[VulnWatch] CORE-2004-0819: MSN Messenger PNG Image Parsing Vulnerability

From: CORE Security Technologies Advisories (advisories@private)
Date: Tue Feb 08 2005 - 11:56:39 PST


                   Core Security Technologies Advisory
                       http://www.coresecurity.com

               MSN Messenger PNG Image Parsing Vulnerability



Date Published: 2005-02-08

Last Update: 2005-02-08

Advisory ID: CORE-2004-0819

Bugtraq ID: None currently assigned.

CVE Name: CAN-2004-0597

Title: MSN Messenger PNG Image Parsing Vulnerability

Class: Boundary Error Condition (Stack Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
 http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10

Vendors contacted:
- Microsoft
  2004-08-23: Notification to vendor
  2004-08-23: Notification acknowledgment received from vendor
  2005-02-08: Publication of fixes and advisories

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

 MSN Messenger is a fully featured Instant Messaging (IM) program,
 that allows users to exchange pictures using the PNG image format and
 display them during conversations.

 A vulnerability found in the parsing of PNG images could allow an
 attacker to execute arbitrary code in the chat partner's machine and
 gain access to the system with the privileges of the user running the
 MSN Messenger client program.

 This vulnerability can be exploited on Windows 2000 (all service
 packs) and Windows XP (all service packs) that run vulnerable
 clients of MSN Messenger.

 Due to the particular characteristics of the MSN Messenger
 communications protocol, exploitation of the vulnerability is likely
 to pass unnoticed to network Intrusion Detection Systems (IDS),
 Intrusion Prevention Systems (IPS) and firewalls that do not
 implement decoding and normalization of the MSN Messenger protocol
 encapsulated within HTTP. Furthermore, its is possible to craft
 exploit code to compromise vulnerable systems without crashing or
 disrupting the normal functioning of the MSN Messenger client
 application and thus passing unnoticed to the end-user as well.

*Vulnerable Packages:*

 The vulnerability was discovered and researched on the following
 packages:

. MSN Messenger 6.1 on Windows 2000 and Windows XP
. MSN Messenger 6.2 on Windows 2000 and Windows XP

 The vendor reported the following packages as vulnerable:

. MSN Messenger 6.1
. MSN Messenger 6.2
. Windows Messenger 4.7.2009
. Windows Messenger 4.7.3000
. Windows Messenger 5.0
. Windows Media Player 9 series (CVE CAN-2004-1244)


*Solution/Vendor Information/Workaround:*

 Microsoft Security Bulletin MS05-009 provides details and fix
 packages or vulnerable applications. It can be found at:

 http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx

 The vendor reported that following packages/versions are NOT
 vulnerable:

. Windows Media Player 6.4
. Windows Media Player 7.1
. Windows Media Player for Windows XP (8.0)
. Windows Media Player 9 Series for Windows XP Service Pack 2
. Windows Media Player 10
. MSN Messenger for Mac

 Additionally, mitigating actions to reduce exposure to the
 vulnerability are provided below, but note that these actions might
 not suffice to close ALL attack vectors for ALL vulnerable packages:

. MSN Messenger users should not accept unsolicited chat session
  requests from chat partners not in their contacts list.
. MSN Messenger users should disable the custom emoticons feature of
  MSN Messenger, to do so go to Tools->Options->Messages.
. Deny execution of MSN Messenger client application using ACLs or
  Host-based security controls.
. Block MSN Messenger communications at the network perimeter.
. Filter transmission of malformed PNG images using an
  application-layer proxy that supports MSN Messenger protocol.

 Disabling the "Display Picture" feature in MSN Messenger DOES NOT
 prevent exploitation.

 Core Security Technologies has made available a sample malformed
 PNG file that can be used to check if an MSN Messenger client is
 vulnerable.

 The ZIP-compressed image is available at

 http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip

 After downloading it, uncompress and save it to a work folder, open
 MSN Messenger and select the image as your display picture in
 "Tools->Change Display Picture".

 Vulnerable clients will either crash or display popup dialog with the
 following text: "Your MSN Messenger client is vulnerable"


*Credits:*

 This vulnerability was found by Juliano Rizzo from Core Security
 Technologies.

 Chris Evans discovered previous problems related to PNG images in
 the libPNG open source library [1][2].


