Code to exploit Windows graphics flaw now public

Quote:

---

A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software.

Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file.

"Within days, you'll likely see (attacks) using this code as a basis," said Vincent Weafer, senior director of security response for antivirus-software company Symantec. "This is dangerous in a sense that everyone processes JPEG files to some degree."

The program is the latest example of "exploit code," a sample that shows others how to create attack programs that can take advantage of a particular flaw. Such code preceded the Sasser worm by two days and the MSBlast worm by nine days.

The critical flaw the program exploits has to do with how Microsoft's operating systems and other software process the widely used JPEG image format. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has JPEG images.

The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of the applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

Users can download the patches from Microsoft's Windows Update and Office Update servers. In addition, the software giant has made available online programs that scan for vulnerable software and patch it.

Symantec and other antivirus companies have released updates for their software to detect graphics being used in attempts to exploit the flaw.

---

http://news.zdnet.com/2100-1009_22-5378260.html

That was freaking fast! 8 Days for a exploit code to be release for a flaw that important! I except a MAJOR worm soon! :(

Quote:

---

The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of the applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

---

This and that product... blah blah blah... As soon as I had heard about this awhile back, I thought there was no way it could effect that amount of software unless they all used the same dynamic link library files or something of the sort. And it looks like I was about right... what is actually flawed was a graphics device interface, all of these programs use the same API most likely.

The majority of reports I've seen are about as vague as descriptions in an MS critical update, which are usually along the lines of "download to stop a buffer overflow in our software which may crash and cause DoS effects or allows remote attackers access". :rolleyes:

PoC of this exploit can be found:

http://www.k-otik.com/exploits/09232...8-admin.sh.php
http://www.k-otik.com/exploits/09222...4-28-cmd.c.php
http://www.k-otik.com/exploits/09222004.ms04-28.sh.php

Quote:

---

Mitigating factors for JPEG Vulnerability - CAN-2004-0200:

• An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

• The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

• Windows XP, Window XP Service Pack 1, and Windows Server 2003 are the only operating systems that contain the vulnerable component by default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000, and Windows XP Service Pack 2 are not vulnerable to this issue. However, the vulnerable component will be installed by any of the programs listed in the affected software section of this bulletin on these operating systems and you should install the appropriate security update for those programs.

---

From here

As is my want in situations where new exploit code becomes available my first instinct is to determine the attack vector in order to determine a method of mitigation within my network.

In this case the most likely vector will be good old email. Yes the possibility is there for using web sites to exploit the users but web sites will be quickly closed down when the exploit code is found there. I will be blocking jpg and jpeg files in email at the firewall for a while at least and for the web based attack the bleeding snort rules are as follows:-

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established; content:"Content-Type\: image/jpeg"; content:"|FF FE 00 00|"; classtype:attempted-user; sid:200326; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established; content:"Content-Type\: image/jpeg"; content:"|FF FE 00 01|"; classtype:attempted-user;sid:2001327; rev:1;)

These rules search for the malformed header of the file and warn. Note that these rules are limited to web as a vector and you need to make sure that your snort conf file variable $HTTP_PORTS is set for all the HTTP ports you allow your users to connect to. (I only allow port 80 since web based email is usually "shovelled" off onto 8000, 8080 etc.

Good luck peeps..... :eek:

The vulnerable componet is GDIplus.dll - the GDI graphics interface, unfortunately this .dll comes packaged with many diffrent apps and each app may use its own version of the library. In some cases replacing the .dll with a non-vulnerable version can break the app, and MS has said it will only support patching the component for software which is presently supported by MS. A list of the supported apps and their patches can be found here:

http://www.microsoft.com/technet/sec.../ms04-028.mspx

For those admins who would like to be able to locate this library on their machines there is a GDI Reporting Utility for locating the vulnerable library. I have attached the utility Version 1.1.0.0 - 09/22/2004


-Maestr0

Three rules have been placed on the Snort Sigs, (rather than Bleeding Edge).

They should prove to be more accurate.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,http://www.microsoft.com/security/bu...409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,http://www.microsoft.com/security/bu...409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:1;)

A tool has been released by Tom Liston of ISC that scans for vulnerable files.
http://isc.sans.org/gdiscan.php

Got the tool and gave it a try. I detected the vulnerable .dll's. I have a question about one of them.

