow in (or near) shimgvw.dll.

Details
-------
The image preview code that explorer uses has an exploitable buffer overflow.

An .emf file with a "total size" field set to less than the header
size will causes explorer.exe to crash in the heap routines - in classic
heap overflow style that should be exploitable a la the RPC exploits.  

There are two overflows here:

1. A buffer is allocated with the size indicated in the header (no
validity checks), then the header is copied into it - if the size is
less than the header size, that's one overflow.

2. They then proceed to read the rest of the file to a length of
(size-headersize), which allows for an integer overflow causing the rest
of the file to be appended to the already blown buffer.

Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid
"size" field) .emf file  
in any directory, open explorer to that path, and view as Thumbnails.
Bang. In it's simplest  
form it's a DOS - it affects all explorer windows, including File Open
dialogs for many programs. 

Alternatively, without viewing as a Thumbnail, open the picture
preview window for the .emf file. (It's the default double-click
action). Using this trigger causes a different crash point, which may
not be exploitable, but I wouldn't rule it out.   

Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are
similar. 


- Jellytop, 2004 

"If a man will begin with certainties, he shall end in doubts; but if
he will be content to  
begin with doubts he shall end in certainties."

By Date By Thread

Current thread:

Windows XP explorer.exe heap overflow. sunglasses (Feb 23)
- Re: Windows XP explorer.exe heap overflow. Eli K. (Feb 24)
  - RE: Windows XP explorer.exe heap overflow. Larry Seltzer (Feb 25)
    - Re: Windows XP explorer.exe heap overflow. Eli Kara (Feb 25)
    - Re: Windows XP explorer.exe heap overflow. Dragos Ruiu (Feb 26)
- Re: Windows XP explorer.exe heap overflow. Tim (Feb 24)
- <Possible follow-ups>
- Re: Windows XP explorer.exe heap overflow. Chris Calabrese (Feb 23)
  - blocking gzip encoded files Darwin Mecham (Feb 23)
    - Re: blocking gzip encoded files mgotts (Feb 24)
    - Re: blocking gzip encoded files Josep L. Guallar-Esteve (Feb 24)
- RE: Windows XP explorer.exe heap overflow. Michael Wojcik (Feb 23)