This application requires Javascript for optimal performance.

A Vulnerability in Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries()

Summary:

A denial of service vulnerability affects Microsoft Windows GDI library 'gdi32.dll'. This issue is due to a failure of the application to securely copy data from malformed EMF image files.

Description:

Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API does not process the EMF file properly, an application which calls this API will crash when it reads some specially crafted EMF files. You can see that GetEnhMetaFilePaletteEntries does not validate the input passed to it, so it may cause access violation when it uses the offset value ("end", "emreof", "palent") which reads from the EMF.

Affected Products:
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server

Impact:
The specific impact depends on the application using the API. Generally, if there is a non-zero value in EMRHEAD->nPalEntries, the application will call this API, and pass EMRHEAD->nPalEntries to the second parameter, a specially crafted EMF will crash the Application if the address it accesses to is not valid. <<< Explorer.exe >>> The explorer.exe (maybe a DLL called by explorer) always use 0x100 as the second parameter. And even if there is a zero value in EMRHEAD->nPalEntries, if the "end" value in the end of EMF file is larger than some value(0x14 ??? I'm not sure), it will also call this API to get the Palette entries.(strangely ?) When you open the explorer.exe to open the folder which has a crafted EMF file, if you click on the file in explorer's right client area, just click, the explorer.exe will display the EMF file in its left client area which will crash itself.

Workaround: Currently we are not aware of any vendor-supplied patches for this issue.

Acknowledgment: Hongzhen Zhou of Fortinet Security Research team found this vulnerability.

Reference: