Wednesday, April 4, 2007

Several Windows image viewers vulnerabilities

Table of contents

1. Introduction
2. Description of experiments
3. Image viewers
4. Experimental results
5. Concluding remarks

Appendix I - Timeline
Appendix II - A possible Win XP SP1 vulnerability
Appendix III - Source code

1. Introduction

The purpose of this post is to present a small research covering security of several popular Windows image viewers. Although, when discussing security of image viewing software, web browsers are usually implied, since they will be on the 'front lines' in the unsafe environment such as the Internet, there are cases in which you may open potentially dangerous image file with your favorite image viewer. Some examples are:

- If you click on the attachment in your email application
- If you click on a file in an archive (such as zip or rar) you downloaded or got by email
- If you open a file on a network shared folder
- If you download the file using p2p programs such as BitTorrent and eMule

2. Description of experiments

The experiments were conducted as follows: Several errornous windows bitmap (.bmp) files were specially crafted to cause buffer overflows in certain cases, if such cases are not handled properly by the opening application. Each of these images was opend with all of the viewers included in this research and unexpected viewer behavior was noted. Here is the list of images used with their short descriptions.

This file defines a colormap larger than 256 entries (max allowed)

Similar to paletteof1.bmp, except the colormap is even larger

Uses run-length encoded blocks that extend beyond the image dimensions

Similar to rle8of1 except errornous RLE blocks start with a different offset

Uses xoffset and yoffset command in RLE encoded bmp in order to escape past image boundaries, then uses non-RLE encoded blocks to write data

similar to rle8of4.bmp except it doesn't use xoffset and yoffset, but still specififies enough non-RLE encoded blocks to escape image boundaries

Image dimensions are set so that width*height*3 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of bitmap bits to be smaller than the actual data provided

Image dimensions are set so that width*height*4 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of bitmap bits to be smaller than the actual data provided

Image dimensions are set so that width*3 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of a single bitmap row to be smaller than the actual data provided

Image dimensions are set so that width*4 causes integer overflow in 32-bit processors thus causing the amount of memory allocated for the storage of a single bitmap row to be smaller than the actual data provided

The code used to generate all of the above images is provided in Appendix III, so you can use it to test your favorite image viewer if it was not included here.

3. Image viewers

Several popular image viewers were selected for this test. The most recent version of these viewers at the time of testing was used. The viewers are

ACDSee 9.0 Photo Manager
IrfranView 3.99
FastStone Image Viewer 2.9

4. Experimental results

Test system: Windows XP SP2 on Mobile AMD Sempron 3000+, 512MB RAM

ACDSee 9.0 Photo Manager

w4intof.bmp - Application closes

ACDSee 9.0 Quick View

w3intof.bmp - Microsoft Visual C++ Runtime Library: Runtime Error
w4intof.bmp - Application crashes, Exception code 0xc0000005 (access violation)

IrfranView 3.99

rle8of3.bmp - Application crashes, Exception code 0xc0000005 (access violation)
rle8of4.bmp - Application crashes, The memory could not be "written" Application error

FastStone Image Viewer 2.9

wh3intof.bmp - Application window closes, however application keeps running in the background consuming 100% of CPU resource
wh4intof.bmp - Application closes

5. Concluding remarks

All of the applications tested showed some sort of unpredicted behavior on some of the images, demonstrating the need to further enhance the security of products of this type. Accessing memory locations outside the allowed space, possible in some applications as demonstrated above, is especially dangerous since it has a potential for being exploited by a malicious hacker to execute arbitrary code on the unsuspecting user's computer. Other vulnerabilities should also not be disregarded since they could, in theory at least, be used in Dos attacks.
Since no actual code execution was analysed in detail, it is impossible to say from the above just what consequences could any of the above have. I leave this analysis to the vendors of applications tested.
Note that this small research only covers bmp images, so that the presence of various other vulnerabilities is also possible (if not probable) in the code used to handle decoding of images in other formats.
All in all, best be carefull next time you click on that image of Britney Spears' shaved ... head :-)

Appendix I - Timeline

Feb 15 2007 - Experiments made
Feb 18 2007 - 1st attempt to contact vendors
Feb 19 2007 - IrfranView programmer responded, said the code would be fixed in the upcoming version, due out soon
Feb 21 2007 - 2nd attempt to contact remaining vendors
Feb 23 2007 - Got response from ACD System support saying that they forwarded the information to the Quality Assurance and that they would contact me when they hear back from them. Never heard from them after that.
Apr 04 2007 - Release of this report

Note: It is possible that some of the bugs mentioned here were fixed quietly. I didn't check.

