SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE) Vendors:  Microsoft
Microsoft Internet Explorer (IE) JPEG Rendering Bugs Let Remote Users Deny Service or Execute Arbitrary Code
SecurityTracker Alert ID:  1014500
SecurityTracker URL:  http://securitytracker.com/id?1014500
CVE Reference:  CAN-2005-1988   (Links to External Site)
Updated:  Aug 10 2005
Original Entry Date:  Jul 17 2005
Impact:  Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 6.0.2800.1106 (and prior versions)
Description:  Several vulnerabilities were reported in Microsoft Internet Explorer (IE) in the parsing of images. A remote user can cause denial of service conditions or cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted JPEG image that, when loaded by IE, will cause the target user's browser to crash.

Some demonstration exploit examples are available at:

http://lcamtuf.coredump.cx/crash/

The report indicates that in some cases, the image rendering code makes unbounded, user-affected memory accesses. This may allow for code execution.

Michal Zalewski reported this vulnerability.
Impact:  A remote user can cause the target user's browser to crash or execute arbitrary code with the privileges of the target user.
Solution:  The vendor has issued the following fixes as part of a cumulative update:

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=194E0EE7-919C-4A8B-AD8D-01A4FE771942

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId= 68300B15-1CF9-45FB-875E-2EF6D2FBC9ED

Internet Explorer 6 for Microsoft Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=648B6F0E- 1695-44E5-826A-43406DF4858E

Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0B96EC3-E954-423A-9AB0-5712B9F14637

Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:

http://www.microsoft.com/downloads/details.aspx?Fam ilyId=C24D3738-213A-41B8-84A3-2842B34D7B10

Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition:

http://www.microsoft.com/downloads/details.aspx?Family Id=F2D544E7-33F5-4A65-A574-15495B05B883

Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition:

http://www.microsoft.com/downloads/details.aspx?Famil yId=1181BC67-0A1D-4A06-99AC-5B2BC6DFE0F6

A restart is required.
Vendor URL:  www.microsoft.com/technet/security/Bulletin/MS05-038.mspx (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)
Underlying OS Comments:  2000 SP4, XP SP2 and prior service packs, 2003 SP1 and prior service packs; Tested on Windows XP SP2
Reported By:  Michal Zalewski <lcamtuf@dione.ids.pl>
Message History:   None.

 Source Message Contents
Date:  Fri, 15 Jul 2005 17:32:35 +0200 (CEST)
From:  Michal Zalewski <lcamtuf@dione.ids.pl>
Subject:  Compromising pictures of Microsoft Internet Explorer!

 

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

---1009447796-1606422298-1121296252=:15236
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.58.0507140110561.15236@dione>

Synopsis:
---------

  Well, not really. Instead, at the risk of boring you to death, I'd like
  to report on a casual 30-minute experiment I've conducted of recent.
  This experiment resulted in identifying a potential remote code
  execution path in Microsoft Internet Explorer, plus some other bugs, and
  should be a good starting point for further testing of other browsers or
  similar programs.

Discussion:
-----------

  You might remember the 'mangleme' affair, where various browsers were
  subjected by yours truly to a trivially constructed malformed HTML
  crash-course - all that in order to find exploitable input handling flaws.
  Back then, MSIE performed admirably compared to other browsers (although
  did not escape some embarassment when ned@felinemenace found the
  infamous IFRAME bug that way):

    http://lcamtuf.coredump.cx/mangleme/gallery/

  Of recent, I decided to try something completely different and radically
  new, without having to do any actual work. I used the same META REFRESH
  auto-test framework to check for image decompression and parsing flaws
  (JPEG, GIF, PNG), as opposed to making fun of HTML renderers.

  I used a simple index.cgi script (attached, though hardly noteworthy) to
  dynamically generate a page that references ten just as dynamically
  created images. These images were prepared by running a test set of
  pictures (some regular ones, and several pathological cases created with
  ImageMagick) through a slightly modified version of my old afx utility.

