LibWMF WMF File Handling Integer Overflow Vulnerability

2008-04-09 04:18:33 Source: Internet



Published: 2006-06-30
Updated: 2006-07-03

Affected systems:
wvWare libwmf 0.2.8.4
Description:
BUGTRAQ ID: 18751

libwmf is a library for reading and displaying Microsoft WMF graphics.

An integer overflow in libwmf's memory allocation can lead to a heap overflow. An attacker who tricks a user into opening a specially crafted WMF file can execute arbitrary code remotely.

The code relevant to the vulnerability is as follows:

-------------------------------------------------------------------------------
file: src/meta.c 117
-------------------------------------------------------------------------------


wmf_error_t wmf_header_read (wmfAPI* API)
{   U16 u16a;
    U16 u16b;

    ...snip...

    if (API->File->wmfheader->HeaderSize == 9)
    {   API->File->wmfheader->Version = wmf_read_16 (API);
        API->File->wmfheader->FileSize = wmf_read_32 (API,0,0);
        API->File->wmfheader->NumOfObjects = wmf_read_16 (API);
1]      API->File->wmfheader->MaxRecordSize = wmf_read_32 (API,0,0);
        API->File->wmfheader->NumOfParams = wmf_read_16 (API);

1) This value is read straight from the WMF file without any validation and is later used to allocate memory.

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
file: src/player.c 86
-------------------------------------------------------------------------------


wmf_error_t wmf_scan (wmfAPI* API,unsigned long flags,wmfD_Rect* d_r)
{   wmfPlayer_t* P = (wmfPlayer_t*) API->player_data;

    ...snip...

    wmf_header_read (API);

    ...snip...

1]  /* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE (API)-3) * 2 * sizeof (unsigned char)); */
    P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE (API)) * 2 * sizeof (unsigned char)); /* HOLE */

    WmfPlayMetaFile (API);

1) Overflow the calculation: MAX_REC_SIZE(API) comes straight from the file header, so MAX_REC_SIZE(API) * 2 can wrap around and the buffer ends up far smaller than the record size the later checks assume.


**************************


static wmf_error_t WmfPlayMetaFile (wmfAPI* API)
{   int i;
    int byte;
    int changed;

    unsigned char* Par;

    ...snip...

1]  Par = P->Parameters;

    ...snip...

    number = 0;
    do
    {   if (number < API->store.count)
        {   atts = API->store.attrlist + number;
        }
        else
        {   atts = &attrlist;
            wmf_attr_clear (API, atts);
        }

2]      Size = wmf_read_32 (API,0,0);
        Function = wmf_read_16 (API);

        if ((Size == 3) && (Function == 0))
        {   if (SCAN (API)) wmf_write (API, Size, Function, "empty", atts->atts, 0, 0);
            break; /* Probably final record ?? */
        }

        /* if ((Size > MAX_REC_SIZE (API)) || (Size < 3)) */
        if (((Size - 3) > MAX_REC_SIZE (API)) || (Size < 3))
        {   WMF_ERROR (API,"libwmf: wmf with bizarre record size; bailing...");
            WMF_ERROR (API," please send it to us at http://www.wvware.com/");
            wmf_printf (API,"maximum record size = %u\n",(unsigned) MAX_REC_SIZE (API));
            wmf_printf (API,"record size = %u\n",(unsigned) Size);
            API->err = wmf_E_BadFormat;
            break;
        }

        pos_params = WMF_TELL (API);

        if (pos_params < 0)
        {   WMF_ERROR (API,"API's tell() failed on input stream!");
            API->err = wmf_E_BadFile;
            break;
        }

3]      for (i = 0; i < ((Size - 3) * 2); i++)
        {   byte = WMF_READ (API);
            if (byte == (-1))
            {   WMF_ERROR (API,"Unexpected EOF!");
                API->err = wmf_E_EOF;
                break;
            }
            Par[i] = (unsigned char) byte; /* VECTOR */
        }

1) Par points to the buffer allocated above.

2) Size, read from the record, controls how many bytes are written into the buffer.

3) The buffer can be overflowed by an arbitrary amount: the record check compares Size only against MAX_REC_SIZE, not against the (wrapped) size that was actually allocated.

-------------------------------------------------------------------------------
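To make the size arithmetic concrete, here is an added example (not libwmf code) that models the 32-bit calculation MAX_REC_SIZE(API) * 2 from player.c beside a checked version, together with the per-record Size test; the function names and the PARAMS_CAP limit are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not libwmf code: models the buffer-size arithmetic in
 * player.c. MaxRecordSize is a 32-bit value read from the WMF header. */

/* Mirrors the vulnerable expression MAX_REC_SIZE(API) * 2. The product is
 * computed in 32-bit unsigned arithmetic, so header values >= 0x80000000
 * wrap to a tiny size and the later record copy runs past the buffer. */
uint32_t unsafe_params_size(uint32_t max_rec_size)
{
    return max_rec_size * 2u;   /* wraps silently on overflow */
}

/* Upper bound on the parameter buffer; an assumption chosen for this
 * example, not a libwmf constant. */
#define PARAMS_CAP (16u * 1024u * 1024u)

/* Checked variant: refuses header values whose doubling would wrap and
 * values above the cap, so the allocation always matches the record limit. */
bool safe_params_size(uint32_t max_rec_size, uint32_t *out_bytes)
{
    if (max_rec_size == 0u || max_rec_size > UINT32_MAX / 2u)
        return false;           /* would wrap in the multiplication */
    uint32_t bytes = max_rec_size * 2u;
    if (bytes > PARAMS_CAP)
        return false;           /* unreasonably large for a WMF record */
    *out_bytes = bytes;
    return true;
}

/* Per-record test equivalent to the condition in WmfPlayMetaFile:
 * ((Size - 3) > MAX_REC_SIZE) || (Size < 3). On success *n_bytes is the
 * number of parameter bytes the copy loop will write, (Size - 3) * 2. */
bool record_param_bytes(uint32_t size, uint32_t max_rec_size, uint32_t *n_bytes)
{
    /* Test Size < 3 first so Size - 3 never underflows. */
    if (size < 3u || (size - 3u) > max_rec_size)
        return false;
    /* (size - 3) <= max_rec_size <= UINT32_MAX / 2 once the header passed
     * safe_params_size, so this product cannot wrap. */
    *n_bytes = (size - 3u) * 2u;
    return true;
}
```

With a header value of 0x80000001 the unchecked expression yields a 2-byte buffer while records of up to 2 * 0x80000001 bytes still pass the Size check; the checked version rejects that header outright.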

<*Source: sean (infamous41md@hotpop.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=115168988013864&w=2
