Summary:
The JPEG parsing engine included in the GDIPlus.dll library contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs, potentially allowing an attacker to run arbitrary code on the affected system.
Credit:
The information has been provided by Nick D.
The original Microsoft advisory can be found at: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Vulnerable Systems:
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003
* Microsoft Project 2002 Service Pack 1 (all versions)
* Microsoft Project 2003 (all versions)
* Microsoft Visio 2002 Service Pack 2 (all versions)
* Microsoft Visio 2003 (all versions)
* Microsoft Visual Studio .NET 2002
* Microsoft Visual Studio .NET 2003
* The Microsoft .NET Framework version 1.0 SDK Service Pack 2
* Microsoft Picture It! 2002 (all versions)
* Microsoft Greetings 2002
* Microsoft Picture It! version 7.0 (all versions)
* Microsoft Digital Image Pro version 7.0
* Microsoft Picture It! version 9 (all versions, including Picture It! Library)
* Microsoft Digital Image Pro version 9
* Microsoft Digital Image Suite version 9
* Microsoft Producer for Microsoft Office PowerPoint (all versions)
Immune Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 2
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)
* Microsoft Office 2003 Service Pack 1
* Microsoft Office 2000
* Microsoft Visio 2003 Service Pack 1
* Microsoft Visio 2000
* Microsoft Project 2003 Service Pack 1
* Microsoft Project 2000
* Microsoft Digital Image Suite 10, Microsoft Digital Image Pro 10, Picture It! Premium 10
Affected Components:
* Internet Explorer 6 Service Pack 1
* The Microsoft .NET Framework version 1.0 Service Pack 2
* The Microsoft .NET Framework version 1.1
* gdiplus.dll library versions 5.2.3790.0, 5.1.3100.0, 5.1.3097.0 and 5.1.3079.3
JPEG Comment sections (COM) allow comment data to be embedded in a JPEG image. A COM section begins with the marker 0xFFFE, followed by a 16-bit unsigned integer in network byte order giving the total comment length, including the 2 bytes of the length field itself. A single JPEG COM section can therefore contain up to 65533 bytes of invisible data (invisible in the sense that it is not rendered as part of the image).
Because the JPEG COM length field is 2 bytes wide and is itself included in the length value, the minimum legal value for this field is 2, which denotes an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs that overwrites heap management structures.
The problem is that GDIPlus normalizes the COM length (subtracting the 2 bytes of the length field) prior to checking its value. A starting length of 0 becomes -2 after normalization (0xFFFE unsigned). This value is converted to the 32-bit value 0xFFFFFFFE and is eventually passed on to memcpy, which attempts to copy ~4 GB into heap memory.
eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state with execution eventually reaching heap unlink instructions within RTLFreeHeap with EAX pointing to a pointer to data we control and we have direct control of EDX.
In order to test whether a JPEG image is malicious, the following bytes can be searched for in the image:
0xFF 0xFE 0x00 0x00
or
0xFF 0xFE 0x00 0x01
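The following is an added example, not code from the advisory or from eEye: it reproduces the length-normalization arithmetic described above and implements the detection check by walking the JPEG marker segments instead of searching raw bytes, so that 0xFF 0xFE 0x00 0x00 occurring inside another segment's binary payload (an APP1 block, for instance) is not mistaken for a malformed COM segment. All function names and the constructed sample JPEG headers are mine.

```python
from __future__ import annotations
import struct

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0   # JPEG marker codes

def normalized_com_length(length_field: int) -> tuple[int, int, int]:
    """Advisory arithmetic: subtract the 2-byte field before range-checking; returns (u16, i16, sign-extended u32)."""
    u16 = (length_field - 2) & 0xFFFF
    (i16,) = struct.unpack('>h', struct.pack('>H', u16))
    return u16, i16, i16 & 0xFFFFFFFF            # 0 -> (0xFFFE, -2, 0xFFFFFFFE)

def find_bad_com_segments(data: bytes) -> list[tuple[int, int]]:
    """Walk marker segments up to SOS; return (offset, length_field) of COM segments with length < 2."""
    if data[:2] != b'\xff\xd8':
        raise ValueError("missing SOI marker")
    findings, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                             # fill byte before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):                       # entropy-coded data follows SOS
            break
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack_from('>H', data, pos + 2)
        if marker == COM and length < 2:
            findings.append((pos, length))
            break                  # layout of the stream past this point is undefined
        pos += 2 + length
    return findings

def naive_signature_hit(data: bytes) -> bool:
    """The advisory's raw byte search; it also matches inside other segments' payloads."""
    return b'\xff\xfe\x00\x00' in data or b'\xff\xfe\x00\x01' in data

def build_jpeg(com_length_field: int | None, extra_segment: bytes = b'') -> bytes:
    """Constructed minimal JPEG header (not a decodable image): SOI, APP0, optional raw segment, optional COM, SOS, EOI."""
    out = bytearray(b'\xff\xd8')
    app0 = b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
    out += bytes([0xFF, APP0]) + struct.pack('>H', len(app0) + 2) + app0 + extra_segment
    if com_length_field is not None:
        out += bytes([0xFF, COM]) + struct.pack('>H', com_length_field)
        out += b'A' * max(com_length_field - 2, 0)
    return bytes(out + b'\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\xff\xd9')
```

`find_bad_com_segments(build_jpeg(0))` reports the COM segment at offset 20 with length 0, while a constructed APP1 segment carrying the bytes FF FE 00 00 triggers `naive_signature_hit` but not the segment walk.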
Vendor Status:
Microsoft has already issued an advisory regarding the vulnerability and the corresponding updates for all affected software components. Users are strongly advised to update their systems because of the number of possible attack vectors.