CORE-2004-0819: MSN Messenger PNG Image Parsing Vulnerability

From: CORE Security Technologies Advisories (
Date: 02/08/05

  • Next message: "AppleFileServer Denial of Service."
    Date: Tue, 08 Feb 2005 16:56:39 -0300
    To: Bugtraq <>, Vulnwatch <>, NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

                       Core Security Technologies Advisory

                   MSN Messenger PNG Image Parsing Vulnerability

    Date Published: 2005-02-08

    Last Update: 2005-02-08

    Advisory ID: CORE-2004-0819

    Bugtraq ID: None currently assigned.

    CVE Name: CAN-2004-0597

    Title: MSN Messenger PNG Image Parsing Vulnerability

    Class: Boundary Error Condition (Stack Buffer Overflow)

    Remotely Exploitable: Yes

    Locally Exploitable: Yes

    Advisory URL:

    Vendors contacted:
    - Microsoft
      2004-08-23: Notification to vendor
      2004-08-23: Notification acknowledgment received from vendor
      2005-02-08: Publication of fixes and advisories


    *Vulnerability Description:*

     MSN Messenger is a fully featured Instant Messaging (IM) program,
     that allows users to exchange pictures using the PNG image format and
     display them during conversations.

     A vulnerability found in the parsing of PNG images could allow an
     attacker to execute arbitrary code in the chat partner's machine and
     gain access to the system with the privileges of the user running the
     MSN Messenger client program.

     This vulnerability can be exploited on Windows 2000 (all service
     packs) and Windows XP (all service packs) that run vulnerable
     clients of MSN Messenger.

     Due to the particular characteristics of the MSN Messenger
     communications protocol, exploitation of the vulnerability is likely
     to pass unnoticed to network Intrusion Detection Systems (IDS),
     Intrusion Prevention Systems (IPS) and firewalls that do not
     implement decoding and normalization of the MSN Messenger protocol
     encapsulated within HTTP. Furthermore, its is possible to craft
     exploit code to compromise vulnerable systems without crashing or
     disrupting the normal functioning of the MSN Messenger client
     application and thus passing unnoticed to the end-user as well.

    *Vulnerable Packages:*

     The vulnerability was discovered and researched on the following

    . MSN Messenger 6.1 on Windows 2000 and Windows XP
    . MSN Messenger 6.2 on Windows 2000 and Windows XP

     The vendor reported the following packages as vulnerable:

    . MSN Messenger 6.1
    . MSN Messenger 6.2
    . Windows Messenger 4.7.2009
    . Windows Messenger 4.7.3000
    . Windows Messenger 5.0
    . Windows Media Player 9 series (CVE CAN-2004-1244)

    *Solution/Vendor Information/Workaround:*

     Microsoft Security Bulletin MS05-009 provides details and fix
     packages or vulnerable applications. It can be found at:

     The vendor reported that following packages/versions are NOT

    . Windows Media Player 6.4
    . Windows Media Player 7.1
    . Windows Media Player for Windows XP (8.0)
    . Windows Media Player 9 Series for Windows XP Service Pack 2
    . Windows Media Player 10
    . MSN Messenger for Mac

     Additionally, mitigating actions to reduce exposure to the
     vulnerability are provided below, but note that these actions might
     not suffice to close ALL attack vectors for ALL vulnerable packages:

    . MSN Messenger users should not accept unsolicited chat session
      requests from chat partners not in their contacts list.
    . MSN Messenger users should disable the custom emoticons feature of
      MSN Messenger, to do so go to Tools->Options->Messages.
    . Deny execution of MSN Messenger client application using ACLs or
      Host-based security controls.
    . Block MSN Messenger communications at the network perimeter.
    . Filter transmission of malformed PNG images using an
      application-layer proxy that supports MSN Messenger protocol.

     Disabling the "Display Picture" feature in MSN Messenger DOES NOT
     prevent exploitation.

     Core Security Technologies has made available a sample malformed
     PNG file that can be used to check if an MSN Messenger client is

     The ZIP-compressed image is available at

     After downloading it, uncompress and save it to a work folder, open
     MSN Messenger and select the image as your display picture in
     "Tools->Change Display Picture".

