MSN Messenger PNG Image Parsing Vulnerability

MSN Messenger PNG Image Parsing Vulnerability

Core Security Technologies Advisory
http://www.coresecurity.com

Date Published: 2005-02-08

Last Update: 2005-02-08

Advisory ID: CORE-2004-0819

Bugtraq ID: 12506

CVE Name: CVE-2004-0597

Title: MSN Messenger PNG Image Parsing Vulnerability

Class: Boundary Error Condition (Stack Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL: http://www.coresecurity.com/?action=item&id=1323

Vendors contacted:
- Microsoft
. 2004-08-23: Notification to vendor
. 2004-08-23: Notification acknowledgment received from vendor
. 2005-02-08: Publication of fixes and advisories

Release Mode: COORDINATED RELEASE

*Vulnerability Description:*

MSN Messenger is a fully featured Instant Messaging (IM) program, that allows users to exchange pictures using the PNG image format and display them during conversations.

A vulnerability found in the parsing of PNG images could allow an attacker to execute arbitrary code in the chat partner's machine and gain access to the system with the privileges of the user running the MSN Messenger client program.

This vulnerability can be exploited on Windows 2000 (all service packs) and Windows XP (all service packs) that run vulnerable clients of MSN Messenger.

Due to the particular characteristics of the MSN Messenger communications protocol, exploitation of the vulnerability is likely to pass unnoticed to network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and firewalls that do not implement decoding and normalization of the MSN Messenger protocol encapsulated within HTTP. Furthermore, its is possible to craft exploit code to compromise vulnerable systems without crashing or disrupting the normal functioning of the MSN Messenger client application and thus passing unnoticed to the end-user as well.

*Vulnerable Packages:*

The vulnerability was discovered and researched on the following packages:
. MSN Messenger 6.1 on Windows 2000 and Windows XP
. MSN Messenger 6.2 on Windows 2000 and Windows XP

The vendor reported the following packages as vulnerable:
. MSN Messenger 6.1
. MSN Messenger 6.2
. Windows Messenger 4.7.2009
. Windows Messenger 4.7.3000
. Windows Messenger 5.0
. Windows Media Player 9 series (CVE CAN-2004-1244)

 

*Solution/Vendor Information/Workaround:*

Microsoft Security Bulletin MS05-009 provides details and fix packages or vulnerable applications. It can be found at: http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx

The vendor reported that following packages/versions are NOT vulnerable:
. Windows Media Player 6.4
. Windows Media Player 7.1
. Windows Media Player for Windows XP (8.0)
. Windows Media Player 9 Series for Windows XP Service Pack 2
. Windows Media Player 10
. MSN Messenger for Mac

Additionally, mitigating actions to reduce exposure to the vulnerability are provided below, but note that these actions might not suffice to close ALL attack vectors for ALL vulnerable packages:
. MSN Messenger users should not accept unsolicited chat session requests from chat partners not in their contacts list.
. MSN Messenger users should disable the custom emoticons feature of MSN Messenger, to do so go to
Tools->Options->Messages.
. Deny execution of MSN Messenger client application using ACLs or Host-based security controls.
. Block MSN Messenger communications at the network perimeter.
. Filter transmission of malformed PNG images using an application-layer proxy that supports MSN Messenger protocol.

Disabling the "Display Picture" feature in MSN Messenger DOES NOT prevent exploitation.

Core Security Technologies has made available a sample malformed PNG file that can be used to check if an MSN Messenger client is vulnerable.

The ZIP-compressed image is available by contacting CORE. 

After downloading it, uncompress and save it to a work folder, open MSN Messenger and select the image as your display picture in "Tools->Change Display Picture".

Vulnerable clients will either crash or display popup dialog with the following text: "Your MSN Messenger client is vulnerable"

*Credits:*

This vulnerability was found by Juliano Rizzo from Core Security Technologies.

Previous problems related to PNG images were discovered by Chris Evans in the libPNG open source library [1][2].

