Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Microsoft JPEG Processing Buffer Overflow vulnerability (MS04-028)

Attack ID: CPAI-2004-42
Publish Date:
Last Update:
Category: Remote Code Execution
Vulnerable Systems: Windows Windows XP (Service Pack 1, 64-bit Edition);
Microsoft Windows Server 2003;
Microsoft Office XP (Service Pack 3, Service Pack 2);
Microsoft Office 2003;
Microsoft Project (2002, 2003);
Microsoft Visio;
Microsoft Visual Studio .NET (2002, 2003);
Microsoft Picture It! (2002, version 7.0, 9);
Microsoft Digital Image Pro (version 7.0, 9)
Source:

Microsoft Security Bulletin MS04-028
Description:

A buffer overflow vulnerability exists in the GDI+ component included in several Microsoft products. Systems affected are those that provide an operating system version of the GDI component that is vulnerable to this issue. This vulnerability is triggered by a malformed JPEG image file.

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs,  viewing, changing or deleting data; or creating new accounts with full privileges. The vulnerability has been publicly exploited. 

Severity:
Details:

There is a vulnerability in the way a Microsoft shared library of the GDI+ component parses JPEG image files. There are insufficient checks on the size of input data. By creating a specially crafted JPEG file that contains malicious code, a remote attacker could overflow the buffer, leading to a denial of service or execution of arbitrary code. An attacker could exploit this vulnerability by sending a victim a malicious email or by creating a malicious web page.

The vulnerable component is GDI+, a graphics device interface that is widely used for many software products, applications and services.
Attack Detection:

After applying the solution outlined below, users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect will be able to identify blocked malformed JPEG files.

Users of VPN-1 NG with Application Intelligence R55 will identify rule number 9980 appearing on the log viewer.

Users of VPN-1 NG with Application Intelligence R55W and InterSpect will receive the following log entries:

Attack Info: JPEG Content Protection Violation
Attack Name: Encoded JPEG
Solution:

To block this vulnerability, Check Point has added a new SmartDefense section of protections designed for content checks. The new Malformed JPEG Protection is designed to block malformed JPEG files over the HTTP protocol which by default uses TCP port 80.

The new SmartDefense protection, referred to as Content Protection Malformed JPEG, has been added to VPN-1 NG with Application Intelligence R55, R55W and InterSpect.

Users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect should update their SmartDefense by clicking the Update Now button (R55, InterSpect) / Online Update button (R55W) on the SmartDefense SmartDashboard General window.

To enable the protection:

On the SmartDefense navigation tree, click Content Protection and then check Malformed JPEG. Note the Monitor Only option that enables to log the attack without dropping any traffic.

Update from November 17, 2004

This protection identifies Web content as a JPEG based on two methods: (1) by analyzing the content, searching for JPEG headers and (2) by examining the Content-Type header provided by the Web server.

When the Perform Strict Enforcement option is selected, both methods are applied to identify JPEG content. If this option is not selected, identification of JPEG content will rely on the Content-Type header field only.
 

Update from January 12, 2005:

This protection is capable of detecting and blocking RFC 2397 encoded JPEGs, a method which may be used to bypass security products scanning for malformed JPEGs.

To enable the enhanced protection:

1. On the SmartDefense navigation tree, click Application Intelligence > Content Protection > Malformed JPEG.
2. Enable Block Encoded images.

3. Install policy on all modules.

Please verify that you have downloaded the latest SmartDefense Update:

Version

Build Number

R55

541050112

InterSpect

547050112

R55W

550050112

To enable the Protection on additional HTTP ports (other than TCP port 80):

To enable this protection on additional HTTP ports, define a new Service for each port and set the Protocol Type field of the Service object to HTTP.   

For example, to define a Service on TCP port 8080, proceed as follows:

  1. Create a new TCP Service (Manage > Services) and give it a name.
  2. In the Port field, enter the port and click Advanced.
  3. In the Protocol Type field, enter HTTP. Uncheck the 'Match on Any' box. Click OK.

In addition, Users of R55 and R55W are also encouraged to activate their SMTP Security Server to strip JPEG files in SMTP traffic.

To define the SMTP Security Server:

  1. Create a new SMTP resource (Manage > Resources) and give it a name.
  2. In the Action2 tab, in the Strip MIME of type field enter {message/partial, image/jpeg}

   3. Install policy on all modules.

Users of Check Point Integrity:

  • Install Microsoft provided patches to remove this vulnerability from the Windows operating system: http://windowsupdate.microsoft.com
  • Review Microsoft Security Bulletin MS04-028: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
  • Define a Cooperative Enforcement™ rule within your enterprise policy to ensure protected endpoints have installed the required Microsoft security patches. See Microsoft Security Bulletin MS04-028 for more details.

    Note: This protection is performance-intensive. Activating it may consume considerable system resources.
Industry Reference: CAN-2004-0200
US-CERT: SA04-258A
Additional Information:

Zone Labs Security Advisory