MS jpeg vulnerability

Discussion in 'Computer Security' started by Jim Watt, Sep 20, 2004.

  1. Jim Watt Guest

    Jim Watt, Sep 20, 2004
    #1

  2. Leythos Guest

    Leythos, Sep 20, 2004
    #2

  3. ipgrunt Guest

    Leythos <> confessed in news:MPG.1bb880533589a5a9896f0@news-server.columbus.rr.com:

    > In article <>,
    > _way says...
    >> looks like those .jpg files are not as safe as we hoped
    >>
    >> http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

    >
    > Actually, one person showed me that no file extension really means
    > anything when using IE.
    >



    That's great, but the truth is there's a bug in GDI+ code that can cause
    buffer overruns and a knowledgeable cracker can use this to get control of a
    server.

    So, be advised to patch your Windows systems.

    -- ipgrunt
    ipgrunt, Sep 22, 2004
    #3
  4. David Shaw Guest

    Yeah, that's the new big bug; better patch it up fast, guys. A proof
    of concept has already appeared on BugTraq...

    Anyway, you can find the CERT vulnerability notes here
    (http://www.kb.cert.org/vuls/id/297462).

    ds
    David Shaw, Sep 22, 2004
    #4
  5. L;ozT Guest

    ...At my place of work, we have configured SUSupdates, to automatically force
    updates to each of our client PC's. About 4 or 5 days ago, a patch relating
    to GDI+ code was offered for download to the updates server, but on looking
    today, it would seem that Microsoft has retracted the patch, and it is no
    longer offered for download.

    Anyone have any ideas what's going on here?

    Cheers

    L;ozT ....... Just a little!

    "David Shaw" <> wrote in message
    news:...
    > Yeah, that's the new big bug; better patch it up fast, guys. A proof
    > of concept has already appeared on BugTraq...
    >
    > Anyway, you can find the CERT vulnerability notes here
    > (http://www.kb.cert.org/vuls/id/297462).
    >
    > ds
    L;ozT, Sep 23, 2004
    #5
  6. Jim Watt Guest

    On Wed, 22 Sep 2004 23:47:12 +0000 (UTC), "L;ozT"
    <> wrote:

    >..At my place of work, we have configured SUSupdates, to automatically force
    >updates to each of our client PC's. About 4 or 5 days ago, a patch relating
    >to GDI+ code was offered for download to the updates server, but on looking
    >today, it would seem that Microsoft has retracted the patch, and it is no
    >longer offered for download.
    >
    >Anyone have any ideas what's going on here?


    I did a Windows update yesterday on a machine and it downloaded
    a program to check if the GDI+ was present. It was not, and it said
    GDI+ was part of the .NET framework. So if you use that, you need to
    update that. At least it's not part of IE ...


    >Cheers
    >
    >L;ozT ....... Just a little!
    >
    >"David Shaw" <> wrote in message
    >news:...
    >> Yeah, that's the new big bug; better patch it up fast, guys. A proof
    >> of concept has already appeared on BugTraq...
    >>
    >> Anyway, you can find the CERT vulnerability notes here
    >> (http://www.kb.cert.org/vuls/id/297462).
    >>
    >> ds

    >


    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 23, 2004
    #6
  7. In article <Xns956C7A9AB7038eternalgruntgerman@130.133.1.4>,
    says...
    > Leythos <> confessed in news:MPG.1bb880533589a5a9896f0@news-server.columbus.rr.com:
    >
    > > In article <>,
    > > _way says...
    > >> looks like those .jpg files are not as safe as we hoped
    > >>
    > >> http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

    > >
    > > Actually, one person showed me that no file extension really means
    > > anything when using IE.
    > >

    >
    >
    > That's great, but the truth is there's a bug in GDI+ code that can cause
    > buffer overruns and a knowledgeable cracker can use this to get control of a
    > server.


    Is this a problem on servers? As far as I understand, somebody has to
    view a JPG, so for a server to become infected, somebody has to use that
    server to view a JPG (on the internet or in a mail). Normally, that
    doesn't happen if you use your servers only as servers.

    (I'm not saying you don't have to patch your servers, but I don't see
    the attack vector (yet).)

    I think the main problem is at the client machines.

    Filip
    Filip Van Laenen, Sep 23, 2004
    #7
  8. Leythos Guest

    In article <>,
    says...
    > Is this a problem on servers? As far as I understand, somebody has to
    > view a JPG, so for a server to become infected, somebody has to use that
    > server to view a JPG (on the internet or in a mail). Normally, that
    > doesn't happen if you use your servers only as servers.
    >
    > (I'm not saying you don't have to patch your servers, but I don't see
    > the attack vector (yet).)
    >
    > I think the main problem is at the client machines.


    I've seen servers that provide pages with infected JPG images. If you
    had scripting enabled the images would still display fine, but they
    contained a payload that was some form of trojan dropper.

    --

    (Remove 999 to reply to me)
    Leythos, Sep 23, 2004
    #8
  9. "Filip Van Laenen" <> wrote in message
    news:...
    > > That's great, but the truth is there's a bug in GDI+ code that can cause
    > > buffer overruns and a knowledgeable cracker can use this to get control of a
    > > server.

    >
    > Is this a problem on servers? As far as I understand, somebody has to
    > view a JPG, so for a server to become infected, somebody has to use that
    > server to view a JPG (on the internet or in a mail). Normally, that
    > doesn't happen if you use your servers only as servers.
    >
    > (I'm not saying you don't have to patch your servers, but I don't see
    > the attack vector (yet).)
    >
    > I think the main problem is at the client machines.
    >
    > Filip


    If the virus gets onto a machine that is logged in with admin rights to the
    domain, it could copy JPG files to the servers through the admin shares,
    then use a simple remote procedure call to run a program that will view the
    jpg.

    Rick
    Richard S. Westmoreland, Sep 23, 2004
    #9
  10. Bill Guest

    On 22 Sep 2004 18:00:42 GMT, ipgrunt <> wrote:

    >Leythos <> confessed in news:MPG.1bb880533589a5a9896f0@news-server.columbus.rr.com:
    >
    >> In article <>,
    >> _way says...
    >>> looks like those .jpg files are not as safe as we hoped
    >>>
    >>> http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

    >>
    >> Actually, one person showed me that no file extension really means
    >> anything when using IE.
    >>

    >
    >
    >That's great, but the truth is there's a bug in GDI+ code that can cause
    >buffer overruns and a knowledgeable cracker can use this to get control of a
    >server.
    >
    >So, be advised to patch your Windows systems.
    >
    >-- ipgrunt


    I'm lost here. Why does this problem exist with JPEG images and
    not GIFs or BMPs ?? Doesn't the header information in the image
    file determine what GDI functions get called with Header parameters
    being passed to the GDI functions ?

    If someone could tell me the GDI functions and JPEG headers
    involved that would help me.

    When it comes to laying down trojans using VBscript and
    ActiveX Components, I can somewhat understand that,
    but this is beyond me. What newfangled thing did they
    add to JPEG headers to allow for this ?? Is some "nut"
    trying to get JPEGs to be "Objects" which can/could
    include executable code ?

    Any and all information will help this "dude". Old and
    gray dude now.

    Thanks,
    Bill
    Bill, Sep 29, 2004
    #10
  11. In article <>, on Tue, 28 Sep 2004 19:20:54 -0700, Bill
    <> wrote:

    <snip />

    | I'm lost here. Why does this problem exist with JPEG images and
    | not GIFs or BMPs ?? Doesn't the header information in the image
    | file determine what GDI functions get called with Header parameters
    | being passed to the GDI functions ?

    From <http://www.us-cert.gov/cas/techalerts/TA04-260A.html>:

    "Overview

    Microsoft's Graphic Device Interface Plus (GDI+) contains a vulnerability
    in the processing of JPEG images. This vulnerability may allow attackers to
    remotely execute arbitrary code on the affected system. Exploitation may occur
    as the result of viewing a malicious web site, reading an HTML-rendered email
    message, or opening a crafted JPEG image in any vulnerable application.
    The privileges gained by a remote attacker depend on the software component
    being attacked."

    | If someone could tell me the GDI funtions and JPEG headers
    | involved that would help me.
    |
    | When it comes to laying down trojans using VBscript and
    | ActiveX Components, I can somewhat understand that,
    | but this is beyond me. What newfangled thing did they
    | add to JPEG headers to allow for this ?? Is some "nut"
    | trying to get JPEGs to be "Objects" which can/could
    | include executable code ?

    "I. Description

    Microsoft Security Bulletin MS04-028 describes a remotely exploitable buffer
    overflow vulnerability in Microsoft's Graphic Device Interface Plus (GDI+) JPEG
    processing component."

    So the answer to your last question is yes. You can pretty much do anything
    with buffer overruns. Search for ""buffer overrun" tutorial" if you really want
    to know more.

    <davidp />

    --
    David Postill
    David Postill, Sep 29, 2004
    #11
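    Added here as an illustration of the point David makes above, not code from the thread or from Microsoft's GDI+: a JPEG header is a chain of marker segments, each carrying a 16-bit length that the decoder is expected to trust, and a parser that checks every length before using it refuses the crafted files the advisory describes instead of overrunning a buffer. The marker codes are from the JPEG standard; the two sample byte strings are constructed, not real files.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: SOI, EOI, TEM and the restart markers RST0-RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))

def parse_jpeg_segments(data: bytes):
    """Return (marker, declared_length) for each header segment up to SOS.
    Every length field is checked before use, so a crafted header cannot
    steer the parser past the end of the buffer."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments, pos = [(SOI, 0)], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker, pos = data[pos], pos + 1
        if marker in STANDALONE:
            segments.append((marker, 0))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker 0x{marker:02X}: length field truncated")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        # The length counts its own two bytes, so a value below 2 is impossible. A parser
        # that computes length - 2 without this check underflows and then reads or copies
        # far beyond the segment: the buffer-overrun class the advisory describes.
        if length < 2:
            raise ValueError(f"marker 0x{marker:02X}: declared length {length} < 2")
        if pos + length > len(data):
            raise ValueError(f"marker 0x{marker:02X}: length {length} runs past end")
        segments.append((marker, length))
        pos += length
        if marker == SOS:  # entropy-coded scan data follows; not inspected here
            break
    return segments

def is_well_formed(data: bytes) -> bool:
    try:  # True when the header segments parse cleanly, False on any inconsistency
        parse_jpeg_segments(data)
        return True
    except ValueError:
        return False

# Constructed samples, not real files: a minimal JFIF with a comment segment, then the
# same comment with its length field set to an impossible value.
GOOD_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xfe" + struct.pack(">H", 7) + b"hello\xff\xd9")
BAD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 1) + b"hello\xff\xd9"
```

    The same walk rejects a file truncated in the middle of a segment, which a decoder that trusts the declared length would read past as well.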
  12. Jim Watt Guest

    On Wed, 29 Sep 2004 06:41:16 GMT, David Postill <>
    wrote:

    >So the answer to your last question is yes. You can pretty much do anything
    >with buffer overruns. Search for ""buffer overrun" tutorial" if you really want
    >to know more.


    Is the buffer overrun issue a feature of stuff written in C? It does
    seem to be a frequent program defect. Never had one using
    Fortran :)

    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 29, 2004
    #12
  13. Bill Unruh Guest

    Jim Watt <_way> writes:

    ]On Wed, 29 Sep 2004 06:41:16 GMT, David Postill <>
    ]wrote:

    ]>So the answer to your last question is yes. You can pretty much do anything
    ]>with buffer overruns. Search for ""buffer overrun" tutorial" if you really want
    ]>to know more.

    ]Is the buffer overrun issue a feature of stuff written in C? it does
    ]seem to be a frequent program defect. Never had one using
    ]Fortran :)

    Oh, yes I have. I have had real doozies with Fortran (e.g. changed the value
    of all constant numbers 2 in the program). However, Fortran is
    almost never used to write admin type software.
    Bill Unruh, Sep 29, 2004
    #13
  14. Jim Watt Guest

    On 29 Sep 2004 16:29:53 GMT, (Bill Unruh)
    wrote:

    >Jim Watt <_way> writes:
    >
    >]On Wed, 29 Sep 2004 06:41:16 GMT, David Postill <>
    >]wrote:
    >
    >]>So the answer to your last question is yes. You can pretty much do anything
    >]>with buffer overruns. Search for ""buffer overrun" tutorial" if you really want
    >]>to know more.
    >
    >]Is the buffer overrun issue a feature of stuff written in C? it does
    >]seem to be a frequent program defect. Never had one using
    >]Fortran :)
    >
    >Oh, yes I have. I have had real doozies with Fortran (eg changed the value
    >of all constant numbers 2 in the program). HOwever fortran is
    >almost never used to write admin type software.


    Guess it depends on the compiler.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 29, 2004
    #14
  15. yada yada Guest

    On Mon, 20 Sep 2004 09:07:20 +0200, Jim Watt <_way>
    wrote:

    >looks like those .jpg files are not as safe as we hoped
    >
    >http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx



    Passing this along...

    This tool scans your entire drive(s) for the vulnerable .dll files,
    and is NOT LIMITED to microsoft products. It can be obtained here :

    http://isc.sans.org/gdiscan.php
    (even has a pgp sig for the paranoid lot)

    Also, here is a link that contains a small tutorial on using the
    tool and how to interpret the results:

    http://www.bleepingcomputer.com/forums/topict3077.html
    yada yada, Oct 9, 2004
    #15