Microsoft Windows Metafile image format buffer overflow

win-wmf-bo (22877) The risk level is classified as HighHigh Risk

Description:

Microsoft Windows and Windows Server could allow a remote attacker to execute arbitrary code, caused by a buffer overflow in the rendering of Windows Metafile (WMF) image formats. A remote attacker could create a specially-crafted file containing an image to overflow a buffer and execute arbitrary code on the system, and possibly cause a denial of service attack. An attacker could exploit this vulnerability by sending the malicious image to a victim as an email attachment and tricking the victim into opening the attachment or by hosting it on a Web site and persuading the victim to visit the Web site. A local attacker could exploit this vulnerability to obtain elevated privileges.

Platforms Affected:

  • Microsoft, Windows 2000 SP4
  • Microsoft, Windows 2003
  • Microsoft, Windows 2003 Server x64
  • Microsoft, Windows 2003 Server Itanium
  • Microsoft, Windows 2003 Server SP1 Itanium
  • Microsoft, Windows 2003 Server SP1
  • Microsoft, Windows XP x64-Professional
  • Microsoft, Windows XP SP1
  • Microsoft, Windows XP SP2

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection platform:
WinMs05kb896424Update

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
Image_WMF_RecordSize_Overflow

For Manual Protection:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-053. See References.

Consequences:

Gain Access

References:

  • IBM Internet Security Systems X-Force Database, Microsoft Windows .wmf file code execution at http://xforce.iss.net/xforce/xfdb/23846.
  • Internet Security Systems Protection Alert, Additional Vectors for GDI32.DLL WMF Image Rendering Vulnerability at http://xforce.iss.net/xforce/alerts/id/212.
  • Internet Security Systems Protection Alert December 28, 2005, Microsoft Picture and Fax Viewer WMF Buffer Overflow at http://xforce.iss.net/xforce/alerts/id/211.
  • Microsoft Security Bulletin MS05-053, Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) at http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx.
  • BID-15356: Microsoft Windows Graphics Rendering Engine WMF Format Code Execution Vulnerability
  • CVE-2005-2124: Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to An unchecked buffer and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka Windows Metafile Vulnerability.
  • FrSIRT/ADV-2005-2348: Microsoft Windows WMF/EMF File Handling Vulnerabilities (MS05-053)
  • SA17223: Nortel Centrex IP Client Manager Multiple Vulnerabilities
  • SA17461: Avaya Products Microsoft Windows WMF/EMF Multiple Vulnerabilities
  • SA17498: Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
  • SECTRACK ID: 1015168: Microsoft Windows Buffer Overflows in Graphics Rendering Engine Lets Remote Users Execute Arbitrary Code
  • US-CERT VU#433341: Microsoft Windows vulnerable to buffer overflow via specially crafted WMF file

Reported:

Nov 08, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page