*Technical Description - Exploit/Concept Code:*

This vulnerability was found in MSN Messenger 6.2.0137, all technical details apply to that package and version but may be applicable to other vulnerable versions as well.

The MSN Messenger protocol supports transmission of several types of images between users that are displayed during conversations. These include:
. The display picture, which usually is a picture of the user.
. Custom icons that are small images shown in the message line.
. Thumbnails of images being transferred.
. Background images.

The image format used is PNG [3]. When a user selects a picture to be displayed as avatar, Messenger converts it to PNG format with a fixed size and encoding characteristics. When a conversation is initiated with a contact, the image is transmitted over the same communication channel used to exchange text messages. By sending a specially crafted PNG image an attacker can trigger a buffer overflow and execute arbitrary code on the chat partner's system.

The PNG file format structure is based on chunks as described in [3]. The vulnerability is present in processing intentionally malformed image chunks with specially crafted values for some fields in the IHDR and tRNS chunk types. The IHDR chunk has a "color type" field: a single-byte integer that describes the interpretation of the image data. To trigger the bug, the flags "color used" and "palette used" have to be set in the color type field, whereas the "alpha channel used" flag must not be set. Thus, the color type value has to be set to 0x03. There must also exist a tRNS chunk with enough data length (>256) to overflow a buffer and reach a function pointer address. A PLTE chunk could exist in the file, but it has to be after the tRNS chunk.

[MSN Messenger clients compiled with the /GS stack-overflow protection mechanism]

Although the MSN Messenger client is compiled with the /GS compiler switch that provides protection against stack-based overflows as described in [4], exploitation is not prevented in this case.

The following excerpt from MSDN describes the functionality of the /GS switch:

"...The /GS switch provides a "speed bump" or cookie, between the buffer and the return address. If an overflow writes over the return address, it will have to overwrite the cookie put in between it and the buffer, resulting in a new stack layout..."

The protection mechanism verifies the integrity of a called function's return address. By building a longer buffer, data beyond the return address can be overwritten, including: function parameters, local variables and Structured Exception Handling records [5]. Due to the way errors are handled in the MSN Messenger client, an exception is raised after the overflow occurs but before any stack integrity verification is done. To process that exception the first SEH record in the exception handlers chain is used and, since this is located in the stack and near the overflowed buffer, the most obvious method to execute arbitrary code bypassing the protection seems to be overwriting the function pointer contained in that SEH record.

To be precise, the exception is raised when the program tries to check the chunk's CRC32 and the exception code is 0xE06D7363.

The tRNS chunk to accomplish the above strategy would look like the following:

| chunk type | space for code |(1) SEH record | CRC32 |
["tRNS" 4 bytes][256+168 bytes ][next/eip: 8 bytes]

The chunk type and crc32 fields are not copied into the stack.

After taking control of the execution flow, [ESP+8] points to (1), so a possible structure for the fake SEH record could be:

EB F9 ?? ?? XX XX XX XX

Where EB F9 is the opcode for a jump to 5 bytes back, the next two bytes (?? ??) can have any value and the next 4 bytes are the address of a "jmp [esp+8]". In this way only a small portion of the program stack is modified and execution of arbitrary code is obtained.

[Attack vectors]

The vulnerability may be used to infect image files. This means that a valid PNG file could be modified to exploit vulnerable programs and still look as a harmless picture to other applications.

There are 4 known attack vectors to trigger the vulnerability in the PNG image processing code:
- Delivery of a malformed PNG image as display picture
- Delivery of a malformed PNG image as a thumbnail
- Delivery of a malformed PNG image as an icon
- Delivery of a malformed PNG image as a regular file transfer offering

[Detection of an attack]

An important success factor for attacks targeting end-user applications is being unnoticeable by the user. Error messages, crashes and hangs are not desirable when attacking a server, but tend to be catastrophic to an attack whenever a user on the other side is interacting with the program being attacked.

