Published: 2006-06-13 14:02:00
Revised: 2011-10-17 00:00:00

[Original] Integer overflow in the PolyPolygon function in Graphics Rendering Engine on Microsoft Windows 98 and Me allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) or EMF image with a sum of entries in the vertex counts array and number of polygons that triggers a heap-based buffer overflow.

[CNNVD] Microsoft Windows GDI WMF Handling Heap Overflow Vulnerability (CNNVD-200606-285)

        Microsoft Windows is a very popular operating system released by Microsoft.
        The Microsoft Windows graphics rendering engine has a heap overflow vulnerability in the way it processes Windows Metafile (WMF) images; an attacker who successfully exploits this vulnerability can take complete control of the affected system.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [Information disclosure is likely]
Integrity impact: PARTIAL [System files may be modified]
Availability impact: PARTIAL [May cause degraded performance or interrupted access to resources]
Access complexity: LOW [No access restrictions on exploitation]
Access vector: NETWORK [The attacker does not need intranet or local access]
Authentication: NONE [Exploitation requires no authentication]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_me  Microsoft Windows ME
cpe:/o:microsoft:windows_98::gold  Microsoft Windows 98 Gold
cpe:/o:microsoft:windows_98se  Microsoft Windows 98 SE

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  XF  win-gre-wmf-code-execution(26815)
(UNKNOWN)  BID  18322
(UNKNOWN)  BUGTRAQ  20060613 SYMSA-2006-004: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

- Vulnerability information

Microsoft Windows GDI WMF Handling Heap Overflow Vulnerability
High  Numeric Error
2006-06-13 00:00:00 2007-08-13 00:00:00
        Microsoft Windows is a very popular operating system released by Microsoft.
        The Microsoft Windows graphics rendering engine has a heap overflow vulnerability in the way it processes Windows Metafile (WMF) images; an attacker who successfully exploits this vulnerability can take complete control of the affected system.

- Advisories and patches

        MS06-026: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)
        * Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones.
        * Set the Internet and Local intranet security zones to "High" so that Internet Explorer prompts before running ActiveX controls and Active Scripting.
        * Modify the access control list on JScript.dll to temporarily prevent it from running in Internet Explorer.
        MS06-023: Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)

- Vulnerability information

Microsoft Windows Graphics Rendering Engine PolyPolygon Function Overflow
Location: Remote / Network Access   Attack type: Input Manipulation
Impact: Loss of Integrity   Solution: Patch / RCS
Exploit: Unknown   Disclosure: Vendor Verified

- Vulnerability description

A remote overflow exists in Windows. The Graphics Rendering Engine fails to validate Windows Metafile images resulting in a heap overflow in the PolyPolygon function. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-06-13 Unknown
Unknown 2006-07-13

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Windows GDI WMF Handling Heap Overflow Vulnerability
Class: Boundary Condition Error   BugTraq ID: 18322
Remote: Yes   Local: No
Published: 2006-06-13 12:00:00   Updated: 2006-07-13 11:38:00
Discovery is credited to Peter Ferrie of Symantec.

- Affected program versions

Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98

- Vulnerability discussion

The Microsoft Windows GDI Graphics Rendering Engine is prone to a heap-overflow vulnerability. This issue is exposed when the component loads a specially crafted WMF (Windows Metafile) image.

If this issue is exploited, a malicious WMF or EMF file could potentially corrupt heap-based memory with attacker-supplied data. This could lead to the execution of arbitrary code and to a complete system compromise.

An attacker could exploit the issue by enticing the victim user to visit a malicious web page that contains the image or to open an email attachment that consists of the image.

This vulnerability is limited to Windows 98/98SE/ME systems.
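The arithmetic the CVE text describes (number of polygons plus the sum of the vertex counts array, used to size a buffer) is easy to get wrong without a wrap-around check. The following C code is an added example, not code from CNNVD, Symantec or Microsoft; it assumes a simplified record layout (a 32-bit polygon count, one 32-bit vertex count per polygon, 8 bytes per vertex, modelled loosely on EMF's EMR_POLYPOLYGON) and an assumed caller-side cap `max_points`, and shows the unchecked sum beside the validation a parser should perform before allocating.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified PolyPolygon record, a layout assumed for this example (modelled on
 * EMF's EMR_POLYPOLYGON, not byte-exact): u32 polygon count, one u32 vertex count
 * per polygon, then 8 bytes per vertex. All fields little-endian. */
#define POINT_SIZE 8u
enum pp_status { PP_OK = 0, PP_TRUNCATED = 1, PP_OVERFLOW = 2, PP_TOO_LARGE = 3 };
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Unchecked arithmetic of the kind the advisory describes: npolys + sum(counts)
 * silently wraps, so a crafted record yields a far-too-small buffer size. */
uint32_t naive_total(const uint8_t *counts, uint32_t npolys) {
    uint32_t acc = npolys;
    for (uint32_t i = 0; i < npolys; i++) acc += rd32(counts + 4u * i);
    return acc;
}
/* Checked version: returns 0 as soon as an addition would wrap. */
int checked_total(const uint8_t *counts, uint32_t npolys, uint32_t *total) {
    uint32_t acc = npolys;
    for (uint32_t i = 0; i < npolys; i++) {
        uint32_t c = rd32(counts + 4u * i);
        if (c > UINT32_MAX - acc) return 0;
        acc += c;
    }
    *total = acc;
    return 1;
}
/* Validate a record in buf[0..len) before sizing any buffer from it;
 * max_points is the caller's own allocation cap (an assumed policy value). */
enum pp_status validate_polypolygon(const uint8_t *buf, size_t len, uint32_t max_points) {
    if (len < 4) return PP_TRUNCATED;
    uint32_t npolys = rd32(buf);
    if (npolys > (len - 4) / 4) return PP_TRUNCATED;            /* counts array must fit */
    uint32_t total;
    if (!checked_total(buf + 4, npolys, &total)) return PP_OVERFLOW;
    if (total > max_points) return PP_TOO_LARGE;
    size_t remaining = len - 4 - (size_t)npolys * 4;             /* bytes left for vertices */
    if (total - npolys > remaining / POINT_SIZE) return PP_TRUNCATED; /* vertex data must fit */
    return PP_OK;
}
/* Constructed sample records (not taken from any real file). */
static const uint8_t VALID[68] = { 2,0,0,0, 3,0,0,0, 4,0,0,0 }; /* 2 polygons, 3+4 vertices, 56 point bytes */
static const uint8_t WRAP[12] = { 2,0,0,0, 0xFF,0xFF,0xFF,0xFF, 1,0,0,0 }; /* 2 + 0xFFFFFFFF + 1 wraps to 2 */
enum pp_status demo_valid(void) { return validate_polypolygon(VALID, sizeof VALID, 1u << 20); }
enum pp_status demo_truncated(void) { return validate_polypolygon(VALID, 20, 1u << 20); }
enum pp_status demo_overflow(void) { return validate_polypolygon(WRAP, sizeof WRAP, 1u << 20); }
uint32_t demo_naive_total(void) { return naive_total(WRAP + 4, 2); }
```

The WRAP record shows the failure mode: the unchecked sum comes out as 2, while the checked path reports PP_OVERFLOW and the record is rejected before any allocation is sized from it.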

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Solution

Microsoft has released a security bulletin to address this issue. Fixes may be obtained through Windows Update.

- Related references