Subject: [NT] Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow (Detailed Analysis of MS04-028)
Date: 15 Sep 2004 10:28:07 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow (Detailed Analysis of MS04-028)
------------------------------------------------------------------------


SUMMARY

The JPEG parsing engine included in GDIPlus.dll library contains an 
exploitable buffer overflow. When a specially crafted JPEG image is 
accessed through the Windows XP shell, a buffer overflow occurs 
potentially allowing an attacker to run arbitrary code on the affected 
system.

DETAILS

Vulnerable Systems:
 * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows Server 2003
 * Microsoft Windows Server 2003 64-Bit Edition
 * Microsoft Office XP Service Pack 3
 * Microsoft Office 2003
 * Microsoft Project 2002 Service Pack 1 (all versions)
 * Microsoft Project 2003 (all versions)
 * Microsoft Visio 2002 Service Pack 2 (all versions)
 * Microsoft Visio 2003 (all versions)
 * Microsoft Visual Studio .NET 2002
 * Microsoft Visual Studio .NET 2003
 * The Microsoft .NET Framework version 1.0 SDK Service Pack 2
 * Microsoft Picture It! 2002 (all versions)
 * Microsoft Greetings 2002
 * Microsoft Picture It! version 7.0 (all versions)
 * Microsoft Digital Image Pro version 7.0
 * Microsoft Picture It! version 9 (all versions, including Picture It! 
Library)
 * Microsoft Digital Image Pro version 9
 * Microsoft Digital Image Suite version 9
 * Microsoft Producer for Microsoft Office PowerPoint (all versions)

Immune Systems:
 * Microsoft Windows NT Server 4.0 Service Pack 6a
 * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
 * Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service 
Pack 4
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)
 * Microsoft Office 2003 Service Pack 1
 * Microsoft Office 2000
 * Microsoft Visio 2003 Service Pack 1
 * Microsoft Visio 2000
 * Microsoft Project 2003 Service Pack 1
 * Microsoft Project 2000
 * Microsoft Digital Image Suite 10, Microsoft Digital Image Pro 10, 
Picture It! Premium 10

Affected Components:
 * Internet Explorer 6 Service Pack 1
 * The Microsoft .NET Framework version 1.0 Service Pack 2
 * The Microsoft .NET Framework version 1.1
 * gdiplus.dll library versions 5.2.3790.0, 5.1.3100.0, 5.1.3097.0 and 
5.1.3079.3

JPEG Comment sections (COM) allow for the embedding of comment data into a 
JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16 
bit unsigned integer in network byte order, giving the total comment 
length plus the 2 bytes for the length field. A single JPEG COM section 
could therefore contain 65533 bytes of invisible data (invisible in the 
sense that it's not rendered as part of the image.)

Because the JPEG COM length field is 2 bytes wide and is itself 
included in the length value, the minimum legal value for this field is 2, 
which denotes an empty comment. If the comment length value is set to 1 or 
0, a buffer overflow occurs, overwriting heap management structures.

The problem is that GDIPlus normalizes the COM length (subtracting the 
2-byte length field) prior to checking its value. A starting length of 0 
becomes -2 after normalization (0xFFFE unsigned). This value is converted 
to the 32-bit value 0xFFFFFFFE and is eventually passed on to memcpy, which 
attempts to copy ~4 GB into heap memory.

eEye Digital Security analyzed the bug and found that heap management 
structures are left in an inconsistent state with execution eventually 
reaching heap unlink instructions within RTLFreeHeap with EAX pointing to 
a pointer to data we control and we have direct control of EDX.

In order to test whether a JPEG image is malicious, the following bytes 
can be searched for in the image:
0xFF 0xFE 0x00 0x00
or
0xFF 0xFE 0x00 0x01
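The following is an added example, not code from the advisory, from eEye, or from Microsoft. It walks the marker segments of a JPEG header and reports any COM segment whose declared length is below the legal minimum of 2, which is the condition described above and the same signature as the byte patterns just listed. It also models the faulty arithmetic from the previous section (length minus 2, computed before the check, then widened to 32 bits) so the 0xFFFFFFFE copy length can be seen; that model is an assumption about the arithmetic, not the library's code. The sample images are constructed inline.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def unchecked_com_payload_length(declared):
    """Assumed model of the faulty normalization described in the advisory:
    the 16-bit COM length has the 2-byte length field subtracted *before* it
    is validated. A declared 0 wraps to 0xFFFE, which widened (sign-extended)
    to 32 bits is 0xFFFFFFFE, the ~4 GB memcpy length."""
    wrapped = (declared - 2) & 0xFFFF
    return (wrapped | 0xFFFF0000) if (wrapped & 0x8000) else wrapped


def walk_segments(data):
    """Walk the JPEG marker segments that precede the entropy-coded scan.
    Returns a list of (offset, marker, declared_length, suspicious) tuples.
    'suspicious' is set for a COM segment with declared_length < 2; the walk
    stops there because such a length cannot be used to find the next marker."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("missing SOI marker")
    findings = []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        start = pos
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if marker == SOS:
            break  # scan data follows; the header segments are done
        if pos + 2 > len(data):
            raise ValueError("truncated length field at offset %d" % pos)
        declared = struct.unpack(">H", data[pos:pos + 2])[0]  # big-endian
        suspicious = (marker == COM and declared < 2)
        findings.append((start, marker, declared, suspicious))
        if suspicious:
            break
        pos += declared   # the length counts the 2-byte length field itself
    return findings


def has_ms04_028_signature(data):
    """True if any COM segment declares a length of 0 or 1."""
    return any(f[3] for f in walk_segments(data))


def build_jpeg(com_length_field, comment=b""):
    """Constructed sample: SOI, a minimal JFIF APP0 segment, one COM segment
    with a caller-chosen length field, then EOI. No image data is included."""
    app0 = (b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01"
            + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00")
    com = b"\xff\xfe" + struct.pack(">H", com_length_field) + comment
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


BENIGN = build_jpeg(2 + len(b"hello"), b"hello")   # well-formed comment
MALFORMED_ZERO = build_jpeg(0)                      # the 0xFF 0xFE 0x00 0x00 case
MALFORMED_ONE = build_jpeg(1)                       # the 0xFF 0xFE 0x00 0x01 case

if __name__ == "__main__":
    for name, img in (("benign", BENIGN), ("len=0", MALFORMED_ZERO),
                      ("len=1", MALFORMED_ONE)):
        print(name, walk_segments(img), "flagged:", has_ms04_028_signature(img))
    print("unchecked length for declared 0:", hex(unchecked_com_payload_length(0)))
```

The raw byte search the advisory suggests can be done with `data.find(b"\xff\xfe\x00\x00")`, but that pattern can also occur inside the payload of another segment (an APP segment carrying binary metadata, for instance) and would then be a false positive; walking the segments and checking the COM length field in place avoids that.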

Vendor Status:
Microsoft has already issued an advisory regarding the vulnerability and 
the corresponding updates to all affected software components. Users are 
strongly advised to update their systems due to the number of possible 
attack vectors.


ADDITIONAL INFORMATION

The information has been provided by Nick D. <ndebaggis@verizon.net>.
The original Microsoft advisory can be found at:
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx


