Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Delphi and C++ Builder VCL library Heap Buffer Overflow
1. *Advisory Information*
Title: Delphi and C++ Builder VCL library Heap Buffer Overflow
Advisory ID: CORE-2014-0006
Advisory URL: http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-heap-buffer-overflow
Date published: 2014-09-16
Date of last update: 2014-09-16
Vendors contacted: Embarcadero
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0994
3. *Vulnerability Description*
Applications developed with Delphi and C++ Builder [1] that use the
integrated graphics library detailed below are prone to a security
vulnerability when processing malformed BMP files. The vulnerability was
found in the VCL (Visual Component Library) and allows an attacker to use
a specially crafted BMP file that produces a heap buffer overflow and
potentially allows arbitrary code execution through a "client side"
attack. The vendor released a partial fix for CVE-2014-0993 [5] that does
not cover this heap-based buffer overflow.
4. *Vulnerable Packages*
. Embarcadero® C++Builder® XE6 Version 20.0.15596.9843
. Embarcadero® Delphi® XE6 Version 20.0.15596.9843
We also found vulnerable applications that were built with the
following development tools:
. Delphi XE5 / C++Builder XE5 (Delphi:Win32) (C++Builder:Win32)
. Delphi XE4 / C++Builder XE4 (Delphi:Win32) (C++Builder:Win32)
. Delphi XE3 / C++Builder XE3 (Delphi:Win32) (C++Builder:Win32)
. Delphi XE2 / C++Builder XE2 (Delphi:Win32) (C++Builder:Win32)
. Delphi XE / C++Builder XE (Win32)
. Delphi 2010 / C++Builder 2010 (Win32)
. Delphi 2009 / C++Builder 2009 (Win32)
. Delphi 2007 / C++Builder 2007 for Win32
. Delphi 2006 / C++Builder 2006 (Win32) and Delphi/C++Builder 2007 for Win32
. Delphi 2005 (Win32)
. Delphi 7 (and 7.1)
. Delphi 6 / C++Builder 6
. Delphi 5 / C++Builder 5
. C++Builder 4
. Delphi 4
Other 32-bit and 64-bit versions could also be affected.
5. *Vendor Information, Solutions and Workarounds*
Core Security recommends that those affected use third-party software such
as Sentinel [3] or EMET [2], which can help prevent exploitation of
affected systems to some extent.
Contact Embarcadero for further information.
6. *Credits*
This vulnerability was discovered and researched by Marcos Accossatto
from the Core Exploits Writers Team. The publication of this advisory was
coordinated by Joaquín Rodríguez Varela from the Core Advisories Team in
close coordination with the US-CERT.
7. *Technical Description / Proof of Concept Code*
The library 'VCL.Graphics' may be used by applications developed with
Embarcadero's Delphi and C++ Builder to process BMP files [4]. This
library is vulnerable to a heap buffer overflow when a specially crafted
BMP file with specific values in the 'BITMAPINFOHEADER.biClrUsed' field
is processed. This allows the crafted BMP to potentially execute arbitrary
code.
The ReadDIB function in the VCL library processes the BMP header in the
following way: it first allocates memory to copy the header, plus 1024
bytes for the color table:
/-----
mov eax, [ebp+HeaderSize]    ; eax => 40 // Header size read from file
add eax, 0Ch                 ; eax => eax + 12
add eax, 400h                ; eax => eax + (256 * 4)
call @System@@GetMem$qqri    ; // Alloc necessary memory for the BMP header and color table
-----/
Later, a pointer is calculated at an offset of 40 bytes (HeaderSize) from
the first pointer; this new pointer is used later on when working with
the color table:
/-----
mov eax, [ebp+BitmapInfo_] ; eax => BitmapInfo
add eax, [ebp+HeaderSize] ; eax => eax + HeaderSize
mov [ebp+ColorTablePtr], eax
-----/
That pointer is finally used to copy from the file into the allocated
heap region, with a user-controlled size of (biClrUsed * 4):
/-----
mov ecx, [ebx+20h]           ; ecx => biClrUsed
movzx edi, [ebp+OS2Format]
movzx eax, byte_5F90E8[edi]  ; eax => 4 // When edi is 0
imul ecx, eax                ; ecx => biClrUsed * 4 // How much to copy to allocated memory
mov edx, [ebp+ColorTablePtr]
mov eax, [ebp+Stream]
call Stream_ReadBuffer       ; Stream.ReadBuffer(ColorTablePtr, biClrUsed * 4);
-----/
The copy size (biClrUsed * 4) is never checked against the 1024 bytes
(256 entries) reserved for the color table, so a biClrUsed value larger
than 256 makes Stream.ReadBuffer write past the end of the allocated
block, creating a heap buffer overflow and potentially allowing code
execution.
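The mismatch between the fixed 0x400-byte color table budget and the file-controlled copy size can be screened for before a BMP reaches the VCL. The following C program is an added example, not code from Core Security, Embarcadero or the VCL. It parses the BITMAPFILEHEADER and BITMAPINFOHEADER of a BMP byte buffer using the standard layout (biClrUsed at offset 32 of the info header, the [ebx+20h] of the listing above) and rejects any file whose declared color table exceeds the 256-entry budget ReadDIB reserves, or that is too short to contain the table it declares. The function names (bmp_check_color_table, build_sample, check_sample) and the sample headers are constructed for this example.

```c
/* Added example, not code from Core Security or from the VCL: a defensive
 * pre-check for BITMAPINFOHEADER.biClrUsed in a BMP byte buffer. ReadDIB
 * reserves HeaderSize + 12 + 0x400 bytes (room for 256 four-byte colour
 * entries) but copies biClrUsed * 4 bytes; this applies the missing bound
 * before any copy happens. Field offsets follow the standard BMP layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HEADER_SIZE    14u
#define BITMAPINFOHEADER_SIZE   40u
#define MAX_COLOR_TABLE_ENTRIES 256u  /* 0x400 / 4, the budget ReadDIB allocates */

enum bmp_check {
    BMP_OK = 0,
    BMP_TOO_SHORT,
    BMP_BAD_MAGIC,
    BMP_BAD_HEADER_SIZE,
    BMP_CLRUSED_TOO_LARGE,
    BMP_COLOR_TABLE_TRUNCATED
};

/* Little-endian field helpers (BMP headers are little-endian). */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Returns BMP_OK when the colour table declared by biClrUsed fits in the
 * 256-entry budget and is fully present in the buffer; on success the
 * entry count is written to *out_entries (if non-NULL). */
enum bmp_check bmp_check_color_table(const uint8_t *buf, size_t len,
                                     uint32_t *out_entries)
{
    if (len < BMP_FILE_HEADER_SIZE + BITMAPINFOHEADER_SIZE) return BMP_TOO_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;

    const uint8_t *ih = buf + BMP_FILE_HEADER_SIZE;  /* BITMAPINFOHEADER */
    uint32_t header_size = rd32(ih + 0);             /* biSize (HeaderSize) */
    uint16_t bit_count   = rd16(ih + 14);            /* biBitCount */
    uint32_t clr_used    = rd32(ih + 32);            /* biClrUsed, [ebx+20h] */

    if (header_size < BITMAPINFOHEADER_SIZE ||
        header_size > len - BMP_FILE_HEADER_SIZE)
        return BMP_BAD_HEADER_SIZE;

    /* biClrUsed == 0 means "all colours for this depth" at 8 bpp or less. */
    uint32_t entries = clr_used;
    if (entries == 0 && bit_count >= 1 && bit_count <= 8)
        entries = 1u << bit_count;

    /* The check ReadDIB lacks: bound the entry count itself, not
     * entries * 4, so a huge biClrUsed cannot wrap the multiplication. */
    if (entries > MAX_COLOR_TABLE_ENTRIES) return BMP_CLRUSED_TOO_LARGE;

    /* The table follows the info header and must lie inside the buffer. */
    size_t table_off = BMP_FILE_HEADER_SIZE + header_size;
    if ((size_t)entries * 4u > len - table_off) return BMP_COLOR_TABLE_TRUNCATED;

    if (out_entries) *out_entries = entries;
    return BMP_OK;
}

/* Constructed sample (not a real file): a 1x1 8-bpp BMP header with the
 * given biClrUsed followed by table_bytes bytes of zeroed colour table. */
static size_t build_sample(uint8_t *out, size_t cap, uint32_t clr_used,
                           size_t table_bytes)
{
    size_t need = BMP_FILE_HEADER_SIZE + BITMAPINFOHEADER_SIZE + table_bytes;
    if (need > cap) return 0;
    memset(out, 0, need);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)need);        /* bfSize */
    wr32(out + 10, (uint32_t)need);       /* bfOffBits (sample has no pixels) */
    uint8_t *ih = out + BMP_FILE_HEADER_SIZE;
    wr32(ih + 0, BITMAPINFOHEADER_SIZE);  /* biSize = 40 */
    wr32(ih + 4, 1); wr32(ih + 8, 1);     /* biWidth, biHeight */
    wr16(ih + 12, 1);                     /* biPlanes */
    wr16(ih + 14, 8);                     /* biBitCount = 8 */
    wr32(ih + 32, clr_used);              /* biClrUsed */
    return need;
}

/* Verdict for a constructed sample with the given biClrUsed and table size. */
enum bmp_check check_sample(uint32_t clr_used, size_t table_bytes)
{
    uint8_t buf[4096];
    size_t n = build_sample(buf, sizeof buf, clr_used, table_bytes);
    return bmp_check_color_table(buf, n, NULL);
}

int main(void)
{
    printf("biClrUsed=256,  1024-byte table: %d (0 = OK)\n", check_sample(256, 1024));
    printf("biClrUsed=4096, 1024-byte table: %d (4 = too large)\n", check_sample(4096, 1024));
    return 0;
}
```

The bound is applied to the entry count rather than to the byte count because biClrUsed * 4 is a 32-bit multiplication in the listing; a value such as 0x40000000 would wrap that product to zero and slip past a byte-count comparison, while the entry-count comparison rejects it outright.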
7.1. *Proof of Concept*
Given that fixing affected applications may require recompiling them with
the fixed library from the vendor, Core Security has decided not to
release proof of concept code publicly at this time, in order to provide
affected companies with additional time for patching.
Core Security is willing to collaborate with affected parties that need
assistance in understanding the vulnerability. For additional questions,
please email advisories-questions@coresecurity.com.
8. *Report Timeline*
. 2014-08-25: Core Security contacts Embarcadero to inform them that after reviewing the fix for CORE-2014-0004 (CVE-2014-0993), we found a way to still exploit the vulnerability. We scheduled this new advisory for September 1st, 2014.
. 2014-08-25: US-CERT replied that they offered to forward Embarcadero the advisory.
. 2014-08-25: Embarcadero replies that they are willing to accept the advisory forwarded from the US-CERT.
. 2014-08-26: Core Security sends the US-CERT the new PoC and an analysis of the vulnerability.
. 2014-08-28: Core Security sends the US-CERT another email asking if they received the PoC and if they were able to forward it to Embarcadero.
. 2014-08-29: Core Security sends the US-CERT yet another email asking if they received the PoC and if they were able to forward it to Embarcadero. The advisory is going to be rescheduled for Tuesday 2nd of September, considering the 1st is a US holiday.
. 2014-08-29: US-CERT replied that they sent Embarcadero the PoC on Thursday 28th of August. The vendor asked the US-CERT if they should replace the existing fix or publish a second fix. The US-CERT doesn't expect the vendor to have a fix available for 2nd of September.
. 2014-09-02: Core Security sends Embarcadero another email asking if they were able to develop a fix for the issue. We updated the release date to Wednesday 3rd of September in order to give the US based companies one more labor day to patch their software, considering the 1st of September was a holiday.
. 2014-09-02: Embarcadero replies that they were able to reproduce the issue and are currently investigating a fix. They ask if we can delay the advisory until they have this issue fixed and tested.
. 2014-09-02: Core Security informs them that we would appreciate receiving the fix as soon as they have it available in order to test it. We replied that we will reschedule the advisory publication for Monday 8th of September.
. 2014-09-02: Embarcadero replies that they would like to request that we schedule the advisory publication for Monday 15th of September. They say they will provide us with the fix as soon as they have it in order to test it and confirm that the issue is resolved.
. 2014-09-04: Core Security sends Embarcadero an email stating that we will reschedule the advisory for Monday 15th of September.
. 2014-09-04: Embarcadero replies that they agree.
. 2014-09-11: Embarcadero informs us that based on their review of the code the fix won't be ready on Monday, 15th of September, as we had planned.
. 2014-09-12: Core Security sends Embarcadero an email stating that they should respect the publication date that was coordinated. We reminded them that we moved the publication date based on Embarcadero's request and scheduled it accordingly.
. 2014-09-12: The US-CERT replies that, as they understand the situation, they consider that the first BMP vulnerability is incompletely fixed. They suggest everyone update their existing documentation/advisories when a complete fix is available. They also suggest that Core Security publishes on the 15th of September.
. 2014-09-12: Core Security replies to the US-CERT that the advisory that we are going to publish is not an update of the existing advisory. We informed them that this is a new advisory.
. 2014-09-12: Embarcadero informed us that they are preparing a support article for the advisory that we will publish on Monday 15th of September.
. 2014-09-16: Core Security releases the advisory.
9. *References*
[1] http://www.embarcadero.com/
[2] http://support.microsoft.com/kb/2458544
[3] https://github.com/CoreSecurity/sentinel
[4] http://docwiki.embarcadero.com/Libraries/XE5/en/Vcl.Graphics.TPicture
[5] http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-buffer-overflow
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.