ConfuciusIam (Premium Member, join:2004-01-28, Elmhurst, IL)

JPEG Exploit Proof of Concept?

At Link Removed --WCB! under an entry dated 9-15-04 there is an item MS04-028 PoC linking to CRASH-TEST.zip.

I am wondering if this is a working Proof of Concept of the Microsoft GDIPLUS.DLL vulnerability announced this week at »www.microsoft.com/techne ··· 028.mspx.

Has anyone investigated this yet? If it’s a working PoC, malware exploiting it might not be far off.

I would be interested in the experts' opinions.
IGGY9 (No Guru Just Here To Help, Premium Member, join:2001-03-30, Chatham, IL)

I just downloaded it - it opened the zip folder - nothing happened. I took the zip out of my temporary internet files folder - dropped it on the desktop - scanned with KAV 5.0 - no alert etc.

So unless I missed something, it didn't seem to do anything. I'm running XP Pro with SP2.

Opened in XP picture viewer - big red box was shown for a few seconds then it went to failed to draw.
Schouw (Premium Member, join:2003-05-29, Netherlands)

XP/SP2 isn't vulnerable itself.
Just tested with xp/sp0 and explorer.exe crashes on the file.

Perhaps something for a new heuristics record.
IGGY9 (No Guru Just Here To Help, Premium Member, join:2001-03-30, Chatham, IL)

Just confirmed that looking at the Microsoft link and here

»www.theinquirer.net/?art ··· le=18510

"HACKERS ARE swapping information online about the latest hole in Windows in the hope of getting a good exploit onto other people's computers before they install SP2."

So again it would seem that as long as you're running a properly patched machine, you have no need to worry. Interesting how that works. :)

Although the article at the end does state this.

"Although SP2 users might feel safe that they are fairly safe from the bug, they might still have a problem because other applications in their systems are not, Symantec said."

»www.desktoppipeline.com/47212215
psloss (Premium Member, join:2002-02-24) to ConfuciusIam

The link is from the Security.Nnov (Russia) website; attached screenshot shows what look like attempts to me. (The repeated 0x78 bytes in the lower pane and there was another "thing" on the website itself, in which the screenshot is just showing the comment)

...not sure this means much of anything. I'd be more surprised if people weren't trying to do this.

Philip Sloss
ecb12 (Member, join:2004-03-11, Columbia, MO) to ConfuciusIam

the exploit affects all the windows family (outlook, office, things like that) as well as the older versions of windows so even if you have sp2 you still should go do the windows update and/or the windows family (office) update.
ConfuciusIam (Premium Member, join:2004-01-28, Elmhurst, IL) to Schouw

said by Schouw:
XP/SP2 isn't vulnerable itself.
Just tested with xp/sp0 and explorer.exe crashes on the file.

Perhaps something for a new heuristics record.

Based on your testing with XP/SP0, the JPEG in CRASH-TEST.zip may be using the comment field buffer overflow to crash explorer.exe.

It seems that this might be a valid proof of concept, although a very basic one. (A more advanced PoC might do something beyond crashing explorer.exe such as displaying a message or creating a new file such as "infectedbygdiplus.txt".)

Considering that infection may possibly occur when an infected jpeg is viewed in IE or previewed in Outlook, I'm wondering what impact this vulnerability will have on the millions of unpatched PCs?
IGGY9 (No Guru Just Here To Help, Premium Member, join:2001-03-30, Chatham, IL)


"Two years ago anti-virus company McAfee got into trouble for claiming that the W32/Perrun virus could infect image files, when in fact it required a separate piece of viral code in order to spread.

But now Microsoft has released details of a major problem the GDI+ graphics system which has turned the story into a rather unpleasant reality.

As a result, millions of net users could find their machines compromised just because they visit the wrong website or look at the wrong e-mail, since a carefully constructed Jpeg image file could be carrying a virus which will infect them."

»news.bbc.co.uk/1/hi/tech ··· 6702.stm

»Taking computer insecurity seriously

Newest Microsoft Hole Ripe for Attack: Patch Now!

»blogs.pcworld.com/staffb ··· 221.html

Anon users (Anon, @qc.sympatico.ca)


I just read from »blogs.pcworld.com/staffb ··· 221.html that Photoshop, ACDsee and RSS reader are also vulnerable?!

Is that true? I checked their official forums, nothing was mentioned...Anybody

Thx.

Martinus (Premium Member, join:2001-08-06, EU) to Schouw

Look what the cat dragged in

Clicked on the CRASH-TEST.zip file and the pig squeal came out right away. KAV 4.5, x-bases.

Cho Baka (MVM, join:2000-11-23, there) to ConfuciusIam

If this is a buffer overflow vulnerability, does that mean a system running NX (a64 + sp2) is safe?
ConfuciusIam (Premium Member, join:2004-01-28, Elmhurst, IL)

said by Cho Baka:
If this is a buffer overflow vulnerability, does that mean a system running NX (a64 + sp2) is safe?

That's a good question.

XP/SP2 itself should not be vulnerable for two reasons: first SP2 contains an updated gdiplus.dll that is not vulnerable, and secondly, at least in theory, NX plus DEP in SP2 should protect against buffer overflows.

However, XP/SP2 running unpatched versions of Office XP and Office 2003 as well as Microsoft developer and home productivity tools is potentially vulnerable if the unpatched apps are used to access an infected JPEG. However, at least in theory, NX plus SP2 should provide protection in this situation also as long as DEP has not been disabled for the vulnerable apps.

Is there anyone on this forum running an unpatched Microsoft app on Athlon 64 with SP2 who could test this for us?

Also, below is some detail on the technical nature of the vulnerability from »lists.seifried.org/piper ··· 765.html

JPEG Comment sections (COM) allow for the embedding of comment data
into a JPEG image. COM sections are marked beginning with 0xFFFE
followed by a 16 bit unsigned integer in network byte order giving
the total comment length + the 2 bytes for the length field; a
single JPEG COM section could therefore contain 65533 bytes of
invisible data (invisible in the sense that it's not rendered as
part of the image). Because the JPEG COM field length variable is 2
bytes wide, and itself is included in the length value, the minimum
value for this field is 2, this implies an empty comment. If the
comment length value is set to 1 or 0, a buffer overflow occurs
overwriting heap management structures.

The problem is GDIPlus normalizes the COM length prior to checking
its value; a starting length of 0 becomes -2 after normalization
(0xFFFE unsigned), this value is converted to the 32 bit value
0xFFFFFFFE and is eventually passed on to memcpy which attempts to
copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap
management structures are left in an inconsistent state with
execution eventually reaching heap unlink instructions within
RTLFreeHeap with EAX pointing to a pointer to data we control and we
have direct control of EDX.

bcool (Premium Member, join:2000-08-25)

Sorry to insert a silly question here. But -

1.) If I'm running WINXP SP1 and patched it with WindowsXP-KB833987-x86-ENU.EXE
I should expect that IE6SP1 was patched at the same time, right? I was a little confused when in the MS bulletin I see under "Affected Components" a separate link for Internet Explorer 6 Service Pack 1. But this appears to be a separate patch for IE6SP1 in WIN98, WIN98SE, etc. but not WINXP.

2.) I also patched MSOffice XP separately. No problem.

Now all I have to worry about is my older ACDsee ver4.x.

WhoAmI2 (Anon, @insightBB.com) to IGGY9

JPEG virus (speculation & hysteria, September 2004)

»vmyths.com/hoax.cfm?id=95&page=3

Cho Baka (MVM, join:2000-11-23, there) to ConfuciusIam

I just spent a bit of time looking at www.amd.com to try and find out about NX (new name: DEP (Microsoft)). It seems that SP2 is required for this processor to allow this function to operate.
There is some info in this document:
»www.amd.com/us-en/assets ··· _(2).pdf
For a quick read scroll to page 5-6 to get an idea of what DEP is.

jdong (Eat A Beaver, Save A Tree., Premium Member, join:2002-07-09, Rochester, MI) to Cho Baka

said by Cho Baka:
If this is a buffer overflow vulnerability, does that mean a system running NX (a64 + sp2) is safe?

NX, per default settings in SP2 final, will not protect explorer.exe. Microsoft left DEP off except for critical system processes.

Even if DEP was on, Explorer still would be terminated (i.e. Illegal Operation), which is annoying enough.

yesac81 (Anon, @224.xx.220.dsl.comin)

the question is does NX protect against buffer underflows? the vulnerability that is potentially exploited here is an underflow rather than an overflow. same thing happened with the lsass vuln patched by ms04-011, it wasn't an overflow either.

hangovers from blaster, i spose...
kpatz (MY HEAD A SPLODE, Premium Member, join:2003-06-13, Manchester, NH)

Overflow, underflow, the only difference is which end of the buffer gets overwritten. In theory, NX should protect from either, if there is executable code prior to the buffer address.

jdong (Eat A Beaver, Save A Tree., Premium Member, join:2002-07-09, Rochester, MI) to ConfuciusIam

NX will protect buffer exploits from overwriting other apps' RAM, but will not magically keep a misbehaving program alive!
ConfuciusIam (Premium Member, join:2004-01-28, Elmhurst, IL) to Cho Baka

said by Cho Baka:
I just spent a bit of time looking at www.amd.com to try and find out about NX (new name: DEP (Microsoft)). It seems that SP2 is required for this processor to allow this function to operate.
There is some info in this document:
»www.amd.com/us-en/assets ··· _(2).pdf
For a quick read scroll to page 5-6 to get an idea of what DEP is.

Reading »www.microsoft.com/techne ··· mpr.mspx
having a processor that supports hardware DEP (aka NX) along with SP2 only protects you against SOME but NOT ALL buffer overflow / underflow conditions. For one thing, it seems that Microsoft only enabled DEP in some cases for compatibility reasons. It's definitely not a case of NX plus SP2 = safe from all buffer overrun exploits. It's more like NX plus SP2 will protect you from certain types of exploits, but you may still be vulnerable to other types of "overflow" exploits.

DEP is only active in certain cases and as jdong says by default is only turned on for some system processes.

Here is a link to simple instructions with screen capture illustrations to turn on DEP for all programs and services. Warning - reading the instructions is interesting, but personally I would not turn on DEP for all progs/svcs unless I had a reliable backup to restore from! Here is the link »open-node.net/archive/20 ··· 584.aspx

Here is a link to a 35 page AMD presentation on AMD64 Enhanced Virus Protection. It appears that there are a lot of technical details. I haven't had a chance to read it yet.
»www.amd.com/us-en/assets ··· inal.pdf

Link Logger (MVM, join:2001-03-29, Calgary, AB)

Microsoft I believe was unable to enable all of DEP as it would kill a pile of software products as they have either intended or more likely unintended overflow issues. Hopefully the idea was to let software developers know that this puppy is out there and is coming so they better test their apps and ensure that they will work properly with this technology.

This is going to cause a problem in the software development industry as now everyone has to upgrade at least some of their hardware to a level where there is hardware DEP functionality and review and fix some code which in itself is going to be an interesting revelation for some companies. In some cases you will have to stop using old unsupported code or products which contains these unintended but non-fatal overflows as they will be halted on a DEP enabled system.

Blake

jdong (Eat A Beaver, Save A Tree., Premium Member, join:2002-07-09, Rochester, MI)

said by Link Logger:
Microsoft I believe was unable to enable all of DEP as it would kill a pile of software products as they have either intended or more likely unintended overflow issues. Hopefully the idea was to let software developers know that this puppy is out there and is coming so they better test their apps and ensure that they will work properly with this technology.

Most AV's break, Ad-aware breaks, Office 2003 had trouble installing in SP2 beta, the list goes on.
VirtualLarry (Premium Member, join:2003-08-01) to yesac81

said by yesac81:
the question is does NX protect against buffer underflows? the vulnerability that is potentially exploited here is an underflow rather than an overflow. same thing happened with the lsass vuln patched by ms04-011, it wasn't an overflow either.
hangovers from blaster, i spose...
What are you talking about? Of course this is a buffer overflow attack. There is no such thing as a buffer "underflow"/"underrun" attack.

A numeric field in the file-format that contains the length of the comment is set to a number that is in fact lower than the shortest possible comment field, so when the GDI+ library processes it, it subtracts two from the number, leading to -2, which in hexadecimal is 0xFFFE, which somewhere in the code gets sign-extended to a 32-bit value, 0xFFFFFFFE, and then passed to a memory-allocation routine as an unsigned value, which tries to allocate 4GB-2 of RAM, obviously fails, and then the code starts to scribble-over stuff in the heap, because it doesn't check for an error in the memory-allocation.

It's sloppy code, pure and simple, that doesn't rigorously check for error conditions along the way, in order to properly and safely validate the file-format data it is receiving. This type of sloppy coding is all too common in MS software, and is exactly the type of thing that leads to exploits further down the line. When you are a programmer, "in the trenches", and you have to produce working functionality by a deadline, and are not tested on the basis of the security of those features, this is what happens. We've seen exploits in the past for nearly all of the various additional shell add-on features for Windows XP, and this is, IMHO, no different.

I question whether this code was ever singly- and doubly- code-reviewed at all - unlike the Mozilla development process, which requires both an +r (review) and +sr (super-review), in order to be accepted into the source-code tree.

The fact is, the quality of the software-development process itself, is higher with Mozilla than with 95% of Microsoft software, IMHO. So many people don't seem to understand this, and think blindly that IE and other MS software is more vulnerable, simply because it is more popular or has greater market share. In the end though, it all comes down to one major thing - code quality, especially with an eye towards security, something that MS has never seemed to have until perhaps recently.

Edit: According to the description that ConfuciusIam posted, it's actually the memcpy() routine that gets called, not a memory-allocation routine, that overwrites heap structures or something - that's actually worse, even.
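The two descriptions above (the seifried.org text ConfuciusIam quoted, and VirtualLarry's walk-through of the -2 / 0xFFFE / 0xFFFFFFFE arithmetic) are easiest to follow with a small checker. The following is an added example, not code from this thread, from the seifried.org list, from eEye or from GDI+ itself: it walks a JPEG's marker segments, reports every COM (0xFFFE) segment, flags a declared length of 0 or 1 as malformed (the length field counts its own two bytes, so 2 is the smallest legal value), and models the described "subtract 2, wrap in 16 bits, sign-extend to 32 bits" arithmetic to show what copy length that produces. The function names, the constructed sample files and the `normalized_copy_length` model are my own assumptions about the behaviour as the posts describe it, written from a detection standpoint.

```python
import struct
from typing import List, Optional

# Constructed sample data (not taken from CRASH-TEST.zip or any real file):
# a bare marker skeleton with no image payload, enough for the walker below.
# Real JPEGs carry APPn/DQT/SOF/DHT segments before SOS; the walker treats
# them the same way, by reading each segment's 16-bit big-endian length.

SOI, EOI, COM, SOS = 0xD8, 0xD9, 0xFE, 0xDA


def _segment(marker: int, payload: bytes, length_override: Optional[int] = None) -> bytes:
    """Build one segment: FF <marker> <len16 big-endian> <payload>.
    length_override lets the sample deliberately declare a bad length."""
    length = len(payload) + 2 if length_override is None else length_override
    return bytes([0xFF, marker]) + struct.pack(">H", length) + payload


GOOD_JPEG = (b"\xff\xd8"
             + _segment(COM, b"hello")                      # declared length 7 = 2 + 5
             + _segment(SOS, b"")
             + b"\xff\xd9")

BAD_JPEG = (b"\xff\xd8"
            + _segment(COM, b"hello", length_override=0)    # the condition the posts describe
            + _segment(SOS, b"")
            + b"\xff\xd9")


def scan_com_segments(data: bytes) -> List[dict]:
    """Walk the marker segments before SOS and report every COM segment.
    A COM length below 2 cannot occur in a well-formed file, because the
    length field includes itself; such a segment is flagged as malformed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte, skip it
            pos += 1
            continue
        if marker in (SOI, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                           # stand-alone markers carry no length
            continue
        if marker == EOI:
            break
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == COM:
            findings.append({"offset": pos, "declared_length": length,
                             "malformed": length < 2})
        if length < 2:
            break                              # the length cannot be trusted to advance the walk
        if marker == SOS:
            break                              # entropy-coded data follows; no more headers
        pos += 2 + length
    return findings


def normalized_copy_length(declared_length: int) -> int:
    """Model of the arithmetic the posts describe (an assumption about the
    described behaviour, not GDI+'s actual code): subtract 2 from the 16-bit
    length before validating it, let the result wrap in 16 bits, then
    sign-extend it to the 32-bit value handed to memcpy."""
    wrapped16 = (declared_length - 2) & 0xFFFF
    if wrapped16 & 0x8000:
        return wrapped16 | 0xFFFF0000
    return wrapped16


def is_suspect(data: bytes) -> bool:
    """True if any COM segment declares a length of 0 or 1."""
    return any(f["malformed"] for f in scan_com_segments(data))


if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        for f in scan_com_segments(blob):
            print(name, f, "copy length after normalization:",
                  hex(normalized_copy_length(f["declared_length"])))
```

Run against the constructed samples, the good file reports a single COM segment of declared length 7 (copy length 5 after subtracting the field itself), while the bad file reports a COM segment of declared length 0 that normalizes to 0xFFFFFFFE, the ~4 GB copy length the quoted text describes. A checker of this shape is what the AV signatures mentioned later in the thread amount to: validate the length field before trusting it, and stop walking the file once an impossible value appears.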

bugfree9 (Member, join:2004-03-30, UK)

said by VirtualLarry:

In the end though, it all comes down to one major thing - code quality, especially with an eye towards security, something that MS has never seemed to have until perhaps recently.
Could the fact that MS now owns an anti virus product have anything to do with this (too late too little) shift towards more security awareness (SP2)?
In other words are we going to see antivirus code in the next SP?

bugfree

kaspersky2 (Member, join:2004-02-14, China) to ConfuciusIam

dangerous~~
ConfuciusIam (Premium Member, join:2004-01-28, Elmhurst, IL)

Apparently more dangerous exploits of the JPEG vulnerability are surfacing.

The SANS - Internet Storm Center Handlers Diary for September 22nd »isc.sans.org/index.php includes the following:

MS04-028 PoCs and Exploits released

Today another exploit for the MS04-28, regarding the JPG, was publicly released. This one will open a command prompt in your machine.

The first PoC (proof-of-concept) released some days ago is already detected by some AV vendors.
According to the free service VirusTotal, Symantec, Trend, Kaspersky and McAfee detect the malformed jpeg headers. So, if you run updated versions, you should be safe.

On the other hand, if we are seeing exploits opening command prompts, something worse is on its way...

kaspersky2 (Member, join:2004-02-14, China) to ConfuciusIam

# MS04-028 Exploit PoC II with Shellcode: CreateUser X in Administrators Group
#
# Tested on:
# WinXP Professional English SP1 - GDIPLUS.DLL version 5.1.3097.0
# WinXP Professional Italian SP1 - GDIPLUS.DLL version 5.1.3101.0
# (SP2 is not vulnerable, don't waste your time trying this exploit on it!)
#
# Usage:
# first, replace the "\xCC" = INT3 instruction at beginning of shellcode
# second, choose a right ret address for GDI+ DLL and WinXP version
# then, create crafted JPEG with: sh ms04-028.sh > img.jpg
#
# Created by:
# Elia Florio
# (heap overflow study purpose, not for lamerz, not for script-kiddie)
#
# Thanx to:
# jerome.athias
# metasploit.org
# idefense
# full-disclosure list

kaspersky2 (Member, join:2004-02-14, China) to ConfuciusIam

A NEW VIRUS WILL BREAK OUT???

:D
ConfuciusIam (Premium Member, join:2004-01-28, Elmhurst, IL) to Link Logger

A recent Paul Thurrott article provides some additional information about SP2 DEP that may add to our understanding of DEP on 32-bit and 64-bit platforms.

The following is from "Windows XP Pro x64 Data Protection Features" at »www.windowsitpro.com/Art ··· Security

Data Execution Prevention

XP Pro x64 supports the data execution prevention (DEP) technologies that Microsoft developed for XP SP2, but the XP Pro x64 version has some pretty significant differences. DEP helps protect against software-based attacks by intercepting attempts to execute code in memory that's marked for data only. It can be an effective prevention against the common buffer overrun-type attacks that are so prevalent today.

In 32-bit versions of XP SP2, DEP is a purely software-based technology because current 32-bit microprocessors don't support this feature, although future versions likely will. However, 64-bit chips, such as those based on the AMD64 processor (AMD Athlon 64 and AMD Opteron) and on the Intel Extended Memory 64 Technology (EM64T--new Xeon and Pentium 4 designs), do support DEP. On these 64-bit systems, XP Pro x64 interacts with unique hardware features of each platform--the no execute (NX) page protection feature on AMD64 and the Execute Disable feature on EM64T--to raise an exception when software attempts to execute code improperly. The result is a more stable and secure operating environment.

Microsoft originally intended for 32-bit versions of XP SP2 to ship with the software-based DEP feature enabled by default. However, during SP2 testing, the company discovered that far too many legitimate applications were triggering DEP exceptions. To the user, a DEP exception can be quite jarring: You receive a DEP alert that informs you that Windows has closed the offending program to protect you from potential harm. However, you can click Change Settings to add that program to a list of DEP exceptions (i.e., programs that will no longer be protected by DEP).

Because these alerts were so annoying to testers, Microsoft opted to turn off DEP for non-OS applications in 32-bit versions of XP SP2.