[VulnWatch] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows

From: Advisories@private
Date: Tue Nov 08 2005 - 11:39:44 PST

Windows Metafile Multiple Heap Overflows

Release Date:
November 8, 2005

Date Reported:
March 29, 2005

High (Code Execution)


Systems Affected:
Windows 2000
Windows Server 2003

eEye Digital Security has discovered a heap overflow vulnerability in
the way the Windows Graphical Device Interface (GDI) processes Windows
enhanced metafile images (file extensions EMF and WMF).  An attacker
could send a malicious metafile to a victim of his choice over any of a
variety of media -- such as HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message -- in
order to execute code on that user's system at the user's privilege

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of
integer overflow flaws in its processing of EMF/WMF file data that lead
to exploitable heap overflows through any number of specially crafted
metafile structures.  For example, the following disassembly from
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible
to integer overflow and as a result may pass validation with a dangerous

    77F6C759    mov     edx, [ecx+18h]    ; malicious count (e.g.,
    77F6C75C    mov     eax, [ecx+4]      ; heap allocation size
    77F6C764    lea     edx, [edx*4+1Ch]  ; EDX >= 3FFFFFF9h: integer
    77F6C76B    cmp     edx, eax          ; validation check
    77F6C76D    jnz     77F6C77F

Retina Network Security Scanner has been updated to identify this
Blink Endpoint Protection proactively protects users from this

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:

Fang Xing

Related Links:
This vulnerability has been assigned the following IDs;

OSVDB ID: 18820
CVE ID: CAN-2005-2124

Thanks Derek and and eEye guys help me wrote this advisory. Greeting
xfocus guys and venustech lab guys.

Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@private for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

This archive was generated by hypermail 2.1.3 : Tue Nov 08 2005 - 13:38:42 PST