|
Brought to you by:
Suppliers of:
|
|
|
| |
Microsoft Windows Metafile Format (WMF) files are used to store both vector and bitmap-format graphical data in memory or in disk files. The vector data stored in WMF files is described as Microsoft Windows Graphics Device Interface (GDI) commands. In the Window environment these commands are interpreted and played back on an output device using the Windows API PlayMetaFile() function. Bitmap data stored in a WMF file may be stored in the form of a Microsoft Device Dependent Bitmap (DDB), or Device Independent Bitmap (DIB).
Crafted .WMF file cause Explorer.exe to use 100% of CPU and can cause the system to hang until the Explorer.exe process is killed. |
| |
Credit:
The information has been provided by liquid.
For more information about WMF files please visit the following site: http://www.whisqu.se/per/docs/wmf.htm.
|
| |
Vulnerable Systems:
* Microsoft Windows XP SP1 other versions may be vulnerable as well.
A bug in Explorer.exe and Internet Explorer allow crafted WMF file to hang the system and cause 100% of CPU usage.
Put the file in an arbitrary folder (be sure that the file has .wmf extension). Open that folder with Windows Explorer, and just move mouse over malformed file. CPU usage will rise to 100%, and stay that way. During this condition you can work with explorer, but it will be unstable. It doesn't help if you close all explorer's windows, you must restart Explorer.exe, only then CPU usage will get down to normal.
Mouseover and Double Click with the mouse will cause the same effect in Explorer.exe.
Proof of Concept:
00000000 :D7 CD C6 9A 00 00 00 00 - 00 00 A1 21 EC 29 EC 09
00000010 :00 00 00 00 B0 56 01 00 - 09 00 00 03 0E 00 00 00
00000020 :01 00 05 00 00 00 00 00 - 00 00 00 00 0B 02 00 00
00000030 :00 00
In order to use this hex dump, save the content into a file with .WMF extension and try to execute it using Explorer.exe.
|
|
|
|
|
