[NT] Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption
From: SecuriTeam (support_at_securiteam.com)
Date: 07/24/03
To: list@securiteam.com Date: 24 Jul 2003 16:51:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption
------------------------------------------------------------------------
SUMMARY
As we previously reported in
<http://www.securiteam.com/windowsntfocus/5HP0N15AKY.html> (Unchecked
Buffer in DirectX Could Enable System Compromise), a vulnerability in
Windows DirectX allows remote attackers to cause the Windows operating
system to execute arbitrary code.
The following should provide additional information on the issue.
DETAILS
Vulnerable systems:
* Windows 98
* Windows 98 SE
* Windows Millennium Edition
* Windows NT 4.0
* Windows NT 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
* Windows Server 2003
Microsoft provides a component called QUARTZ.DLL that allows Windows
applications to play MIDI music through a common interface. Windows Media
Player and Internet Explorer, for example, both use QUARTZ.DLL to play
MIDI music files (.mid extension); in the case of Internet Explorer, MIDI
files can be played automatically when a web page is visited through the
use of a specific HTML tag.
eEye Digital Security has discovered a pair of flaws in all versions of
QUARTZ.DLL that would allow a specially-crafted MIDI file to cause the
execution of arbitrary code when played. In the worst case, an attacker
could construct a malicious .mid file and have it play automatically
whenever a victim attempts to view certain HTML, such as an
attacker-controlled website, resulting in the compromise of the victim's
machine.
The QUARTZ.DLL vulnerability discussed in this advisory is a heap buffer
overrun resulting from an integer overflow. If a Text or Copyright string
with a specified length of FFFFFFFFh is included in the MIDI file, QUARTZ
will attempt to allocate a zero-byte heap block, then copy the text string
-- and any data following it -- to the newly-allocated location in the
heap. As a result, all contiguous pages of heap memory following the
zero-byte block are overwritten until the source pointer reaches an
invalid page boundary, the destination pointer reaches the end of heap
memory, or another thread is dispatched and faults out trying to use
corrupted heap memory.
The reason this vulnerability exists is that QUARTZ increments the
specified string length (in order to make room for a null terminator)
without checking for a potential overflow condition. The incremented value
(now 0) is passed to LocalAlloc(), which succeeds, while the original value
(FFFFFFFFh) is given to memcpy() to copy the string data from the file
image into the heap buffer.
For the sake of brevity, we have unfortunately omitted the details of the
MIDI file format from this advisory, and will instead skip straight to the
following example of a malicious MIDI:
4D 54 68 64 ; 'MThd' header chunk tag
00 00 00 06 ; size of header chunk data (6)
00 01 ; MIDI file version (1)
00 01 ; number of tracks (1)
65 49 ; pulses per quarter note (PPQN)
4D 54 72 6B ; 'MTrk' track chunk tag
00 00 00 10 ; size of track chunk data (16)
00 ; delta-time for event (0)
FF 02 ; non-MIDI event (Copyright)
8F FF FF FF 7F ; VLQ for text length (FFFFFFFFh)
65 45 79 65 32 30 30 33 ; (start of malicious data)
There are many possible ways to exploit this overflow; the following is a
sampling of instructions at which exceptions were observed in the
aftermath of loading a malicious MIDI in Internet Explorer:
CALL [EAX] ; we control EAX
CALL [EAX+C4h] ; we control EAX
CALL [ECX+0Ch] ; we control ECX
JMP [EAX+28h] ; we control EAX
MOV [ECX], EAX ; we control EAX, ECX
MOV [ESI], ECX ; we control ECX, ESI
Of particular interest are "unlink" sequences such as "MOV [ECX], EAX /
MOV [EAX+4], ECX", which could be used to overwrite the unhandled
exception filter in KERNEL32 during the first instruction, then cause an
exception with the second (for instance, if EAX pointed somewhere into
read-only memory, or if EAX was near a page boundary such that EAX+4..7
landed in an invalid memory region).
A second heap buffer overrun involving a 16-bit integer overflow and
subsequent memory allocation was also discovered, but to save space we
will only briefly mention it here. The number of tracks in the MThd chunk,
a 16-bit field, is subjected to some arithmetic in order to determine the
necessary size for an array of track data structures. In particular, the
size of the block is calculated as:
(number_of_tracks * 24h) + 9E0h
However, the arithmetic is performed entirely in 16 bits, and as a result,
setting the number of tracks to 1751 (6D7h) or greater causes the sum to
wrap, so a heap block that is too small is allocated. This vulnerability
can be leveraged to overwrite DWORDs in the heap at specific intervals with
arbitrary data. Note that Windows 2003 is not susceptible to this
vulnerability, as it contains a check to ensure that the number of tracks
is never greater than the exact highest value that is safe for the 16-bit
arithmetic.
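The two length calculations described above (the 32-bit text-length wrap in the Copyright/Text meta-event, and the 16-bit track-count arithmetic in the MThd chunk) can be reproduced and checked in a few lines. The following is an added example written for this page, not eEye's or Microsoft's code; it assumes only the arithmetic the advisory states, and the function names are the example's own. The flawed helpers show the wrap, the checked helpers show the bound a parser should enforce before allocating.

```c
#include <stdint.h>
#include <stddef.h>

/* Decode a MIDI variable-length quantity (at most 5 bytes for a 32-bit value).
   Returns bytes consumed, or 0 if the VLQ is truncated or malformed. */
static size_t vlq_decode(const uint8_t *p, size_t avail, uint32_t *out) {
    uint32_t v = 0;
    for (size_t i = 0; i < avail && i < 5; i++) {
        v = (v << 7) | (p[i] & 0x7Fu);
        if (!(p[i] & 0x80u)) { *out = v; return i + 1; }
    }
    return 0;
}

/* The flawed computation the advisory describes: len + 1 wraps to 0 for
   FFFFFFFFh, so the allocation succeeds while the copy still uses len. */
static uint32_t flawed_text_alloc_size(uint32_t len) {
    return len + 1;
}

/* Checked version: reject a length that would wrap when incremented or that
   exceeds the bytes actually remaining in the track chunk. Returns 1 if safe. */
static int safe_text_alloc_size(uint32_t len, size_t remaining, uint32_t *alloc) {
    if (len == UINT32_MAX || (size_t)len > remaining) return 0;
    *alloc = len + 1;
    return 1;
}

/* Second flaw: (number_of_tracks * 24h) + 9E0h evaluated in 16-bit arithmetic. */
static uint16_t flawed_track_array_size(uint16_t tracks) {
    return (uint16_t)((uint32_t)tracks * 0x24u + 0x9E0u);
}

/* Highest track count for which that 16-bit sum cannot wrap (evaluates to 1750). */
static uint16_t max_safe_track_count(void) {
    return (uint16_t)((0xFFFFu - 0x9E0u) / 0x24u);
}

/* Validate a meta-event (FF <type> <VLQ length> <data>) such as the Copyright
   event in the advisory's sample file. Returns 1 if the length passes the
   checked computation, 0 if it is rejected, -1 if the event is malformed. */
static int validate_meta_text_event(const uint8_t *ev, size_t avail, uint32_t *len_out) {
    uint32_t len, alloc;
    if (avail < 3 || ev[0] != 0xFF) return -1;
    size_t n = vlq_decode(ev + 2, avail - 2, &len);
    if (n == 0) return -1;
    *len_out = len;
    return safe_text_alloc_size(len, avail - 2 - n, &alloc);
}
```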
Vendor Status:
Microsoft was contacted on April 16, 2003, and has released a patch for
this vulnerability. The patch is available at:
<http://www.microsoft.com/technet/security/bulletin/MS03-030.asp>
This vulnerability has been assigned the CVE identifier CAN-2003-0346.
ADDITIONAL INFORMATION
The information has been provided by Derek Soeder (dsoeder@eeye.com) of
eEye Digital Security.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.