*Technical Description - Exploit/Concept Code:*

 This vulnerability was found in MSN Messenger 6.2.0137, all technical
 details apply to that package and version but may be applicable to
 other vulnerable versions as well.

 The MSN Messenger protocol supports transmission of several types of
 images between  users that are displayed during conversations.
 These include:

 . The display picture, which usually is a picture of the user.
 . Custom icons that are small images shown in the message line.
 . Thumbnails of images being transferred.
 . Background images.

 The image format used is PNG [3]. When a user selects a picture to be
 displayed as avatar, Messenger converts it to PNG format with a fixed
 size and encoding characteristics. When a conversation is initiated
 with a contact, the image is transmitted over the same communication
 channel used to exchange text messages.
 By sending a specially crafted PNG image an attacker can trigger a
 buffer overflow and execute arbitrary code on the chat partner's
 system.

 The PNG file format structure is based on chunks as described in [3].
 The vulnerability is present in processing intentionally malformed
 image chunks with specially crafted values for some fields in the
 IHDR and tRNS chunk types.
 The IHDR chunk has a "color type" field: a single-byte integer that
 describes the interpretation of the image data. To trigger the bug,
 the flags "color used" and "palette used" have to be set in the color
 type field, whereas the "alpha channel used" flag must not be set.
 Thus, the color type value has to be set to 0x03. There must also
 exist a tRNS chunk with enough data length (>256) to overflow a
 buffer and reach a function pointer address. A PLTE chunk could exist
 in the file, but it has to be after the tRNS chunk.

[MSN Messenger clients compiled with the /GS stack-overflow protection
mechanism]

 Although the MSN Messenger client is compiled with the /GS compiler
 switch that provides protection against stack-based overflows as
 described in [4], exploitation is not prevented in this case.

 The following excerpt from MSDN describes the functionality of the
 /GS switch:

 "...The /GS switch provides a "speed bump" or cookie, between the
 buffer and the return address. If an overflow writes over the return
 address, it will have to overwrite the cookie put in between it and
 the buffer, resulting in a new stack layout..."

 The protection mechanism verifies the integrity of a called
 function's return address. By building a longer buffer, data beyond
 the return address can be overwritten, including: function
 parameters, local variables and Structured Exception Handling records
 [5]. Due to the way errors are handled in the MSN Messenger client,
 an exception is raised after the overflow occurs but before any
 stack integrity verification is done. To process that exception the
 first SEH record in the exception handlers chain is used and, since
 this  is located in the stack and near the overflowed buffer, the
 most obvious method to execute arbitrary code bypassing the
 protection seems to be overwriting the function pointer contained in
 that SEH record.

 To be precise, the exception is raised when the program tries to
 check the chunk's CRC32 and the exception code is 0xE06D7363.

 The tRNS chunk to accomplish the above strategy would look like the
 following:

  |  chunk type   |space for code|(1)   SEH record    | CRC32 |
  ["tRNS" 4 bytes][256+168 bytes ][next/eip: 8 bytes]

 The chunk type and crc32 fields are not copied into the stack.

 After taking control of the execution flow, [ESP+8] points to (1), so
 a  possible structure for the fake SEH record could be:

 EB F9 ?? ?? XX XX XX XX

 Where EB F9 is the opcode for a jump to 5 bytes back, the next  two
 bytes (?? ??) can have any value and the next 4 bytes are the address
 of a "jmp [esp+8]". In this way only a small portion of the program
 stack is modified and execution of arbitrary code is obtained.

[Attack vectors]

 The vulnerability may be used to infect image files. This means that
 a valid PNG file  could be modified to exploit vulnerable programs
 and still look as a harmless picture to other applications.

 There are 4 known attack vectors to trigger the vulnerability in
 the PNG image processing code:
 - Delivery of a malformed PNG image as display picture
 - Delivery of a malformed PNG image as a thumbnail
 - Delivery of a malformed PNG image as an icon
 - Delivery of a malformed PNG image as a regular file transfer
   offering

[Detection of an attack]

 An important success factor for attacks targeting end-user
 applications is being unnoticeable by the user. Error messages,
 crashes and hangs are not desirable when attacking a server, but tend
 to be catastrophic to an attack whenever a user on the other side is
 interacting with the program being attacked.

