Patch Tuesday - GDI+ RLE Bitmap Decompression Integer Overflow

09.09.2008 - 5:00 PM

Today's Microsoft Security Bulletin Summary for September included 4 bulletins of critical severity:
  1. Vulnerability in Windows Media Player Could Allow Remote Code Execution (MS08-054)
  2. Vulnerabilities in GDI+ Could Allow Remote Code Execution (MS08-052)
  3. Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (MS08-053)
  4. Vulnerability in Microsoft Office Could Allow Remote Code Execution (MS08-055)

After receiving these 4 critical bulletins, I decided to reverse engineer the GDI+ patch to see what was wrong with the GDI+ component already installed on my system.

I noticed that Microsoft had patched the GdiPlus.dll module, so I fired up IDA Pro with the Bindiff plugin to see what had changed between the old, pre-patch module and the new, patched module.

A quick look showed that Microsoft fixed more than one vulnerability, but I'll focus on just one of them in this blog: it deals with compressed RLE bitmaps.

It appears that when GdiPlus.dll decodes a compressed RLE bitmap file, it calls the internal function:

void * __stdcall DecodeCompressedRLEBitmap(struct tagBITMAPINFO *, void *, class BitmapData *)

If we take a closer look, we can see that Microsoft fixed an integer overflow issue here. The allocation size passed to GpMalloc is computed by an imul arithmetic operation from a BITMAPINFO header field, so a malformed header value controls the size that gets allocated:

This is the patched version:

The integer overflow is fixed with a call to ULongLongToULong, which checks whether converting the result of the arithmetic operation back to a 32-bit unsigned value would truncate the original value. If it would, INTSAFE_E_ARITHMETIC_OVERFLOW is returned and the allocation does not proceed.
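As an added illustration (this is not GdiPlus.dll code and not from the original post), the unchecked and checked size computations side by side in C. The page does not say which BITMAPINFO field feeds the imul, so using biWidth times biHeight as the allocation size is an assumption, and ull_to_ulong mirrors what ULongLongToULong does rather than being the Windows routine itself.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t HRESULT;
#define S_OK                          ((HRESULT)0x00000000L)
#define INTSAFE_E_ARITHMETIC_OVERFLOW ((HRESULT)0x80070216L)  /* intsafe.h value */

/* Minimal BITMAPINFOHEADER subset, constructed for this example. */
typedef struct {
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biBitCount;
} BmpHeader;

/* Pre-patch pattern: a 32-bit imul, so a large product silently wraps and
 * the buffer handed back by the allocator is far smaller than the decoder
 * will later write into. (ASSUMPTION: width*height stands in for the real
 * header-derived size.) */
uint32_t size_unchecked(const BmpHeader *h) {
    return (uint32_t)h->biWidth * (uint32_t)h->biHeight;
}

/* Mirrors ULongLongToULong: refuse the narrowing if the 64-bit value does
 * not fit in 32 bits, instead of letting it truncate. */
HRESULT ull_to_ulong(uint64_t v, uint32_t *out) {
    if (v > UINT32_MAX) { *out = 0; return INTSAFE_E_ARITHMETIC_OVERFLOW; }
    *out = (uint32_t)v;
    return S_OK;
}

/* Post-patch pattern: do the multiply in 64 bits, then convert with a check. */
HRESULT size_checked(const BmpHeader *h, uint32_t *out) {
    uint64_t product = (uint64_t)(uint32_t)h->biWidth * (uint64_t)(uint32_t)h->biHeight;
    return ull_to_ulong(product, out);
}

int main(void) {
    /* Constructed header: 0x10000 * 0x10001 = 0x100010000, which wraps to 0x10000. */
    BmpHeader bad = { 0x10000, 0x10001, 8 };
    uint32_t out = 0;
    printf("unchecked size: %" PRIu32 "\n", size_unchecked(&bad));        /* 65536 */
    printf("checked result: 0x%08" PRIx32 "\n",
           (uint32_t)size_checked(&bad, &out));                           /* 0x80070216 */
    return 0;
}
```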

To exploit this vulnerability, all an attacker needs to do is to craft a malformed compressed RLE bitmap file that triggers the integer overflow. That causes memory corruption, which in turn allows execution of the attacker's malicious code. Realistically, not many people send bitmaps for their friends and family to click on. However, the crafted file could be embedded as an image on a Web page set up by an attacker, and all the victims would need to do to be infected is browse to that site with Internet Explorer.

Game over!

Security Researcher: Moti Joseph