SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Windows Metafile Multiple Heap Overflows


Arrow  SecurityAlert : 161
Arrow  CVE : CVE-2005-2124
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : No
Arrow  Credit : Fang Xing
Arrow  Published : 09.11.2005

Arrow  Affected Software :
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows Server 2003



Arrow  Advisory Content :  

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in the
way the Windows Graphical Device Interface (GDI) processes Windows enhanced
metafile images (file extensions EMF and WMF). An attacker could send a
malicious metafile to a victim of his choice over any of a variety of media
-- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft
Office document, or a chat message -- in order to execute code on that
user's system at the user's privilege level.

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of
integer overflow flaws in its processing of EMF/WMF file data that lead to
exploitable heap overflows through any number of specially crafted metafile
structures. For example, the following disassembly from
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to
integer overflow and as a result may pass validation with a dangerous
value:

77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
...
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Discovery: Fang Xing

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition-
http://www.sse.co.jp/eeye/index.html

Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting
xfocus guys and venustech lab guys.




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

» PHP 5.3.0 5.2.11
   posix_mkfifo()
   open_basedir bypass
Copyright © SecurityReason.com. All Rights Reserved.