Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
[Full-Disclosure] RE: Windows XP explorer.exe heap overflow.
From: Evgeny Pinchuk (EvgenyPRadware.com)
Date: Tue Feb 24 2004 - 09:42:22 CST
I modified a WMF file at offset 24 (0x18h) which is the header size and
could not recreate the bug.
The header size of WMF file is always 9 and modifying it results only an
error message that the file couldn't be shown.
Some info on WMF files:
-Placeable Meta Header - (22 bytes)
-Standard Meta Header - (18 bytes)
-Standart Metafile Record1 -
-Standart Metafile RecordN -
typedef struct _PlaceableMetaHeader
DWORD Key; /* Magic number (always 9AC6CDD7h) */
WORD Handle; /* Metafile HANDLE number (always 0) */
SHORT Left; /* Left coordinate in metafile units */
SHORT Top; /* Top coordinate in metafile units */
SHORT Right; /* Right coordinate in metafile units */
SHORT Bottom; /* Bottom coordinate in metafile units */
WORD Inch; /* Number of metafile units per inch */
DWORD Reserved; /* Reserved (always 0) */
WORD Checksum; /* Checksum value for previous 10 WORDs */
typedef struct _WindowsMetaHeader
WORD FileType; /* Type of metafile (0=memory, 1=disk) */
WORD HeaderSize; /* Size of header in WORDS (always 9) */
WORD Version; /* Version of Microsoft Windows used */
DWORD FileSize; /* Total size of the metafile in WORDs */
WORD NumOfObjects; /* Number of objects in the file */
DWORD MaxRecordSize; /* The size of largest record in WORDs */
WORD NumOfParams; /* Not Used (always 0) */
More information about WMF files can be found at
> -----Original Message-----
> From: sunglassesbay-watch.com [mailto:sunglassesbay-watch.com]
> Sent: Friday, February 20, 2004 8:46 PM
> To: bugtraqsecurityfocus.com
> Subject: Windows XP explorer.exe heap overflow.
> Vulnerability in XP explorer.exe image loading
> Systems affected:
> Current XP - others not tested.
> Arbitrary code execution.
> A malformed .emf (Enhanced Metafile, a graphics format) file can cause an
> exploitable heap overflow in (or near) shimgvw.dll.
> The image preview code that explorer uses has an exploitable buffer
> An .emf file with a "total size" field set to less than the header size
> will causes explorer.exe to crash in the heap routines - in classic heap
> overflow style that should be exploitable a la the RPC exploits.
> There are two overflows here:
> 1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is less
> than the header size, that's one overflow.
> 2. They then proceed to read the rest of the file to a length of (size-
> headersize), which allows for an integer overflow causing the rest of the
> file to be appended to the already blown buffer.
> To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file
> in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest
> form it's a DOS - it affects all explorer windows, including File Open
> dialogs for many programs.
> Alternatively, without viewing as a Thumbnail, open the picture preview
> window for the .emf file. (It's the default double-click action). Using
> this trigger causes a different crash point, which may not be exploitable,
> but I wouldn't rule it out.
> Additional notes
> It may be worth checking out similar issues in .wmf files, as they are
> - Jellytop, 2004
> "If a man will begin with certainties, he shall end in doubts; but if he
> will be content to
> begin with doubts he shall end in certainties."
Full-Disclosure - We believe in it.