Forums: Buffer Overrun In Jpeg Processing - Forums


Buffer Overrun In Jpeg Processing Maximum Severity Rating: Critical

#1 BoNzO (Private First Class, Group: Members, Posts: 119, Joined: 24-December 03)

Posted 15 September 2004 - 12:46 AM

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

Issued: September 14, 2004
Version: 1.0

Summary
Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None


JPEG Vulnerability - CAN-2004-0200:

A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. Any program that processes JPEG images on the affected systems could be vulnerable to this attack, and any system that uses the affected programs or components could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

FAQ for JPEG Vulnerability - CAN-2004-0200:

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

What causes the vulnerability?
An unchecked buffer in the processing of JPEG images.

What are JPEG images?
JPEG is a platform-independent image format that supports a high level of compression. JPEG is a widely supported Internet standard developed by the Joint Photographic Experts Group.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

How could an attacker exploit this vulnerability?
Any program that processes JPEG images could be vulnerable to this attack. Here are some examples:

An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer 6 and then persuade a user to view the Web site.

An attacker could also create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Outlook 2002 or Outlook Express 6. An attacker could persuade the user to view or preview the HTML e-mail message.

An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.

An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the directory by using Windows Explorer.

;)

#2 FiNaLBeTa (Master Sergeant, Group: Specialist, Posts: 461, Joined: 26-December 03)

Posted 15 September 2004 - 01:36 AM

nice sploit.
This will cause a lot of trouble the next few months.

#3 BuzzDee (Master Sergeant, Group: Specialist, Posts: 454, Joined: 27-September 03)

Posted 15 September 2004 - 02:34 AM

hey i just took a really funny picture! who wants to view it? :D

damn... :ph34r:

#4 Guest_rscience_* (Group: Guests)

Posted 15 September 2004 - 02:57 AM

heh show me.

#5 Dennis (Specialist, Group: Specialist, Posts: 2,528, Joined: 08-September 04)

Posted 15 September 2004 - 03:07 AM

omg...anybody has the exploit yet :lol:

FLX
Read the rules to prevent yourself from getting banned

"Battle not with monsters, lest ye become a monster. And if thou gaze long into the abyss, the abyss will also gaze into thee."
- Friedrich Wilhelm Nietzsche


#6 Mr CooL (Private, Group: Members, Posts: 5, Joined: 13-September 04)

Posted 15 September 2004 - 03:35 AM

seems nice, waiting for the exploit hehe :]

#7 knull (Private First Class, Group: Members, Posts: 22, Joined: 30-December 03)

Posted 15 September 2004 - 04:06 AM

ok, where do I find this exploit?

#8 knull (Private First Class, Group: Members, Posts: 22, Joined: 30-December 03)

Posted 15 September 2004 - 04:28 AM

this is an interesting link:
http://www.openwall....tscape-jpeg.txt

#9 DarkieD (Private First Class, Group: Members, Posts: 106, Joined: 21-September 03)

Posted 15 September 2004 - 04:45 AM

Yeah just saw it on bugtraq , pretty sick shit


Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
-----------------------------------------------------------------
Advisory: September 14, 2004
Reported: October 7, 2003

Systems affected based on testing:
Windows XP SP0, SP1, SP1a (Home & Pro)

Systems potentially affected based on Microsoft's DLL Help Database
(there may be others):

gdiplus.dll 5.2.3790.0
   Windows Server 2003 Data Center
   Windows Server 2003 Enterprise
   Windows Server 2003 Standard
   Windows Server 2003 Web Edition

gdiplus.dll 5.1.3100.0
   Microsoft Visual Studio .NET (2003) Enterprise Architect

gdiplus.dll 5.1.3097.0
   Microsoft Visual Studio .NET (2002) Enterprise Architect
   Microsoft Visual Studio .NET (2002) Enterprise Developer
   Microsoft Visual Studio .NET (2002) Professional
   Microsoft Visual Studio .NET (2003) Enterprise Architect
   Visual Basic .NET Standard 2002
   Visual C# .NET Standard 2002
   Visual C++ .NET Standard 2002
   Windows XP Home 2002
   Windows XP Professional 2002

gdiplus.dll 5.1.3079.3
   Microsoft Visual Studio .NET (2002) Enterprise Architect
   Visio 2002 Professional
   Visio 2002 Standard

Description
------------------------

The JPEG parsing engine included in GDIPlus.dll contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs, potentially allowing an attacker to run arbitrary code on the affected system. Due to the pervasiveness of the affected dll there may be other vulnerable attack vectors.

Technical
------------------------

JPEG Comment sections (COM) allow for the embedding of comment data into a JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16-bit unsigned integer in network byte order giving the total comment length + the 2 bytes for the length field; a single JPEG COM section could therefore contain 65533 bytes of invisible data (invisible in the sense that it's not rendered as part of the image). Because the JPEG COM field length variable is 2 bytes wide, and itself is included in the length value, the minimum value for this field is 2; this implies an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs, overwriting heap management structures.

The problem is GDIPlus normalizes the COM length prior to checking its value; a starting length of 0 becomes -2 after normalization (0xFFFE unsigned). This value is converted to the 32-bit value 0xFFFFFFFE and is eventually passed on to memcpy, which attempts to copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state, with execution eventually reaching heap unlink instructions within RTLFreeHeap with EAX pointing to a pointer to data we control, and we have direct control of EDX.

Vendor Status
------------------------

Patch available: MS04-028 (833987)
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Detection
------------------------

Detection could be accomplished by examining the JPEG image for the following byte sequence:

0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01

Credits
------------------------
Nick DeBaggis - Discovery, analysis, and advisory.

Special thanks to eEye Digital Security www.eeye.com - Detailed vulnerability analysis, initial and ongoing vendor contact.

Also thanks to Networks Unlimited - Early bug testing.

Related Links
------------------------
Solar Designer, Openwall Project
Netscape Browser JPEG Vulnerability July 2000
http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt

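The COM-length bug and the detection signature described in the advisory above, as an added example that is not part of the original post, of the advisory, or of any Microsoft code: a small Python JPEG segment walker that flags a COM marker whose declared length is below the 2-byte minimum, placed beside the advisory's raw byte-pattern check so the difference shows. It also mirrors, in two helper functions, the wrap-around that the advisory attributes to normalising the length before validating it (0 becomes 0xFFFFFFFE) and the checked form that rejects the value first. All function names are my own, and the two JPEG headers at the bottom are constructed for the example, not captured samples.

```python
import struct

# JPEG marker bytes (the byte that follows 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Stand-alone markers that carry no length field: TEM and RST0..RST7
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def walk_segments(data: bytes):
    """Yield (marker, offset, declared_length) for each header segment.

    declared_length is the big-endian 16-bit field that, per the JPEG
    standard, counts its own two bytes plus the payload, so 2 is the
    smallest valid value.  Stand-alone markers yield None.  Parsing stops
    at SOS (entropy-coded data follows) or at the first segment whose
    length is too small to advance the cursor safely.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # 0xFF fill bytes may precede a marker
            pos += 1
            continue
        if marker == EOI or marker in STANDALONE:
            yield marker, pos, None
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, length
        if marker == SOS or length < 2:
            return
        pos += 2 + length


def malformed_com_offsets(data: bytes):
    """Offsets of COM segments whose length field is 0 or 1 (the MS04-028 trigger)."""
    return [off for marker, off, length in walk_segments(data)
            if marker == COM and length is not None and length < 2]


def naive_signature_hits(data: bytes):
    """The advisory's byte-pattern check, applied at every file offset."""
    hits = []
    for pattern in (b"\xFF\xFE\x00\x00", b"\xFF\xFE\x00\x01"):
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def payload_length_vulnerable(declared: int) -> int:
    """Mimics the order of operations the advisory describes: subtract the
    2-byte length field before validating, truncated to 32 bits.  0 -> 0xFFFFFFFE."""
    return (declared - 2) & 0xFFFFFFFF


def payload_length_checked(declared: int) -> int:
    """Validate the declared length before any arithmetic is done on it."""
    if declared < 2:
        raise ValueError(f"COM length {declared} is below the 2-byte minimum")
    return declared - 2


# Constructed sample headers (not real files): SOI, APP0 JFIF, then either
# a benign COM or a COM whose length field is zero.
_APP0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
# Constructed APP1 whose opaque payload happens to contain the signature bytes
_APP1 = b"\xFF\xE1" + struct.pack(">H", 8) + b"\x01\xFF\xFE\x00\x00\x02"
BENIGN_JPEG = (b"\xFF\xD8" + _APP0 + _APP1
               + b"\xFF\xFE" + struct.pack(">H", 7) + b"hello" + b"\xFF\xD9")
MALFORMED_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x00" + b"\x00" * 16 + b"\xFF\xD9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, "walker:", malformed_com_offsets(blob),
              "signature:", naive_signature_hits(blob))
```

The walker only raises a finding when the bad length sits on an actual COM marker at a segment boundary, whereas the four-byte signature also fires on the same bytes buried inside another segment's payload (the constructed APP1 above). Once an untrusted length is seen the walker stops rather than trying to skip over it, which is the same principle as `payload_length_checked`: reject the value before doing arithmetic that a 16-bit field and a 32-bit copy size will silently wrap.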

#10 mrBob (Sergeant First Class, Group: Specialist, Posts: 321, Joined: 12-August 03)

Posted 15 September 2004 - 05:10 AM

nice to see there's a fix already
those jpeg exploits are too dangerous if no patch available :ph34r:

#11 BoNzO (Private First Class, Group: Members, Posts: 119, Joined: 24-December 03)

Posted 15 September 2004 - 05:31 AM

mrBob, on Sep 15 2004, 01:10 PM, said:

nice to see there's a fix already
those jpeg exploits are too dangerous if no patch available :ph34r:

If you have installed any of the affected programs or affected components listed in the bulletin, you should install the required security update for each of the affected programs or affected components.

->http://www.microsoft...n/ms04-028.mspx

#12 Nick W (Master Sergeant, Group: Members, Posts: 1,250, Joined: 12-August 03)

Posted 15 September 2004 - 06:55 AM

From my other thread: (Originally in Exploit R&D)

Quote

Have things gotten so bad the exploit for this isn't out? Microsoft just released a patch here:
http://www.microsoft...n/ms04-028.mspx

CAN-2004-0200?

http://cve.mitre.org...e=CAN-2004-0200

Anyone know anymore about this?


If I move this thread to exploit R&D then can people still post to it?

#13 Nick W (Master Sergeant, Group: Members, Posts: 1,250, Joined: 12-August 03)

Posted 15 September 2004 - 07:48 AM

http://sec.gravito.com/crash/CRASH.JPG

Does it crash anyone without the patch?

Only affects me if I right-click and save as and then open it locally.

#14 alibaba (Private First Class, Group: Members, Posts: 81, Joined: 04-December 03)

Posted 15 September 2004 - 09:05 AM

Yes, same here. When I viewed it locally after saving the pic, it crashed my IE. But viewing it online did not affect IE.

#15 passi (Sergeant First Class, Group: Members, Posts: 301, Joined: 09-September 03)

Posted 15 September 2004 - 09:15 AM

Quote

Systems affected based on testing:
Windows XP SP0,SP1,SP1a (Home & Pro)


Seems like Windows XP SP2 users are safe :)

cewl :lol: