Vulnerability in XP explorer.exe image loading
----------------------------------------------
Systems affected: Current XP - others not tested.
Degree: Arbitrary code execution.
Summary
-------
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.
Details
-------
The image preview code that explorer uses has an exploitable buffer overflow.
An .emf file with a "total size" field set to less than the header size will cause explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.
There are two overflows here:
1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.
2. They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.
Exploit
-------
To exploit this flaw (in explorer), simply place a malformed (invalid "size" field) .emf file in any directory, open explorer to that path, and view as Thumbnails. Bang. In its simplest form it's a DOS - it affects all explorer windows, including File Open dialogs for many programs.
Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.
Additional notes
----------------
It may be worth checking out similar issues in .wmf files, as they are similar.
- Jellytop, 2004
bitwild
Feb 24 2004, 10:17 AM
been playing around with this... helpful info:
http://www.wotsit.org/download.asp?f=wmf
CODE
typedef struct _EnhancedMetaHeader {
    DWORD RecordType;      /* Record type */
    DWORD RecordSize;      /* Size of the record in bytes */
    LONG  BoundsLeft;      /* Left inclusive bounds */
    LONG  BoundsRight;     /* Right inclusive bounds */
    LONG  BoundsTop;       /* Top inclusive bounds */
    LONG  BoundsBottom;    /* Bottom inclusive bounds */
    LONG  FrameLeft;       /* Left side of inclusive picture frame */
    LONG  FrameRight;      /* Right side of inclusive picture frame */
    LONG  FrameTop;        /* Top side of inclusive picture frame */
    LONG  FrameBottom;     /* Bottom side of inclusive picture frame */
    DWORD Signature;       /* Signature ID (always 0x464D4520) */
    DWORD Version;         /* Version of the metafile */
    DWORD Size;            /* Size of the metafile in bytes */
    DWORD NumOfRecords;    /* Number of records in the metafile */
    WORD  NumOfHandles;    /* Number of handles in the handle table */
    WORD  Reserved;        /* Not used (always 0) */
    DWORD SizeOfDescrip;   /* Size of description string in WORDs */
    DWORD OffsOfDescrip;   /* Offset of description string in metafile */
    DWORD NumPalEntries;   /* Number of color palette entries */
    LONG  WidthDevPixels;  /* Width of reference device in pixels */
    LONG  HeightDevPixels; /* Height of reference device in pixels */
    LONG  WidthDevMM;      /* Width of reference device in millimeters */
    LONG  HeightDevMM;     /* Height of reference device in millimeters */
} ENHANCEDMETAHEADER;
BLOCK 30h-33h - DWORD Size;
...
QUOTE
Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.
only.for.info: (even works with 1x right click on emf file [in 'details' view]) (opening the .emf file via cmd.exe avoids crashing of explorer.exe, -xp picture viewer succ. opened)
I just keep on playing ... but first need some coffee :)) have fun and share your results :)
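The two conditions the advisory describes (Size smaller than the header, so the header copy overruns the allocation, and size-headersize wrapping) can both be caught by validating the header before allocating anything. This is an added example, not code from the thread or from shimgvw.dll: it reads the Size field at 30h of the 88-byte struct posted above, rejects a Size below the header length or beyond the bytes actually present, and only then computes the body length. The sample headers are constructed here; the only constants taken from the thread are the header layout and the signature 0x464D4520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout from the struct posted above: 88-byte header, Size at 30h. */
#define EMF_HEADER_SIZE   88u
#define EMF_OFF_RECSIZE   0x04u
#define EMF_OFF_SIGNATURE 0x28u
#define EMF_OFF_SIZE      0x30u
#define EMF_SIGNATURE     0x464D4520u   /* " EMF" */

static uint32_t rd32(const uint8_t *p)            /* little-endian DWORD */
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Verdict before any allocation: 0 = ok (*body_len = bytes after the header),
 * 1 = input shorter than a header, 2 = bad signature,
 * 3 = Size < header size (the case that overruns the header copy and makes
 *     size - headersize wrap), 4 = Size larger than the bytes actually present. */
int emf_check_header(const uint8_t *buf, size_t len, uint32_t *body_len)
{
    if (len < EMF_HEADER_SIZE) return 1;
    if (rd32(buf + EMF_OFF_SIGNATURE) != EMF_SIGNATURE) return 2;
    uint32_t size = rd32(buf + EMF_OFF_SIZE);
    if (size < EMF_HEADER_SIZE) return 3;
    if (size > len) return 4;
    if (body_len) *body_len = size - EMF_HEADER_SIZE;   /* cannot underflow now */
    return 0;
}

/* Builds a constructed header (not a real file) with the given Size field and
 * signature inside a zero-filled buffer of file_len bytes, then returns the
 * body length on success or the negated reason code on rejection. */
long check_sample(uint32_t size_field, uint32_t signature, size_t file_len)
{
    uint8_t file[256] = {0};
    uint32_t body = 0;
    if (file_len > sizeof file) file_len = sizeof file;
    if (file_len >= EMF_HEADER_SIZE) {
        wr32(file + 0, 1);                        /* RecordType = EMR_HEADER */
        wr32(file + EMF_OFF_RECSIZE, EMF_HEADER_SIZE);
        wr32(file + EMF_OFF_SIGNATURE, signature);
        wr32(file + EMF_OFF_SIZE, size_field);
    }
    int rc = emf_check_header(file, file_len, &body);
    return rc ? -(long)rc : (long)body;
}
```

check_sample(100, EMF_SIGNATURE, 100) yields 12 (a benign 100-byte file), while check_sample(16, EMF_SIGNATURE, 100) yields -3, the Size-below-header case from the advisory.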
ST.
Feb 24 2004, 10:22 AM
the same works if an *.avi file is less than in the header, explorer will crash when thumbnailing files
bitwild
Feb 24 2004, 10:24 AM
time for a new worm <eg> ;))
x1`
Feb 24 2004, 10:57 AM
is this only a local exploit or will it work over the net on port 80? thanks for the info
icenix
Feb 27 2004, 04:00 AM
Hey... I'm also wondering why Secunia tells us that it's Remote... I'm not sure on what terms they mean by that though. Remote as in ???? I'm hoping that it's going to be remote as in DoS Target etc.. I don't understand how it's possible though... I'm guessing it's one of those gotta click it open things. anyway.. keep em coming guys!!! IceNix pls mail me on any updates!
Sorry for being a newb guys but how do you use this exploit? I don't know how to execute it but I'd like to learn.
xlulux
Feb 29 2004, 02:58 AM
chill_factor why do you want to use it, I don't mean to rant but it's skiddies like you that give the real hackers a bad image and lead to 3 new exploits a day that are usable to every 5 year old with a mouse and half a brain, which are you missing?
buuuut I'm in a good mood so let me help you out
you get the exploit and read the code, and the comments, then you go to the website and you talk to the makers, and if by then you can't use it, come back and tell us that you've tried, hack to learn don't learn to hack
btw do you know how to program? how about the OSI or the DoD layer model, if you don't know about those then go learn more
shaun2k2
Feb 29 2004, 08:41 AM
QUOTE
you get the exploit and read the code, and the comments, then you go to the website and you talk to the makers, and if by then you can't use it, come back and tell us that you've tried, hack to learn don't learn to hack
Before blatantly insulting somebody for doing nothing wrong, please learn the circumstances. This vulnerability does not require an exploit program, rather a malformed EMF image file. Please read the member's question instead of jumping in with both feet hoping to embarrass somebody, eh?
QUOTE
btw do you know how to program? how about the OSI or the DoD layer model, if you don't know about those then go learn more
Do you? I'd love to see some of your homegrown tools.
The member was not asking how to hack, only how to experiment with this vulnerability. Don't pick on a user's skills, that's just nasty. Don't try to embarrass people... he only asked a question, he did not want to get insulted.
-Shaun.