 Some characteristics of this vulnerability and program design make
 the perpetration of stealth attacks easier. This means that it's
 possible to exploit the vulnerability, executing code while keeping
 the application running normally. There are several ways to achieve
 this:

 The basic idea is to return the execution flow to the application
 after  creating a new thread or process. In the exploitation scheme
 described above, the code executed by the attacker may act as a
 legitimate exception handler by behaving in the following manner:

 1. moves stack pointer to a lower address and saves registers.
 2. performs the desired operations, i.e. creates a new thread.
 3. reconstructs the overwritten SEH record.
 4. recover saved register values, including the stack pointer.
 5. returns a valid filter expression value (-1, 0 or 1) [5].

 Since delivery of an attack does not rely on any noticeable or
 suspicious network traffic outside of the normal behavior for the
 application's protocol, the only suitable way of detection from a
 network point of view is with the use of a proxy, IPS or firewall
 system with the capability of interpreting and normalizing the MSN
 Messenger protocol.  In lieu of a patched client, attack detection
 should be based on the identification of malformed PNG images in
 MSN Messenger protocol traffic.

 The known attack vectors can be used to deliver successful attacks
 that are unnoticeable to the end user, not disrupting the execution
 of the MSN Messenger client running on the victim's computer and
 using it as a vantage point to compromise other clients by 'infecting'
 the victim's display picture.
 In this manner the vulnerability can be used to launch  massive
 attacks using the application's underlying communications protocol as
 a delivery vector.
 Therefore, understanding the technical attributes for exploitation
 is also highly relevant to detect and prevent attacks.

[Plausible exploit implementations]

 The code to exploit a server vulnerability usually involves
 implementing a limited portion of a network protocol that are in
 general, standard and well documented. Knowledge about encodings,
 languages and file formats are also needed to exploit browser or mail
 client flaws. However, even in those cases, the implementation
 complexity is low.

 In this case, crafting the malformed PNG image file seems simple but
 delivering the image to the victim through the Messenger protocol is
 somewhat a more difficult task.

 Alternatives to implementing an entire messenger client are:

    1) using the standard client application to send the image.
    2) using an open source third party client.
    3) using a messenger protocol proxy.

 1. In order to send the image using the standard client, it must be
 previously patched and modified to accept the infected image file as
 a display picture, emoticon or any other desired image type.

 2. The difference with the previous option is that the modifications
 can be made easily.

 3. The idea behind using a proxy is to avoid modifying a client, and
 being able to synchronize the other stages of an attack, as well as
 the possibility of using the same communication channel to control
 the victim's computer.
 A messenger protocol proxy can be used both to inject malformed PNG
 images to deliver an attack, or to sanitize outgoing traffic to
 prevent exploitation of third parties system.

[Proof of Concept exploit code]

 To check if a  MSN Messenger client is vulnerable, users can
 download the PNG image provided in the following URL

 http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip

 The PNG image was built to work with MSN Messenger 6.2.0137.
 Once downloaded and uncompressed, open MSN Messenger, go to
 Tools->"Change display picture..."  and select the file.

 On vulnerable clients either a message box will be  shown or
 MSN Messenger will crash.


*References*

 [1] libPNG 1.2.5 stack-based buffer overflow and other code concerns
 http://scary.beasts.org/security/CESA-2004-001.txt

 [2] Multiple buffer overflows in libpng 1.2.5
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

 [3] Portable Network Graphics (PNG) Specification and Extensions
 http://www.libpng.org/pub/png/spec/

 [4] MSDN Compiler Security Checks In Depth
 http://go.microsoft.com/fwlink/?Linkid=7260

 [5] Structured Exception Handling
 http://msdn.microsoft.com/library/en-us/debug/base/structured_exception_handling.asp 

 http://www.microsoft.com/msj/0197/exception/exception.aspx
 http://msdn.microsoft.com/library/en-us/debug/base/using_an_exception_handler.asp

 [6] MSN Messenger protocol - display pictures
 http://www.hypothetic.org/docs/msn/phorum/read.php?f=1&i=7834&t=7834


*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets. Headquartered in Boston, MA, Core Security Technologies can
 be reached at 617-399-6980 or on the Web at
 http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing product, visit:
 http://www.coresecurity.com/products/coreimpact

*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2005 CORE Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: msn-png-advisory.txt,v 1.19 2005/02/08 19:14:02 iarce Exp $



This archive was generated by hypermail 2.1.3 : Tue Feb 08 2005 - 12:58:36 PST