CORE-2004-0819: MSN Messenger PNG Image Parsing Vulnerability
Core Security Technologies Advisory
http://www.coresecurity.com
MSN Messenger PNG Image Parsing Vulnerability
Date Published: 2005-02-08
Last Update: 2005-02-08
Advisory ID: CORE-2004-0819
Bugtraq ID: None currently assigned.
CVE Name: CAN-2004-0597
Title: MSN Messenger PNG Image Parsing Vulnerability
Class: Boundary Error Condition (Stack Buffer Overflow)
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10
Vendors contacted:
- Microsoft
2004-08-23: Notification to vendor
2004-08-23: Notification acknowledgment received from vendor
2005-02-08: Publication of fixes and advisories
Release Mode: COORDINATED RELEASE
*Vulnerability Description:*
MSN Messenger is a fully featured Instant Messaging (IM) program,
that allows users to exchange pictures using the PNG image format and
display them during conversations.
A vulnerability found in the parsing of PNG images could allow an
attacker to execute arbitrary code in the chat partner's machine and
gain access to the system with the privileges of the user running the
MSN Messenger client program.
This vulnerability can be exploited on Windows 2000 (all service
packs) and Windows XP (all service packs) that run vulnerable
clients of MSN Messenger.
Due to the particular characteristics of the MSN Messenger
communications protocol, exploitation of the vulnerability is likely
to pass unnoticed to network Intrusion Detection Systems (IDS),
Intrusion Prevention Systems (IPS) and firewalls that do not
implement decoding and normalization of the MSN Messenger protocol
encapsulated within HTTP. Furthermore, its is possible to craft
exploit code to compromise vulnerable systems without crashing or
disrupting the normal functioning of the MSN Messenger client
application and thus passing unnoticed to the end-user as well.
*Vulnerable Packages:*
The vulnerability was discovered and researched on the following
packages:
. MSN Messenger 6.1 on Windows 2000 and Windows XP
. MSN Messenger 6.2 on Windows 2000 and Windows XP
The vendor reported the following packages as vulnerable:
. MSN Messenger 6.1
. MSN Messenger 6.2
. Windows Messenger 4.7.2009
. Windows Messenger 4.7.3000
. Windows Messenger 5.0
. Windows Media Player 9 series (CVE CAN-2004-1244)
*Solution/Vendor Information/Workaround:*
Microsoft Security Bulletin MS05-009 provides details and fix
packages or vulnerable applications. It can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx
The vendor reported that following packages/versions are NOT
vulnerable:
. Windows Media Player 6.4
. Windows Media Player 7.1
. Windows Media Player for Windows XP (8.0)
. Windows Media Player 9 Series for Windows XP Service Pack 2
. Windows Media Player 10
. MSN Messenger for Mac
Additionally, mitigating actions to reduce exposure to the
vulnerability are provided below, but note that these actions might
not suffice to close ALL attack vectors for ALL vulnerable packages:
. MSN Messenger users should not accept unsolicited chat session
requests from chat partners not in their contacts list.
. MSN Messenger users should disable the custom emoticons feature of
MSN Messenger, to do so go to Tools->Options->Messages.
. Deny execution of MSN Messenger client application using ACLs or
Host-based security controls.
. Block MSN Messenger communications at the network perimeter.
. Filter transmission of malformed PNG images using an
application-layer proxy that supports MSN Messenger protocol.
Disabling the "Display Picture" feature in MSN Messenger DOES NOT
prevent exploitation.
Core Security Technologies has made available a sample malformed
PNG file that can be used to check if an MSN Messenger client is
vulnerable.
The ZIP-compressed image is available at
http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip
After downloading it, uncompress and save it to a work folder, open
MSN Messenger and select the image as your display picture in
"Tools->Change Display Picture".
Vulnerable clients will either crash or display popup dialog with the
following text: "Your MSN Messenger client is vulnerable"
*Credits:*
This vulnerability was found by Juliano Rizzo from Core Security
Technologies.
Chris Evans discovered previous problems related to PNG images in
the libPNG open source library [1][2].
