CESA-2007-005 - rev 2

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

JDK image parsing library vulnerabilities (more ICC parsing)

Programs affected: JDK 1.6.0u3 and others.
Fixed version: JDK 1.6.0u5.
Reported date: October 2007.
Vendor advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1

Severity: Possible remote compromise of systems which use the vulnerable JDK APIs to parse images.

JDK comes with an image parsing API based around the javax.imagio.ImageIO class. A slightly sloppy demo program to exercise this API would be:

import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import java.util.Iterator;
import java.io.InputStream;
import java.io.FileInputStream;
import java.io.ByteArrayInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;
import javax.imageio.stream.ImageInputStream;

public class ImgReader {
  public static void main(String[] args) throws Exception {
    InputStream is = new FileInputStream(args[0]);
    ImageInputStream iis = new MemoryCacheImageInputStream(is);
    Iterator it = ImageIO.getImageReaders(iis);
    ImageReader reader = it.next();
    int width = reader.getWidth(0);
This program takes the first command line argument as an image filename to put through the JDK image parsing API.

Of course, most Java image parsing will be safe from the usual gamut of buffer overflows, integer overflows, subtle memory corruptions, etc. Most, but not all. The JPEG and BMP parsers support embedded ICC profiles (to do with colour correction), and the ICC profile parser is actually backed by native code.

Flaw 1 - DoS due to heap buffer out-of-bounds write with para-type curves

Demo JPG: http://scary.beasts.org/misc/jdk/evilicc.jpg. It causes a crash of the JVM. The crash is caused by writing out-of-bounds to a heap buffer. It is not immediately clear how controllable the data written past the heap is, so this may be just a DoS. However, a DoS still represents a serious problem in a server-side context.

The code flaw would seem quite unfortunate: 4096 bytes are allocated in a buffer, which is then treated as being capable of fitting 4096 uint16 values. It seems that any ICC profile containing a parametric-type curve should crash out the JVM.

There seem to be a few genuine reports of what could be this issue in the wild: http://www.google.com/search?hl=en&q=sun.awt.color.CMM.cmmCombineTransforms&btnG=Google+Search

Flaw 2 - heap-based buffer overflow parsing curv-type curves

Demo JPG: http://scary.beasts.org/misc/jdk/evilicc2.jpg. This, on my machine, causes a crash due to an out-of-bounds heap write. The code flaw is an integer overflow in SpCurveToPublic:

  Limit = SpGetUInt32 (Buf);
  UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit * (KpInt32_t)sizeof (*UInt16Ptr));
  for (Index = 0; Index < Limit; Index++)
    *UInt16Ptr++ = SpGetUInt16 (Buf);



CESA-2007-005 - rev 2
Chris Evans