[NT] Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption

From: SecuriTeam (support_at_securiteam.com)
Date: 07/24/03

    To: list@securiteam.com
    Date: 24 Jul 2003 16:51:37 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption
    ------------------------------------------------------------------------

    SUMMARY

    As we previously reported in "Unchecked Buffer in DirectX Could Enable
    System Compromise" (http://www.securiteam.com/windowsntfocus/5HP0N15AKY.html),
    a vulnerability in Windows DirectX allows remote attackers to cause the
    Windows operating system to execute arbitrary code.

    The following should provide additional information on the issue.

    DETAILS

    Vulnerable systems:
     * Windows 98
     * Windows 98 SE
     * Windows Millennium Edition
     * Windows NT 4.0
     * Windows NT 4.0, Terminal Server Edition
     * Windows 2000
     * Windows XP
     * Windows Server 2003

    Microsoft provides a component called QUARTZ.DLL that allows Windows
    applications to play MIDI music through a common interface. Windows Media
    Player and Internet Explorer, for example, both use QUARTZ.DLL to play
    MIDI music files (.mid extension); in the case of Internet Explorer, MIDI
    files can be played automatically when a web page is visited through the
    use of a specific HTML tag.

    eEye Digital Security has discovered a pair of flaws in all versions of
    QUARTZ.DLL that would allow a specially-crafted MIDI file to cause the
    execution of arbitrary code when played. In the worst case, an attacker
    could construct a malicious .mid file and have it play automatically
    whenever a victim attempts to view certain HTML, such as an
    attacker-controlled website, resulting in the compromise of the victim's
    machine.

    The QUARTZ.DLL vulnerability discussed in this advisory is a heap buffer
    overrun resulting from an integer overflow. If a Text or Copyright string
    with a specified length of FFFFFFFFh is included in the MIDI file, QUARTZ
    will attempt to allocate a zero-byte heap block, then copy the text string
    -- and any data following it -- to the newly-allocated location in the
    heap. As a result, all contiguous pages of heap memory following the
    zero-byte block are overwritten until the source pointer reaches an
    invalid page boundary, the destination pointer reaches the end of heap
    memory, or another thread is dispatched and faults out trying to use
    corrupted heap memory.

    The reason this vulnerability exists is that QUARTZ increments the
    specified string length (in order to make room for a null terminator)
    without checking for a potential overflow condition. The incremented value
    (now 0) is passed to LocalAlloc(), which succeeds, while the original value
    (FFFFFFFFh) is given to memcpy() to copy the string data from the file
    image into the heap buffer.

    For the sake of brevity, we have unfortunately omitted the details of the
    MIDI file format from this advisory, and will instead skip straight to the
    following example of a malicious MIDI:

        4D 54 68 64 ; 'MThd' header chunk tag
        00 00 00 06 ; size of header chunk data (6)
        00 01 ; MIDI file version (1)
        00 01 ; number of tracks (1)
        65 49 ; pulses per quarter note (PPQN)

        4D 54 72 6B ; 'MTrk' track chunk tag
        00 00 00 10 ; size of track chunk data (16)
        00 ; delta-time for event (0)
           FF 02 ; non-MIDI event (Copyright)
        8F FF FF FF 7F ; VLQ for text length (FFFFFFFFh)
        65 45 79 65 32 30 30 33 ; (start of malicious data)

    There are many possible ways to exploit this overflow; the following is a
    sampling of instructions at which exceptions were observed in the
    aftermath of loading a malicious MIDI in Internet Explorer:

        CALL [EAX] ; we control EAX
        CALL [EAX+C4h] ; we control EAX
        CALL [ECX+0Ch] ; we control ECX
        JMP [EAX+28h] ; we control EAX
        MOV [ECX], EAX ; we control EAX, ECX
        MOV [ESI], ECX ; we control ECX, ESI

    Of particular interest are "unlink" sequences such as "MOV [ECX], EAX /
    MOV [EAX+4], ECX", which could be used to overwrite the unhandled
    exception filter in KERNEL32 during the first instruction, then cause an
    exception with the second (for instance, if EAX pointed somewhere into
    read-only memory, or if EAX was near a page boundary such that EAX+4..7
    landed in an invalid memory region).

    A second heap buffer overrun involving a 16-bit integer overflow and
    subsequent memory allocation was also discovered, but to save space we
    will only briefly mention it here. The number of tracks in the MThd chunk,
    a 16-bit field, is subjected to some arithmetic in order to determine the
    necessary size for an array of track data structures. In particular, the
    size of the block is calculated as:

        (number_of_tracks * 24h) + 9E0h

    However, the arithmetic is performed entirely in 16 bits, and as a result,
    setting the number of tracks to 1751 (6D7h) or greater will cause a heap
    block that is too small to be allocated. This vulnerability can be
    leveraged to overwrite DWORDs in the heap at specific intervals with
    arbitrary data. Note that Windows 2003 is not susceptible to this
    vulnerability, as it contains a check to ensure that the number of tracks
    never exceeds the highest value that is safe for the 16-bit arithmetic.
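    Both length computations described above (the 32-bit string length + 1
    that wraps to 0 before LocalAlloc(), and the 16-bit (tracks * 24h) + 9E0h
    that wraps at 1751 tracks) can be caught before any allocation is made. The
    following C validator is an added example written for this page; it is not
    eEye's or Microsoft's code and says nothing about how QUARTZ.DLL is actually
    structured. The constants 24h and 9E0h, the 1751 boundary and the bytes of
    the malicious sample are taken from the advisory; the function and verdict
    names, the benign sample, the assumption that a five-byte VLQ is decoded
    into a 32-bit length, and the handling of channel messages are this
    example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the advisory: QUARTZ sizes its track array as (tracks * 24h) + 9E0h in 16-bit
   arithmetic, so the largest count that does not wrap is (FFFFh - 9E0h) / 24h = 1750. */
#define TRACK_ENTRY_SIZE 0x24u
#define TRACK_ARRAY_BASE 0x9E0u
#define MAX_SAFE_TRACKS ((0xFFFFu - TRACK_ARRAY_BASE) / TRACK_ENTRY_SIZE)

typedef enum {
    MIDI_OK = 0,
    MIDI_BAD_HEADER,        /* not an MThd chunk, or a malformed event stream */
    MIDI_TOO_MANY_TRACKS,   /* track count would wrap the 16-bit size computation */
    MIDI_TEXT_LEN_OVERFLOW, /* event length + 1 wraps to 0 in 32 bits */
    MIDI_TEXT_LEN_TOO_LONG, /* declared length exceeds the bytes left in the chunk */
    MIDI_TRUNCATED          /* chunk or event runs past the end of the buffer */
} midi_verdict;

/* The wrapping 16-bit computation, reproduced only so the boundary can be observed. */
uint16_t track_array_size_16(uint16_t tracks) {
    return (uint16_t)(tracks * TRACK_ENTRY_SIZE + TRACK_ARRAY_BASE);
}
/* Hardened form: -1 for any count whose 16-bit result would wrap. */
long track_array_size_checked(uint16_t tracks) {
    return tracks > MAX_SAFE_TRACKS ? -1 : (long)(tracks * TRACK_ENTRY_SIZE + TRACK_ARRAY_BASE);
}

static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Variable-length quantity. Standard MIDI stops at 4 bytes, but the advisory's sample needs 5
   to spell FFFFFFFFh, so accept 5 and widen to 64 bits so the full value reaches the check.
   Returns bytes consumed, or 0 for a malformed or truncated VLQ. */
static size_t vlq_decode(const uint8_t *p, size_t avail, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < 5 && i < avail; i++) {
        v = (v << 7) | (p[i] & 0x7F);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Walk one MTrk chunk and apply the length checks to every meta and sysex event. */
static midi_verdict scan_track(const uint8_t *t, size_t len) {
    size_t pos = 0, k; uint64_t delta, elen; uint8_t running = 0;
    while (pos < len) {
        if ((k = vlq_decode(t + pos, len - pos, &delta)) == 0) return MIDI_TRUNCATED;
        pos += k;
        if (pos >= len) return MIDI_TRUNCATED;
        uint8_t status = t[pos];
        if (status == 0xFF || status == 0xF0 || status == 0xF7) {
            pos += (status == 0xFF) ? 2 : 1;   /* meta: FF <type> <len>; sysex: F0/F7 <len> */
            if (pos > len) return MIDI_TRUNCATED;
            if ((k = vlq_decode(t + pos, len - pos, &elen)) == 0) return MIDI_TRUNCATED;
            pos += k;
            /* The bug: elen + 1 (room for a terminator) is computed in 32 bits, so FFFFFFFFh
               becomes 0, LocalAlloc(0) succeeds and memcpy is still handed FFFFFFFFh. */
            if (elen >= UINT32_MAX) return MIDI_TEXT_LEN_OVERFLOW;
            if (elen > len - pos) return MIDI_TEXT_LEN_TOO_LONG; /* never copy more than is present */
            pos += (size_t)elen;
        } else {                               /* channel message; running status allowed */
            if (status & 0x80) { running = status; pos += 1; }
            else if (running == 0) return MIDI_BAD_HEADER;
            uint8_t hi = running & 0xF0;
            pos += (hi == 0xC0 || hi == 0xD0) ? 1 : 2;   /* program change / pressure: 1 data byte */
            if (pos > len) return MIDI_TRUNCATED;
        }
    }
    return MIDI_OK;
}

midi_verdict validate_midi(const uint8_t *buf, size_t n) {
    if (n < 14 || memcmp(buf, "MThd", 4) != 0 || be32(buf + 4) != 6) return MIDI_BAD_HEADER;
    if (track_array_size_checked(be16(buf + 10)) < 0) return MIDI_TOO_MANY_TRACKS;
    for (size_t pos = 14; pos + 8 <= n; ) {
        int is_track = memcmp(buf + pos, "MTrk", 4) == 0;
        uint32_t clen = be32(buf + pos + 4);
        pos += 8;
        if (clen > n - pos) return MIDI_TRUNCATED;
        if (is_track) { midi_verdict v = scan_track(buf + pos, clen); if (v != MIDI_OK) return v; }
        pos += clen;
    }
    return MIDI_OK;
}

/* Sample 1: the advisory's malicious MIDI, bytes copied from its listing. */
const uint8_t MALICIOUS_MIDI[] = {
    0x4D,0x54,0x68,0x64, 0x00,0x00,0x00,0x06, 0x00,0x01, 0x00,0x01, 0x65,0x49, 0x4D,0x54,0x72,0x6B,
    0x00,0x00,0x00,0x10, 0x00, 0xFF,0x02, 0x8F,0xFF,0xFF,0xFF,0x7F, 0x65,0x45,0x79,0x65,0x32,0x30,0x30,0x33 };
/* Sample 2 (constructed): one track, a 4-byte Copyright string, End of Track. */
const uint8_t BENIGN_MIDI[] = {
    0x4D,0x54,0x68,0x64, 0x00,0x00,0x00,0x06, 0x00,0x01, 0x00,0x01, 0x00,0x60, 0x4D,0x54,0x72,0x6B,
    0x00,0x00,0x00,0x0C, 0x00, 0xFF,0x02, 0x04, 'T','e','s','t', 0x00, 0xFF,0x2F, 0x00 };
/* Sample 3 (constructed): sample 2 with the MThd track count raised to 6D7h = 1751. */
const uint8_t OVERCOUNT_MIDI[] = {
    0x4D,0x54,0x68,0x64, 0x00,0x00,0x00,0x06, 0x00,0x01, 0x06,0xD7, 0x00,0x60, 0x4D,0x54,0x72,0x6B,
    0x00,0x00,0x00,0x0C, 0x00, 0xFF,0x02, 0x04, 'T','e','s','t', 0x00, 0xFF,0x2F, 0x00 };

int main(void) {
    printf("advisory sample: %d  benign: %d  1751 tracks: %d  (16-bit size for 1751 tracks: %u)\n",
           validate_midi(MALICIOUS_MIDI, sizeof MALICIOUS_MIDI), validate_midi(BENIGN_MIDI, sizeof BENIGN_MIDI),
           validate_midi(OVERCOUNT_MIDI, sizeof OVERCOUNT_MIDI), track_array_size_16(1751));
    return 0;
}
```

    The advisory's sample is rejected with MIDI_TEXT_LEN_OVERFLOW (3) before any
    buffer is sized, the 1751-track file with MIDI_TOO_MANY_TRACKS (2), and the
    benign file passes (0). The 16-bit computation for 1751 tracks wraps to 28
    bytes, which is the "insufficiently small" block the advisory describes; the
    checked form refuses the count outright, which is the same bound the
    advisory credits Windows 2003 with enforcing.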

    Vendor Status:
    Microsoft was contacted on April 16, 2003, and has released a patch for
    this vulnerability. The patch is available at:
    http://www.microsoft.com/technet/security/bulletin/MS03-030.asp

    This vulnerability has been assigned the CVE identifier CAN-2003-0346.

    ADDITIONAL INFORMATION

    The information has been provided by Derek Soeder (dsoeder@eeye.com) of
    eEye Digital Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

