exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

libwmf0284.txt

libwmf0284.txt
Posted Jul 2, 2006
Authored by infamous41md

libwmf version 0.2.8.4 has been found susceptible to an integer overflow in memory allocation that leads to a heap overflow.

tags | advisory, overflow
SHA-256 | bd8dadf074afb77c1e1dcaff5970a2d24b3b85d8a32148d37d67bb55551bbb06

libwmf0284.txt

Change Mirror Download
Sorry I don't have time to chase down multiple email addresses of alleged
developers; so here this is after weeks of no response. POC is not attached
unlike advisory says. It's not very difficult to exploit.

++++++++++++++++++++++++++++++++++++++++++++

Subject:

libwmf integer/heap overflow

++++++++++++++++++++++++++++++++++++++++++++

Product:

libwmf is a library for reading vector images in Microsøft's native Windøws
Metafile Format (WMF) and for either (a) displaying them in, e.g., an X window;
or (b) converting them to more standard/open file formats such as, e.g., the
W3C's XML-based Scaleable Vector Graphic (SVG) format.

http://wvware.sourceforge.net/libwmf.html

++++++++++++++++++++++++++++++++++++++++++++

Vulnerable:

I tested the most recent release, 0.2.8.4

++++++++++++++++++++++++++++++++++++++++++++

Summary:

An integer overflow in memory allocation leads to a heap overflow.

++++++++++++++++++++++++++++++++++++++++++++

Details:


-------------------------------------------------------------------------------
file: src/meta.c +117
-------------------------------------------------------------------------------


wmf_error_t wmf_header_read (wmfAPI* API)
{ U16 u16a;
U16 u16b;

...snip...


if (API->File->wmfheader->HeaderSize == 9)
{ API->File->wmfheader->Version = wmf_read_16 (API);
API->File->wmfheader->FileSize = wmf_read_32 (API,0,0);
API->File->wmfheader->NumOfObjects = wmf_read_16 (API);
1] API->File->wmfheader->MaxRecordSize = wmf_read_32 (API,0,0);
API->File->wmfheader->NumOfParams = wmf_read_16 (API);


1) This value is taken directly from the wmf file, later it will be used
to allocate memory. It is not sanitized at any point.


-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
file: src/player.c +86
-------------------------------------------------------------------------------


wmf_error_t wmf_scan (wmfAPI* API,unsigned long flags,wmfD_Rect* d_r)
{ wmfPlayer_t* P = (wmfPlayer_t*) API->player_data;


...snip...

wmf_header_read (API);

...snip...

1]

/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE
(API)-3) * 2 * sizeof (unsigned char)); */ P->Parameters = (unsigned
char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned
char)); /* HOLE */


WmfPlayMetaFile (API);



1) Overflow the calculation.


**************************


static wmf_error_t WmfPlayMetaFile (wmfAPI* API)
{ int i;
int byte;
int changed;

unsigned char* Par;


...snip...


1] Par = P->Parameters;


...snip...

number = 0;
do
{ if (++number < API->store.count)
{ atts = API->store.attrlist + number;
}
else
{ atts = &attrlist;
wmf_attr_clear (API, atts);
}

2] Size = wmf_read_32 (API,0,0);
Function = wmf_read_16 (API);

if ((Size == 3) && (Function == 0))
{ if (SCAN (API)) wmf_write (API, Size, Function,
"empty", atts->atts, 0, 0);
break; /* Probably final record ?? */
}

/* if ((Size > MAX_REC_SIZE (API)) || (Size < 3))
*/ if (((Size - 3) > MAX_REC_SIZE (API)) || (Size < 3))
{ WMF_ERROR (API,"libwmf: wmf with bizarre record size;
bailing..."); WMF_ERROR (API," please send it to us at
http://www.wvware.com/"); wmf_printf (API,"maximum record size = %u\n",
(unsigned) MAX_REC_SIZE (API)); wmf_printf (API,"record size = %u\n",(unsigned)
Size); API->err = wmf_E_BadFormat;
break;
}

pos_params = WMF_TELL (API);

if (pos_params < 0)
{ WMF_ERROR (API,"API's tell() failed on input stream!");
API->err = wmf_E_BadFile;
break;
}

