Title Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability
Published 2004-09-14-12:00AM
Updated 2005-01-18-09:29PM
Class Boundary Condition Error
CVE   CAN-2004-0200
Remote  Yes
Local  No
Credit  This issue was discovered by Cassidy Macfarlane and later independently rediscovered by Nick Debaggis. The issue is similar in nature to BID 1503, discovered by Solar Designer.
Vulnerable  Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64bit Edition Version 2003
Microsoft Windows XP 64bit Edition SP1
Microsoft Windows XP 64bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition 64bit
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition 64bit
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Messenger 5.0
Microsoft Visual Studio .NET 2003
Microsoft Visual Basic .NET Standard 2003
Microsoft Visual C# .NET Standard 2003
Microsoft Visual C .NET Standard 2003
Microsoft Visual J# .NET Standard 2003
Microsoft Visual Studio .NET 2002
Microsoft Visual Basic .NET Standard 2002
Microsoft Visual C# .NET Standard 2002
Microsoft Visual C .NET Standard 2002
Microsoft Visual FoxPro Runtime Library 8.0
Microsoft Visual FoxPro 8.0
Microsoft Visio 2003 Standard
Microsoft Visio 2003 Professional
Microsoft Visio 2002 Standard SP2
Microsoft Visio 2002 Professional SP2
Microsoft Project 2003
Microsoft Project 2002 SP1
Microsoft Project 2002
Microsoft Producer for Microsoft Office PowerPoint
Microsoft Platform SDK Redistributable: GDI
Microsoft Picture It! Library
Microsoft MSN Messenger Service 9.0
Microsoft Picture It! 2002
Microsoft Picture It! 9.0
Microsoft Picture It! 7.0
Microsoft Office XP SP3
Microsoft Excel 2002 SP3
Microsoft FrontPage 2002 SP3
Microsoft Outlook 2002 SP3
Microsoft PowerPoint 2002 SP3
Microsoft Publisher 2002 SP3
Microsoft Word 2002 SP3
Microsoft Office XP SP2
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1
Microsoft Office 2003
Microsoft Excel 2003
Microsoft FrontPage 2003
Microsoft InfoPath 2003
Microsoft OneNote 2003
Microsoft Outlook 2003
Microsoft PowerPoint 2003
Microsoft Publisher 2003
Microsoft Word 2003
Microsoft Internet Explorer 6.0 SP1
Microsoft Greetings 2002
Microsoft Digital Image Suite 9.0
Microsoft Digital Image Pro 9.0
Microsoft Digital Image Pro 7.0
Microsoft .NET Framework SDK 1.0 SP2
Microsoft .NET Framework SDK 1.0 SP1
Microsoft .NET Framework SDK 1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.0 SP2
Business Objects Crystal Reports 10.0
Business Objects Crystal Reports 9.0
Business Objects Crystal Enterprise 10.0
Business Objects Crystal Enterprise 9.0
Avaya S8100 Media Servers
Avaya S3400 Message Application Server
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers
Not Vulnerable  Microsoft Windows XP Professional SP2
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Home SP2
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S8100 Media Servers
Microsoft Windows Messenger 5.1
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Visio 2003 SP1
Microsoft Visio 2000 Enterprise Edition
Microsoft Project 2003 SP1
Microsoft Project 2000
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows NT 4.0
Microsoft Picture It! Premium 10.0
Microsoft Office 2003 SP1
Microsoft Office 2000 SP3
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 2000 Professional SP3
  - Microsoft Windows 98
  - Microsoft Windows 98SE
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
  - Microsoft Windows XP Home SP1
  - Microsoft Windows XP Professional
  - Microsoft Windows XP Professional SP1
Microsoft Office 2000 SP2
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
  - Microsoft Windows XP Professional
Microsoft Office 2000 SP1
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
  - Microsoft Windows XP Professional
Microsoft Office 2000
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
  - Microsoft Windows XP Professional
Microsoft Internet Explorer 5.5 SP2
  - Microsoft Windows 2000 Advanced Server
  - Microsoft Windows 2000 Advanced Server SP1
  - Microsoft Windows 2000 Advanced Server SP2
  - Microsoft Windows 2000 Datacenter Server
  - Microsoft Windows 2000 Datacenter Server SP1
  - Microsoft Windows 2000 Datacenter Server SP2
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 2000 Server
  - Microsoft Windows 2000 Server SP1
  - Microsoft Windows 2000 Server SP2
  - Microsoft Windows 2000 Terminal Services
  - Microsoft Windows 2000 Terminal Services SP1
  - Microsoft Windows 2000 Terminal Services SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows 98SE
  - Microsoft Windows ME
  - Microsoft Windows NT Enterprise Server 4.0
  - Microsoft Windows NT Enterprise Server 4.0 SP1
  - Microsoft Windows NT Enterprise Server 4.0 SP2
  - Microsoft Windows NT Enterprise Server 4.0 SP3
  - Microsoft Windows NT Enterprise Server 4.0 SP4
  - Microsoft Windows NT Enterprise Server 4.0 SP5
  - Microsoft Windows NT Enterprise Server 4.0 SP6
  - Microsoft Windows NT Enterprise Server 4.0 SP6a
  - Microsoft Windows NT Server 4.0
  - Microsoft Windows NT Server 4.0 SP1
  - Microsoft Windows NT Server 4.0 SP2
  - Microsoft Windows NT Server 4.0 SP3
  - Microsoft Windows NT Server 4.0 SP4
  - Microsoft Windows NT Server 4.0 SP5
  - Microsoft Windows NT Server 4.0 SP6
  - Microsoft Windows NT Server 4.0 SP6a
  - Microsoft Windows NT Terminal Server 4.0
  - Microsoft Windows NT Terminal Server 4.0 SP1
  - Microsoft Windows NT Terminal Server 4.0 SP2
  - Microsoft Windows NT Terminal Server 4.0 SP3
  - Microsoft Windows NT Terminal Server 4.0 SP4
  - Microsoft Windows NT Terminal Server 4.0 SP5
  - Microsoft Windows NT Terminal Server 4.0 SP6
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Digital Image Suite 10.0
Microsoft Digital Image Pro 10.0
Microsoft .NET Framework 1.1 SP1
Microsoft .NET Framework 1.0 SP3
Code   A proof-of-concept JPEG that triggers this issue and crashes the affected library is available. The Solar Designer proof of concept 'crash-netscape.jpg' is also reported to trigger this vulnerability.

An additional proof-of-concept exploit, 'jpegcompoc.zip', was made available by GulfTech Research.

A script that creates a proof-of-concept JPEG, 'ms04-028.sh', is also available.

The 'MSjpegExploitByFoToZ.c' exploit, which opens a command shell on the local system, is available.

An additional exploit, 'jfif-expII.sh', with a functional payload has been published. The payload adds user "X" to the Admin group when executed. The exploit is reportedly successful against various versions of GDI+.

A new exploit, 'JpegOfDeath.c', is available. It is based on the FoToZ exploit but provides a reverse-connect command shell.

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Files:
/data/vulnerabilities/exploits/CRASH-TEST.zip
/data/vulnerabilities/exploits/crash-netscape.jpg
/data/vulnerabilities/exploits/jpegcompoc.zip
/data/vulnerabilities/exploits/ms04-028.sh
/data/vulnerabilities/exploits/MSjpegExploitByFoToZ.c
/data/vulnerabilities/exploits/jfif-expII.sh
/data/vulnerabilities/exploits/msJPEGParsingVulnHighT1mes.c
/data/vulnerabilities/exploits/JpegOfDeath.c
/data/vulnerabilities/exploits/jpegOfDeathv0_6_a.c
/data/vulnerabilities/exploits/JPGDownloaderATmaCA.c
/data/vulnerabilities/exploits/sacred_jpg.c
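The boundary condition named in the title is in the handling of the 16-bit JPEG segment length field, which counts its own two bytes: the payload size is computed as len - 2, and a COM (0xFFFE) segment whose length field is 0 or 1 makes that unsigned subtraction wrap. The C below is an added illustration, not code from this page or from any of the exploits listed above. It puts the unchecked subtraction beside its hardened form and walks every variable-length marker segment of a JPEG buffer (not only COM, so it generalizes the check), flagging any length field below 2. The two JPEG byte strings are constructed for the example; the function and constant names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of walking the marker segments. */
enum jpeg_scan_result {
    JPEG_OK = 0,          /* reached SOS or EOI with every length field sane */
    JPEG_BAD_LENGTH = 1,  /* a segment length field below 2: the underflow trigger */
    JPEG_TRUNCATED = 2,   /* a length field points past the end of the buffer */
    JPEG_BAD_MARKER = 3   /* a byte that should be a 0xFF marker prefix is not */
};

/* The pattern behind the bug: the 16-bit length field counts its own two
 * bytes, so the payload size is len - 2.  Done unsigned and unchecked, a
 * field of 0 or 1 wraps to 0xFFFFFFFE / 0xFFFFFFFF, and a later copy or
 * allocation is sized from that value.  Shown only to make the arithmetic
 * visible; nothing is copied here. */
uint32_t payload_len_vulnerable(uint16_t len)
{
    return (uint32_t)len - 2u;
}

/* Hardened form: refuse length fields below 2 before subtracting.
 * Returns 1 and stores the payload size, or 0 for a malformed field. */
int payload_len_checked(uint16_t len, uint32_t *payload)
{
    if (len < 2)
        return 0;
    *payload = (uint32_t)len - 2u;
    return 1;
}

/* Walk marker segments from SOI to SOS/EOI and validate every length field.
 * On JPEG_BAD_LENGTH, *bad_offset is the offset of the offending marker. */
int jpeg_scan_segments(const uint8_t *buf, size_t n, size_t *bad_offset)
{
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)   /* must start with SOI */
        return JPEG_BAD_MARKER;

    size_t i = 2;
    while (i + 2 <= n) {
        if (buf[i] != 0xFF)
            return JPEG_BAD_MARKER;
        uint8_t marker = buf[i + 1];

        if (marker == 0xFF) { i += 1; continue; }       /* fill byte */
        if (marker == 0xD9) return JPEG_OK;             /* EOI */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) {
            i += 2; continue;                           /* TEM, RSTn, SOI: no length field */
        }
        if (i + 4 > n)
            return JPEG_TRUNCATED;                      /* length field itself is cut off */

        uint16_t len = (uint16_t)((buf[i + 2] << 8) | buf[i + 3]);
        uint32_t payload;
        if (!payload_len_checked(len, &payload)) {
            if (bad_offset) *bad_offset = i;
            return JPEG_BAD_LENGTH;
        }
        if (marker == 0xDA) return JPEG_OK;             /* SOS: entropy-coded data follows */
        if ((size_t)2 + len > n - i)
            return JPEG_TRUNCATED;
        i += 2 + len;                                   /* marker (2) + length field + payload */
    }
    return JPEG_TRUNCATED;
}

/* Constructed samples (not files from this page): SOI, one COM segment, EOI.
 * The second carries a COM length field of 1, the value that wraps above. */
const uint8_t sample_benign[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x05, 'a', 'b', 'c', 0xFF, 0xD9
};
const size_t sample_benign_len = sizeof sample_benign;

const uint8_t sample_underflow[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9
};
const size_t sample_underflow_len = sizeof sample_underflow;

int main(void)
{
    size_t off = 0;
    printf("unchecked len-2 for len=1: 0x%08x\n", (unsigned)payload_len_vulnerable(1));
    printf("benign:    %d\n", jpeg_scan_segments(sample_benign, sample_benign_len, &off));
    printf("underflow: %d (marker at offset %zu)\n",
           jpeg_scan_segments(sample_underflow, sample_underflow_len, &off), off);
    return 0;
}
```

The walker stops at SOS because the entropy-coded scan that follows is not marker-delimited by length fields, so the same check does not apply there. A file that passes this scan can still be malformed in other ways; the check only rules out the specific length-field underflow.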
Copyright 2007, SecurityDot
Tue, 02 Dec 2008 05:24:58 +0000
