[Full-disclosure] Steve Gibson smokes crack?
pferrie at symantec.com
Fri Jan 13 23:15:40 GMT 2006
>does any know the circumstances, in all cases, where the bug is
>triggered or is there only speculation based upon exploit code
>"working" against a given vulnerable implementation of the API?

The triggering mechanism is well-understood: this incorrect record
length requirement is simply wrong. There is no "magic key".
It is possible to create entirely well-formed files that will
execute. I don't know why Steve couldn't get it working properly,
and I'd like to know just how he managed to get it working at all
on Windows 2000 (see below). So, what we have is this:

The file must not begin with the placeable (aka Aldus) metafile
header. If it does begin with that, then the function is ignored,
and Windows continues to parse the file.
This is why Windows 9x, NT, and 2000 do not execute anything from
within Internet Explorer, for example - they do not support WMF
files without the Aldus header.

The record must be reachable. It will not execute if the EOF
record (function number 00) is seen first.

That's all. To clarify some other things:

The record length can be any value at all, as long as it remains
within the bounds of the file. Before executing any record,
Windows checks that the next record is accessible.

The file does not have to end with the EOF record, but there must
be one in the file.

The smallest metafile is 18 bytes. That's the header only.
The smallest parsable metafile is 24 bytes (EOF record only).
The smallest SetAbortProc file for Windows XP is 62 bytes.
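A scanner that walks a WMF file the way the message above describes (placeable header present or not, records reachable before the EOF record, record lengths bounded by the file) and reports whether an Escape/SetAbortProc record is reachable. This is an added example, not code from the post or from Microsoft's parser. The record layout and constants (18-byte header, 0x9AC6CDD7 placeable key, META_ESCAPE 0x0626, SETABORTPROC 0x0009) come from the published WMF format; matching on the low byte of the record function mirrors the post's "function number 00" remark and is an assumption of this scanner; the sample files are constructed here and carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7       # "Aldus" placeable metafile key (first DWORD)
PLACEABLE_HEADER_LEN = 22        # placeable header size in bytes
META_HEADER_LEN = 18             # standard WMF header: 9 WORDs, as the post says
META_EOF = 0x00                  # low byte of RecordFunction for the EOF record
META_ESCAPE = 0x26               # low byte of META_ESCAPE (0x0626)
SETABORTPROC = 0x0009            # escape sub-function discussed in the post


def analyze_wmf(data: bytes) -> dict:
    """Walk the record chain and report what a parser following the post's
    rules would reach. Does not execute or render anything."""
    result = {"placeable": False, "records": 0, "eof_reachable": False,
              "setabortproc_reachable": False, "truncated": False,
              "exposed": False}
    off = 0
    # Rule 1: a leading placeable header means Windows ignores the function.
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        result["truncated"] = True
        return result
    off += META_HEADER_LEN
    while True:
        if off + 6 > len(data):           # need RecordSize (DWORD) + RecordFunction (WORD)
            result["truncated"] = True
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        # Rule 3: the record length may be anything as long as it stays in bounds.
        if off + rec_len > len(data):
            result["truncated"] = True
            break
        result["records"] += 1
        if func & 0xFF == META_EOF:       # Rule 2: EOF seen first ends the walk
            result["eof_reachable"] = True
            break
        if func & 0xFF == META_ESCAPE and off + 8 <= len(data):
            sub = struct.unpack_from("<H", data, off + 6)[0]   # EscapeFunction
            if sub == SETABORTPROC:
                result["setabortproc_reachable"] = True
        if rec_len < 6:                   # cannot advance safely past a record
            break                         # shorter than its own fixed fields
        off += rec_len
    # Per the post: reachable SetAbortProc without a placeable header.
    result["exposed"] = result["setabortproc_reachable"] and not result["placeable"]
    return result


# --- constructed sample files (no payload; EscapeData is two zero bytes) ---
def _header(total_bytes: int, max_record_words: int) -> bytes:
    # Type=1, HeaderSize=9 words, Version=0x0300, Size (words), NumberOfObjects,
    # MaxRecord (DWORD), NumberOfMembers
    return struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_bytes // 2, 0, 0,
                       max_record_words, 0)

EOF_RECORD = struct.pack("<IH", 3, 0x0000)                     # 6 bytes
ESCAPE_RECORD = struct.pack("<IHHH", 6, 0x0626, SETABORTPROC, 2) + b"\x00\x00"  # 12 bytes
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0)


def build_wmf(records: bytes, placeable: bool = False) -> bytes:
    body = _header(META_HEADER_LEN + len(records), 6) + records
    return (PLACEABLE_HEADER + body) if placeable else body

SAMPLE_MINIMAL = build_wmf(EOF_RECORD)                          # the 24-byte case
SAMPLE_ESCAPE_THEN_EOF = build_wmf(ESCAPE_RECORD + EOF_RECORD)
SAMPLE_EOF_THEN_ESCAPE = build_wmf(EOF_RECORD + ESCAPE_RECORD)  # not reachable
SAMPLE_PLACEABLE = build_wmf(ESCAPE_RECORD + EOF_RECORD, placeable=True)

if __name__ == "__main__":
    for name in ("SAMPLE_MINIMAL", "SAMPLE_ESCAPE_THEN_EOF",
                 "SAMPLE_EOF_THEN_ESCAPE", "SAMPLE_PLACEABLE"):
        print(name, analyze_wmf(globals()[name]))
```

The `exposed` field encodes exactly the two conditions the post gives: the Escape record must be reachable before an EOF record, and the file must not start with the placeable header. Size of the record is deliberately not used as a signal, which is the point the post makes against the "magic length" theory.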