There is a memory corruption vulnerability in TIFF file processing in
Microsoft GDI+ that can be used to crash a vulnerable application and
also to execute arbitrary code.
The vulnerability is caused due to errors in decompression of CCITT G4
compressed TIFF images.
CCITT compression is basically a RLE (Run Length Encoding) compression
of 2-color (black/white) images where run lengths of black and white
pixels are encoded using variable number of bits. In the first step of
decoding process run-lengths are determined and are stored in a buffer
of the same length as image width located on heap. After this process
the values inside the buffer are interpreted as
The process of filling the above buffer continues until the sum of all
run-lengths already written in the buffer is smaller than the image
width.
The vulnerability stems from the fact that, by the encoding mechanism,
a 0-run length is completely valid. Thus, if we specify multiple
run-lengths of zero pixels at the beginning of the image row, we can
escape the buffer boundaries and write arbitrary value after the end
of the buffer.
############
#The impact#
############
This vulnerability can be used to run arbitrary code when an
application using GDI+ is used to open a malformed TIFF file. The code
will be run with the privilages of the vulnerable application.
#####
#PoC#
#####
Due to the spread and the impact of the vulnerability, exploiting
details will not be released at this time.
############
#References#
############
http://ifsec.blogspot.com/2009/10/windows-gdi-tiff-memory-corruption.htm
l
http://www.zerodayinitiative.com/advisories/ZDI-09-072/
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2503
Microsoft GDI+ that can be used to crash a vulnerable application and
also to execute arbitrary code.
###################
#The vulnerability#
###################
The vulnerability is caused due to errors in decompression of CCITT G4
compressed TIFF images.
CCITT compression is basically a RLE (Run Length Encoding) compression
of 2-color (black/white) images where run lengths of black and white
pixels are encoded using variable number of bits. In the first step of
decoding process run-lengths are determined and are stored in a buffer
of the same length as image width located on heap. After this process
the values inside the buffer are interpreted as
[white-run-length][black-run-length][white-run-length][black-run-length]
...
The process of filling the above buffer continues until the sum of all
run-lengths already written in the buffer is smaller than the image
width.
The vulnerability stems from the fact that, by the encoding mechanism,
a 0-run length is completely valid. Thus, if we specify multiple
run-lengths of zero pixels at the beginning of the image row, we can
escape the buffer boundaries and write arbitrary value after the end
of the buffer.
############
#The impact#
############
This vulnerability can be used to run arbitrary code when an
application using GDI+ is used to open a malformed TIFF file. The code
will be run with the privilages of the vulnerable application.
#####
#PoC#
#####
Due to the spread and the impact of the vulnerability, exploiting
details will not be released at this time.
############
#References#
############
http://ifsec.blogspot.com/2009/10/windows-gdi-tiff-memory-corruption.htm
l
http://www.zerodayinitiative.com/advisories/ZDI-09-072/
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2503
[ reply ]