Microsoft Windows Metafile image format buffer overflow
| win-wmf-bo (22877) |  High Risk |
Description:
Microsoft Windows and Windows Server could allow a remote attacker to execute arbitrary code, caused by a buffer overflow in the rendering of Windows Metafile (WMF) image formats. A remote attacker could create a specially-crafted file containing an image to overflow a buffer and execute arbitrary code on the system, and possibly cause a denial of service attack. An attacker could exploit this vulnerability by sending the malicious image to a victim as an email attachment and tricking the victim into opening the attachment or by hosting it on a Web site and persuading the victim to visit the Web site. A local attacker could exploit this vulnerability to obtain elevated privileges.
Consequences:
Gain Access
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection platform:
WinMs05kb896424Update
Enable the following checks in the Dynamic ISS Protection platform:
Image_WMF_RecordSize_Overflow
For Manual Protection:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-053. See References.
References:
- IBM Internet Security Systems X-Force Database: Microsoft Windows .wmf file code execution.
- Internet Security Systems Protection Alert: Additional Vectors for GDI32.DLL WMF Image Rendering Vulnerability.
- Internet Security Systems Protection Alert December 28, 2005: Microsoft Picture and Fax Viewer WMF Buffer Overflow.
- Microsoft Security Bulletin MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424).
- BID-15356: Microsoft Windows Graphics Rendering Engine WMF Format Code Execution Vulnerability
- CVE-2005-2124: Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to An unchecked buffer and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka Windows Metafile Vulnerability.
- SA17223: Nortel Centrex IP Client Manager Multiple Vulnerabilities
- SA17461: Avaya Products Microsoft Windows WMF/EMF Multiple Vulnerabilities
- SA17498: Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
- SECTRACK ID: 1015168: Microsoft Windows Buffer Overflows in Graphics Rendering Engine Lets Remote Users Execute Arbitrary Code
- US-CERT VU#433341: Microsoft Windows vulnerable to buffer overflow via specially crafted WMF file
- VUPEN/ADV-2005-2348: Microsoft Windows WMF/EMF File Handling Vulnerabilities (MS05-053)
Platforms Affected:
- Microsoft Windows 2000 SP4
- Microsoft Windows 2003
- Microsoft Windows 2003 Server SP1 Itanium
- Microsoft Windows 2003 Server x64
- Microsoft Windows 2003 Server Itanium
- Microsoft Windows 2003 Server SP1
- Microsoft Windows XP x64 Professional
- Microsoft Windows XP SP1
- Microsoft Windows XP SP2
Reported:
Nov 08, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net