Re: MS jpeg vunerability

From: David Postill (david_at_postill.org.uk)
Date: 09/29/04 

Date: Wed, 29 Sep 2004 06:41:16 GMT

In article <th6kl0l3g0nidjtqbet166b5manab4beni@4ax.com>, on Tue, 28 Sep 2004 19:20:54 -0700, Bill
<bdwan@hotmail.com> wrote:

<snip />

| I'm lost here. Why does this problem exist with JPEG images and
| not GIFs or BMPs ?? Doesn't the header information in the image
| file determine what GDI functions get called with Header parameters
| being passed to the GDI functions ?

>From <http://www.us-cert.gov/cas/techalerts/TA04-260A.html>:

"Overview

Microsoft's Graphic Device Interface Plus (GDI+) contains a vulnerability
in the processing of JPEG images. This vulnerability may allow attackers to
remotely execute arbitrary code on the affected system. Exploitation may occur
as the result of viewing a malicious web site, reading an HTML-rendered email
message, or opening a crafted JPEG image in any vulnerable application.
The privileges gained by a remote attacker depend on the software component
being attacked."

| If someone could tell me the GDI funtions and JPEG headers
| involved that would help me.
|
| When it comes to laying down trojans using VBscript and
| ActiveX Components, I can somewhat understand that,
| but this is beyond me. What newfangled thing did they
| add to JPEG headers to allow for this ?? Is some "nut"
| trying to get JPEGs to be "Objects" which can/could
| include executable code ?

"I. Description

Microsoft Security Bulletin MS04-028 describes a remotely exploitable buffer
overflow vulnerability in Microsoft's Graphic Device Interface Plus (GDI+) JPEG
processing component."

So the answer to your last question is yes. You can pretty much do anything
with buffer overruns. Search for ""buffer overrun" tutorial" if you really want
to know more.

<davidp /> 

-- 
David Postill

Relevant Pages

  • Re: potential break or real break?
    ... It applies equally to image files, plain text files, ... Decoding enough to check if you have a valid header will be ... a jpeg for example, even if it is an OTP, and assuming the header is decoded ... recognise a file as a jpeg decodes correctly, if the rest of the data is not ...
    (sci.crypt)
  • Re: RAW vs. jpeg
    ... I took some inside shots with my Canon ... Digital Rebel set to capture both RAW and jpeg images at the same time ...
    (rec.photo.digital)
  • GDIplus issue
    ... I'm loading the main image which is a jpeg, ... text and shapes on that base image using Graphics class of GDI+, ... My problem is when I use GDI+, I loose some quality of the base image. ... EncoderParameter testParam= new ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: loading, Flipping and saving jpgs
    ... You're talking about milliseconds to flip an image, and 10,000 of them could be flipped in very short order. ... You will still need to use a third party library to convert flipped bitmap back into a jpeg, but there are many such libraries freely available that work well with VB6. ... when using such simple methods you really need to ensure that the system is running at full colour depth because loading a jpeg into a PictureBox or into a StdPicture object using the LoadPicture function or by setting a Picture property will degrade the colours when the code is run on a system running at 16 bit colour depth or less. ... You can actually load jpegs into a full colour DIBSection in VB6, even on machines that are running at 16 bits or less, and without using GDI+, but it takes quite a bit of work to do so. ...
    (microsoft.public.vb.general.discussion)
  • Re: Image quality: ImageFormat.Jpeg
    ... Find great Windows Forms articles in Windows Forms Tips and Tricks ... Answer those GDI+ questions with the GDI+ FAQ ... is there a way to set the output quality of a saved JPEG graphics? ...
    (microsoft.public.dotnet.framework.drawing)