  Surprisingly, it is MSIE and its proprietary JPEG decoder (apparently
  not shared with other Windows components?) that performed embarassingly
  poor this time. Results below.

Vulnerability examples:
-----------------------

  NOTE #1: As with mangleme, this list of problems is most certainly NOT
  exhaustive, and performing longer tests or improving the technique
  would most likely result in additional findings.

  Several MSIE crash sample files from that 30-minute run are available
  at:

    http://lcamtuf.coredump.cx/crash/

  Note that these may produce different results depending on program
  versions, plugins and configuration. Tested with WinXP Pro PL
  2600.xpsp2.050301-1526 SP1, MSIE PL 6.0.2800.1106, up-to-date.

  mov_fencepost.jpg - on most platforms, causes a crash due to mov
    destination fencepost error after going past allocated memory, or
    after accessing a bogus address such as 0x27272727. The destination
    address appears to be controllable (i.e. changing the file or
    displaying other data before or along with this image alters it).
    My bets are that this is exploitable for remote execution.

  cmp_fencepost.jpg - here, causes a crash due to a very similar cmp
    fencepost (no write). Not necessarily exploitable for remote code
    execution, unless code execution path can be affected later on.

  oom_dos.jpg - usually causes a OOM crash. Less interesting, unless
    you like to punish people who borrow your pictures for their blogs.

  random.jpg - causes mov fencepost of CPU consumption + crash. Didn't
    investigate in much detail.

  NOTE #2: MSIE comes with no sources, and reverse engineering is naughty.
  I didn't examine the renderer to see what went wrong; I see unbounded,
  user-dependent memory accesses, and that spells trouble.

Vendor notification:
--------------------

  It is my experience that reporting and discussing security problems with
  Microsoft is a needlessly lengthy process that puts too much burden and
  effort on the researcher's end, especially if you just have a crash
  case, not a working exploit; hence, they did not get an advance notice.

Bonus (OT)
----------

  Since piggyback request smuggling and fooling proxies and filters is a
  popular new pastime, some of you might find it entertaining to have a
  look at how various applications differ in handling duplicate instances
  of HTTP/SMTP message/NNTP headers that are, in common perception,
  "supposed to" occur only once.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2005-07-14 00:29 --

      http://lcamtuf.coredump.cx/silence/
---1009447796-1606422298-1121296252=:15236
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="index.cgi"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.58.0507140110520.15236@dione>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="index.cgi"

IyEvYmluL2Jhc2gNCg0KZWNobyAiQ29udGVudC1UeXBlOiB0ZXh0L2h0bWwi
DQplY2hvDQoNCklEPSJ0aW1nLSQkLSRSQU5ET00tJFJBTkRPTSINCg0Kcm0g
LWYgdGltZy0qIEFGWC5sb2cNCg0KY2F0IDw8X0VPRl8NCjxIVE1MPg0KPEhF
QUQ+DQo8TUVUQSBIVFRQLUVRVUlWPSJSZWZyZXNoIiBjb250ZW50PSIwO1VS
TD0vIj4NCjwvSEVBRD4NCjxCT0RZPg0KX0VPRl8NCg0KQ05UPTANCg0KZm9y
IGkgaW4gaW1nLyo7IGRvDQogIENOVD0iJFtDTlQrMV0iDQogIEZOQU09IiRJ
RC0kQ05UIg0KICBFWFQ9YGVjaG8gJGkgfCBjdXQgLWQuIC1mMmANCiAgLi9h
ZngtbG9jIC1wIDEgLWkgMTAwIC1tIFJBTkRPTSAtcyA2MDAwMCA8JGkgMj4k
Rk5BTS4kRVhUID4+QUZYLmxvZw0KICBlY2hvICJUZXN0ICRDTlQgLSA8SU1H
IFNSQz1cIiRGTkFNLiRFWFRcIj48QlI+Ig0KZG9uZQ0KDQo=

---1009447796-1606422298-1121296252=:15236--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC