Code to exploit Windows graphics flaw now public
Page 1 of 3 123 LastLast
Results 1 to 10 of 25

Thread: Code to exploit Windows graphics flaw now public

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Code to exploit Windows graphics flaw now public

    A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software.

    Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file.

    "Within days, you'll likely see (attacks) using this code as a basis," said Vincent Weafer, senior director of security response for antivirus-software company Symantec. "This is dangerous in a sense that everyone processes JPEG files to some degree."

    The program is the latest example of "exploit code," a sample that shows others how to create attack programs that can take advantage of a particular flaw. Such code preceded the Sasser worm by two days and the MSBlast worm by nine days.

    The critical flaw the program exploits has to do with how Microsoft's operating systems and other software process the widely used JPEG image format. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has JPEG images.

    The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of the applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

    Users can download the patches from Microsoft's Windows Update and Office Update servers. In addition, the software giant has made available online programs that scan for vulnerable software and patch it.

    Symantec and other antivirus companies have released updates for their software to detect graphics being used in attempts to exploit the flaw.
    http://news.zdnet.com/2100-1009_22-5378260.html

    That was freaking fast! 8 Days for a exploit code to be release for a flaw that important! I except a MAJOR worm soon!
    -Simon \"SDK\"

  2. #2
    Banned
    Join Date
    Apr 2004
    Posts
    843
    The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of the applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.
    This and that product... blah blah blah... As soon as I had heard about this awhile back, I thought there was no way it could effect that amount of software unless they all used the same dynamic link library files or something of the sort. And it looks like I was about right... what is actually flawed was a graphics device interface, all of these programs use the same API most likely.

    The majority of reports I've seen are about as vague as descriptions in an MS critical update, which are usually along the lines of "download to stop a buffer overflow in our software which may crash and cause DoS effects or allows remote attackers access".

  3. #3

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Mitigating factors for JPEG Vulnerability - CAN-2004-0200:

    An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

    The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.

    In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

    Windows XP, Window XP Service Pack 1, and Windows Server 2003 are the only operating systems that contain the vulnerable component by default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000, and Windows XP Service Pack 2 are not vulnerable to this issue. However, the vulnerable component will be installed by any of the programs listed in the affected software section of this bulletin on these operating systems and you should install the appropriate security update for those programs.
    From here

    As is my want in situations where new exploit code becomes available my first instinct is to determine the attack vector in order to determine a method of mitigation within my network.

    In this case the most likely vector will be good old email. Yes the possibility is there for using web sites to exploit the users but web sites will be quickly closed down when the exploit code is found there. I will be blocking jpg and jpeg files in email at the firewall for a while at least and for the web based attack the bleeding snort rules are as follows:-

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established; content:"Content-Type\: image/jpeg"; content:"|FF FE 00 00|"; classtype:attempted-user; sid:200326; rev:1;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established; content:"Content-Type\: image/jpeg"; content:"|FF FE 00 01|"; classtype:attempted-user;sid:2001327; rev:1;)

    These rules search for the malformed header of the file and warn. Note that these rules are limited to web as a vector and you need to make sure that your snort conf file variable $HTTP_PORTS is set for all the HTTP ports you allow your users to connect to. (I only allow port 80 since web based email is usually "shovelled" off onto 8000, 8080 etc.

    Good luck peeps..... :eek:
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604

    GDIplus

    The vulnerable componet is GDIplus.dll - the GDI graphics interface, unfortunately this .dll comes packaged with many diffrent apps and each app may use its own version of the library. In some cases replacing the .dll with a non-vulnerable version can break the app, and MS has said it will only support patching the component for software which is presently supported by MS. A list of the supported apps and their patches can be found here:

    http://www.microsoft.com/technet/sec.../ms04-028.mspx

    For those admins who would like to be able to locate this library on their machines there is a GDI Reporting Utility for locating the vulnerable library. I have attached the utility Version 1.1.0.0 - 09/22/2004


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Snort Sigs Update

    Three rules have been placed on the Snort Sigs, (rather than Bleeding Edge).

    They should prove to be more accurate.

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,http://www.microsoft.com/security/bu...409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:2;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:1;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,http://www.microsoft.com/security/bu...409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:1;)
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    A tool has been released by Tom Liston of ISC that scans for vulnerable files.
    http://isc.sans.org/gdiscan.php
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  8. #8
    Member
    Join Date
    Sep 2003
    Posts
    42
    Got the tool and gave it a try. I detected the vulnerable .dll's. I have a question about one of them.

    This one:
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.100.0_x-ww_0D1F9F94\GdiPlus.dll
    Version: 5.2.3790.0 <-- Vulnerable version

    What is this one for and what do you need to update to fix it. I can't figure what this folder relates to. The rest of the .dll's make sense.

    Thanks

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Be cautious when you run the utilites that hogfly post because it might give you bad info.

    Scanning...
    C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\I386\ASMS\10100\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
    Version: 5.1.3101.0 <-- Vulnerable version
    C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
    Version: 10.0.6714.0
    C:\Program Files\Norton SystemWorks\Password Manager\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\Program Files\Symantec\Web Tools\GDIPlus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
    Version: 5.1.2600.1515
    C:\WINDOWS\ServicePackFiles\i386\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\system32\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    Version: 5.1.3101.0 <-- Vulnerable version
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
    Version: 5.1.3102.2180
    Scan Complete.
    Reading this, you would think I'm my windows is vulnerable but it's not. The first files are vulnerable because they are locate in the i386 directory of the installation CD that is one my hard drive, the next two vulnerable are from Norton Systemwork and last 2 are from WinSxs directory. WINSXS == > Windows Side-by-Side. Looking at the directory name, it's look also like old installation file.
    -Simon \"SDK\"

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think this is where a major problem will come from. Since they haven't patched office automatically in the past there are a million vulnerable systems out there from the office standpoint even though the OS and IE are patched.

    Look for the attackers to work this out and the major attack vector to be a word document or similar via email.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •