SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Windows Metafile Multiple Heap Overflows


Arrow  SecurityAlert : 161
Arrow  CVE : CVE-2005-2124
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Given : No
Arrow  Credit : Fang Xing
Arrow  Published : 09.11.2005

Arrow  Affected Software :
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows Server 2003



Arrow  Advisory Text :  

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in the
way the Windows Graphical Device Interface (GDI) processes Windows enhanced
metafile images (file extensions EMF and WMF). An attacker could send a
malicious metafile to a victim of his choice over any of a variety of media
-- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft
Office document, or a chat message -- in order to execute code on that
user's system at the user's privilege level.

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of
integer overflow flaws in its processing of EMF/WMF file data that lead to
exploitable heap overflows through any number of specially crafted metafile
structures. For example, the following disassembly from
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to
integer overflow and as a result may pass validation with a dangerous
value:

77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
...
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Discovery: Fang Xing

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition-
http://www.sse.co.jp/eeye/index.html

Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting
xfocus guys and venustech lab guys.



Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...
Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication
PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file
Copyright © SecurityReason.com. All Rights Reserved.