JPEG Exploit Proof of Concept? At Link Removed --WCB! under an entry dated 9-15-04 there is an item "MS04-028 PoC" linking to CRASH-TEST.zip. I am wondering if this is a working Proof of Concept of the Microsoft GDIPLUS.DLL vulnerability announced this week at » www.microsoft.com/techne ··· 028.mspx. Has anyone investigated this yet? If it's a working PoC, malware exploiting it might not be far off. I would be interested in the experts' opinions.
|
IGGY9 (No Guru Just Here To Help; Premium Member, joined 2001-03-30, Chatham, IL), 2004-Sep-17 6:09 pm
I just downloaded it - it opened the zip folder - nothing happened. I took the zip out of my Temporary Internet Files folder, dropped it on the desktop, scanned with KAV 5.0 - no alert etc.
So unless I missed something, it didn't seem to do anything. I'm running XP Pro with SP2.
Opened in XP Picture Viewer - a big red box was shown for a few seconds, then it went to "failed to draw".
|
|
Schouw (Premium Member, joined 2003-05-29, Netherlands), 2004-Sep-17 6:17 pm
XP/SP2 isn't vulnerable itself. Just tested with XP/SP0 and explorer.exe crashes on the file. Perhaps something for a new heuristics record.
|
IGGY9 (Premium Member, Chatham, IL), 2004-Sep-17 6:24 pm
Just confirmed that, looking at the Microsoft link and here » www.theinquirer.net/?art ··· le=18510 : "HACKERS ARE swapping information online about the latest hole in Windows in the hope of getting a good exploit onto other people's computers before they install SP2." So again it would seem that as long as you're running a properly patched machine, you have no need to worry. Interesting how that works. :) Although the article at the end does state this: "Although SP2 users might feel safe that they are fairly safe from the bug, they might still have a problem because other applications in their systems are not, Symantec said." » www.desktoppipeline.com/47212215
|
psloss (Premium Member, joined 2002-02-24), to ConfuciusIam
The link is from the Security.Nnov (Russia) website; attached screenshot shows what look like attempts to me. (The repeated 0x78 bytes in the lower pane, and there was another "thing" on the website itself, in which the screenshot is just showing the comment) ...not sure this means much of anything. I'd be more surprised if people weren't trying to do this. Philip Sloss
|
ecb12 (joined 2004-03-11, Columbia, MO), to ConfuciusIam
The exploit affects the whole Windows family (Outlook, Office, things like that) as well as the older versions of Windows, so even if you have SP2 you still should go do the Windows Update and/or the Windows family (Office) update.
|
to Schouw
said by Schouw: XP/SP2 isn't vulnerable itself. Just tested with XP/SP0 and explorer.exe crashes on the file.
Perhaps something for a new heuristics record.
Based on your testing with XP/SP0, the JPEG in CRASH-TEST.zip may be using the comment field buffer overflow to crash explorer.exe. It seems that this might be a valid proof of concept, although a very basic one. (A more advanced PoC might do something beyond crashing explorer.exe, such as displaying a message or creating a new file such as "infectedbygdiplus.txt".) Considering that infection may possibly occur when an infected JPEG is viewed in IE or previewed in Outlook, I'm wondering what impact this vulnerability will have on the millions of unpatched PCs?
|
IGGY9 (Premium Member, Chatham, IL), 2004-Sep-18 11:31 pm
"Two years ago anti-virus company McAfee got into trouble for claiming that the W32/Perrun virus could infect image files, when in fact it required a separate piece of viral code in order to spread. But now Microsoft has released details of a major problem the GDI+ graphics system which has turned the story into a rather unpleasant reality. As a result, millions of net users could find their machines compromised just because they visit the wrong website or look at the wrong e-mail, since a carefully constructed Jpeg image file could be carrying a virus which will infect them." » news.bbc.co.uk/1/hi/tech ··· 6702.stm (Taking computer insecurity seriously)
Newest Microsoft Hole Ripe for Attack: Patch Now! » blogs.pcworld.com/staffb ··· 221.html
|
|
Anon, 2004-Sep-19 8:23 am
I just read from » blogs.pcworld.com/staffb ··· 221.html that Photoshop, ACDSee and RSS readers are also vulnerable?! Is that true? I checked their official forums, nothing was mentioned... Anybody? Thx.
|
|
to Schouw
Look what the cat dragged in. Clicked on the CRASH-TEST.zip file and the pig squeal came out right away. KAV 4.5, x-bases.
|
|
to ConfuciusIam
If this is a buffer overflow vulnerability, does that mean a system running NX (A64 + SP2) is safe?
|
said by Cho Baka: If this is a buffer overflow vulnerability, does that mean a system running NX (A64 + SP2) is safe?
That's a good question. XP/SP2 itself should not be vulnerable for two reasons: first, SP2 contains an updated gdiplus.dll that is not vulnerable, and secondly, at least in theory, NX plus DEP in SP2 should protect against buffer overflows. However, XP/SP2 running unpatched versions of Office XP and Office 2003, as well as Microsoft developer and home productivity tools, is potentially vulnerable if the unpatched apps are used to access an infected JPEG. However, at least in theory, NX plus SP2 should provide protection in this situation also, as long as DEP has not been disabled for the vulnerable apps. Is there anyone on this forum running an unpatched Microsoft app on Athlon 64 with SP2 who could test this for us?

Also, below is some detail on the technical nature of the vulnerability from » lists.seifried.org/piper ··· 765.html

JPEG Comment sections (COM) allow for the embedding of comment data into a JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16-bit unsigned integer in network byte order giving the total comment length + the 2 bytes for the length field; a single JPEG COM section could therefore contain 65533 bytes of invisible data (invisible in the sense that it's not rendered as part of the image). Because the JPEG COM field length variable is 2 bytes wide, and itself is included in the length value, the minimum value for this field is 2; this implies an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs, overwriting heap management structures. The problem is GDIPlus normalizes the COM length prior to checking its value; a starting length of 0 becomes -2 after normalization (0xFFFE unsigned), this value is converted to the 32-bit value 0xFFFFFFFE and is eventually passed on to memcpy, which attempts to copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state, with execution eventually reaching heap unlink instructions within RTLFreeHeap with EAX pointing to a pointer to data we control, and we have direct control of EDX.
|
bcool (Premium Member, joined 2000-08-25), 2004-Sep-19 11:47 am
Sorry to insert a silly question here. But - 1.) If I'm running WinXP SP1 and patched it with WindowsXP-KB833987-x86-ENU.EXE, I should expect that IE6 SP1 was patched at the same time, right? I was a little confused when in the MS bulletin I see under "Affected Components" a separate link for Internet Explorer 6 Service Pack 1. But this appears to be a separate patch for IE6 SP1 on Win98, Win98SE, etc., but not WinXP. 2.) I also patched MS Office XP separately. No problem. Now all I have to worry about is my older ACDSee ver 4.x.
|
|
WhoAmI2 (Anon), 2004-Sep-19 5:25 pm, to IGGY9
JPEG virus (speculation & hysteria, September 2004) » vmyths.com/hoax.cfm?id=95&page=3
|
|
to ConfuciusIam
I just spent a bit of time looking at www.amd.com to try and find out about NX (new name: DEP, per Microsoft). It seems that SP2 is required for this processor to allow this function to operate. There is some info in this document: » www.amd.com/us-en/assets ··· _(2).pdf For a quick read, scroll to pages 5-6 to get an idea of what DEP is.
|
jdong (Eat A Beaver, Save A Tree; Premium Member, joined 2002-07-09, Rochester, MI), to Cho Baka
said by Cho Baka: If this is a buffer overflow vulnerability, does that mean a system running NX (A64 + SP2) is safe?
NX, per default settings in SP2 final, will not protect explorer.exe. Microsoft left DEP off except for critical system processes. Even if DEP was on, Explorer would still be terminated (i.e. Illegal Operation), which is annoying enough.
|
|
yesac81 (Anon), 2004-Sep-20 8:11 am
The question is, does NX protect against buffer underflows? The vulnerability that is potentially exploited here is an underflow rather than an overflow. The same thing happened with the LSASS vuln patched by MS04-011; it wasn't an overflow either.
Hangovers from Blaster, I suppose...
|
kpatz (MY HEAD A SPLODE; Premium Member, joined 2003-06-13, Manchester, NH), 2004-Sep-20 8:14 am
Overflow, underflow, the only difference is which end of the buffer gets overwritten. In theory, NX should protect from either, if there is executable code prior to the buffer address.
|
jdong (Premium Member, Rochester, MI), to ConfuciusIam
NX will protect buffer exploits from overwriting other apps' RAM, but will not magically keep a misbehaving program alive!
|
to Cho Baka
said by Cho Baka: I just spent a bit of time looking at www.amd.com to try and find out about NX (new name: DEP, per Microsoft). It seems that SP2 is required for this processor to allow this function to operate. There is some info in this document: » www.amd.com/us-en/assets ··· _(2).pdf For a quick read, scroll to pages 5-6 to get an idea of what DEP is.
Reading » www.microsoft.com/techne ··· mpr.mspx , having a processor that supports hardware DEP (aka NX) along with SP2 only protects you against SOME but NOT ALL buffer overflow / underflow conditions. For one thing, it seems that Microsoft only enabled DEP in some cases for compatibility reasons. It's definitely not a case of NX plus SP2 = safe from all buffer overrun exploits. It's more like NX plus SP2 will protect you from certain types of exploits, but you may still be vulnerable to other types of "overflow" exploits. DEP is only active in certain cases and, as jdong says, by default is only turned on for some system processes.

Here is a link to simple instructions with screen capture illustrations to turn on DEP for all programs and services. Warning - reading the instructions is interesting, but personally I would not turn on DEP for all progs/svcs unless I had a reliable backup to restore from! Here is the link: » open-node.net/archive/20 ··· 584.aspx

Here is a link to a 35 page AMD presentation on AMD64 Enhanced Virus Protection. It appears that there are a lot of technical details. I haven't had a chance to read it yet. » www.amd.com/us-en/assets ··· inal.pdf
|
|
Microsoft I believe was unable to enable all of DEP as it would kill a pile of software products as they have either intended or more likely unintended overflow issues. Hopefully the idea was to let software developers know that this puppy is out there and is coming so they better test their apps and ensure that they will work properly with this technology.
This is going to cause a problem in the software development industry as now everyone has to upgrade at least some of their hardware to a level where there is hardware DEP functionality and review and fix some code which in itself is going to be an interesting revelation for some companies. In some cases you will have to stop using old unsupported code or products which contains these unintended but non-fatal overflows as they will be halted on a DEP enabled system.
Blake |
|
jdong (Premium Member, Rochester, MI), 2004-Sep-20 3:28 pm
said by Link Logger: Microsoft I believe was unable to enable all of DEP as it would kill a pile of software products as they have either intended or more likely unintended overflow issues. Hopefully the idea was to let software developers know that this puppy is out there and is coming so they better test their apps and ensure that they will work properly with this technology.
Most AVs break, Ad-aware breaks, Office 2003 had trouble installing in the SP2 beta, the list goes on.
|
to yesac81
said by yesac81: The question is, does NX protect against buffer underflows? The vulnerability that is potentially exploited here is an underflow rather than an overflow. The same thing happened with the LSASS vuln patched by MS04-011; it wasn't an overflow either. Hangovers from Blaster, I suppose...
What are you talking about? Of course this is a buffer overflow attack. There is no such thing as a buffer "underflow"/"underrun" attack. A numeric field in the file format that contains the length of the comment is set to a number that is in fact lower than the shortest possible comment field, so when the GDI+ library processes it, it subtracts two from the number, leading to -2, which in hexadecimal is 0xFFFE, which somewhere in the code gets sign-extended to a 32-bit value, 0xFFFFFFFE, and then passed to a memory-allocation routine as an unsigned value, which tries to allocate 4GB-2 of RAM, obviously fails, and then the code starts to scribble over stuff in the heap, because it doesn't check for an error in the memory allocation. It's sloppy code, pure and simple, that doesn't rigorously check for error conditions along the way, in order to properly and safely validate the file-format data it is receiving. This type of sloppy coding is all too common in MS software, and is exactly the type of thing that leads to exploits further down the line. When you are a programmer "in the trenches", and you have to produce working functionality by a deadline, and are not tested on the basis of the security of those features, this is what happens. We've seen exploits in the past for nearly all of the various additional shell add-on features for Windows XP, and this is, IMHO, no different. I question whether this code was ever singly- and doubly- code-reviewed at all - unlike the Mozilla development process, which requires both an +r (review) and +sr (super-review) in order to be accepted into the source-code tree. The fact is, the quality of the software-development process itself is higher with Mozilla than with 95% of Microsoft software, IMHO. So many people don't seem to understand this, and think blindly that IE and other MS software is more vulnerable simply because it is more popular or has greater market share.
In the end though, it all comes down to one major thing - code quality, especially with an eye towards security, something that MS has never seemed to have until perhaps recently. Edit: According to the description that ConfuciusIam posted, it's actually the memcpy() routine that gets called, not a memory-allocation routine, that overwrites heap structures or something - that's actually worse, even.
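As an added example (my own code, not from the thread, Microsoft, eEye or the PoC's author), the following models the COM-length arithmetic that the seifried.org excerpt quoted earlier in the thread and the reply above both describe, beside the check a hardened parser applies, and adds a marker-segment scanner that flags the malformed header the way an AV signature on these files would. The arithmetic is a model of that description and not GDI+'s actual code, and the JPEG byte strings are constructed inline rather than taken from real images or from CRASH-TEST.zip.

```c
/* Added example, not code from the thread, Microsoft, eEye or the PoC author.
 * Models the COM-length arithmetic described in the thread and shows the check
 * a hardened parser applies, plus a marker-segment scanner that flags the
 * malformed header. Sample JPEG byte strings are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the arithmetic the thread describes: the 16-bit COM length field
 * has the 2 bytes of the field itself subtracted *before* any range check, and
 * the result is handed to memcpy as an unsigned count. Field 0 -> -2 ->
 * 0xFFFFFFFE (~4 GB). This reproduces the described numbers, not GDI+'s code. */
uint32_t com_payload_len_unchecked(uint16_t field)
{
    int32_t normalized = (int32_t)field - 2;     /* 0 -> -2, 1 -> -1, 2 -> 0, 0xFFFF -> 65533 */
    return (uint32_t)normalized;                 /* -2 becomes 0xFFFFFFFE */
}

/* Hardened version: validate the raw field against its 2-byte minimum first.
 * Returns 0 and the payload length (<= 65533), or -1 for a field of 0 or 1. */
int com_payload_len_checked(uint16_t field, uint16_t *payload_len)
{
    if (field < 2)
        return -1;
    *payload_len = (uint16_t)(field - 2);
    return 0;
}

/* Walk the marker segments of a JPEG up to SOS/EOI and classify the first COM
 * (0xFFFE) segment. Returns 1 for a COM with a valid length (payload length in
 * *payload_len), -1 for a COM whose length field is below 2 (the malformed
 * header), 0 if no COM segment is present, -2 for a garbled marker stream. */
int scan_jpeg_com(const uint8_t *buf, size_t n, uint16_t *payload_len)
{
    size_t i;
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)   /* must start with SOI */
        return -2;
    for (i = 2; i + 2 <= n; ) {
        uint8_t marker;
        uint16_t field;
        if (buf[i] != 0xFF)
            return -2;
        marker = buf[i + 1];
        if (marker == 0xFF) { i++; continue; }        /* fill byte */
        if (marker == 0xD9 || marker == 0xDA)         /* EOI, or SOS: entropy data follows */
            return 0;
        if (i + 4 > n)
            return -2;                                /* length field truncated */
        field = (uint16_t)((buf[i + 2] << 8) | buf[i + 3]);   /* big-endian, includes itself */
        if (marker == 0xFE)
            return com_payload_len_checked(field, payload_len) == 0 ? 1 : -1;
        if (field < 2)
            return -2;                                /* same flaw in another segment type */
        i += 2 + field;                               /* skip marker + segment */
    }
    return -2;                                        /* ran off the end without EOI */
}

/* Constructed samples (not real images): SOI, optional segments, EOI. */
static const uint8_t benign_jpeg[]  = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x04,'h','i', 0xFF,0xD9 };
static const uint8_t malformed_jpeg[] = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x00, 0xFF,0xD9 };
static const uint8_t app0_then_malformed[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x02, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9 };
static const uint8_t no_com_jpeg[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x02, 0xFF,0xD9 };

int main(void)
{
    uint16_t len = 0;
    printf("COM field 0 -> memcpy count 0x%08X\n", (unsigned)com_payload_len_unchecked(0));
    printf("benign:     %d (payload %u bytes)\n", scan_jpeg_com(benign_jpeg, sizeof benign_jpeg, &len), len);
    printf("malformed:  %d\n", scan_jpeg_com(malformed_jpeg, sizeof malformed_jpeg, &len));
    printf("after APP0: %d\n", scan_jpeg_com(app0_then_malformed, sizeof app0_then_malformed, &len));
    printf("no COM:     %d\n", scan_jpeg_com(no_com_jpeg, sizeof no_com_jpeg, &len));
    return 0;
}
```

The point of the two length functions side by side is ordering: the unchecked one subtracts first and checks never, so a field of 0 or 1 wraps to a count near 4 GB; the checked one rejects the raw field before doing any arithmetic on it. The scanner only classifies headers; it does not attempt to reproduce the heap corruption.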
|
|
said by VirtualLarry:
In the end though, it all codes down to one major thing - code quality, especially with an eye towards security, something that MS has never seemed to have until perhaps recently.
Could the fact that MS now owns an anti-virus product have anything to do with this (too little, too late) shift towards more security awareness (SP2)? In other words, are we going to see antivirus code in the next SP? bugfree
|
|
to ConfuciusIam
dangerous~~
|
|
Apparently more dangerous exploits of the JPEG vulnerability are surfacing. The SANS - Internet Storm Center Handlers Diary for September 22nd » isc.sans.org/index.php includes the following:

MS04-028 PoCs and Exploits released

Today another exploit for MS04-028, regarding the JPG, was publicly released. This one will open a command prompt on your machine. The first PoC (proof-of-concept) released some days ago is already detected by some AV vendors. According to the free service VirusTotal, Symantec, Trend, Kaspersky and McAfee detect the malformed JPEG headers. So, if you run updated versions, you should be safe. On the other hand, if we are seeing exploits opening command prompts, something worse is on its way...
|
|
to ConfuciusIam
# MS04-028 Exploit PoC II with Shellcode: CreateUser X in Administrators Group
#
# Tested on:
# WinXP Professional English SP1 - GDIPLUS.DLL version 5.1.3097.0
# WinXP Professional Italian SP1 - GDIPLUS.DLL version 5.1.3101.0
# (SP2 is not vulnerable, don't waste your time trying this exploit on it!)
#
# Usage:
# first, replace the "\xCC" = INT3 instruction at beginning of shellcode
# second, choose a right ret address for GDI+ DLL and WinXP version
# then, create crafted JPEG with: sh ms04-028.sh > img.jpg
#
# Created by:
# Elia Florio
# (heap overflow study purpose, not for lamerz, not for script-kiddie)
#
# Thanx to:
# jerome.athias
# metasploit.org
# idefense
# full-disclosure list
|
kaspersky2, to ConfuciusIam
A NEW VIRUS WILL BREAK OUT??? :D
|
to Link Logger
A recent Paul Thurrott article provides some additional information about SP2 DEP that may add to our understanding of DEP on 32-bit and 64-bit platforms. The following is from "Windows XP Pro x64 Data Protection Features" at » www.windowsitpro.com/Art ··· Security

Data Execution Prevention

XP Pro x64 supports the data execution prevention (DEP) technologies that Microsoft developed for XP SP2, but the XP Pro x64 version has some pretty significant differences. DEP helps protect against software-based attacks by intercepting attempts to execute code in memory that's marked for data only. It can be an effective prevention against the common buffer overrun-type attacks that are so prevalent today. In 32-bit versions of XP SP2, DEP is a purely software-based technology because current 32-bit microprocessors don't support this feature, although future versions likely will. However, 64-bit chips, such as those based on the AMD64 processor (AMD Athlon 64 and AMD Opteron) and on the Intel Extended Memory 64 Technology (EM64T--new Xeon and Pentium 4 designs), do support DEP. On these 64-bit systems, XP Pro x64 interacts with unique hardware features of each platform--the no execute (NX) page protection feature on AMD64 and the Execute Disable feature on EM64T--to raise an exception when software attempts to execute code improperly. The result is a more stable and secure operating environment.

Microsoft originally intended for 32-bit versions of XP SP2 to ship with the software-based DEP feature enabled by default. However, during SP2 testing, the company discovered that far too many legitimate applications were triggering DEP exceptions. To the user, a DEP exception can be quite jarring: You receive a DEP alert that informs you that Windows has closed the offending program to protect you from potential harm. However, you can click Change Settings to add that program to a list of DEP exceptions (i.e., programs that will no longer be protected by DEP).
Because these alerts were so annoying to testers, Microsoft opted to turn off DEP for non-OS applications in 32-bit versions of XP SP2.
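As an added example (my own code, not from the thread or from the article quoted above), the following shows what the NX / Execute Disable page bit that hardware DEP relies on does at the instruction level: it writes a single return instruction into a page mapped read/write only and calls it, then repeats with the page marked executable. It generalises beyond the Windows XP setting of the post: it is written for Linux (POSIX mmap/mprotect with a SIGSEGV handler) on x86 or AArch64 and assumes the kernel enforces NX; the Windows equivalents would be VirtualAlloc/VirtualProtect and a structured exception handler. The instruction bytes, result codes and helper names are mine.

```c
/* Added example, not code from the thread or the quoted article. Demonstrates
 * the page-level NX / Execute Disable check behind hardware DEP on Linux
 * (x86 or AArch64 assumed). Windows equivalents: VirtualAlloc/VirtualProtect
 * and a structured exception handler instead of sigaction. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { EXEC_RAN = 1, EXEC_BLOCKED = 2, EXEC_ERROR = -1 };

static sigjmp_buf recover_point;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(recover_point, 1);      /* unwind out of the faulting call */
}

/* Map one anonymous page, store a single "ret" instruction in it as ordinary
 * data, optionally flip the page to read+execute, and call into it.
 * Returns EXEC_RAN if the CPU executed the instruction, EXEC_BLOCKED if the
 * attempt raised SIGSEGV/SIGBUS (the fault DEP reports as a data-execution
 * violation), EXEC_ERROR if the mapping could not be set up. */
int try_exec_from_page(int executable)
{
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_insn[] = { 0xC3 };                    /* ret */
#elif defined(__aarch64__)
    static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret */
#else
#error "this example covers x86 and AArch64 only"
#endif
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    struct sigaction sa, old_segv, old_bus;
    void (*fn)(void);
    int result;
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return EXEC_ERROR;

    memcpy(page, ret_insn, sizeof ret_insn);           /* code written as data */
    if (executable && mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);                          /* e.g. execmem denied by policy */
        return EXEC_ERROR;
    }
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    memcpy(&fn, &page, sizeof fn);                     /* data pointer -> code pointer */
    if (sigsetjmp(recover_point, 1) == 0) {
        fn();                                          /* jump into the page */
        result = EXEC_RAN;
    } else {
        result = EXEC_BLOCKED;                         /* NX bit stopped the fetch */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

static const char *describe(int r)
{
    return r == EXEC_RAN ? "executed" : r == EXEC_BLOCKED ? "blocked (NX fault)" : "setup error";
}

int main(void)
{
    printf("read/write page:   %s\n", describe(try_exec_from_page(0)));
    printf("read/execute page: %s\n", describe(try_exec_from_page(1)));
    return 0;
}
```

On any machine with NX enforced, the read/write page is reported as blocked: that fault is exactly what SP2 turns into the "Windows has closed the offending program" alert, and why jdong notes that DEP terminates the process rather than keeping it alive. Making the page executable lets the same bytes run, which is the case DEP cannot help with. A hardened kernel or SELinux execmem policy may refuse the PROT_EXEC mprotect; the function then reports a setup error rather than a misleading result.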