Full Disclosure mailing list archives

RE: Steve Gibson smokes crack?
From: "Peter Ferrie" <pferrie () symantec com>
Date: Fri, 13 Jan 2006 15:15:40 -0800

[snip]
does anyone know the circumstances, in all cases, where the bug is
triggered, or is there only speculation based upon exploit code
"working" against a given vulnerable implementation of the API?

The triggering mechanism is well-understood: this incorrect record
length requirement is simply wrong.  There is no "magic key".
It is possible to create entirely well-formed files that will
execute.  I don't know why Steve couldn't get it working properly,
and I'd like to know just how he managed to get it working at all
on Windows 2000 (see below).  So, what we have is this:
 
The file must not begin with the placeable (aka Aldus) meta file
header.  If it does begin with that, then the function is ignored,
and Windows continues to parse the file.
This is why Windows 9x, NT, and 2000 do not execute anything from
within Internet Explorer, for example - they do not support WMF
files without the Aldus header.
 
The record must be reachable.  It will not execute if the EOF
record (function number 00) is seen first.
 
That's all.  To clarify some other things:
 
The record length can be any value at all, as long as it remains
within the bounds of the file.  Before executing any record,
Windows checks that the next record is accessible.
 
The file does not have to end with the EOF record, but there must
be one in the file.
 
The smallest metafile is 18 bytes.  That's the header only.
The smallest parsable metafile is 24 bytes (EOF record only).
The smallest SetAbortProc file for Windows XP is 62 bytes.
 
8^) p.
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
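The record walk described in the message above, as an added example in Python; it is not code from the post, from Microsoft, or from any exploit. The placeable-header key (0x9AC6CDD7), the META_ESCAPE function number (0x0626) and the SetAbortProc escape sub-function (9) come from the public WMF format description rather than from the post; the rule that a record is only acted on when the next record's six-byte size/function fields still fit in the file is this walker's reading of "Windows checks that the next record is accessible", and the rejection of a record size below 3 words is the walker's own loop guard. The sample files are constructed inline and carry no escape payload.

```python
"""Walk the records of a Windows Metafile (WMF) and apply the conditions
the post above gives for a SetAbortProc record being reached.

Added example: not code from the post, from Microsoft, or from any exploit.
Constants come from the published WMF format; the sample files are built
inline and contain only a zero-length escape record.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # placeable ("Aldus") header magic, first 4 bytes
META_EOF = 0x0000           # record function number 0, per the post
META_ESCAPE = 0x0626        # META_ESCAPE record function number (WMF format)
SETABORTPROC = 0x0009       # escape sub-function number for SetAbortProc
HEADER_LEN = 18             # standard metafile header, in bytes


def build_record(function, params=b""):
    """One WMF record: DWORD size (in WORDs), WORD function number, params."""
    if len(params) % 2:
        params += b"\x00"  # records are WORD-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_wmf(records, placeable=False):
    """18-byte header followed by the records, optionally with a placeable header."""
    body = b"".join(records)
    max_words = max((len(r) // 2 for r in records), default=0)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    data = header + body
    if placeable:
        # key, handle, bounding box (4 x int16), inch, reserved, then XOR checksum
        pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", pre):
            checksum ^= word
        data = pre + struct.pack("<H", checksum) + data
    return data


def analyze(data):
    """Walk records in order and report whether a SetAbortProc escape is reached.

    Rules applied, following the post: a placeable header means nothing is
    executed; each record must lie within the file; the walk stops at EOF;
    a record only counts as executed if the record after it is accessible
    (this walker reads that as: the next record's 6-byte size/function
    fields fit in the file). Rejecting size_words < 3 is the walker's own
    loop guard, not something the post states.
    """
    result = {"placeable": False, "eof_seen": False, "truncated": False,
              "setabortproc_reached": False, "records": []}
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        return result
    if len(data) < HEADER_LEN:
        result["truncated"] = True
        return result
    offset = HEADER_LEN
    while offset + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, offset)
        end = offset + size_words * 2
        if size_words < 3 or end > len(data):
            break  # record does not fit in the file
        result["records"].append((offset, function, size_words))
        if function == META_EOF:
            result["eof_seen"] = True
            return result
        if end + 6 > len(data):
            break  # next record not accessible, so this one is never executed
        if function == META_ESCAPE and size_words >= 4:
            escape_fn = struct.unpack_from("<H", data, offset + 6)[0]
            if escape_fn == SETABORTPROC:
                result["setabortproc_reached"] = True
        offset = end
    result["truncated"] = True
    return result


def samples():
    """Constructed files, one per condition from the post (no real payload)."""
    abort = build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
    eof = build_record(META_EOF)
    # size field claims 1000 WORDs but the record is only 10 bytes long
    too_big = struct.pack("<IH", 1000, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, 0)
    return {
        "eof_only": build_wmf([eof]),                  # 24 bytes: header + EOF
        "abort_then_eof": build_wmf([abort, eof]),     # escape record reached
        "eof_then_abort": build_wmf([eof, abort]),     # EOF seen first
        "placeable": build_wmf([abort, eof], placeable=True),
        "no_eof": build_wmf([abort]),                  # nothing after the record
        "oversized": build_wmf([too_big, eof]),        # size runs past the file
    }


if __name__ == "__main__":
    for name, data in samples().items():
        r = analyze(data)
        print(f"{name:15s} {len(data):3d} bytes  placeable={r['placeable']} "
              f"eof={r['eof_seen']} reached={r['setabortproc_reached']}")
```

Running it shows the 24-byte header-plus-EOF file parsing cleanly with nothing reached, the escape record counting only when it precedes the EOF record and is followed by something accessible, and the placeable-header and oversized-record files being set aside before any record is acted on.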

