Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] [EEYEB-20050901] Windows Metafile SetPalette Entries Heap OVerflow Vulnerability (Graphics Rendering Engine Vulnerability)

Date: Tue Nov 08 2005 - 13:39:31 CST

Windows Metafile SetPalette Entries Heap OVerflow Vulnerability
(Graphics Rendering Engine Vulnerability)

Release Date:
November 8, 2005

Date Reported:
September 1, 2005

High (Code Execution)


Systems Affected:
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0

eEye Digital Security has discovered a vulnerability in the way the
Windows Graphical Device Interface (GDI) processes Windows Metafile
(WMF) format image files that would allow arbitrary code execution as a
user who attempts to view a malicious image. An attacker could send
such a metafile to a victim of his choice over any of a variety of
attack vectors, including an HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message.

Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles
contains an integer overflow vulnerability in the function
PlayMetaFileRecord, cases 36h and 37h, which handle
"SetPaletteEntries"-type records. If the reported length of such a
record is 7FFFFFFFh or FFFFFFFFh, the following code will experience an
integer overflow and can be made to allocate an insufficient heap block,
the success of which incorrectly implies the validity of the length:

    77F5BC38 mov eax, [ebx] ; length field
    77F5BC3A lea eax, [eax+eax+2] ; *** integer overflow ***
    77F5BC3E push eax
    77F5BC3F push edi
    77F5BC40 call ds:LocalAlloc
    77F5BC51 mov ecx, [ebx] ; length field
    77F5BC53 add eax, 2
    77F5BC56 shl ecx, 1 ; copy size != allocation
    77F5BC58 mov edx, ecx ; intrinsic memcpy() follows
    77F5BC5A mov esi, ebx
    77F5BC5C mov edi, eax
    77F5BC5E shr ecx, 2
    77F5BC61 rep movsd
    77F5BC63 mov ecx, edx
    77F5BC65 and ecx, 3
    77F5BC6D rep movsb

Although the copy length is similarly subject to an integer overflow,
the two differ by a "+2" term, and therefore the allocation size can be
made very small while keeping the copy length extremely large. The
result is a complete heap overwrite with arbitrary binary data from the

Retina Network Security Scanner has been updated to identify this
Blink Endpoint Protection proactively protects users from this

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:

Fang Xing

Related Links:
This vulnerability has been assigned the following IDs;

CVE ID: CAN-2005-2123

Thanks Derek and and eEye guys help me wrote this advisory. Greeting
xfocus guys and venustech lab guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alerteEye.com for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/