This one:
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.100.0_x-ww_0D1F9F94\GdiPlus.dll
Version: 5.2.3790.0 <-- Vulnerable version

What is this one for and what do you need to update to fix it. I can't figure what this folder relates to. The rest of the .dll's make sense.

Thanks

Be cautious when you run the utilites that hogfly post because it might give you bad info.

Quote:

---

Scanning...
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\ASMS\10100\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3101.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.6714.0
C:\Program Files\Norton SystemWorks\Password Manager\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Symantec\Web Tools\GDIPlus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
Scan Complete.

---

Reading this, you would think I'm my windows is vulnerable but it's not. The first files are vulnerable because they are locate in the i386 directory of the installation CD that is one my hard drive, the next two vulnerable are from Norton Systemwork and last 2 are from WinSxs directory. WINSXS == > Windows Side-by-Side. Looking at the directory name, it's look also like old installation file.

I think this is where a major problem will come from. Since they haven't patched office automatically in the past there are a million vulnerable systems out there from the office standpoint even though the OS and IE are patched.

Look for the attackers to work this out and the major attack vector to be a word document or similar via email.

on a positive note nortons heuristic scaning picks up the jpeg that k-otik's code produces as bloodhound.exploit. rather generic but flags it none the less. i dont believe shell code can be morphed so it will take entirely new shell code that has not been not used in other exploits to get past it. im sure it'll show up but i dont think its going to be the field day they're portraying.

but then again those that dont keep up on their patching are not likely to keep their virus sigs up to date either. so once again it will be the same bunch getting slammed.

Symantec, mcafee, trend and a few others are matching on the JFIF headers of the jpegs. These can not change since it's required to cause the overflow. Still..people don't patch and don't update regularly. I expect the vector to be email that has embedded activeX controls, but there are so many possibilities.....
It should be interesting....

well ive a question , what about the people who donot want to install sp2 ?? like i ve sp 1 and do not want to move over to sp 2, is there any way to be safe from it?

Has anyone actualy gotten any of these to work ??

I've been playing with this local cmd.exe (not bound to the net) version..

Perhaps it's the:
"\xB8\x44\x80\xC2\x77" // mov eax,77c28044h (address of system() on WinXP SP1)
part that doesn't work on my Dutch WinXP SP1..

The C code was compiled with visual C++ 6.0 and executed on a Windows98 box.


I attached the resulting jpg (zipped).. it should be safe (a cmd.exe window should pop up if exploit works)
Disclaimer
The attachment shouldn't be harmfull and is uploaded for experimentation only.
I can't be held responsible for your stupidity if this actualy crashes a production server,
eats your hamster, steals your lunchmoney, creates a hole in the space time continuum
or anything else..

Quote:

---

k-otik's code produces as bloodhound.exploit.

---

tedob1, yeah i saw my norton pick it up too. Norton knows it since 14/09 it seems.

Anyway i've been playing the latest from k-otik , the ActiveX one and i have the same prob as the_jinx, namely that probably the hexcode for the GDIPLUS.DLL in Win XP NL.

I compiled it under linux and I put it in as a .jpg under my apache webserverroot. When I surf to it, it is active since Norton picks it up, but it doesn't create an extra account as it claims.
I believe its a matter of getting the right hex for the GDIPLUS.DLL. Here's a snip of its code to show you what i mean. I did had some weird actions by a win xp unpatched box but again not the account as it claims.

Code:

---

#********************************************
#Address of shellcode
#********************************************
#printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0

---

Quote:

---

well ive a question , what about the people who donot want to install sp2 ?? like i ve sp 1 and do not want to move over to sp 2, is there any way to be safe from it?

---

Apparently keep your AV up-to-date, since they seem to pick it up already. ;)

Greetz,

Quote:

---

Has anyone actualy gotten any of these to work ??

---

No. I too have tried all the POC code in the wild and so far it has been just that - POC. However, after handing the code to someone who i believe is extremely talented, I can see how quickly minor ajustments can be made and thus, the avelanch of crap will surely soon be upon us.

Yes. I was able to modify the PoC to bind a shell and create a reverse shell. But as hog mentioned the trigger in the header will be easily detectable.

