[ISN] JPEG/GDIplus vulnerability

InfoSec News isn at c4i.org
Mon Sep 27 04:23:14 EDT 2004

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

If you have not been living under a rock (in security terms), you will
likely have heard something about the GDI+ vulnerability in the past
few days.  JPEGs and other files that may be handled in the same way
are now potentially "dangerous" data files.

In 1994 a graphics file was spread via Usenet that contained oddities
in the header, and at about the same time a virus warning hoax was
created that warned of a viral JPEG file.  Neither of these was, in
fact, related to actual malicious software, but I did some study on
the subject and found header structures in both formats that could,
potentially, have been used as malware vectors, under certain

The specifics of the current JPEG/GDI+ vulnerability are very
difficult to obtain, even when you have copies of the various
"exploits" that have been released.  However, it does seem to be
simply your common or garden buffer overflow.  As I write I am not
aware of any specific exploits that have been released with the intent
to use them maliciously.  However, given the number of "exploit"
samples that have been released I dare say that it will not be long
before we see the real ones come out.  It is unlikely that viruses
will be created using this vulnerability, but it is quite probable
that viruses will be created that carry graphics files (likely
pornographic) that will use the vulnerability to open links to malware
on Web sites, or simply open backdoors on machines for exploitation
and amalgamation into botnets of various types.

Microsoft security bulletin MS04-028
(http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx) has
some links that, if you manage to follow them all the way through,
will lead you to a patch.  The Windows and Office Update sites will
also provide you with the patches, but not always easily.  (For
example, Windows Update seems to insist that you install SP2 first,
although there is a way around this.)  Affected systems use certain
versions of the gdiplus.dll file.  The most widespread of the affected
versions of the file come with Microsoft Windows and Office, 2003 and
XP versions.  Other Microsoft (and other vendors') products also have
vulnerable versions of the file.

The file is fairly ubiquitous.  I've got eleven copies (and two
compressed copies) of five different versions of gdiplus.dll on my
machine.  (Versions of it also exist with different file names.)  The
Microsoft site does provide details of which version numbers are
vulnerable or not--but no information about file sizes or dates that
might allow you to determine which versions are which.  If you follow
links through from that page there is also a "detection" tool--but it
only tells you that you *are* vulnerable, rather than identifying
specific instances.

SANS also has provided a scanning tool, at
http://isc.sans.org/gdiscan.php.  (Actually two, a GUI version and a
command line version.  The GUI version, as provided, seems to want a
disk in drive F:, but if you tell it to continue seems to function.)  
This tool identifies which versions are vulnerable and which are not,
and also scans other filenames which are, in fact, renamed copies of
the gdiplus.dll file, such as:

   Version: 5.1.3097.0 <-- Vulnerable version 
C:\Program Files\ArcSoft\Software Suite\PhotoImpression 
   Version: 5.1.3097.0 <-- Vulnerable version 
C:\Program Files\Common Files\Microsoft 
   Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
   Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
   Version: 6.0.3264.0

Banning JPEGs is unlikely to be effective as a security measure.  
Untrained users will probably not know how to turn off the relevant
functions, or be willing to so "cripple" their Web browsing.  In any
case, graphics files of various types can be renamed, and Windows will
still identify them from internal structures, and run them through
GDI+.  Using firewalls to block .jpeg, .jpg, and the various other
normal file extensions would therefore also probably be ineffective in
some cases.

Microsoft has provided some new patches (patches for Office and
Windows apparently have to be installed separately), and others will
possibly do so as well.  It may be difficult to find the appropriate
patches for all applications.  One would assume that all versions of
gdiplus.dll could simply be replaced by the latest (safe) version,
but, knowing the industry, one would probably be wrong.

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
Success is to be measured not so much by the position that one
has reached in life as by the obstacles which he has overcome
while trying to succeed.                      - Booker T. Washington
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
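
The point above about renamed graphics files, as an added example that is not part of the original post: a Python sketch of how a mail or web gateway could classify a file by its leading bytes instead of its extension, and reject JPEGs whose segment lengths are impossible. File names and sample bytes are constructed, and the length check is a generic structural test, not a signature for the GDI+ flaw.

```python
import os

# Leading-byte signatures (format facts) and the extensions normally used for each type.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
              b"GIF87a": "gif", b"GIF89a": "gif"}
EXTENSIONS = {"jpeg": {".jpg", ".jpeg", ".jpe"}, "png": {".png"}, "gif": {".gif"}}

def sniff(data):
    """Return the image type implied by the content, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def jpeg_segments_ok(data):
    """Walk the marker segments up to start-of-scan; False if any length is impossible."""
    pos = 2                                   # skip SOI (FF D8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False                      # every segment starts with FF
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):            # SOS or EOI: header walked cleanly
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                          # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        # The length field counts its own two bytes, so anything below 2 is invalid.
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False                              # truncated before SOS/EOI

def classify(name, data):
    """Verdict for one file, based on content first and name second."""
    kind = sniff(data)
    if kind is None:
        return "not-image"
    if kind == "jpeg" and not jpeg_segments_ok(data):
        return "malformed-jpeg"
    ext = os.path.splitext(name)[1].lower()
    return kind if ext in EXTENSIONS[kind] else "disguised-" + kind

# Constructed samples: a minimal well-formed JPEG header and one with a zero-length segment.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8\xff\xe0\x00\x00\xff\xd9"
```

A filter keyed on .jpg or .jpeg alone would pass the "disguised-jpeg" case untouched, which is the weakness the post describes.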