     Vulnerable clients will either crash or display popup dialog with the
     following text: "Your MSN Messenger client is vulnerable"


     This vulnerability was found by Juliano Rizzo from Core Security

     Chris Evans discovered previous problems related to PNG images in
     the libPNG open source library [1][2].

    *Technical Description - Exploit/Concept Code:*

     This vulnerability was found in MSN Messenger 6.2.0137, all technical
     details apply to that package and version but may be applicable to
     other vulnerable versions as well.

     The MSN Messenger protocol supports transmission of several types of
     images between users that are displayed during conversations.
     These include:

     . The display picture, which usually is a picture of the user.
     . Custom icons that are small images shown in the message line.
     . Thumbnails of images being transferred.
     . Background images.

     The image format used is PNG [3]. When a user selects a picture to be
     displayed as avatar, Messenger converts it to PNG format with a fixed
     size and encoding characteristics. When a conversation is initiated
     with a contact, the image is transmitted over the same communication
     channel used to exchange text messages.
     By sending a specially crafted PNG image an attacker can trigger a
     buffer overflow and execute arbitrary code on the chat partner's

     The PNG file format structure is based on chunks as described in [3].
     The vulnerability is present in processing intentionally malformed
     image chunks with specially crafted values for some fields in the
     IHDR and tRNS chunk types.
     The IHDR chunk has a "color type" field: a single-byte integer that
     describes the interpretation of the image data. To trigger the bug,
     the flags "color used" and "palette used" have to be set in the color
     type field, whereas the "alpha channel used" flag must not be set.
     Thus, the color type value has to be set to 0x03. There must also
     exist a tRNS chunk with enough data length (>256) to overflow a
     buffer and reach a function pointer address. A PLTE chunk could exist
     in the file, but it has to be after the tRNS chunk.

    [MSN Messenger clients compiled with the /GS stack-overflow protection

     Although the MSN Messenger client is compiled with the /GS compiler
     switch that provides protection against stack-based overflows as
     described in [4], exploitation is not prevented in this case.

     The following excerpt from MSDN describes the functionality of the
     /GS switch:

     "...The /GS switch provides a "speed bump" or cookie, between the
     buffer and the return address. If an overflow writes over the return
     address, it will have to overwrite the cookie put in between it and
     the buffer, resulting in a new stack layout..."

     The protection mechanism verifies the integrity of a called
     function's return address. By building a longer buffer, data beyond
     the return address can be overwritten, including: function
     parameters, local variables and Structured Exception Handling records
     [5]. Due to the way errors are handled in the MSN Messenger client,
     an exception is raised after the overflow occurs but before any
     stack integrity verification is done. To process that exception the
     first SEH record in the exception handlers chain is used and, since
     this is located in the stack and near the overflowed buffer, the
     most obvious method to execute arbitrary code bypassing the
     protection seems to be overwriting the function pointer contained in
     that SEH record.

     To be precise, the exception is raised when the program tries to
     check the chunk's CRC32 and the exception code is 0xE06D7363.

     The tRNS chunk to accomplish the above strategy would look like the

      | chunk type |space for code|(1) SEH record | CRC32 |
      ["tRNS" 4 bytes][256+168 bytes ][next/eip: 8 bytes]

     The chunk type and crc32 fields are not copied into the stack.

     After taking control of the execution flow, [ESP+8] points to (1), so
     a possible structure for the fake SEH record could be:

     EB F9 ?? ?? XX XX XX XX

     Where EB F9 is the opcode for a jump to 5 bytes back, the next two
     bytes (?? ??) can have any value and the next 4 bytes are the address
     of a "jmp [esp+8]". In this way only a small portion of the program
     stack is modified and execution of arbitrary code is obtained.

    [Attack vectors]

     The vulnerability may be used to infect image files. This means that
     a valid PNG file could be modified to exploit vulnerable programs
     and still look as a harmless picture to other applications.

     There are 4 known attack vectors to trigger the vulnerability in
     the PNG image processing code:
     - Delivery of a malformed PNG image as display picture
     - Delivery of a malformed PNG image as a thumbnail
     - Delivery of a malformed PNG image as an icon
     - Delivery of a malformed PNG image as a regular file transfer

    [Detection of an attack]

     An important success factor for attacks targeting end-user
     applications is being unnoticeable by the user. Error messages,
     crashes and hangs are not desirable when attacking a server, but tend
     to be catastrophic to an attack whenever a user on the other side is
     interacting with the program being attacked.