*Technical Description - Exploit/Concept Code:*
This vulnerability was found in MSN Messenger 6.2.0137, all technical
details apply to that package and version but may be applicable to
other vulnerable versions as well.
The MSN Messenger protocol supports transmission of several types of
images between users that are displayed during conversations.
These include:
. The display picture, which usually is a picture of the user.
. Custom icons that are small images shown in the message line.
. Thumbnails of images being transferred.
. Background images.
The image format used is PNG [3]. When a user selects a picture to be
displayed as avatar, Messenger converts it to PNG format with a fixed
size and encoding characteristics. When a conversation is initiated
with a contact, the image is transmitted over the same communication
channel used to exchange text messages.
By sending a specially crafted PNG image an attacker can trigger a
buffer overflow and execute arbitrary code on the chat partner's
system.
The PNG file format structure is based on chunks as described in [3].
The vulnerability is present in processing intentionally malformed
image chunks with specially crafted values for some fields in the
IHDR and tRNS chunk types.
The IHDR chunk has a "color type" field: a single-byte integer that
describes the interpretation of the image data. To trigger the bug,
the flags "color used" and "palette used" have to be set in the color
type field, whereas the "alpha channel used" flag must not be set.
Thus, the color type value has to be set to 0x03. There must also
exist a tRNS chunk with enough data length (>256) to overflow a
buffer and reach a function pointer address. A PLTE chunk could exist
in the file, but it has to be after the tRNS chunk.
[MSN Messenger clients compiled with the /GS stack-overflow protection
mechanism]
Although the MSN Messenger client is compiled with the /GS compiler
switch that provides protection against stack-based overflows as
described in [4], exploitation is not prevented in this case.
The following excerpt from MSDN describes the functionality of the
/GS switch:
"...The /GS switch provides a "speed bump" or cookie, between the
buffer and the return address. If an overflow writes over the return
address, it will have to overwrite the cookie put in between it and
the buffer, resulting in a new stack layout..."
The protection mechanism verifies the integrity of a called
function's return address. By building a longer buffer, data beyond
the return address can be overwritten, including: function
parameters, local variables and Structured Exception Handling records
[5]. Due to the way errors are handled in the MSN Messenger client,
an exception is raised after the overflow occurs but before any
stack integrity verification is done. To process that exception the
first SEH record in the exception handlers chain is used and, since
this is located in the stack and near the overflowed buffer, the
most obvious method to execute arbitrary code bypassing the
protection seems to be overwriting the function pointer contained in
that SEH record.
To be precise, the exception is raised when the program tries to
check the chunk's CRC32 and the exception code is 0xE06D7363.
The tRNS chunk to accomplish the above strategy would look like the
following:
| chunk type |space for code|(1) SEH record | CRC32 |
["tRNS" 4 bytes][256+168 bytes ][next/eip: 8 bytes]
The chunk type and crc32 fields are not copied into the stack.
After taking control of the execution flow, [ESP+8] points to (1), so
a possible structure for the fake SEH record could be:
EB F9 ?? ?? XX XX XX XX
Where EB F9 is the opcode for a jump to 5 bytes back, the next two
bytes (?? ??) can have any value and the next 4 bytes are the address
of a "jmp [esp+8]". In this way only a small portion of the program
stack is modified and execution of arbitrary code is obtained.
[Attack vectors]
The vulnerability may be used to infect image files. This means that
a valid PNG file could be modified to exploit vulnerable programs
and still look as a harmless picture to other applications.
There are 4 known attack vectors to trigger the vulnerability in
the PNG image processing code:
- Delivery of a malformed PNG image as display picture
- Delivery of a malformed PNG image as a thumbnail
- Delivery of a malformed PNG image as an icon
- Delivery of a malformed PNG image as a regular file transfer
offering
[Detection of an attack]
An important success factor for attacks targeting end-user
applications is being unnoticeable by the user. Error messages,
crashes and hangs are not desirable when attacking a server, but tend
to be catastrophic to an attack whenever a user on the other side is
interacting with the program being attacked.
