SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Windows Metafile Multiple Heap Overflows


Arrow  SecurityAlert : 161
Arrow  CVE : CVE-2005-2124
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : No
Arrow  Credit : Fang Xing
Arrow  Published : 09.11.2005

Arrow  Affected Software :
Windows NT Workstation
Windows NT Server
Windows NT Terminal Server
Windows 2000
Windows Server 2003



Arrow  Advisory Content :  

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in the
way the Windows Graphical Device Interface (GDI) processes Windows enhanced
metafile images (file extensions EMF and WMF). An attacker could send a
malicious metafile to a victim of his choice over any of a variety of media
-- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft
Office document, or a chat message -- in order to execute code on that
user's system at the user's privilege level.

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of
integer overflow flaws in its processing of EMF/WMF file data that lead to
exploitable heap overflows through any number of specially crafted metafile
structures. For example, the following disassembly from
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to
integer overflow and as a result may pass validation with a dangerous
value:

77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh)
77F6C75C mov eax, [ecx+4] ; heap allocation size
...
77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow
77F6C76B cmp edx, eax ; validation check
77F6C76D jnz 77F6C77F

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Discovery: Fang Xing

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition-
http://www.sse.co.jp/eeye/index.html

Greetings:
Thanks Derek and and eEye guys helped me write this advisory. Greeting
xfocus guys and venustech lab guys.





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

» PHP 5.3.0 5.2.11
   posix_mkfifo()
   open_basedir bypass

Copyright © SecurityReason.com. All Rights Reserved.