     Some characteristics of this vulnerability and program design make
     the perpetration of stealth attacks easier. This means that it's
     possible to exploit the vulnerability, executing code while keeping
     the application running normally. There are several ways to achieve

     The basic idea is to return the execution flow to the application
     after creating a new thread or process. In the exploitation scheme
     described above, the code executed by the attacker may act as a
     legitimate exception handler by behaving in the following manner:

     1. moves stack pointer to a lower address and saves registers.
     2. performs the desired operations, i.e. creates a new thread.
     3. reconstructs the overwritten SEH record.
     4. recover saved register values, including the stack pointer.
     5. returns a valid filter expression value (-1, 0 or 1) [5].

     Since delivery of an attack does not rely on any noticeable or
     suspicious network traffic outside of the normal behavior for the
     application's protocol, the only suitable way of detection from a
     network point of view is with the use of a proxy, IPS or firewall
     system with the capability of interpreting and normalizing the MSN
     Messenger protocol. In lieu of a patched client, attack detection
     should be based on the identification of malformed PNG images in
     MSN Messenger protocol traffic.

     The known attack vectors can be used to deliver successful attacks
     that are unnoticeable to the end user, not disrupting the execution
     of the MSN Messenger client running on the victim's computer and
     using it as a vantage point to compromise other clients by 'infecting'
     the victim's display picture.
     In this manner the vulnerability can be used to launch massive
     attacks using the application's underlying communications protocol as
     a delivery vector.
     Therefore, understanding the technical attributes for exploitation
     is also highly relevant to detect and prevent attacks.

    [Plausible exploit implementations]

     The code to exploit a server vulnerability usually involves
     implementing a limited portion of a network protocol that are in
     general, standard and well documented. Knowledge about encodings,
     languages and file formats are also needed to exploit browser or mail
     client flaws. However, even in those cases, the implementation
     complexity is low.

     In this case, crafting the malformed PNG image file seems simple but
     delivering the image to the victim through the Messenger protocol is
     somewhat a more difficult task.

     Alternatives to implementing an entire messenger client are:

        1) using the standard client application to send the image.
        2) using an open source third party client.
        3) using a messenger protocol proxy.

     1. In order to send the image using the standard client, it must be
     previously patched and modified to accept the infected image file as
     a display picture, emoticon or any other desired image type.

     2. The difference with the previous option is that the modifications
     can be made easily.

     3. The idea behind using a proxy is to avoid modifying a client, and
     being able to synchronize the other stages of an attack, as well as
     the possibility of using the same communication channel to control
     the victim's computer.
     A messenger protocol proxy can be used both to inject malformed PNG
     images to deliver an attack, or to sanitize outgoing traffic to
     prevent exploitation of third parties system.

    [Proof of Concept exploit code]

     To check if a MSN Messenger client is vulnerable, users can
     download the PNG image provided in the following URL

     The PNG image was built to work with MSN Messenger 6.2.0137.
     Once downloaded and uncompressed, open MSN Messenger, go to
     Tools->"Change display picture..." and select the file.

     On vulnerable clients either a message box will be shown or
     MSN Messenger will crash.


     [1] libPNG 1.2.5 stack-based buffer overflow and other code concerns

     [2] Multiple buffer overflows in libpng 1.2.5

     [3] Portable Network Graphics (PNG) Specification and Extensions

     [4] MSDN Compiler Security Checks In Depth

     [5] Structured Exception Handling

     [6] MSN Messenger protocol - display pictures

    *About Core Security Technologies*

     Core Security Technologies develops strategic security solutions for
     Fortune 1000 corporations, government agencies and military
     organizations. The company offers information security software and
     services designed to assess risk and protect and manage information
     assets. Headquartered in Boston, MA, Core Security Technologies can
     be reached at 617-399-6980 or on the Web at

     To learn more about CORE IMPACT, the first comprehensive penetration
     testing product, visit:


     The contents of this advisory are copyright (c) 2005 CORE Security
     Technologies and may be distributed freely provided that no fee is
     charged for this distribution and proper credit is given.

    $Id: msn-png-advisory.txt,v 1.19 2005/02/08 19:14:02 iarce Exp $

  • Next message: "AppleFileServer Denial of Service."

    Relevant Pages