Wednesday, October 14, 2009

Windows GDI+ TIFF memory corruption

There is a memory corruption vulnerability in TIFF file processing in Microsoft GDI+ that can be used to crash a vulnerable application and also to execute arbitrary code.

The vulnerability

The vulnerability is caused due to errors in decompression of CCITT G4 compressed TIFF images.
CCITT compression is basically a RLE (Run Length Encoding) compression of 2-color (black/white) images where run lengths of black and white pixels are encoded using variable number of bits. In the first step of decoding process run-lengths are determined and are stored in a buffer of the same length as image width located on heap. After this process the values inside the buffer are interpreted as

[white-run-length][black-run-length][white-run-length][black-run-length]...

The process of filling the above buffer continues until the sum of all run-lengths already written in the buffer is smaller than the image width.The vulnerability stems from the fact that, by the encoding mechanism, a 0-run length is completely valid. Thus, if we specify multiple run-lengths of zero pixels at the beginning of the image row, we can escape the buffer boundaries and write arbitrary value after the end of the buffer.

Impact

This vulnerability can be used to run arbitrary code when an application using GDI+ is used to open a malformed TIF file. The code will be run with the privilages of the vulnerable application.

PoC

Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.

References

http://www.zerodayinitiative.com/advisories/ZDI-09-072/
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2503

2 comments: