
Microsoft Buffer Overrun in JPEG Processing

Ipsec Espah
Just Arrived
Joined: 16 Mar 2003
Posts: 4
PostPosted: Wed Sep 15, 2004 5:32 am    Post subject: Microsoft Buffer Overrun in JPEG Processing Reply with quote

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Executive Summary:
This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section.

If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

Microsoft recommends that customers apply the update immediately.

JPEG Vulnerability - CAN-2004-0200:
A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. Any program that processes JPEG images on the affected systems could be vulnerable to this attack, and any system that uses the affected programs or components could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

FAQ for JPEG Vulnerability - CAN-2004-0200:
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

What causes the vulnerability?
An unchecked buffer in the processing of JPEG images.

What are JPEG images?
JPEG is a platform-independent image format that supports a high level of compression. JPEG is a widely supported Internet standard developed by the Joint Photographic Experts Group.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

How could an attacker exploit this vulnerability?
Any program that processes JPEG images could be vulnerable to this attack. Here are some examples:

An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer 6 and then persuade a user to view the Web site.

An attacker could also create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Outlook 2002 or Outlook Express 6. An attacker could persuade the user to view or preview the HTML e-mail message.

An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.

An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the directory by using Windows Explorer.

What systems are primarily at risk from the vulnerability?
The vulnerability could only be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

Windows XP, Windows XP Service Pack 1, and Windows Server 2003 are vulnerable by default. Windows XP Service Pack 2, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, and Windows 2000 are not vulnerable by default. However, the vulnerable component could be installed by any of the products listed in the affected software section on these operating systems. Third-party applications that perform JPEG processing; third-party applications that were developed using Visual Studio .NET 2002, Visual Studio .NET 2003, or the Microsoft .NET Framework version 1.0 SDK Service Pack 2; and third-party applications that distribute their own copy of the vulnerable component may be also vulnerable.

What does the update do?
The update removes the vulnerability by modifying the way that Windows validates the affected image types.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Damn. Has a vulnerability like this ever been found before? I didn't think this was possible...
sim0n
Just Arrived
Joined: 10 Jul 2003
Posts: 3
PostPosted: Wed Sep 15, 2004 6:01 am    Post subject: Reply with quote

That's why it's always good to use an image viewer/commander (e.g. IrfanView, Total Commander, etc.).
RoboGeek
SF Mod
Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL
PostPosted: Tue Sep 21, 2004 5:11 pm    Post subject: Reply with quote

If anybody wants to play around with this, there is a POC here:

http://www.gulftech.org/?node=downloads

use at your own risk!
Tedob1
Just Arrived
Joined: 24 Aug 2004
Posts: 0
PostPosted: Fri Sep 24, 2004 6:33 am    Post subject: Reply with quote

Using the source code from k-otik to produce an image-type file with shellcode, my Symantec picked it up right away as 'Bloodhound.Exploit', rather generic, but it stopped it just the same with its heuristic scan. It did not catch the crafted image without the shellcode, but I've heard that the AV folks are including the crafted header's signature in the new def updates. So even if someone went out of their way to create brand new and shiny, never-seen-before shellcode, the header will still give it away. The header has to be 'as is' for the exploit to work, but almost any shellcode will work. It can carry a payload of near 2 KB.

Just make sure everyone you know keeps their patches and AV up to date and they should be all right.

I really gotta feel sorry for the poor schmucks that get hit with everything that comes out. They really don't have any clue why it's happening... 'Damned internet!'
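The bulletin above only says "an unchecked buffer in the processing of JPEG images", and Tedob1's post adds that the crafted header "has to be 'as is'" and that AV vendors are signaturing it. The following is an added example written for this page, not code from the thread, from the k-otik/GulfTech proof of concept, or from Microsoft. It rests on one assumption from outside the page: public root-cause analyses of MS04-028 attributed the overrun to the 2-byte length field of a JPEG COM (0xFFFE) segment, whose value counts its own two bytes, so a parser that computes `length - 2` without checking `length >= 2` wraps to a huge size and overruns the heap buffer on the copy that follows. The block shows that unchecked computation beside its hardened form, and a marker-segment walker that flags the malformed header the way a content signature would. The two sample images are constructed byte strings, not real files.

```c
/* Added example, not code from the forum thread or the Microsoft bulletin.
 * A minimal JPEG marker-segment walker showing (a) the "unchecked buffer"
 * pattern the bulletin describes and (b) a header check of the kind Tedob1
 * says AV vendors added.
 *
 * Assumption from outside this page: public root-cause analyses of MS04-028
 * attributed the overrun to the 2-byte length field of a JPEG COM (0xFFFE)
 * segment.  That length counts its own two bytes, so a parser computes
 * payload = length - 2; a length field of 0 or 1 wraps the subtraction to a
 * huge unsigned value and the copy that follows overruns the heap buffer.
 * The two sample images below are constructed byte strings, not real files. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define JPEG_SOI 0xD8
#define JPEG_EOI 0xD9
#define JPEG_SOS 0xDA
#define JPEG_COM 0xFE

enum jpeg_verdict {
    JPEG_CLEAN = 0,            /* headers walk cleanly to SOS or EOI       */
    JPEG_MALFORMED_LENGTH = 1, /* a segment length field below 2 (the bug) */
    JPEG_TRUNCATED = 2,        /* a segment claims more bytes than present */
    JPEG_NOT_JPEG = 3          /* no SOI marker at offset 0                */
};

/* The vulnerable computation: the length field is trusted as-is.
 * Returns the payload size the parser *believes* follows the length field.
 * For len_field 0 or 1 this wraps to 0xFFFFFFFE / 0xFFFFFFFF. */
uint32_t vulnerable_com_payload_len(uint16_t len_field)
{
    return (uint32_t)len_field - 2u;  /* no check that len_field >= 2 */
}

/* Hardened form of the same step: reject lengths below 2 and segments that
 * would run past the end of the buffer.  pos is the offset of the length
 * field itself; the segment spans [pos, pos + len_field). */
int segment_len_ok(uint16_t len_field, size_t pos, size_t total)
{
    if (len_field < 2) return 0;
    if (pos >= total || (size_t)len_field > total - pos) return 0;
    return 1;
}

/* Walk marker segments from SOI until SOS or EOI and report the first
 * structural problem.  The branch that flags the crafted header is
 * JPEG_MALFORMED_LENGTH; it fires on any marker segment, not only COM,
 * because a length field below 2 is never valid. */
enum jpeg_verdict scan_jpeg(const uint8_t *buf, size_t n)
{
    size_t pos = 2;
    if (n < 4 || buf[0] != 0xFF || buf[1] != JPEG_SOI) return JPEG_NOT_JPEG;
    while (pos + 1 < n) {
        uint8_t marker;
        uint16_t len;
        if (buf[pos] != 0xFF) return JPEG_TRUNCATED;      /* expected 0xFF prefix */
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }           /* fill byte */
        if (marker == JPEG_EOI || marker == JPEG_SOS) return JPEG_CLEAN;
        /* TEM (0x01) and RSTn (0xD0-0xD7) are stand-alone markers with no length. */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) { pos += 2; continue; }
        pos += 2;
        if (pos + 2 > n) return JPEG_TRUNCATED;
        len = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);  /* big-endian length */
        if (!segment_len_ok(len, pos, n))
            return len < 2 ? JPEG_MALFORMED_LENGTH : JPEG_TRUNCATED;
        pos += len;                                        /* skip to next marker */
    }
    return JPEG_TRUNCATED;                                 /* ran out before EOI/SOS */
}

/* Constructed samples: a benign SOI + 5-byte comment + EOI, and one whose COM
 * length field is 1 (the malformed header) followed by filler bytes. */
const uint8_t benign_jpeg[]  = { 0xFF,0xD8, 0xFF,JPEG_COM, 0x00,0x07, 'h','e','l','l','o', 0xFF,0xD9 };
const uint8_t hostile_jpeg[] = { 0xFF,0xD8, 0xFF,JPEG_COM, 0x00,0x01, 0x90,0x90,0x90,0x90, 0xFF,0xD9 };

int main(void)
{
    printf("benign : verdict %d\n", scan_jpeg(benign_jpeg, sizeof benign_jpeg));
    printf("hostile: verdict %d, trusted payload length would be 0x%08X\n",
           scan_jpeg(hostile_jpeg, sizeof hostile_jpeg),
           vulnerable_com_payload_len(0x0001));
    return 0;
}
```

The walker stops at SOS because the entropy-coded scan data that follows is not a marker-segment list; a content scanner only needs the header segments to spot this shape. Note that the check is on structure, not on the shellcode, which is why Tedob1's observation holds: the payload can be anything, but the header must carry the bad length field.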
Tedob1
Just Arrived
Joined: 24 Aug 2004
Posts: 0
PostPosted: Fri Sep 24, 2004 11:26 am    Post subject: Reply with quote

trocious,

The AV I use is NAV, as I said before. I would imagine this will hold true for most.

I didn't need to scan the JPEG itself to get an alert, just bring it into the computer's focus by opening the directory it is in or by downloading it. Everything you download, whether it be graphics for the web page you're viewing or apps, is being scanned by your AV already. You don't have to worry as long as your defs are current.
johnroshi
Just Arrived
Joined: 03 May 2004
Posts: 0
PostPosted: Sat Sep 25, 2004 1:52 am    Post subject: jpg vulnerability Reply with quote

Will a JPG that has been altered to exploit this vulnerability still be rendered as a viewable image? Or will the bad code inserted into the JPG cause the image to be corrupted?

In other words, if I view a hacked JPG file on some hacker's website, will the image still appear normally in my browser, or will there be some visual cue that something about this JPG is corrupted?
feagle814
Just Arrived
Joined: 26 Jul 2004
Posts: 0
PostPosted: Sat Sep 25, 2004 3:27 am    Post subject: Reply with quote

I've got IE 6 SP2, and the proof-of-concept JPEGs crash it, though the one with shellcode is caught. Both still crash the browser, which would be a bummer if I used IE at all.
ReNu
Just Arrived
Joined: 20 Aug 2004
Posts: 0
PostPosted: Tue Sep 28, 2004 11:07 pm    Post subject: Reply with quote

RoboGeek wrote:
If anybody wants to play around with this, there is a POC here:

http://www.gulftech.org/?node=downloads

use at your own risk!

Do not download any file from the site! There is a trojan bundled with the download files!