
[CORE-2014-0006] - Delphi and C++ Builder VCL library Heap Buffer Overflow


Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Delphi and C++ Builder VCL library Heap Buffer Overflow

  1. Advisory Information

Title: Delphi and C++ Builder VCL library Heap Buffer Overflow
Advisory ID: CORE-2014-0006
Advisory URL:
http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-heap-buffer-overflow
Date published: 2014-09-16
Date of last update: 2014-09-16
Vendors contacted: Embarcadero
Release mode: Coordinated release

  2. Vulnerability Information

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0994

  3. Vulnerability Description

Applications developed with Delphi and C++ Builder [1] that use the integrated graphics library detailed below are prone to a security vulnerability when processing malformed BMP files. The vulnerability was found in the VCL (Visual Component Library) and allows an attacker to use a specially crafted BMP file that produces a heap buffer overflow and potentially allows him to execute arbitrary code by performing a "client side" attack. The vendor made a partial fix for CVE-2014-0993 [5] that does not cover this heap-based buffer overflow.

  4. Vulnerable Packages

    . Embarcadero® C++Builder® XE6 Version 20.0.15596.9843
    . Embarcadero® Delphi® XE6 Version 20.0.15596.9843

    We also found vulnerable applications that were built with the following development tools:

    . Delphi XE5 / C++Builder XE5 (Delphi:Win32) (C++Builder:Win32)
    . Delphi XE4 / C++Builder XE4 (Delphi:Win32) (C++Builder:Win32)
    . Delphi XE3 / C++Builder XE3 (Delphi:Win32) (C++Builder:Win32)
    . Delphi XE2 / C++Builder XE2 (Delphi:Win32) (C++Builder:Win32)
    . Delphi XE / C++Builder XE (Win32)
    . Delphi 2010 / C++Builder 2010 (Win32)
    . Delphi 2009 / C++Builder 2009 (Win32)
    . Delphi 2007 / C++Builder 2007 for Win32
    . Delphi 2006 / C++Builder 2006 (Win32) and Delphi/C++Builder 2007 for Win32
    . Delphi 2005 (Win32)
    . Delphi 7 (and 7.1)
    . Delphi 6 / C++Builder 6
    . Delphi 5 / C++Builder 5
    . C++Builder 4
    . Delphi 4

    Other 32-bit and 64-bit versions could also be affected.

  5. Vendor Information, Solutions and Workarounds

Core Security recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent.

Contact Embarcadero for further information.

  6. Credits

This vulnerability was discovered and researched by Marcos Accossatto from the Core Exploits Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from the Core Advisories Team in close coordination with the US-CERT.

  7. Technical Description / Proof of Concept Code

The library 'VCL.Graphics' may be used by applications developed with Embarcadero's Delphi and C++ Builder to process BMP files [4]. This library is vulnerable to a heap buffer overflow when a specially crafted BMP file with specific values in the 'BITMAPINFOHEADER.biClrUsed' field is processed. This allows the crafted BMP to potentially execute arbitrary code.

The ReadDIB function in the VCL library processes the BMP header in the following way: it first allocates memory to hold the header, plus 1024 bytes for the color table:

/-----
mov eax, [ebp+HeaderSize]    ; eax => 40 // Header size read from file
add eax, 0Ch                 ; eax => eax + 12
add eax, 400h                ; eax => eax + (256 * 4)
call @System@@GetMem$qqri    ; // Alloc necessary memory for the BMP header and color table
-----/

Later, a pointer is calculated 40 bytes (HeaderSize) past the first pointer; this new pointer is used when working with the color table later on:

/-----
mov eax, [ebp+BitmapInfo_] ; eax => BitmapInfo
add eax, [ebp+HeaderSize] ; eax => eax + HeaderSize
mov [ebp+ColorTablePtr], eax
-----/

That pointer is finally used as the destination of a copy from the file into the allocated heap region, with a user controlled size of (biClrUsed * 4):

/-----
mov ecx, [ebx+20h]              ; ecx => biClrUsed
movzx edi, [ebp+OS2Format]
movzx eax, byte_5F90E8[edi]     ; eax => 4 // When edi is 0
imul ecx, eax                   ; ecx => biClrUsed * 4 // How much to copy to allocated memory
mov edx, [ebp+ColorTablePtr]
mov eax, [ebp+Stream]
call Stream_ReadBuffer          ; Stream.ReadBuffer(ColorTablePtr, biClrUsed * 4);
-----/

The allocation reserves 1024 bytes (256 entries of 4 bytes) for the color table, but the copy length biClrUsed * 4 is taken from the file without being checked against that size, thus creating a heap buffer overflow and potentially allowing code execution.
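As an added example (not code from the advisory, from Embarcadero or from Core Security), the C below reproduces the ReadDIB length arithmetic beside a bounded version that rejects any biClrUsed value the 256-entry color table allocation cannot hold. It assumes the standard little-endian BITMAPINFOHEADER layout; the sample headers are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Embarcadero's or Core Security's code. It mirrors the
 * ReadDIB arithmetic above: 1024 bytes (256 entries * 4) are reserved for the
 * color table, but biClrUsed * 4 bytes are copied from the file into it. */
#define BIH_LEN           40    /* sizeof(BITMAPINFOHEADER) */
#define COLOR_TABLE_BYTES 1024  /* 256 * 4, the space ReadDIB allocates */

static uint32_t rd32(const uint8_t *p)   /* little-endian DWORD */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Builds a minimal constructed little-endian BITMAPINFOHEADER for testing. */
void make_bih(uint8_t out[BIH_LEN], uint16_t bit_count, uint32_t clr_used)
{
    memset(out, 0, BIH_LEN);
    out[0] = BIH_LEN;                                /* biSize */
    out[12] = 1;                                     /* biPlanes */
    out[14] = (uint8_t)bit_count;                    /* biBitCount */
    out[15] = (uint8_t)(bit_count >> 8);
    for (int i = 0; i < 4; i++)                      /* biClrUsed */
        out[32 + i] = (uint8_t)(clr_used >> (8 * i));
}

/* The unchecked length ReadDIB passes to Stream.ReadBuffer: biClrUsed * 4. */
uint64_t unchecked_color_table_bytes(const uint8_t *hdr)
{
    return (uint64_t)rd32(hdr + 32) * 4;
}

/* Hardened version: bytes to copy, or -1 if the header must be rejected.
 * A palette only exists at <= 8 bpp; biClrUsed == 0 then means 2^bpp entries. */
long checked_color_table_bytes(const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < BIH_LEN || rd32(hdr) < BIH_LEN)
        return -1;
    uint16_t bpp = (uint16_t)(hdr[14] | hdr[15] << 8);
    uint32_t clr_used = rd32(hdr + 32);
    uint32_t max_entries = bpp <= 8 ? (1u << bpp) : 256;
    if (clr_used == 0 && bpp <= 8)
        clr_used = max_entries;
    /* Compare entry counts, not bytes, so the multiplication can never wrap. */
    if (clr_used > max_entries || clr_used > COLOR_TABLE_BYTES / 4)
        return -1;
    return (long)clr_used * 4;
}
```

For an 8 bpp header carrying biClrUsed = 0x10000 the unchecked path yields a 0x40000-byte copy into a 1024-byte table, while the checked path refuses the header.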

7.1. Proof of Concept

Given that fixing affected applications may require recompiling them with the fixed library by the vendor, Core Security has decided not to release proof of concept code publicly at this time in order to provide affected companies with additional time for patching. Core Security is willing to collaborate with affected parties that need assistance in understanding the vulnerability. For additional questions please email [email protected].

  8. Report Timeline

    . 2014-08-25: Core Security contacts Embarcadero to inform them that after reviewing the fix for CORE-2014-0004 (CVE-2014-0993), we found a way to still exploit the vulnerability. We scheduled this new advisory for September 1st, 2014.

    . 2014-08-25: US-CERT replied that they offered to forward Embarcadero the advisory.

    . 2014-08-25: Embarcadero replies that they are willing to accept the advisory forwarded from the US-CERT.

    . 2014-08-26: Core Security sends the US-CERT the new PoC and an analysis of the vulnerability.

    . 2014-08-28: Core Security sends the US-CERT another email asking if they received the PoC and if they were able to forward it to Embarcadero.

    . 2014-08-29: Core Security sends the US-CERT yet another email asking if they received the PoC and if they were able to forward it to Embarcadero. The advisory is going to be rescheduled for Tuesday 2nd of September, considering the 1st is a US holiday.

    . 2014-08-29: US-CERT replied that they sent Embarcadero the PoC on Thursday 28th of August. The vendor asked the US-CERT if they should replace the existing fix or publish a second fix. The US-CERT doesn't expect the vendor to have a fix available for 2nd of September.

    . 2014-09-02: Core Security sends Embarcadero another email asking if they were able to develop a fix for the issue. We updated the release date to Wednesday 3rd of September in order to give the US based companies one more labor day to patch their software, considering the 1st of September was a holiday.

    . 2014-09-02: Embarcadero replies that they were able to reproduce the issue and are currently investigating a fix. They ask whether we can delay the advisory until they have this issue fixed and tested.

    . 2014-09-02: Core Security informs them that we would appreciate receiving the fix as soon as they have it available in order to test it. We replied that we will reschedule the advisory publication for Monday 8th of September.

    . 2014-09-02: Embarcadero replies that they would like to request us to schedule the advisory publication for Monday 15th of September. They say they will provide us with the fix as soon as they have it in order to test it and confirm that the issue is resolved.

    . 2014-09-04: Core Security sends Embarcadero an email stating that we will reschedule the advisory for Monday 15th of September.

    . 2014-09-04: Embarcadero replies that they agree.

    . 2014-09-11: Embarcadero informs us that based on their review of the code the fix won't be ready on Monday, 15th of September, as we had planned.

    . 2014-09-12: Core Security sends Embarcadero an email stating that they should respect the publication date that was coordinated. We reminded them that we moved the publication date based on Embarcadero's request and scheduled it accordingly as well.

    . 2014-09-12: The US-CERT replies that, as they understand the situation, they consider that the first BMP vulnerability is incompletely fixed. They suggest that everyone update their existing documentation/advisories when a complete fix is available. They also suggest that Core Security publish on the 15th of September.

    . 2014-09-12: Core Security replies to the US-CERT that the advisory that we are going to publish is not an update of the existing advisory. We informed them that this is a new advisory.

    . 2014-09-12: Embarcadero informed us that they are preparing a support article for the advisory that we will publish on Monday 15th of September.

    . 2014-09-16: Core Security releases the advisory.

  9. References

[1] http://www.embarcadero.com/
[2] http://support.microsoft.com/kb/2458544
[3] https://github.com/CoreSecurity/sentinel
[4] http://docwiki.embarcadero.com/Libraries/XE5/en/Vcl.Graphics.TPicture
[5] http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-buffer-overflow

  10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.

  11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

  12. Disclaimer

The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

  13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