-Maestr0

I'm suprised this didn't show up in articles before Wednesday. The security group that works for my company had POC code over the weekend that they were able to run and confirm that it works.. That was on Saturday. We were blocking all jpgs at our proxy and email servers over the weekend because they were expecting a virus to come out by last Sunday...

McAfee has generic protection built into their 4394 dats if you enable heuristics.. The really bad thing about this is that it can infect you even if the file is renamed to .gif or some other image extension.. If the file extension envokes the gdiplus.dll the exploit code can run, regardless of the file extension...

The GDIScan tool at http://isc.sans.org/gdiscan.php detects other files besides gdiplus.dll:

sxs.dll, wsxs.dll, mso.dll, vgx.dll

Does anyone know more details about these files? According to the morons at Microsoft, the MS04-028 vulnerability only affects gdiplus.dll. Apparently not...?

Roberto F.

This post is in response to tigersharks post posted 09-23-2004 01:31 PM where he states *• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.* It would be entirely possible to force a user to visit a malicious site. It's called a pop-up. We see them all the time. You can use a pop-up blocker or for that matter any mozilla browser to prevent this.

Quote:

---

It would be entirely possible to force a user to visit a malicious site. It's called a pop-up. We see them all the time.

---

But you aren't forcing the user to visit the site that initiates the popup thus you can't _force_ the user to visit the infected site. If you have that much control over the initial site that you can make it initiate the popup then why wouldn't you just insert the jpg in the initial site. Your point doesn't seem to make sense..... Am I missing something?

I was wondering if anyone knew of a tool like GDIScan but did not have to be run locally. I need an enterprise solution. We are running many different versions of office. And you all know that to ask 25,000+ users to run their own GDIScan locally is not a viable option. Even if we did have them run it locally, they would not know what to do from there.

So I guess the bottom line is: Are there any tools out there, like landesk, that will help with the enterprise wide scan?

TIA

Microsoft Baseline Security Analyzer V1.2.1 can help you for Windows Patch but it cannot scan Office Remotely! :(

Well, I was using baseline to check for the XP SP1 GDI patch. But you are correct, that is not capeable of scanning MS Office. Since that post I have already started using Hfnetchk Pro. Awesome program, everyone working in a large scale network should check it out.

On another note, when and if this ever hits in mass, there are going to be quite a few admins out there caught with their pants down. With so many versions of office out there with different levels of SPs it is quite demanding to patch. But Visio and Project also have seperate patches that are not covered in the Office updates. Ouch...this sucks.

Just to let everyone know, SUS v.2 should be out early next year. It is the long anticipated follow up to v.1 that will support Office updates. Thank god.

I have just one more question, I read on here that XP SP1 is still vuln after applying the patch ( I am almost afraid to ask because the last poor soul got neg'd to death.) and that SP2 is the only way to be completely safe. Is there some article I can reference for this? It can make a big difference in wether we start pushing SP2 from our test group into the AD production groups.

TIA

There is a new version of the GDIPlus Reporting Tool. Fixes are outlined
below:

Version 1.1.3.0 - 09/29/2004
* Fixed - UI problem where "Tabs" pane did not expand vertically
when the form was expanded
Version 1.1.2.0 - 09/29/2004
* Fixed - bug that caused an exception when a "directory path" was
too long (2nd bug of this type)
Version 1.1.1.0 - 09/28/2004
* Added - Right-Mouse (Context) menu to the "Search Paths",
"Execution Status" and "Search Results" output panes
* Fixed - bug that caused an exception when a "directory path" was
too long
Version 1.1.0.0 - 09/22/2004
* Added - Ability to specify a "Machine" name and have all of the
logical drives added to the "Search Paths" as "Administrative Shares"
* Added - Link to web site from the "Help" menu
* Changed - "Search Paths" user interface
* Changed - "Search Paths" information can now be Copied, Printed,
and Saved
* Fixed - bug that caused an exception when a directory that the
user did not have access to was encountered
* Fixed - bug that caused an exception when an attempt to add a
"Search Path" to the list was already in the list
Version 1.0.1.0 - 09/21/2004
* Fixed - bug where search path did not contain a full path (D: rather
than D:\)
Version 1.0.0.0 - 09/16/2004
Initial Release - No revision history

Homepage: http://www.dynicity.com/products/gdireporter.aspx


-Maestr0