Some characteristics of this vulnerability and program design make the perpetration of stealth attacks easier. This means that it's possible to exploit the vulnerability, executing code while keeping the application running normally. There are several ways to achieve this:

The basic idea is to return the execution flow to the application after creating a new thread or process. In the exploitation scheme described above, the code executed by the attacker may act as a legitimate exception handler by behaving in the following manner:

1. moves stack pointer to a lower address and saves registers.
2. performs the desired operations, i.e. creates a new thread.
3. reconstructs the overwritten SEH record.
4. recover saved register values, including the stack pointer.
5. returns a valid filter expression value (-1, 0 or 1) [5].

Since delivery of an attack does not rely on any noticeable or suspicious network traffic outside of the normal behavior for the application's protocol, the only suitable way of detection from a network point of view is with the use of a proxy, IPS or firewall system with the capability of interpreting and normalizing the MSN Messenger protocol. In lieu of a patched client, attack detection should be based on the identification of malformed PNG images in MSN Messenger protocol traffic.

The known attack vectors can be used to deliver successful attacks that are unnoticeable to the end user, not disrupting the execution of the MSN Messenger client running on the victim's computer and using it as a vantage point to compromise other clients by 'infecting' the victim's display picture. In this manner the vulnerability can be used to launch massive attacks using the application's underlying communications protocol as a delivery vector. Therefore, understanding the technical attributes for exploitation is also highly relevant to detect and prevent attacks.

[Plausible exploit implementations]

The code to exploit a server vulnerability usually involves implementing a limited portion of a network protocol that are in general, standard and well documented. Knowledge about encodings, languages and file formats are also needed to exploit browser or mail client flaws. However, even in those cases, the implementation complexity is low.

In this case, crafting the malformed PNG image file seems simple but delivering the image to the victim through the Messenger protocol is somewhat a more difficult task.

Alternatives to implementing an entire messenger client are:

1) using the standard client application to send the image.
2) using an open source third party client.
3) using a messenger protocol proxy.

1. In order to send the image using the standard client, it must be previously patched and modified to accept the infected image file as a display picture, emoticon or any other desired image type.

2. The difference with the previous option is that the modifications can be made easily.

3. The idea behind using a proxy is to avoid modifying a client, and being able to synchronize the other stages of an attack, as well as the possibility of using the same communication channel to control the victim's computer. A messenger protocol proxy can be used both to inject malformed PNG images to deliver an attack, or to sanitize outgoing traffic to prevent exploitation of third parties system.

[Proof of Concept exploit code]

To check if a MSN Messenger client is vulnerable, users can download the PNG image by contacting CORE. 

The PNG image was built to work with MSN Messenger 6.2.0137. Once downloaded and uncompressed, open MSN Messenger, go to Tools->"Change display picture..." and select the file.

On vulnerable clients either a message box will be shown or MSN Messenger will crash.

*References*

[1] libPNG 1.2.5 stack-based buffer overflow and other code concerns
http://scary.beasts.org/security/CESA-2004-001.txt

[2] Multiple buffer overflows in libpng 1.2.5
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

[3] Portable Network Graphics (PNG) Specification and Extensions
http://www.libpng.org/pub/png/spec/

[4] MSDN Compiler Security Checks In Depth
http://go.microsoft.com/fwlink/?Linkid=7260

[5] Structured Exception Handling
http://msdn.microsoft.com/library/en-us/debug/base/structured_exception_handling.asp
http://www.microsoft.com/msj/0197/exception/exception.aspx
http://msdn.microsoft.com/library/en-us/debug/base/using_an_exception_handler.asp

[6] MSN Messenger protocol - display pictures
http://www.hypothetic.org/docs/msn/phorum/read.php?f=1&i=7834&t=7834

*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets. Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration testing product, visit: http://www.coresecurity.com/products/coreimpact.

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2005 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: msn-png-advisory.txt,v 1.19 2005/02/08 19:14:02 iarce Exp $