[EXPL] Buffer Overrun in JPEG Processing Proof Of Concept (MS04-028)
From: SecuriTeam (support_at_securiteam.com)
Date: 09/21/04
To: list@securiteam.com Date: 21 Sep 2004 13:54:55 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overrun in JPEG Processing Proof Of Concept (MS04-028)
------------------------------------------------------------------------
SUMMARY
In a previously featured article,
<http://www.securiteam.com/windowsntfocus/5VP0H1FE0W.html> Buffer Overrun
in JPEG Processing (GDI+) Allows Code Execution (MS04-028), a buffer
overrun in the GDI+ library was reported. Provided below is a proof of
concept example that will crash various applications attempting to open
the malicious JPEG image.
DETAILS
A proof of concept JPEG image that will crash an application attempting to
open/preview it on an affected platform can be downloaded from
<http://www.gulftech.org/?node=downloads>
The vulnerability in the comment parsing of the JPEG file is similar to a
previous vulnerability found almost two years ago regarding Netscape's
handling of JPEG images. A more thorough analysis of the code and methods
of exploitation can be found at
<http://www.openwall.com/advisories/OW-002-netscape-jpeg/>
Some antivirus software can detect the presence of such a malicious JPEG
image since the problem is specific in nature and a signature
identification can be made. McAfee's antivirus with virus definitions
version 4.0.4393 or greater can detect the problem.
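The two paragraphs above describe the bug class (a malformed length field in a JPEG comment segment, as analysed in the linked Openwall advisory) and note that it is specific enough for a signature to detect. The scanner below is an added example written for this page; it is not the GulfTech proof of concept, the advisory's code, or any vendor's signature. It walks the marker segments of a JPEG header and flags any variable-length segment whose 2-byte length field is smaller than 2 (the field counts itself, so a naive `length - 2` payload size underflows) or that claims to extend past the end of the file. The two sample byte strings are constructed inline for the test and are assumptions, not data from the advisory.

```python
"""Added example: flag JPEG marker segments with malformed length fields.

Intended as a pre-filter for untrusted JPEGs before they reach a legacy
decoder; it inspects headers only and never decodes image data.
"""
import struct

SOI = 0xD8   # start of image
EOI = 0xD9   # end of image
SOS = 0xDA   # start of scan: entropy-coded data follows, header scan stops here
COM = 0xFE   # comment segment (the segment type at issue in MS04-028)
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes):
    """Return (segments, findings).

    segments: list of (marker, offset, declared_length) in file order.
    findings: human-readable strings describing each structural problem;
              an empty list means the header segments are well-formed.
    """
    segments, findings = [], []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        findings.append("not a JPEG: missing SOI marker")
        return segments, findings
    segments.append((SOI, 0, 0))
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker prefix 0xFF at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte; the real marker follows
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, pos, 0))
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated length field for marker 0x{marker:02X} at offset {pos}")
            break
        # Big-endian 16-bit length that includes its own two bytes.
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, pos, length))
        if length < 2:
            kind = "COM" if marker == COM else f"0x{marker:02X}"
            findings.append(
                f"{kind} segment at offset {pos} declares length {length} (< 2): "
                "length includes itself, so `length - 2` underflows in a naive parser"
            )
            break
        if pos + 2 + length > len(data):
            findings.append(
                f"marker 0x{marker:02X} at offset {pos} declares length {length} "
                "beyond end of file"
            )
            break
        if marker == SOS:
            break
        pos += 2 + length
    return segments, findings


def is_suspicious(data: bytes) -> bool:
    """True if any header segment is malformed."""
    return bool(scan_jpeg_segments(data)[1])


# Constructed sample inputs (assumptions, not from the advisory):
# SOI, a 5-byte comment "hello" with correct length 7, EOI.
BENIGN = b"\xFF\xD8" + b"\xFF\xFE" + struct.pack(">H", 2 + 5) + b"hello" + b"\xFF\xD9"
# SOI, a comment segment whose length field is 1, EOI.
MALFORMED = b"\xFF\xD8" + b"\xFF\xFE" + b"\x00\x01" + b"\xFF\xD9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        segs, probs = scan_jpeg_segments(blob)
        print(name, segs, probs or "ok")
```

The check stops at the first problem because later offsets are meaningless once a length field is wrong; a mail gateway or upload handler would reject the file at that point rather than hand it to a decoder.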
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@gulftech.org>
GulfTech Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.