Microsoft Metafile Heap Overflow Vulnerability (MS04-011)
Vulnerable Systems:
Microsoft Windows 2000 Base & SP1-SP4
Microsoft Windows NT Enterprise Server 4.0 Base & SP1-SP6a
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP Embedded Base & SP1
Microsoft Windows XP Home Base & SP1
Microsoft Windows XP Media Centre Edition
Microsoft Windows XP Professional Base & SP1
A heap overflow vulnerability exists in the Microsoft Metafile GDI rendering engine that can be triggered during the processing of a Metafile-formatted file. If exploited, this vulnerability could allow a malicious user to execute malicious code on an affected system and gain administrator privileges.
Severity:
Details:
The vulnerability has been discovered in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of a vulnerable system.
Metafiles consist of a sequence of records that contain an integer identifying a specific GDI function and the parameters to that function. To render WMF or EMF files, the GDI library calls each function specified in these records and passes the associated parameters to the function. A vulnerability exists in the way the GDI library allocates memory for a buffer for these functions. A buffer is created on the heap for temporary storage of data that will be passed to the GDI function. When the amount of data that is copied to the buffer is larger than the allocated heap buffer, a heap overflow will occur, potentially allowing remote code execution on the affected system.
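The record structure described above is what a safe renderer has to check before it copies anything into a scratch buffer. The following is an added example, written for this advisory and not code from Microsoft or Check Point: a minimal WMF record walker in Python that refuses a file as soon as a record's declared size disagrees with the record header minimum, with the file header's MaxRecord field (the natural size for a reusable heap buffer), or with the bytes actually present. The standard WMF layout it assumes is a fixed 18-byte header followed by records that each carry a size in 16-bit words, a GDI function number and that function's parameters; the MIN_PARAMS table and the three sample files are constructed for the example.

```python
import struct

# Standard Windows Metafile (WMF) layout assumed by this example: a fixed
# header, then records of (size in 16-bit words, GDI function number,
# parameters). All fields are little-endian.
WMF_HEADER_FMT = "<HHHIHIH"  # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
WMF_HEADER_LEN = struct.calcsize(WMF_HEADER_FMT)  # 18 bytes
RECORD_HDR_FMT = "<IH"        # RecordSize (words), RecordFunction
RECORD_HDR_WORDS = 3          # a record can never be smaller than its own header
PLACEABLE_KEY = 0x9AC6CDD7    # optional 22-byte "placeable" prefix some files carry
META_EOF = 0x0000

# Minimum parameter count, in words, for a few functions. Constructed subset
# for the example; the real GDI table is much larger.
MIN_PARAMS = {
    0x0103: 1,   # META_SETMAPMODE
    0x0201: 2,   # META_SETBKCOLOR
    0x020B: 2,   # META_SETWINDOWORG
    0x020C: 2,   # META_SETWINDOWEXT
    META_EOF: 0,
}


def validate_wmf(data):
    """Walk every record; stop at the first size inconsistency.

    Returns (True, [(function, param_words), ...]) for a consistent file,
    or (False, reason) when declared sizes disagree with each other or with
    the bytes actually present.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) - off < WMF_HEADER_LEN:
        return False, "truncated metafile header"
    (_ftype, hdr_words, _ver, size_words, _nobj,
     max_record, _nmem) = struct.unpack_from(WMF_HEADER_FMT, data, off)
    if hdr_words * 2 != WMF_HEADER_LEN:
        return False, "unexpected header size %d words" % hdr_words
    if size_words * 2 > len(data) - off:
        return False, "header declares %d words, only %d present" % (
            size_words, (len(data) - off) // 2)
    off += WMF_HEADER_LEN

    records = []
    while True:
        if len(data) - off < struct.calcsize(RECORD_HDR_FMT):
            return False, "truncated record header at offset %d" % off
        rec_words, func = struct.unpack_from(RECORD_HDR_FMT, data, off)
        idx = len(records)
        if rec_words < RECORD_HDR_WORDS:
            return False, "record %d declares %d words, below the 3-word minimum" % (idx, rec_words)
        # A record larger than the header's MaxRecord is exactly the
        # copy-larger-than-allocation condition the advisory describes.
        if rec_words > max_record:
            return False, "record %d declares %d words, header MaxRecord is %d" % (
                idx, rec_words, max_record)
        if off + rec_words * 2 > len(data):
            return False, "record %d overruns end of file" % idx
        param_words = rec_words - RECORD_HDR_WORDS
        need = MIN_PARAMS.get(func)
        if need is not None and param_words < need:
            return False, "record %d (function 0x%04x) has %d parameter words, needs %d" % (
                idx, func, param_words, need)
        records.append((func, param_words))
        off += rec_words * 2
        if func == META_EOF:
            return True, records


def wmf_record(func, params):
    """Encode one record: size in words, function number, WORD parameters."""
    return (struct.pack(RECORD_HDR_FMT, RECORD_HDR_WORDS + len(params), func)
            + struct.pack("<%dH" % len(params), *params))


def build_wmf(records, max_record=None):
    """Assemble a standard header plus records (constructed sample data)."""
    body = b"".join(records)
    if max_record is None:
        max_record = max(len(r) // 2 for r in records)
    total_words = (WMF_HEADER_LEN + len(body)) // 2
    header = struct.pack(WMF_HEADER_FMT, 1, WMF_HEADER_LEN // 2, 0x0300,
                         total_words, 0, max_record, 0)
    return header + body


# Constructed samples: a consistent file, a header that under-declares
# MaxRecord, and a record whose declared size (64 words) exceeds its body.
GOOD = build_wmf([
    wmf_record(0x0103, [1]),          # SetMapMode
    wmf_record(0x020C, [100, 100]),   # SetWindowExt(100, 100)
    wmf_record(META_EOF, []),
])
MAXRECORD_LIE = build_wmf([
    wmf_record(0x0103, [1]),
    wmf_record(0x020C, [100, 100]),
    wmf_record(META_EOF, []),
], max_record=4)
OVERRUN = build_wmf([
    wmf_record(0x0103, [1]),
    struct.pack(RECORD_HDR_FMT, 64, 0x020C) + struct.pack("<HH", 100, 100),
    wmf_record(META_EOF, []),
], max_record=64)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("MAXRECORD_LIE", MAXRECORD_LIE), ("OVERRUN", OVERRUN)):
        ok, detail = validate_wmf(blob)
        print("%-14s %s" % (name, "ok, %d records" % len(detail) if ok else "rejected: " + detail))
```

The check that matters for this advisory is the comparison against MaxRecord: a renderer that sizes one heap buffer from the header and then copies each record by its own size field trusts two values that an attacker-controlled file can make disagree, and the walker rejects any file in which they do. The same shape of check applies to EMF, whose records carry a byte size rather than a word count.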
Attack Detection:
Use SmartView Tracker to identify attempts to receive SMTP and HTTP traffic that contains attachments with .wmf and .emf extensions. VPN-1/FireWall-1 will generate the log entry "reason: Forbidden MIME attachment stripped" for SMTP and the "reason: Content Security - access denied" log entry for HTTP.
Solution:
Users of SmartDefense NG FP3 and above should define an SMTP Security Server (SMTP Resource) and an HTTP Security Server (URI Resource) to strip the potentially affected file extensions from email messages and web traffic.
To define the SMTP Security Server:
Create a new SMTP Resource (Manage > Resources) and give it a name.
In the Action2 tab, enter the following:
In the Strip MIME of type field enter message/partial
In the Strip file by name field enter {*.emf, *.wmf }
Place the SMTP Resource in a rule with the following entries: Source: Any; Destination: Incoming SMTP Server; Service: Resourced SMTP; Action: accept.
Right click in the Service column of the rule, and select Add with Resource. In the Service with Resource window, select the service and then select the Resource that will operate on the service. Click OK.
To define the HTTP Security Server:
Create a new URI Resource and give it a name.
Select the Match tab and enter {*.emf, *.wmf } in the Path field (make sure to select the http box).
Place the URI Resource in a rule with the following entries: Source: Internal Network; Destination: Any; Service: URI Resource over HTTP; Action: reject.
Right click in the Service column of the rule, and select Add with Resource.
In the Service with Resource window, select the service and then select the Resource that will operate on the service. Click OK.