LibWMF WMF File Handling Integer Overflow Vulnerability
Release date: 2006-06-30
Updated: 2006-07-03
Affected systems:
wvWare libwmf 0.2.8.4
Description:
BUGTRAQ ID: 18751
libwmf is a library for reading and displaying Microsoft WMF (Windows Metafile) graphics.
An integer overflow in libwmf's memory allocation can lead to a heap overflow. An attacker who tricks a user into opening a specially crafted WMF file can execute arbitrary code remotely.
The vulnerable code is as follows:
-------------------------------------------------------------------------------
file: src/meta.c +117
-------------------------------------------------------------------------------
wmf_error_t wmf_header_read (wmfAPI* API)
{   U16 u16a;
    U16 u16b;
    ...snip...
    if (API->File->wmfheader->HeaderSize == 9)
    {   API->File->wmfheader->Version = wmf_read_16 (API);
        API->File->wmfheader->FileSize = wmf_read_32 (API,0,0);
        API->File->wmfheader->NumOfObjects = wmf_read_16 (API);
1]      API->File->wmfheader->MaxRecordSize = wmf_read_32 (API,0,0);
        API->File->wmfheader->NumOfParams = wmf_read_16 (API);

1) This value is read directly from the WMF file without any validation and is then used to size a memory allocation.
-------------------------------------------------------------------------------
file: src/player.c +86
-------------------------------------------------------------------------------
wmf_error_t wmf_scan (wmfAPI* API,unsigned long flags,wmfD_Rect* d_r)
{   wmfPlayer_t* P = (wmfPlayer_t*) API->player_data;
    ...snip...
    wmf_header_read (API);
    ...snip...
    /* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE (API)-3) * 2 * sizeof (unsigned char)); */
1]  P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE (API)) * 2 * sizeof (unsigned char)); /* HOLE */
    WmfPlayMetaFile (API);

1) The allocation size calculation can be overflowed: MAX_REC_SIZE (API) is the unvalidated MaxRecordSize read above, so multiplying it by 2 can wrap to a small value.
**************************
static wmf_error_t WmfPlayMetaFile (wmfAPI* API)
{   int i;
    int byte;
    int changed;
    unsigned char* Par;
    ...snip...
1]  Par = P->Parameters;
    ...snip...
    number = 0;
    do
    {   if (++number < API->store.count)
        {   atts = API->store.attrlist + number;
        }
        else
        {   atts = &attrlist;
            wmf_attr_clear (API, atts);
        }
2]      Size = wmf_read_32 (API,0,0);
        Function = wmf_read_16 (API);
        if ((Size == 3) && (Function == 0))
        {   if (SCAN (API)) wmf_write (API, Size, Function, "empty", atts->atts, 0, 0);
            break; /* Probably final record ?? */
        }
        /* if ((Size > MAX_REC_SIZE (API)) || (Size < 3)) */
        if (((Size - 3) > MAX_REC_SIZE (API)) || (Size < 3))
        {   WMF_ERROR (API,"libwmf: wmf with bizarre record size; bailing...");
            WMF_ERROR (API," please send it to us at http://www.wvware.com/");
            wmf_printf (API,"maximum record size = %u\n",(unsigned) MAX_REC_SIZE (API));
            wmf_printf (API,"record size = %u\n",(unsigned) Size);
            API->err = wmf_E_BadFormat;
            break;
        }
        pos_params = WMF_TELL (API);
        if (pos_params < 0)
        {   WMF_ERROR (API,"API's tell() failed on input stream!");
            API->err = wmf_E_BadFile;
            break;
        }
3]      for (i = 0; i < ((Size - 3) * 2); i++)
        {   byte = WMF_READ (API);
            if (byte == (-1))
            {   WMF_ERROR (API,"Unexpected EOF!");
                API->err = wmf_E_EOF;
                break;
            }
            Par[i] = (unsigned char) byte; /* VECTOR */
        }

1) Uses the memory allocated above.
2) Controls the number of bytes written into the buffer.
3) Overflows the buffer by an arbitrary amount.
-------------------------------------------------------------------------------
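The arithmetic the advisory points at, an allocation sized from an unvalidated 32-bit header field and a per-record check that should be made against the buffer actually obtained, can be shown in a small model. The following C is an added example, not libwmf code: the function names, the 32-bit size type and the header value 0x80000001 are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the size arithmetic described in the advisory.
 * max_rec_size stands for the untrusted MaxRecordSize read from the WMF
 * header; the parameter buffer is sized as max_rec_size * 2 bytes. */

/* Unchecked form, mirroring the flawed computation: the multiply is done in
 * 32 bits and wraps modulo 2^32, so a header value of 0x80000001 yields an
 * allocation of only 2 bytes. */
uint32_t params_alloc_size_unchecked(uint32_t max_rec_size)
{
    return max_rec_size * 2u * (uint32_t) sizeof(unsigned char);
}

/* Hardened form: reject any header value whose doubled size would not fit
 * in the 32-bit size type. Returns the byte count, or -1 to reject the file. */
int64_t params_alloc_size_checked(uint32_t max_rec_size)
{
    if (max_rec_size > UINT32_MAX / 2u)
        return -1;                     /* would wrap: refuse to allocate */
    return (int64_t) max_rec_size * 2;
}

/* Per-record check made against the buffer that was actually allocated
 * (buf_len bytes) rather than against the header field alone. Returns 1 if
 * the record's (Size - 3) * 2 parameter bytes fit, 0 otherwise. */
int record_fits(uint32_t size, uint32_t buf_len)
{
    if (size < 3)
        return 0;                      /* malformed: Size - 3 would underflow */
    uint32_t words = size - 3;
    if (words > UINT32_MAX / 2u)
        return 0;                      /* words * 2 would itself wrap */
    return words * 2u <= buf_len;
}

int main(void)
{
    uint32_t hostile = 0x80000001u;    /* constructed header value */
    printf("unchecked: %u bytes\n", params_alloc_size_unchecked(hostile));
    int64_t n = params_alloc_size_checked(hostile);
    if (n < 0)
        printf("checked: header rejected\n");
    else
        printf("checked: %lld bytes\n", (long long) n);
    return 0;
}
```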
<*Source: sean (infamous41md@hotpop.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=115168988013864&w=2
*>
Recommendations:
Temporary workaround:
* Do not open untrusted WMF files.
Vendor patch:
wvWare
------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://wvware.sourceforge.net/