New flaw for Windows XP, Windows Server 2003 and IE6

Posted Friday 17 September 2004 10.52 by fabio

The new flaw concerns the JPEG image processing system, through which malicious users could "take complete control of the vulnerable system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges", simply by redirecting the browser to web pages containing specially crafted JPG images.

The bug was reported by Nick DeBaggis:

"JPEG Comment sections (COM) allow for the embedding of comment data
into a JPEG image.  COM sections are marked beginning with 0xFFFE
followed by a 16 bit unsigned integer in network byte order giving
the total comment length + the 2 bytes for the length field; a
single JPEG COM section could therefore contain 65533 bytes of
invisible data (invisible in the sense that it's not rendered as
part of the image).  Because the JPEG COM field length variable is 2
bytes wide, and itself is included in the length value, the minimum
value for this field is 2, this implies an empty comment.  If the
comment length value is set to 1 or 0, a buffer overflow occurs
overwriting heap management structures.

The problem is GDIPlus normalizes the COM length prior to checking
its value; a starting length of 0 becomes -2 after normalization
(0xFFFE unsigned), this value is converted to the 32 bit value
0xFFFFFFFE and is eventually passed on to memcpy which attempts to
copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap
management structures are left in an inconsistent state with
execution eventually reaching heap unlink instructions within
RTLFreeHeap with EAX pointing to a pointer to data we control and we
have direct control of EDX."

References

Security bulletin MS04-28

Update patch

Comments

# re: JPEG, beware, they are extremely dangerous

Friday 1 October 2004 16.49 by TrackBack