Re: about zlib vulnerability - Microsoft products

From: Forrest J Cavalier III (forrest@mibsoftware.com)
Date: 03/16/02 

From: "Forrest J Cavalier III" <forrest@mibsoftware.com>
To: bugtraq@securityfocus.com
Date: Fri, 15 Mar 2002 23:16:30 -0500

> Microsoft is also using zlib in a couple of products. MS Office, IE, Front
> Page, DirectX (dunno what versions yet), MSN Messenger, and the next gen GDI
> on XP. Vulnerability? : "Microsoft representatives said that the software
> giant's security response team is investigating the zlib flaw and that some
> Microsoft applications use code from that compression library. However, the
> team hasn't yet determined which applications use the library and whether
> those applications are vulnerable." (From Cnet's News.Com article -
> http://news.com.com/2100-1001-860328.html )
>

The following C program scans files for the cplens table (used for
inflate.)

I expect the code below is portable. It was tested on Windows.

It might run faster than the perl script posted earlier. (I
suppose it risks more false positives too.)

Caveats:
-------
The appearance of the pattern is not proof of zlib
and even if it is zlib, the malloc implementation
may prevent exploits.

Preliminary Results on Windows
------------------------------
When run on Windows SYSTEMDIR programs and DLLs on my
machine, it reports a match in a number of items I expected
(installers, uninstallers, png DLLs,) and some I did not
expect (like URLMON.DLL, version.dll)

QuickTime.qts also reports a match. (Makes sense there
is an inflation routine in QuickTime) The file extension
indicates that searching only .dll and .exe may not be
adequate.

Forrest Cavalier
Mib Software

/* NO WARRANTY. Forrest Cavalier is the original author. (c) 2002
   Permission granted for copying, modification, and use,
   with or without fee, provided that this notice is preserved.
 */
#include <stdio.h>
#include <memory.h>

/* This table appears in zlib/inftrees.c, we search for
    just the pattern 17, 19, 23. Code below should work for
    big and little endian platforms 16, 32, and 64 bit
    integer sizes.
 */
const int cplens[31] = { /* Copy lengths for literal codes 257..285 */
        3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
        35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};

int main(int argc, char **argv)
{
#define CBPATTERN 64
  FILE *f;
  char buf[8192+CBPATTERN];
  int cnt;
  const char *ptr;
  int ind;
  int wsize;

  if (argc != 2) {
      exit(1);
  }

  f = fopen(argv[1],"rb");
  if (!f) {
      exit(1);
  }

  while(1) {
      cnt = fread(buf+CBPATTERN,1,sizeof(buf)-CBPATTERN,f);
      if (cnt <= 0) {
          break;
      }
      ptr = buf;
      while(1) {
          ptr = memchr(ptr,'\x11',buf+cnt+CBPATTERN-ptr);
          if (!ptr || (ptr+CBPATTERN > buf+cnt+CBPATTERN)) {
              /* Not found, or tests will pass end of buffer */
              break;
          }
          /* Look for pattern from middle of table */
          for(wsize = 2;wsize <= 8;wsize *= 2) {
            if (ptr &&
                (ptr[wsize] == '\x13')&&
                (ptr[wsize*2] == '\x17')&&
                (ptr[wsize*3] == '\x1b')) {
                break;
            }
          }
          if (wsize <= 8) {
              ind = 1;
              while(ind < wsize) { /* Ensure intervening bytes are zero */
                  if (ptr[ind]||
                      ptr[wsize+ind]||
                      ptr[wsize*2+ind]||
                      ptr[wsize*3+ind]) {
                      break; /* Non-zero. */
                  }
                  ind++;
              }
              if (ind == wsize) {
                  printf("Found cplens pattern in %s\n",argv[1]);
              }
          }
          ptr++;
      }
      /* Copy end of buffer down, to catch patterns which
         go over a read boundary
       */
      memmove(buf,buf+cnt,CBPATTERN);
  }
  fclose(f);
  return 0;
}

Relevant Pages

  • Re: Tcl_GetIndexFromObjStruct and Comconnosance
    ... for GIF and PNG files, ... also want compressed data/stream handling in Tcl. ... I think one of the plans to patch zlib for integration, ... int; ...
    (comp.lang.tcl)
  • Re: [PATCH] Remove -static from Documentation/lguest/Makefile
    ... most distros only provides shared library form of zlib in their default installation. ... And shared linking also provides litte tiny security for hypotetical security problems will be introduced by zlib:). ... where shared libraries want to go. ... static int waker_fd; ...
    (Linux-Kernel)
  • Re: about zlib vulnerability - Microsoft products
    ... Microsoft is also using zlib in a couple of products. ... Microsoft applications use code from that compression library. ... Subject: about zlib vulnerability ...
    (Bugtraq)
  • Re: OpenMP API/libs?
    ... If you havn't libs, dlls etc how you will use it? ... OpenMP api is way way more complicated than zlib! ...
    (microsoft.public.vstudio.general)
  • Re: Problem reading zipped XML document
    ... int, int) is /not/ guaranteed to read as many bytes as you asked for, it may ... one gulp is somehow sensitive to the buffering between it and zlib. ...
    (comp.lang.java.programmer)
Quantcast