
Thread: Code to exploit Windows graphics flaw now public

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Code to exploit Windows graphics flaw now public

    A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software.

    Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file.

    "Within days, you'll likely see (attacks) using this code as a basis," said Vincent Weafer, senior director of security response for antivirus-software company Symantec. "This is dangerous in a sense that everyone processes JPEG files to some degree."

    The program is the latest example of "exploit code," a sample that shows others how to create attack programs that can take advantage of a particular flaw. Such code preceded the Sasser worm by two days and the MSBlast worm by nine days.

    The critical flaw the program exploits has to do with how Microsoft's operating systems and other software process the widely used JPEG image format. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has JPEG images.

    The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of the applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

    Users can download the patches from Microsoft's Windows Update and Office Update servers. In addition, the software giant has made available online programs that scan for vulnerable software and patch it.

    Symantec and other antivirus companies have released updates for their software to detect graphics being used in attempts to exploit the flaw.
    http://news.zdnet.com/2100-1009_22-5378260.html

    That was freaking fast! 8 days for exploit code to be released for a flaw that important! I expect a MAJOR worm soon!
    -Simon "SDK"

  2. #2
    The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of the applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.
    This and that product... blah blah blah... As soon as I had heard about this a while back, I thought there was no way it could affect that amount of software unless they all used the same dynamic link library files or something of the sort. And it looks like I was about right... what is actually flawed is a graphics device interface; all of these programs most likely use the same API.

    The majority of reports I've seen are about as vague as descriptions in an MS critical update, which are usually along the lines of "download to stop a buffer overflow in our software which may crash and cause DoS effects or allows remote attackers access".

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Mitigating factors for JPEG Vulnerability - CAN-2004-0200:

    • An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

    • The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.

    • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

    • Windows XP, Window XP Service Pack 1, and Windows Server 2003 are the only operating systems that contain the vulnerable component by default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000, and Windows XP Service Pack 2 are not vulnerable to this issue. However, the vulnerable component will be installed by any of the programs listed in the affected software section of this bulletin on these operating systems and you should install the appropriate security update for those programs.
    From here

    As is my wont in situations where new exploit code becomes available, my first instinct is to determine the attack vector in order to determine a method of mitigation within my network.

    In this case the most likely vector will be good old email. Yes the possibility is there for using web sites to exploit the users but web sites will be quickly closed down when the exploit code is found there. I will be blocking jpg and jpeg files in email at the firewall for a while at least and for the web based attack the bleeding snort rules are as follows:-

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established; content:"Content-Type\: image/jpeg"; content:"|FF FE 00 00|"; classtype:attempted-user; sid:200326; rev:1;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established; content:"Content-Type\: image/jpeg"; content:"|FF FE 00 01|"; classtype:attempted-user; sid:2001327; rev:1;)

    These rules search for the malformed header of the file and warn. Note that these rules are limited to web as a vector and you need to make sure that your snort conf file variable $HTTP_PORTS is set for all the HTTP ports you allow your users to connect to. (I only allow port 80 since web based email is usually "shovelled" off onto 8000, 8080 etc.)

    Good luck peeps..... :eek:
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604

    GDIplus

    The vulnerable component is GDIplus.dll - the GDI graphics interface. Unfortunately this .dll comes packaged with many different apps and each app may use its own version of the library. In some cases replacing the .dll with a non-vulnerable version can break the app, and MS has said it will only support patching the component for software which is presently supported by MS. A list of the supported apps and their patches can be found here:

    http://www.microsoft.com/technet/sec.../ms04-028.mspx

    For those admins who would like to be able to locate this library on their machines there is a GDI Reporting Utility for locating the vulnerable library. I have attached the utility Version 1.1.0.0 - 09/22/2004


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Snort Sigs Update

    Three rules have been placed on the Snort Sigs, (rather than Bleeding Edge).

    They should prove to be more accurate.

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,http://www.microsoft.com/security/bu...409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:2;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:1;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,http://www.microsoft.com/security/bu...409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:1;)
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
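    Both sets of rules (the Bleeding Edge ones in #4 and the Snort Sigs ones above) key on the same thing: a JPEG APP1/APP2/APP13/COM marker followed by a declared segment length of 0 or 1. A segment's 16-bit length counts its own two length bytes, so anything below 2 is malformed. The Python below is an added example, not code from this thread or from the Snort project; it applies that check two ways, as a raw byte-pattern match equivalent to the pcre, and as a structural walk over the JPEG marker segments. The function names and the sample JPEG bytes are mine and constructed inline.

```python
import re
import struct

# Markers named in the Snort pcre above: APP1, APP2, APP13 and COM.
SUSPECT_MARKERS = {0xE1: "APP1", 0xE2: "APP2", 0xED: "APP13", 0xFE: "COM"}

# Byte-level equivalent of the rule's pcre: marker prefix, one of the four
# marker codes, then a declared segment length of 0 or 1.
SIGNATURE = re.compile(rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]")


def signature_match(data: bytes) -> bool:
    """Does the raw byte stream contain the MS04-028 marker/length pattern?"""
    return SIGNATURE.search(data) is not None


def scan_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG and report malformed ones.

    Returns a list of (offset, marker_name, declared_length). The 16-bit
    big-endian length of a segment includes its own two length bytes, so a
    value below 2 is invalid; that is the malformed header the rules match.
    """
    findings = []
    if data[:2] != b"\xFF\xD8":          # SOI must come first
        return findings
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:            # lost marker sync; stop
            break
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):       # EOI, or SOS (entropy-coded data follows)
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):          # truncated length field
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            name = SUSPECT_MARKERS.get(marker, f"0x{marker:02X}")
            findings.append((pos, name, length))
            break                        # cannot advance past a bogus length
        pos += 2 + length
    return findings


# Constructed sample inputs (not files from the thread):
# a minimal well-formed JPEG header with a JFIF APP0 and a 5-byte comment...
BENIGN = (
    b"\xFF\xD8"
    + b"\xFF\xE0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xFE" + struct.pack(">H", 7) + b"hello"
    + b"\xFF\xD9"
)
# ...and a header whose COM segment declares a length of 1.
MALFORMED_COM = b"\xFF\xD8" + b"\xFF\xFE\x00\x01" + b"\xFF\xD9"


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malformed", MALFORMED_COM)):
        print(label, "pcre-style match:", signature_match(blob),
              "segment findings:", scan_jpeg_segments(blob))
```

    The structural walk only reports a bad length where a marker segment actually sits, so it will not fire on the same four bytes turning up inside non-image content; the Snort rules get the same effect on the wire by gating on the Content-Type header (and, in the multipacket rule, the http.jpeg flowbit) before the pcre runs.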

  7. #7
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    A tool has been released by Tom Liston of ISC that scans for vulnerable files.
    http://isc.sans.org/gdiscan.php
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  8. #8
    Got the tool and gave it a try. I detected the vulnerable .dll's. I have a question about one of them.

    This one:
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.100.0_x-ww_0D1F9F94\GdiPlus.dll
    Version: 5.2.3790.0 <-- Vulnerable version

    What is this one for and what do you need to update to fix it. I can't figure what this folder relates to. The rest of the .dll's make sense.

    Thanks

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Be cautious when you run the utilities that hogfly posted because they might give you bad info.

    Scanning...
    C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\I386\ASMS\10100\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
    Version: 5.1.3101.0 <-- Vulnerable version
    C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
    Version: 10.0.6714.0
    C:\Program Files\Norton SystemWorks\Password Manager\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\Program Files\Symantec\Web Tools\GDIPlus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
    Version: 5.1.2600.1515
    C:\WINDOWS\ServicePackFiles\i386\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\system32\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    Version: 5.1.3101.0 <-- Vulnerable version
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
    Version: 5.1.3102.2180
    Scan Complete.
    Reading this, you would think my Windows is vulnerable but it's not. The first files are vulnerable because they are located in the i386 directory of the installation CD that is on my hard drive, the next two vulnerable ones are from Norton SystemWorks and the last 2 are from the WinSxS directory. WINSXS ==> Windows Side-by-Side. Looking at the directory name, it also looks like old installation files.
    -Simon "SDK"

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think this is where a major problem will come from. Since they haven't patched office automatically in the past there are a million vulnerable systems out there from the office standpoint even though the OS and IE are patched.

    Look for the attackers to work this out and the major attack vector to be a word document or similar via email.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
