
WMF CreateBrushIndirect vulnerability (DoS)







The following WMF exploit appeared on milw0rm today:
http://www.milw0rm.com/exploits/3111 

The vulnerability is a result of the WMF parser passing a value from the file as
a pointer argument to the CreateBrushIndirect function. The function
dereferences the pointer and dies with an access violation.

The value in the file is only 16-bit and it is sign extended into a 32-bit
pointer. This means that we can only access addresses from 0x00000000 to
0x0000FFFF and from 0xFFFF0000 to 0xFFFFFFFF. Both of these ranges are always
invalid, so the vulnerability is just a DoS.

For more details and some commentary, see:
http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html 


Alexander Sotirov
Determina Security Research
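The sign-extension argument in the post, worked through in code. This is an added illustration, not code from the post or from the milw0rm entry: it models only the arithmetic (a 16-bit record field sign-extended to a 32-bit pointer) and checks, over every possible field value, that the result always lands in one of the two ranges the post names. The user-mode boundaries (0x00010000 lower, 0x80000000 upper) are assumed from the default 32-bit Windows 2 GB split; nothing here touches the WMF parser or dereferences a pointer.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the flaw: the parser reads a 16-bit field from the
 * WMF record and sign-extends it to a 32-bit value that is then used as a
 * pointer argument. Only the conversion is modelled here. */
uint32_t sign_extend_16_to_32(uint16_t file_value) {
    int16_t signed_value = (int16_t)file_value;   /* reinterpret as signed */
    return (uint32_t)(int32_t)signed_value;       /* sign extension to 32 bits */
}

/* The two ranges the post says are reachable: the bottom 64 KiB and the
 * top 64 KiB of the 32-bit address space. */
bool in_reachable_ranges(uint32_t addr) {
    return addr <= 0x0000FFFFu || addr >= 0xFFFF0000u;
}

/* Assumed 32-bit Windows layout (default 2 GB split): the first 64 KiB is a
 * reserved null-pointer guard region and everything from 0x80000000 up is
 * kernel space, so user-mode mappings live in [0x00010000, 0x80000000). */
bool is_user_mode_address(uint32_t addr) {
    return addr >= 0x00010000u && addr < 0x80000000u;
}

/* Exhaustively check all 65536 field values. Returns how many of them
 * produce a pointer outside the two invalid ranges or inside user-mode
 * address space; zero means the bug can only crash, as the post concludes. */
unsigned count_escaping_values(void) {
    unsigned escaped = 0;
    for (uint32_t v = 0; v <= 0xFFFFu; v++) {
        uint32_t ptr = sign_extend_16_to_32((uint16_t)v);
        if (!in_reachable_ranges(ptr) || is_user_mode_address(ptr))
            escaped++;
    }
    return escaped;
}

int main(void) {
    printf("0x0001 -> 0x%08X\n", sign_extend_16_to_32(0x0001));
    printf("0x7FFF -> 0x%08X\n", sign_extend_16_to_32(0x7FFF));
    printf("0x8000 -> 0x%08X\n", sign_extend_16_to_32(0x8000));
    printf("0xFFFF -> 0x%08X\n", sign_extend_16_to_32(0xFFFF));
    printf("field values reaching user-mode memory: %u\n", count_escaping_values());
    return 0;
}
```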


