CESA-2006-004

CESA-2006-004 - rev 2

[See all my vulnerabilities at http://scary.beasts.org/security]

JDK image parsing library vulnerabilities (ICC parsing, BMP parsing)

Programs affected: JDK 1.5.0_07-b03 and others.
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
Reported date: October 2006.
Advisory release date: May 15th 2007.
Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images.

JDK comes with an image parsing API based around the javax.imagio.ImageIO class. A slightly sloppy demo program to exercise this API would be:

import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import java.util.Iterator;
import java.io.InputStream;
import java.io.FileInputStream;
import java.io.ByteArrayInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;
import javax.imageio.stream.ImageInputStream;

public class ImgReader {
  public static void main(String[] args) throws Exception {
    InputStream is = new FileInputStream(args[0]);
    ImageInputStream iis = new MemoryCacheImageInputStream(is);
    Iterator it = ImageIO.getImageReaders(iis);
    ImageReader reader = it.next();
    reader.setInput(iis);
    int width = reader.getWidth(0);
  }
}

This program takes the first command line argument as an image filename to put through the JDK image parsing API.

Of course, most Java image parsing will be safe from the usual gamut of buffer overflows, integer overflows, subtle memory corruptions, etc. Most, but not all. The JPEG and BMP parsers support embedded ICC profiles (to do with colour correction), and the ICC profile parser is actually backed by native code.

Flaw 1 - integer overflow(s) in the ICC profile parser

Demo JPG: http://scary.beasts.org/misc/jdk/badicc.jpg . It causes a crash of the JVM. The crash is caused by a buffer overflow subsequent to an integer overflow, so it is likely exploitable to cause arbitrary code execution on many platforms.

Generally, the ICC parser takes quite a few 32-bit integers from ICC profile data and does not check them for being excessively large.

Flaw 2 - local file opens in the BMP parser

Demo BMP: http://scary.beasts.org/misc/jdk/evil2.bmp . This, on Linux, causes the image parsing thread to hang whilst trying to read from /dev/tty.

Obviously, the broad problem here is that opening local files is not a suitable thing to do in the context of server-side image parsing.

Comments

The native code affected looks to be a library that is likely to be reused in other commercial projects. You might want to run the evil JPEG through other ICC parsing packages.
The errant memcpy() triggered can be somewhat wild, but JDK installs a SEGV handler which crashes a second time (in a more controllable way), making the condition much more interesting.

Credits

Google - this flaw was discovered in Google's time. I'm with Google's Security Team, and we're always recruiting talented security individuals. Mail me.

CESA-2006-004 - rev 2
Chris Evans
scarybeasts@gmail.com