Some characteristics of this vulnerability and program design make
the perpetration of stealth attacks easier. This means that it's
possible to exploit the vulnerability, executing code while keeping
the application running normally. There are several ways to achieve
this:
The basic idea is to return the execution flow to the application
after creating a new thread or process. In the exploitation scheme
described above, the code executed by the attacker may act as a
legitimate exception handler by behaving in the following manner:
1. moves stack pointer to a lower address and saves registers.
2. performs the desired operations, i.e. creates a new thread.
3. reconstructs the overwritten SEH record.
4. recover saved register values, including the stack pointer.
5. returns a valid filter expression value (-1, 0 or 1) [5].
Since delivery of an attack does not rely on any noticeable or
suspicious network traffic outside of the normal behavior for the
application's protocol, the only suitable way of detection from a
network point of view is with the use of a proxy, IPS or firewall
system with the capability of interpreting and normalizing the MSN
Messenger protocol. In lieu of a patched client, attack detection
should be based on the identification of malformed PNG images in
MSN Messenger protocol traffic.
The known attack vectors can be used to deliver successful attacks
that are unnoticeable to the end user, not disrupting the execution
of the MSN Messenger client running on the victim's computer and
using it as a vantage point to compromise other clients by 'infecting'
the victim's display picture.
In this manner the vulnerability can be used to launch massive
attacks using the application's underlying communications protocol as
a delivery vector.
Therefore, understanding the technical attributes for exploitation
is also highly relevant to detect and prevent attacks.
[Plausible exploit implementations]
The code to exploit a server vulnerability usually involves
implementing a limited portion of a network protocol that are in
general, standard and well documented. Knowledge about encodings,
languages and file formats are also needed to exploit browser or mail
client flaws. However, even in those cases, the implementation
complexity is low.
In this case, crafting the malformed PNG image file seems simple but
delivering the image to the victim through the Messenger protocol is
somewhat a more difficult task.
Alternatives to implementing an entire messenger client are:
1) using the standard client application to send the image.
2) using an open source third party client.
3) using a messenger protocol proxy.
1. In order to send the image using the standard client, it must be
previously patched and modified to accept the infected image file as
a display picture, emoticon or any other desired image type.
2. The difference with the previous option is that the modifications
can be made easily.
3. The idea behind using a proxy is to avoid modifying a client, and
being able to synchronize the other stages of an attack, as well as
the possibility of using the same communication channel to control
the victim's computer.
A messenger protocol proxy can be used both to inject malformed PNG
images to deliver an attack, or to sanitize outgoing traffic to
prevent exploitation of third parties system.
[Proof of Concept exploit code]
To check if a MSN Messenger client is vulnerable, users can
download the PNG image provided in the following URL
http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip
The PNG image was built to work with MSN Messenger 6.2.0137.
Once downloaded and uncompressed, open MSN Messenger, go to
Tools->"Change display picture..." and select the file.
On vulnerable clients either a message box will be shown or
MSN Messenger will crash.
*References*
[1] libPNG 1.2.5 stack-based buffer overflow and other code concerns
http://scary.beasts.org/security/CESA-2004-001.txt
[2] Multiple buffer overflows in libpng 1.2.5
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
[3] Portable Network Graphics (PNG) Specification and Extensions
http://www.libpng.org/pub/png/spec/
[4] MSDN Compiler Security Checks In Depth
http://go.microsoft.com/fwlink/?Linkid=7260
[5] Structured Exception Handling
http://msdn.microsoft.com/library/en-us/debug/base/structured_exception_handling.asp
http://www.microsoft.com/msj/0197/exception/exception.aspx
http://msdn.microsoft.com/library/en-us/debug/base/using_an_exception_handler.asp
[6] MSN Messenger protocol - display pictures
http://www.hypothetic.org/docs/msn/phorum/read.php?f=1&i=7834&t=7834
*About Core Security Technologies*
Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets. Headquartered in Boston, MA, Core Security Technologies can
be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
To learn more about CORE IMPACT, the first comprehensive penetration
testing product, visit:
http://www.coresecurity.com/products/coreimpact
*DISCLAIMER:*
The contents of this advisory are copyright (c) 2005 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.
$Id: msn-png-advisory.txt,v 1.19 2005/02/08 19:14:02 iarce Exp $