
| Subject: | Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow |
|---|---|
| Date: | Thu, 16 Sep 2004 00:19:47 -0400 |
Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
-----------------------------------------------------------------
Advisory: September 14, 2004
Reported: October 7, 2003
Systems affected based on testing: Windows XP SP0,SP1,SP1a (Home & Pro)
Systems potentially affected based on Microsoft's DLL Help Database (there may be others):
gdiplus.dll 5.2.3790.0
  Windows Server 2003 Data Center
  Windows Server 2003 Enterprise
  Windows Server 2003 Standard
  Windows Server 2003 Web Edition
gdiplus.dll 5.1.3100.0
  Microsoft Visual Studio .NET (2003) Enterprise Architect
gdiplus.dll 5.1.3097.0
  Microsoft Visual Studio .NET (2002) Enterprise Architect
  Microsoft Visual Studio .NET (2002) Enterprise Developer
  Microsoft Visual Studio .NET (2002) Professional
  Microsoft Visual Studio .NET (2003) Enterprise Architect
  Visual Basic .NET Standard 2002
  Visual C# .NET Standard 2002
  Visual C++ .NET Standard 2002
  Windows XP Home 2002
  Windows XP Professional 2002
gdiplus.dll 5.1.3079.3
  Microsoft Visual Studio .NET (2002) Enterprise Architect
  Visio 2002 Professional
  Visio 2002 Standard
Description ------------------------
The JPEG parsing engine included in GDIPlus.dll contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs, potentially allowing an attacker to run arbitrary code on the affected system. Because the affected DLL is so widely used, there may be other vulnerable attack vectors.
Technical ------------------------
JPEG Comment sections (COM) allow comment data to be embedded in a JPEG image. A COM section begins with the marker 0xFFFE, followed by a 16-bit unsigned integer in network byte order (big-endian) giving the total comment length, including the 2 bytes of the length field itself; a single JPEG COM section can therefore carry up to 65533 bytes of invisible data (invisible in the sense that it is not rendered as part of the image). Because the length field is 2 bytes wide and counts itself, its minimum legal value is 2, which denotes an empty comment. If the length value is set to 1 or 0, a buffer overflow occurs that overwrites heap management structures.
The problem is that GDIPlus normalizes the COM length (subtracts the 2 bytes of the length field) before checking its value: a starting length of 0 becomes -2 after normalization (0xFFFE as a 16-bit unsigned value), which is sign-extended to the 32-bit value 0xFFFFFFFE and eventually passed to memcpy, which then attempts to copy roughly 4 GB into heap memory.
eEye Digital Security analyzed the bug and found that the heap management structures are left in an inconsistent state, with execution eventually reaching the heap unlink instructions within RtlFreeHeap with EAX pointing to a pointer to attacker-controlled data and EDX under direct attacker control.
Vendor Status ------------------------
Patch available MS04-028 (833987) http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Detection ------------------------
Detection can be accomplished by examining the JPEG image for either of the following byte sequences (the COM marker 0xFFFE followed by a length field of 0 or 1):
0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01
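As an added example (not part of the advisory, and not GDI+ code), the following C program models the length handling described in the Technical section and implements the detection check above as a marker walk rather than a raw byte search. com_copy_len_flawed is an illustrative model of the subtract-before-check arithmetic on a 16-bit field, com_copy_len_checked shows the check done in the correct order, and count_bad_com_segments walks a JPEG's marker segments and counts COM segments whose length field is below 2. The sample buffers are constructed for the example, not real images, and all function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 16-bit big-endian (network byte order) value, as JPEG length fields are stored. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Illustrative model (not GDI+ code) of the flawed order of operations the
 * advisory describes: the 2-byte length field is "normalized" by subtracting
 * the 2 bytes of the field itself before its value is checked.  For a field
 * value of 0 or 1 the 16-bit subtraction wraps to 0xFFFE or 0xFFFF, and
 * sign-extending to 32 bits yields 0xFFFFFFFE or 0xFFFFFFFF: the ~4 GB memcpy
 * length from the advisory. */
uint32_t com_copy_len_flawed(uint16_t field)
{
    uint16_t normalized = (uint16_t)(field - 2);      /* wraps for 0 and 1 */
    return (uint32_t)(int32_t)(int16_t)normalized;    /* sign-extended to 32 bits */
}

/* Correct order: validate the raw field first.  Returns 0 and the payload
 * length on success, -1 if the field cannot describe a valid COM segment. */
int com_copy_len_checked(uint16_t field, uint32_t *payload_len)
{
    if (field < 2)
        return -1;
    *payload_len = (uint32_t)field - 2;
    return 0;
}

/* Walk the marker segments of a JPEG and count COM (0xFFFE) segments whose
 * length field is 0 or 1, i.e. the FF FE 00 00 / FF FE 00 01 sequences named
 * in the advisory.  Stops at SOS (entropy-coded data follows) or EOI.
 * Returns the count, or -1 if the buffer does not start with SOI. */
int count_bad_com_segments(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;

    size_t i = 2;
    int bad = 0;
    while (i + 2 <= len) {
        if (buf[i] != 0xFF)
            break;                                  /* lost marker sync */
        uint8_t marker = buf[i + 1];
        if (marker == 0xFF) { i++; continue; }      /* fill byte */
        if (marker == 0xD9 || marker == 0xDA)
            break;                                  /* EOI or SOS */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            i += 2;                                 /* TEM / RSTn carry no length */
            continue;
        }
        if (i + 4 > len)
            break;                                  /* truncated length field */
        uint16_t seglen = be16(buf + i + 2);
        if (marker == 0xFE && seglen < 2)
            bad++;
        /* A length below 2 cannot be trusted to advance the cursor; step past
         * the marker and length field only. */
        i += (seglen < 2) ? 4 : 2 + (size_t)seglen;
    }
    return bad;
}

/* Constructed sample buffers (not real images). */
static const uint8_t sample_bad[] = {
    0xFF, 0xD8,                                  /* SOI */
    0xFF, 0xFE, 0x00, 0x05, 'a', 'b', 'c',       /* COM, length 5: valid 3-byte comment */
    0xFF, 0xFE, 0x00, 0x00,                      /* COM, length 0: malformed */
    0xFF, 0xFE, 0x00, 0x01,                      /* COM, length 1: malformed */
    0xFF, 0xD9                                   /* EOI */
};
static const uint8_t sample_ok[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x02,                      /* COM, length 2: empty comment, minimum legal */
    0xFF, 0xD9
};

int main(void)
{
    printf("field 0 -> flawed copy length 0x%08X\n", com_copy_len_flawed(0));
    printf("sample_bad: %d malformed COM segment(s)\n",
           count_bad_com_segments(sample_bad, sizeof sample_bad));
    printf("sample_ok:  %d malformed COM segment(s)\n",
           count_bad_com_segments(sample_ok, sizeof sample_ok));
    return 0;
}
```

Walking the markers instead of searching the whole file for FF FE 00 00 avoids false positives from APPn or valid COM payloads, which may legitimately contain any bytes, and lets the scanner report which segment is malformed. Within entropy-coded scan data a 0xFF byte is always followed by 0x00 stuffing or an RSTn marker, so the walker stops at SOS rather than trying to interpret that region.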
Credits ------------------------
Nick DeBaggis - Discovery, analysis, and advisory.
Special thanks to eEye Digital Security www.eeye.com - Detailed vulnerability analysis, initial and ongoing vendor contact.
Also thanks to Networks Unlimited - Early bug testing.
Related Links ------------------------
Solar Designer, Openwall Project - Netscape Browser JPEG Vulnerability, July 2000
http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
----- NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. -----