FortiGuard Advisory (FGA-2005-02)

Summary:

A denial of service vulnerability affects Microsoft Windows GDI library 'gdi32.dll'. This issue is due to a failure of the application to securely copy data from malformed EMF image files.

Description:

Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API does not process the EMF file properly, an application which calls this API will crash when it reads some specially crafted EMF files. You can see that GetEnhMetaFilePaletteEntries does not validate the input passed to it, so it may cause access violation when it uses the offset value ("end", "emreof", "palent") which reads from the EMF.

Affected Products:
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server

Impact:
The specific impact depends on the application using the API. Generally, if there is a non-zero value in EMRHEAD->nPalEntries, the application will call this API, and pass EMRHEAD->nPalEntries to the second parameter, a specially crafted EMF will crash the Application if the address it accesses to is not valid. <<< Explorer.exe >>> The explorer.exe (maybe a DLL called by explorer) always use 0x100 as the second parameter. And even if there is a zero value in EMRHEAD->nPalEntries, if the "end" value in the end of EMF file is larger than some value(0x14 ??? I'm not sure), it will also call this API to get the Palette entries.(strangely ?) When you open the explorer.exe to open the folder which has a crafted EMF file, if you click on the file in explorer's right client area, just click, the explorer.exe will display the EMF file in its left client area which will crash itself.

Workaround: Currently we are not aware of any vendor-supplied patches for this issue.

Acknowledgment: Hongzhen Zhou of Fortinet Security Research team found this vulnerability.

Reference:

• http://www.securityfocus.com/archive/1/393571
• http://www.securityfocus.com/bid/12834

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.