Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow

From: Nick D. (ndebaggis_at_VERIZON.NET)
Date: 09/16/04

    Date:         Thu, 16 Sep 2004 00:19:47 -0400

    Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
    Advisory: September 14, 2004
    Reported: October 7, 2003

    Systems affected based on testing:
    Windows XP SP0,SP1,SP1a (Home & Pro)

    Systems potentially affected based on Microsoft's DLL Help Database
    (there may be others):

    gdiplus.dll 5.2.3790.0
       Windows Server 2003 Data Center
       Windows Server 2003 Enterprise
       Windows Server 2003 Standard
       Windows Server 2003 Web Edition

    gdiplus.dll 5.1.3100.0
       Microsoft Visual Studio .NET (2003) Enterprise Architect

    gdiplus.dll 5.1.3097.0
       Microsoft Visual Studio .NET (2002) Enterprise Architect
       Microsoft Visual Studio .NET (2002) Enterprise Developer
       Microsoft Visual Studio .NET (2002) Professional
       Microsoft Visual Studio .NET (2003) Enterprise Architect
       Visual Basic .NET Standard 2002
       Visual C# .NET Standard 2002
       Visual C++ .NET Standard 2002
       Windows XP Home 2002
       Windows XP Professional 2002

    gdiplus.dll 5.1.3079.3
       Microsoft Visual Studio .NET (2002) Enterprise Architect
       Visio 2002 Professional
       Visio 2002 Standard


    The JPEG parsing engine included in GDIPlus.dll contains an
    exploitable buffer overflow. When a specially crafted JPEG image is
    accessed through the Windows XP shell, a buffer overflow occurs
    potentially allowing an attacker to run arbitrary code on the
    affected system. Due to the pervasiveness of the affected dll there
    may be other vulnerable attack vectors.


    JPEG Comment sections (COM) allow for the embedding of comment data
    into a JPEG image. COM sections are marked beginning with 0xFFFE
    followed by a 16 bit unsigned integer in network byte order giving
    the total comment length + the 2 bytes for the length field; a
    single JPEG COM section could therefore contain 65533 bytes of
    invisible data (invisible in the sense that it's not rendered as
    part of the image). Because the JPEG COM field length variable is 2
    bytes wide, and itself is included in the length value, the minimum
    value for this field is 2, which implies an empty comment. If the
    comment length value is set to 1 or 0, a buffer overflow occurs
    overwriting heap management structures.

    The problem is GDIPlus normalizes the COM length prior to checking
    its value; a starting length of 0 becomes -2 after normalization
    (0xFFFE unsigned). This value is converted to the 32 bit value
    0xFFFFFFFE and is eventually passed on to memcpy, which attempts to
    copy ~4G bytes into heap memory.

    eEye Digital Security analyzed the bug and found that heap
    management structures are left in an inconsistent state with
    execution eventually reaching heap unlink instructions within
    RTLFreeHeap with EAX pointing to a pointer to data we control and we
    have direct control of EDX.

    Vendor Status

    Patch available MS04-028 (833987)


    Detection could be accomplished by examining the JPEG image for the
    following byte sequence:

    0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01

    Nick DeBaggis - Discovery, analysis, and advisory.

    Special thanks to eEye Digital Security - Detailed
    vulnerability analysis, initial and ongoing vendor contact.

    Also thanks to Networks Unlimited - Early bug testing.

    Related Links
    Solar Designer, Openwall Project
    Netscape Browser JPEG Vulnerability July 2000
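The COM length handling and the detection signature described in the advisory above, as an added worked example that is not part of the original post and is not Microsoft's gdiplus.dll code. `vulnerable_com_copy_len` is a model that reproduces the values the advisory gives (length 0 normalizes to 0xFFFFFFFE) by subtracting before checking; the exact instruction sequence in gdiplus.dll is not on the page and is not claimed here. `safe_com_payload_len` is the hardened form (check before normalizing, bound by remaining input). `count_bad_com_segments` walks the marker segments rather than grepping, and `has_com_signature` is the byte-sequence check the advisory suggests. The two JPEG headers are constructed sample input, not decodable images; all function names are hypothetical.

```c
/* Modelled on the MS04-028 GDI+ COM length bug. Added example, not gdiplus.dll code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read a 16-bit big-endian (network byte order) value. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: normalize (subtract the 2 length bytes) before any
 * sanity check. A field value of 0 underflows to 0xFFFFFFFE, 1 to 0xFFFFFFFF,
 * and that count would reach memcpy. The 32-bit widening here is a model of
 * what the advisory describes, not the real instruction sequence. */
uint32_t vulnerable_com_copy_len(const uint8_t *len_field)
{
    uint16_t len = read_be16(len_field);
    uint32_t payload = (uint32_t)len - 2;   /* no check on len first */
    return payload;                          /* what memcpy would be handed */
}

/* Hardened: reject length fields below 2 and payloads that exceed the input.
 * Returns the payload length, or -1 for a malformed or truncated segment. */
long long safe_com_payload_len(const uint8_t *len_field, size_t remaining)
{
    if (remaining < 2) return -1;            /* no room for the length field */
    uint16_t len = read_be16(len_field);
    if (len < 2) return -1;                  /* 0 or 1 is the bug trigger */
    uint32_t payload = (uint32_t)len - 2;
    if (payload > remaining - 2) return -1;  /* segment claims more than exists */
    return (long long)payload;
}

/* Structured detection: walk marker segments from SOI, count COM (0xFFFE)
 * segments whose length field is 0 or 1. Returns -1 if the input does not
 * look like a JPEG marker stream. Stops at SOS (entropy-coded data) or EOI. */
int count_bad_com_segments(const uint8_t *buf, size_t n)
{
    if (n < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;  /* expect SOI */
    size_t i = 2;
    int bad = 0;
    while (i + 2 <= n) {
        if (buf[i] != 0xFF) return -1;                         /* expected a marker */
        uint8_t m = buf[i + 1];
        if (m == 0xFF) { i++; continue; }                      /* fill byte */
        if (m == 0xD9) break;                                  /* EOI */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { i += 2; continue; } /* no length */
        if (i + 4 > n) return -1;                              /* truncated length field */
        uint16_t len = read_be16(buf + i + 2);
        if (len < 2) {                       /* malformed: cannot walk past it */
            if (m == 0xFE) bad++;
            return bad;
        }
        if (m == 0xDA) break;                                  /* SOS: scan data follows */
        i += 2 + (size_t)len;
    }
    return bad;
}

/* The advisory's raw signature: FF FE 00 00 or FF FE 00 01 anywhere in the file. */
int has_com_signature(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xFE && buf[i + 2] == 0x00 && buf[i + 3] <= 0x01)
            return 1;
    return 0;
}

/* Constructed samples: SOI, a JFIF APP0 segment, a COM segment, EOI.
 * benign_jpeg carries COM "hi" with length 4; malicious_jpeg has length 0.
 * The COM length field sits at offset 22 in both. */
const uint8_t benign_jpeg[] = {
    0xFF,0xD8,
    0xFF,0xE0, 0x00,0x10, 'J','F','I','F',0x00, 0x01,0x01, 0x00, 0x00,0x01, 0x00,0x01, 0x00,0x00,
    0xFF,0xFE, 0x00,0x04, 'h','i',
    0xFF,0xD9 };
const uint8_t malicious_jpeg[] = {
    0xFF,0xD8,
    0xFF,0xE0, 0x00,0x10, 'J','F','I','F',0x00, 0x01,0x01, 0x00, 0x00,0x01, 0x00,0x01, 0x00,0x00,
    0xFF,0xFE, 0x00,0x00, 'h','i',
    0xFF,0xD9 };

int main(void)
{
    printf("vulnerable length, benign:    %u\n", vulnerable_com_copy_len(benign_jpeg + 22));
    printf("vulnerable length, malicious: 0x%08X\n", vulnerable_com_copy_len(malicious_jpeg + 22));
    printf("safe length, malicious:       %lld\n",
           safe_com_payload_len(malicious_jpeg + 22, sizeof malicious_jpeg - 22));
    printf("bad COM segments, malicious:  %d\n",
           count_bad_com_segments(malicious_jpeg, sizeof malicious_jpeg));
    return 0;
}
```

The marker walk is the more precise check: an FF FE 00 00 sequence can legitimately occur inside another segment's payload (an APP segment, for instance), whereas a COM marker reached by walking segment lengths is unambiguous. The raw signature is still useful where a full parse is not possible, for example in a stream filter.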

