Wednesday, October 14, 2009

Windows GDI+ TIFF memory corruption

There is a memory corruption vulnerability in TIFF file processing in Microsoft GDI+ that can be used to crash a vulnerable application and also to execute arbitrary code.

The vulnerability

The vulnerability is caused due to errors in decompression of CCITT G4 compressed TIFF images.
CCITT compression is basically a RLE (Run Length Encoding) compression of 2-color (black/white) images where run lengths of black and white pixels are encoded using variable number of bits. In the first step of decoding process run-lengths are determined and are stored in a buffer of the same length as image width located on heap. After this process the values inside the buffer are interpreted as

[white-run-length][black-run-length][white-run-length][black-run-length]...

The process of filling the above buffer continues until the sum of all run-lengths already written in the buffer is smaller than the image width.The vulnerability stems from the fact that, by the encoding mechanism, a 0-run length is completely valid. Thus, if we specify multiple run-lengths of zero pixels at the beginning of the image row, we can escape the buffer boundaries and write arbitrary value after the end of the buffer.

Impact

This vulnerability can be used to run arbitrary code when an application using GDI+ is used to open a malformed TIF file. The code will be run with the privilages of the vulnerable application.

PoC

Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.

References

http://www.zerodayinitiative.com/advisories/ZDI-09-072/
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2503

Windows Media Audio Voice remote code execution

There is a vulnerability in Windows Media Audio Voice decoder distributed with Windows Media Player that allows remote code execution by opening a specially crafted web page.

The vulnerability

The cause of the vulnerability is a bound checking error in the code used to decompress Windows Media Audio Voice compressed audio files (located in wmspdmod.dll). Namely, the vulnerability is caused by not properly sanitizing the audio sample rate information contained in the .wma voice file.The maximum allowed sample rate for .wma voie files is 22050 Hz. However, it can be set as high as 96000 Hz (the maximum for any .wma file) without being rejected.By setting the sample rate in .wma voice file between 22050 Hz and 96000 Hz, the attacker can corrupt memory on stack or (indirectly) on heap of the vulnerable process.

Impact

This vulnerability can be used to achieve remote code execution by tricking the victim into opening an attacker-controlled web page. This can be done by specifying a malformed .wma file as a webpage background sound (bgsound tags) or by embedding windows media player in a web page (embed tags). This attack works with multiple browsers (tested on Internet Explorer 6, Internet Explorer 7 and Mozilla Firefox 2 under Windows XP, other browsers and Windows version are affected as well).

PoC

Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.

References

http://www.zerodayinitiative.com/advisories/ZDI-09-069/
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0555