Hello all,
First, a heads-up re the defect (see www.microsoft.com/security), and a question: why the chaotic nature of the patches? Is it perhaps that many different products have GDI+ statically linked, or is it sufficiently difficult to use that the vulnerability might "spread into the caller"?

Have a good one,

Bill

--
Wilhelm K. Schwab, Ph.D.
[hidden email]
Bill Schwab wrote:
> First, a heads-up re the defect (see www.microsoft.com/security), and a
> question: why the chaotic nature of the patches? Is it perhaps that
> many different products have GDI+ statically linked, or is it
> sufficiently difficult to use that the vulnerability might "spread into
> the caller"?

The way I read it, it's /mostly/ that any application that /might have/ installed the DLL (not finding it already present) is on the list. However see the first FAQ entry of the note at:

http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

which mentions several apps (including OfficeXP naturally!) that install a custom version of the DLL.

I've attached the advisory that was posted just now to Bugtraq, it may help.

-- chris

=============== from BugTraq ==================

Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
-----------------------------------------------------------------
Advisory: September 14, 2004
Reported: October 7, 2003

Systems affected based on testing:
Windows XP SP0, SP1, SP1a (Home & Pro)

Systems potentially affected based on Microsoft's DLL Help Database (there may be others):

gdiplus.dll 5.2.3790.0
  Windows Server 2003 Data Center
  Windows Server 2003 Enterprise
  Windows Server 2003 Standard
  Windows Server 2003 Web Edition

gdiplus.dll 5.1.3100.0
  Microsoft Visual Studio .NET (2003) Enterprise Architect

gdiplus.dll 5.1.3097.0
  Microsoft Visual Studio .NET (2002) Enterprise Architect
  Microsoft Visual Studio .NET (2002) Enterprise Developer
  Microsoft Visual Studio .NET (2002) Professional
  Microsoft Visual Studio .NET (2003) Enterprise Architect
  Visual Basic .NET Standard 2002
  Visual C# .NET Standard 2002
  Visual C++ .NET Standard 2002
  Windows XP Home 2002
  Windows XP Professional 2002

gdiplus.dll 5.1.3079.3
  Microsoft Visual Studio .NET (2002) Enterprise Architect
  Visio 2002 Professional
  Visio 2002 Standard

Description
------------------------
The JPEG parsing engine included in GDIPlus.dll contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs, potentially allowing an attacker to run arbitrary code on the affected system. Due to the pervasiveness of the affected DLL there may be other vulnerable attack vectors.

Technical
------------------------
JPEG Comment sections (COM) allow for the embedding of comment data into a JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16-bit unsigned integer in network byte order giving the total comment length + the 2 bytes for the length field; a single JPEG COM section could therefore contain 65533 bytes of invisible data (invisible in the sense that it's not rendered as part of the image).

Because the JPEG COM field length variable is 2 bytes wide, and is itself included in the length value, the minimum value for this field is 2; this implies an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs, overwriting heap management structures. The problem is GDIPlus normalizes the COM length prior to checking its value; a starting length of 0 becomes -2 after normalization (0xFFFE unsigned), this value is converted to the 32-bit value 0xFFFFFFFE and is eventually passed on to memcpy, which attempts to copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state, with execution eventually reaching heap unlink instructions within RtlFreeHeap with EAX pointing to a pointer to data we control, and we have direct control of EDX.

Vendor Status
------------------------
Patch available: MS04-028 (833987)
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Detection
------------------------
Detection could be accomplished by examining the JPEG image for the following byte sequence:

0xFF 0xFE 0x00 0x00
or
0xFF 0xFE 0x00 0x01

Credits
------------------------
Nick DeBaggis - Discovery, analysis, and advisory.

Special thanks to eEye Digital Security www.eeye.com - Detailed vulnerability analysis, initial and ongoing vendor contact.
Also thanks to Networks Unlimited - Early bug testing.

Related Links
------------------------
Solar Designer, Openwall Project
Netscape Browser JPEG Vulnerability July 2000
http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
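The two things the advisory's Technical and Detection sections describe, the normalize-before-check arithmetic and the byte-signature scan, as an added example in C (editorial illustration, not code from the advisory, from eEye, or from Microsoft). The vulnerable arithmetic is modelled from the advisory's prose only (16-bit wraparound of the length field minus 2, then sign-extension to 32 bits); the advisory documents the 0 and 1 cases and this model claims nothing about GDI+ beyond that. The sample byte strings are constructed here and are marker skeletons, not decodable images. The segment walker applies the length check to every length-bearing marker, not only COM, because the JPEG rule that the 2-byte length field counts itself holds for all of them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jpeg_scan_result {
    JPEG_OK = 0,             /* header segments walked without a problem */
    JPEG_NOT_JPEG,           /* no SOI (FF D8) at offset 0 */
    JPEG_MALFORMED,          /* broken marker structure or segment past end of buffer */
    JPEG_BAD_COM_LENGTH,     /* COM with length field 0 or 1: the MS04-028 trigger */
    JPEG_BAD_SEGMENT_LENGTH  /* same defect in another length-bearing segment */
};

/* Vulnerable order of operations as the advisory describes it: the length field
 * (which includes its own 2 bytes) is normalized before it is range-checked, so 0
 * wraps to 0xFFFE in 16 bits, is treated as signed -2 and widened to 0xFFFFFFFE.
 * Modelled from the advisory's prose; only the 0 and 1 cases are documented there.
 * Nothing is copied here, the function returns the byte count memcpy would get. */
uint32_t vulnerable_com_payload_len(uint16_t length_field)
{
    uint32_t raw16 = (length_field - 2u) & 0xFFFFu;         /* 16-bit wraparound */
    int32_t widened = (int32_t)(raw16 ^ 0x8000u) - 0x8000;  /* portable sign-extension */
    return (uint32_t)widened;
}

/* Hardened order: reject before subtracting, so nothing can wrap.
 * Returns the payload length (0..65533) or -1 for a malformed field. */
int checked_com_payload_len(uint16_t length_field)
{
    return length_field < 2 ? -1 : (int)length_field - 2;
}

/* The advisory's signature: FF FE 00 00 or FF FE 00 01 anywhere in the file.
 * Cheap, but it also fires on those bytes inside another segment's payload. */
int signature_hit(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 3 < len; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xFE && buf[i + 2] == 0x00 && buf[i + 3] <= 0x01)
            return 1;
    return 0;
}

/* Structure-aware check: walk marker segments from SOI, validate each length field
 * where a decoder would read it, and skip payloads so their bytes cannot match.
 * Stops at SOS (FF DA), where entropy-coded data replaces segment structure.
 * *bad_offset (if non-NULL) receives the offset of the offending marker. */
enum jpeg_scan_result scan_jpeg_segments(const uint8_t *buf, size_t len, size_t *bad_offset)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;
    size_t i = 2;
    while (i + 1 < len) {
        if (buf[i] != 0xFF)
            return JPEG_MALFORMED;                   /* expected a marker prefix */
        uint8_t m = buf[i + 1];
        if (m == 0xFF) { i++; continue; }            /* fill bytes before a marker */
        if (m == 0x00) return JPEG_MALFORMED;        /* stuffed byte only valid in scan data */
        if (m == 0xD9) return JPEG_OK;               /* EOI */
        if (m == 0xD8 || m == 0x01 || (m >= 0xD0 && m <= 0xD7)) {
            i += 2;                                  /* SOI, TEM, RSTn carry no length */
            continue;
        }
        if (i + 3 >= len)
            return JPEG_MALFORMED;                   /* length field itself is cut off */
        uint16_t seg_len = (uint16_t)((buf[i + 2] << 8) | buf[i + 3]);  /* network byte order */
        if (checked_com_payload_len(seg_len) < 0) {
            if (bad_offset) *bad_offset = i;
            return m == 0xFE ? JPEG_BAD_COM_LENGTH : JPEG_BAD_SEGMENT_LENGTH;
        }
        if (m == 0xDA) return JPEG_OK;               /* SOS: header walk complete */
        i += 2 + seg_len;                            /* marker + length-inclusive segment */
    }
    return JPEG_MALFORMED;                           /* ran off the end without EOI */
}

/* Constructed samples (marker skeletons only, not decodable images). */
static const uint8_t benign_jpeg[]    = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x04,'h','i', 0xFF,0xD9 };
static const uint8_t zero_len_com[]   = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x00, 0xFF,0xD9 };
static const uint8_t one_len_com[]    = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9 };
/* APP1 (FF E1, length 6) whose 4-byte payload happens to be the signature bytes */
static const uint8_t app1_lookalike[] = { 0xFF,0xD8, 0xFF,0xE1,0x00,0x06,0xFF,0xFE,0x00,0x00, 0xFF,0xD9 };

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } s[] = {
        { "benign COM",      benign_jpeg,    sizeof benign_jpeg },
        { "COM length 0",    zero_len_com,   sizeof zero_len_com },
        { "COM length 1",    one_len_com,    sizeof one_len_com },
        { "APP1 look-alike", app1_lookalike, sizeof app1_lookalike },
    };
    printf("length field 0: vulnerable copy length 0x%08X, checked result %d\n",
           (unsigned)vulnerable_com_payload_len(0), checked_com_payload_len(0));
    for (size_t k = 0; k < sizeof s / sizeof s[0]; k++) {
        size_t off = 0;
        enum jpeg_scan_result r = scan_jpeg_segments(s[k].buf, s[k].len, &off);
        printf("%-16s signature=%d walker=%d bad_offset=%zu\n", s[k].name,
               signature_hit(s[k].buf, s[k].len), (int)r, off);
    }
    return 0;
}
```

The APP1 sample is why the walker exists alongside the signature scan: the raw four-byte signature matches inside a legitimate segment's payload (EXIF metadata, an embedded thumbnail, an ordinary comment body), while the walker only examines a length field at the position where a decoder would actually read it. A production checker would also bound the walk by file size and treat a missing EOI as a reason to reject rather than merely report.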
Chris,
> The way I read it, it's /mostly/ that any application that /might have/
> installed the DLL (not finding it already present) is on the list. However see
> the first FAQ entry of the note at:
>
> http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

The cautions about errant installers causing other vulnerabilities are understandable, but one has to wonder about Microsoft's installers. One would hope that there would be a DLL...

> which mentions several apps (including OfficeXP naturally!) that install a
> custom version of the DLL.

or two<g> that could be replaced with a newer/fixed version, and that would be it, right?

> I've attached the advisory that was posted just now to Bugtraq, it may help.

Very interesting, thanks.

> =============== from BugTraq ==================
>
> Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
> -----------------------------------------------------------------
> Advisory: September 14, 2004
> Reported: October 7, 2003

Yikes!!!! Am I reading this correctly? While I am most impressed by Nick DeBaggis' work on this, it does not sound like an 11-month fix (from Microsoft's standpoint) once somebody shows you the problem. Fair? If yes, what the DLL happened?

Have a good one,

Bill

--
Wilhelm K. Schwab, Ph.D.
[hidden email]
Bill,
> The cautions about errant installers causing other vulnerabilities are
> understandable, but one has to wonder about Microsoft's installers. One
> would hope that there would be a DLL...
>
> > which mentions several apps (including OfficeXP naturally!) that
> > install a custom version of the DLL.
>
> or two<g> that could be replaced with a newer/fixed version, and that
> would be it, right?

I presume that the problem is that any application that uses GDIplus, and which is installable on a version of Windows before XP (or whenever GDIplus became standard) will, or may, have installed it. Hence all those applications need separate installable patches which can be applied on those platforms. That goes for MS-supplied apps just as much as independent ones. That it ends up being so complicated does point to a flaw in MS's installer technology, or at least suggests that it has been misused.

> > =============== from BugTraq ==================
> >
> > Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
> > -----------------------------------------------------------------
> > Advisory: September 14, 2004
> > Reported: October 7, 2003
>
> Yikes!!!! Am I reading this correctly? While I am most impressed by
> Nick DeBaggis' work on this, it does not sound like an 11 month fix
> (from Microsoft's standpoint) once somebody shows you the problem.

I can see that it would take a fair time to identify all the apps that needed patch installers, create the installers, test them, etc. Nearly a year does seem a little on the long side, though. <shrug/> MS, for you...

-- chris