3] for (i = 0; i < ((Size - 3) * 2); i++)
{ byte = WMF_READ (API);
if (byte == (-1))
{ WMF_ERROR (API,"Unexpected EOF!");
API->err = wmf_E_EOF;
break;
}
Par[i] = (unsigned char) byte; /* VECTOR */
}


1) Points to the memory we allocated above.

2) Controls the number of bytes we write into the buffer.

3) Overflow the buffer by arbitrarily huge amounts.

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++

Mitigating factors:

None.

++++++++++++++++++++++++++++++++++++++++++++

Workaround:

Do not open up untrusted wmf files.

++++++++++++++++++++++++++++++++++++++++++++

Notes:

libwmf is used by:

wv
abiword
freetype
gimp
libgsf
imagemagick

++++++++++++++++++++++++++++++++++++++++++++


Exploits:

POC is provided that crashes in free(). The easiest way to test is to use the
example conversion programs that come with libwmf, they are found in the
src/convert/.libs directory:


sean@hydra:~/libwmf-0.2.8.4/src/convert/.libs$ gcc -Wall exwmf.c
sean@hydra:~/libwmf-0.2.8.4/src/convert/.libs$ ./a.out > evil.wmf
sean@hydra:~/libwmf-0.2.8.4/src/convert/.libs$ gdb wmf2x
GNU gdb 6.3-debian

(gdb) r evil.wmf
Starting program: /home/sean/libwmf-0.2.8.4/src/convert/.libs/wmf2x evil.wmf
ERROR: player.c (482): Unexpected EOF!

Program received signal SIGSEGV, Segmentation fault.
0x402d5354 in mallopt () from /lib/libc.so.6
(gdb) bt
#0 0x402d5354 in mallopt () from /lib/libc.so.6
#1 0x402d415f in free () from /lib/libc.so.6
#2 0x402c283b in fclose () from /lib/libc.so.6
#3 0x4006e10e in wmf_file_close (API=0x804ad38) at bbuf.c:137
#4 0x4006d7d8 in wmf_lite_destroy (API=0x804ad38) at api.c:336
#5 0x40021e6f in wmf_api_destroy (API=0x804ad38) at wmf.c:167
#6 0x08048aec in wmf2x_draw (pdata=0xbffff8a0) at wmf2x.c:279
#7 0x08049518 in main (argc=1229353872, argv=0x49467390) at wmf2x.c:401

(gdb) up 1
#1 0x402d415f in free () from /lib/libc.so.6

(gdb) x/4x $ebp
0xbffff654: 0xbffff688 0x402c283b 0x08053258 0x00000000
^^^
chunk being free()'d


(gdb) x/30x 0x08053258-16
0x8053248: 0x41414141 0x41414141 0x41414141 0x41414141
^^^^^
chunk header


0x8053258: 0x00000000 0x40087000 0x40087000 0x40087000
0x8053268: 0x40087000 0x40087000 0x40087000 0x40087000
0x8053278: 0x40088000 0x00000000 0x00000000 0x00000000
0x8053288: 0x00000000 0x4038c440 0x00000006 0x00000000
0x8053298: 0x0804bb70 0x08000000 0x080532f0 0x00001018
0x80532a8: 0x00000000 0x0804bbe8 0x08053308 0xffffffff
0x80532b8: 0x0804bc30 0x0804bc40
(gdb)

++++++++++++++++++++++++++++++++++++++++++++


--
[ sean ]
[ pgp key id: 0x421C8CD9 ]
[ The advantage of a bad memory is that one enjoys several ]
[ times the same good things for the first time. ]

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close