Appendix II - A possible Win XP SP1 vulnerability

On an old machine running Windows XP SP1 I encountered unusual behavior with one of my test images. When clicking on the w4intof.bmp in Windows Explorer (with the file details pane on the left of the window turned on) or viewing files as thumbnails in the containing folder, the Explorer crashes and Windows reports the exception code 0xc0000005, indicating a possible overflow. It is possible that Windows Explorer in SP1 too suffers from this kind of vulnerability. However I only had that one machine with SP1 installed and on the machines with other windows versions (such as XP SP2) I didn't encounter any unusual behavior. I wrote to Microsoft about this promply after discovery. They responded that they no longer support XP SP1 and this is not something they would investigate for for an out-of-support product.

Appendix III - Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

unsigned int bfSize;
unsigned int bfReserved;
unsigned int bfOffBits;

unsigned int biSize;
unsigned int biWidth;
unsigned int biHeight;
unsigned short biPlanes;
unsigned short biBitCount;
unsigned int biCompression;
unsigned int biSizeImage;
unsigned int biXPelsPerMeter;
unsigned int biYPelsPerMeter;
unsigned int biClrUsed;
unsigned int biClrImportant;

void writebmp(char *filename, unsigned long width, unsigned long height, unsigned int bpp, unsigned int compression, unsigned char *palette, long numpalettecolors, unsigned char *data, long numdatabytes) {


unsigned char sig[2];
sig[0] = 'B';
sig[1] = 'M';

fileheader.bfSize = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4+numdatabytes;
fileheader.bfOffBits = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4;

infoheader.biSize = 40;
infoheader.biWidth = width;
infoheader.biHeight = height;
infoheader.biPlanes = 1;
infoheader.biBitCount = bpp;
infoheader.biCompression = compression;
infoheader.biClrUsed = numpalettecolors;

FILE *fp = fopen(filename,"wb");
if(palette) fwrite(palette,numpalettecolors*4,1,fp);

int main() {
unsigned char * buf;
buf = (unsigned char *)malloc(4000000);
unsigned char * buf2;
buf2 = (unsigned char *)malloc(4000000);

//overflows specifying too large palette

//integer overflows with image dimensions

//overflows with RLE encoded BMPs
for(long i=0;i<500000;i++) {
for(long i=1;i<500000;i++) {
for(long i=4;i<100000-1;) {
for(long i=0;i<100000-1;) {


Fabrice Roux said...

Is your computer hardware DEP compatible? Is hardware DEP protecting your system?

That might explain the difference of behavior between SP1 and SP2. SP2 by default protects the explorer.exe from buffer overruns.

IrfanView (as Opera) can't be protected by DEP so whatever the DEP status you won't be able to protect these apps.

More information about the DEP issues:

Ivan Fratric said...

Thanks for your suggestion Fabrice. However, I don't think this is the case. I tried to turn off DEP fo explorer.exe with the same outcome. Besides AFAIK even with DEP turned on, buffer overflow would still cause an access violation exception to occur. It would only make exploitation of such overflow difficult.

I would be very much interested if anyone managed to crash any other Windows component besides Explorer in XP SP1 using this. Or in fact, if anyone managed to crash Windows Explorer in XP SP1 to finally have independent confirmation of this issue.

Anonymous said...

Good work - I used your files to kill
my company email client - bad stuff-
I will work up a POC & turn this in
to the software vendor - will certainly credit your work


good work - well done

DEP does not matter for DOS - will see if I can exploit with DEP on or Off

Ivan Fratric said...

Glad this was helpful to you. I would appreciate it if you would post a link to your discovery here if you publish it.

Fabrice Roux said...

DEP can lead to very exotic results. The most obvious one is when you run some plugins in Paint Shop Pro. (I believe it would lead to the same results in Photoshop but can't confirm) With DEP these plugins just don't succeed to run but they never raise a DEP memory violation. (sometimes you get one modal memory warning from what I assume is the "plugin manager".)

aliya seen said...

I am looking for someone who can provide online programming help with excellent experience. I am introducing web page so plz help me.

Pooja Sharma said...

Great post. This article is really very interesting and enjoyable. I think its must be helpful and informative for us. Thanks for sharing your nice post. website designing in jalandhar

Unknown said...

SAS Training Institute in noida- Webtrackker is the only training organization that distinguishes itself from industrial guidance. The organization provides not only orientations, but also ensures that training is consistent. Webtrackker provides training on SAS in the most practical way.

Hadoop Training Institute in Noida
Oracle Training Institute in Noida
Linux Training Institute in Noida
Dot net Training Institute in Noida