[NT] Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow (Detailed Analysis of MS04-028)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/15/04

    To: list@securiteam.com
    Date: 15 Sep 2004 10:28:07 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow (Detailed Analysis of MS04-028)
    ------------------------------------------------------------------------

    SUMMARY

    The JPEG parsing engine included in GDIPlus.dll library contains an
    exploitable buffer overflow. When a specially crafted JPEG image is
    accessed through the Windows XP shell, a buffer overflow occurs
    potentially allowing an attacker to run arbitrary code on the affected
    system.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition
     * Microsoft Office XP Service Pack 3
     * Microsoft Office 2003
     * Microsoft Project 2002 Service Pack 1 (all versions)
     * Microsoft Project 2003 (all versions)
     * Microsoft Visio 2002 Service Pack 2 (all versions)
     * Microsoft Visio 2003 (all versions)
     * Microsoft Visual Studio .NET 2002
     * Microsoft Visual Studio .NET 2003
     * The Microsoft .NET Framework version 1.0 SDK Service Pack 2
     * Microsoft Picture It! 2002 (all versions)
     * Microsoft Greetings 2002
     * Microsoft Picture It! version 7.0 (all versions)
     * Microsoft Digital Image Pro version 7.0
     * Microsoft Picture It! version 9 (all versions, including Picture It!
    Library)
     * Microsoft Digital Image Pro version 9
     * Microsoft Digital Image Suite version 9
     * Microsoft Producer for Microsoft Office PowerPoint (all versions)

    Immune Systems:
     * Microsoft Windows NT Server 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
     * Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service
    Pack 4
     * Microsoft Windows XP Service Pack 2
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (Me)
     * Microsoft Office 2003 Service Pack 1
     * Microsoft Office 2000
     * Microsoft Visio 2003 Service Pack 1
     * Microsoft Visio 2000
     * Microsoft Project 2003 Service Pack 1
     * Microsoft Project 2000
     * Microsoft Digital Image Suite 10, Microsoft Digital Image Pro 10,
    Picture It! Premium 10

    Affected Components:
     * Internet Explorer 6 Service Pack 1
     * The Microsoft .NET Framework version 1.0 Service Pack 2
     * The Microsoft .NET Framework version 1.1
     * gdiplus.dll library versions 5.2.3790.0, 5.1.3100.0, 5.1.3097.0 and
    5.1.3079.3

    JPEG Comment sections (COM) allow comment data to be embedded in a JPEG
    image. A COM section begins with the marker 0xFFFE, followed by a 16-bit
    unsigned integer in network byte order giving the total comment length
    including the 2 bytes of the length field itself. A single JPEG COM
    section can therefore carry up to 65533 bytes of invisible data
    (invisible in the sense that it is not rendered as part of the image).

    Because the JPEG COM length field is 2 bytes wide and is itself counted
    in the length value, the minimum legal value for this field is 2, which
    denotes an empty comment. If the length value is set to 1 or 0, a buffer
    overflow occurs that overwrites heap management structures.

    The problem is that GDIPlus normalizes the COM length (subtracting the 2
    bytes of the length field) before checking its value. A starting length
    of 0 becomes -2 after normalization (0xFFFE as a 16-bit unsigned value).
    This value is sign-extended to the 32-bit value 0xFFFFFFFE and is
    eventually passed to memcpy, which attempts to copy ~4 GB into heap
    memory.

    eEye Digital Security analyzed the bug and found that the heap management
    structures are left in an inconsistent state, with execution eventually
    reaching the heap unlink instructions within RtlFreeHeap while EAX points
    to a pointer to attacker-controlled data and EDX is under direct
    attacker control.

    To test whether a JPEG image carries this malformed COM header, search
    the file for either of the following byte sequences:
    0xFF 0xFE 0x00 0x00
    or
    0xFF 0xFE 0x00 0x01

    Vendor Status:
    Microsoft has already issued an advisory regarding the vulnerability and
    the corresponding updates for all affected software components. Users are
    strongly advised to update their systems because of the number of possible
    attack vectors.

    ADDITIONAL INFORMATION

    The information has been provided by Nick D. <mailto:ndebaggis@verizon.net>.
    The original Microsoft advisory can be found at:
    http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx


