Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Delphi and C++ Builder VCL library Buffer Overflow 1. *Advisory Information* Title: Delphi and C++ Builder VCL library Buffer Overflow Advisory ID: CORE-2014-0004 Advisory URL: http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-buffer-overflow Date published: 2014-08-20 Date of last update: 2014-08-20 Vendors contacted: Embarcadero Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2014-0993 3. *Vulnerability Description* Applications developed with Delphi and C++ Builder [1] that use the specific integrated graphic library detailed below are prone to a security vulnerability when processing malformed BMP files. The aforementioned vulnerability has been found in the VCL (Visual Component Library) allowing an attacker to use a specially crafted BMP file that produces a buffer overflow and potentially allows him to execute arbitrary code by performing a "client side" attack. 4. *Vulnerable Packages* . Embarcadero® C++Builder® XE6 Version 20.0.15596.9843 . Embarcadero® Delphi® XE6 Version 20.0.15596.9843 We also found vulnerable applications that were built with the following development tools: . Delphi XE5 / C++Builder XE5 (Delphi:Win32) (C++Builder:Win32) . Delphi XE4 / C++Builder XE4 (Delphi:Win32) (C++Builder:Win32) . Delphi XE3 / C++Builder XE3 (Delphi:Win32) (C++Builder:Win32) . Delphi XE2 / C++Builder XE2 (Delphi:Win32) (C++Builder:Win32) . Delphi XE / C++Builder XE (Win32) . Delphi 2010 / C++Builder 2010 (Win32) . Delphi 2009 / C++Builder 2009 (Win32) . Delphi 2007 / C++Builder 2007 for Win32 . Delphi 2006 / C++Builder 2006 (Win32) and Delphi/C++Builder 2007 for Win32 . Delphi 2005 (Win32) . Delphi 7 (and 7.1) . Delphi 6 / C++Builder 6 . Delphi 5 / C++Builder 5 . C++Builder 4 . Delphi 4 Other 32b and 64b versions could be also affected. 5. *Vendor Information, Solutions and Workarounds* An article from Embarcadero explains the issue and includes a link to the fix [6] Core Security Technologies recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent. 6. *Credits* This vulnerability was discovered and researched by Marcos Accossatto from the Core Exploits Writers Team. The publication of this advisory was coordinated by Joaqun Rodrguez Varela from the Core Advisories Team in close coordination with the US-CERT. 7. *Technical Description / Proof of Concept Code* The library 'VCL.Graphics', may be used by applications developed using Embarcadero's Delphi and C++ Builder to process BMP files [4]. This library is vulnerable to a buffer overflow attack when a specially crafted BMP file with specific values in the 'BITMAPINFOHEADER.biClrUsed' field are used. This allows the crafted BMP to potentially execute arbitrary code. 7.1. *Proof of Concept* Given that fixing affected applications may require recompiling them with the fixed library by the vendor, Core Security Technologies has decided not to release proof of concept code publicly at this time in order to provide affected companies with additional time for patching. Core Security Technologies is willing to collaborate with affected parties that need assistance in understanding the vulnerability. For additional questions please email advisories-questions@coresecurity.com. 8. *Report Timeline* . 2014-05-29: Core Security Technologies attempts to contact Embarcadero. . 2014-06-03: Core Security Technologies asks for a reply. . 2014-06-09: Core Security Technologies attempts to contact vendor again. . 2014-06-12: Core Security Technologies contacts the US-CERT for assistance in order to coordinate the "coordinated disclosure" of the advisory. . 2014-06-16: US-CERT answers assigning the following tracking code to the report: VU#646748. . 2014-06-30: First release date missed. . 2014-07-10: US-CERT informs that they were able to contact the vendor and that a public bug tracking link [5] was published by Embarcadero. . 2014-07-10: Core Security Technologies contacts the US-CERT asking for vendor's contact information and informs them that the Embarcadero's bug tracking entry forces us to publish the advisory because the vulnerability details are now public. . 2014-07-28: Core Security Technologies receives a reply from Embarcadero stating they expect to have a tentative date for a fix the week of July 28,2014. . 2014-07-29: Core Security Technologies replies to Embarcadero that considering there is a public bug tracking report link [5], we would like to publish the advisory as soon as possible in order to help to protect the users. . 2014-08-04: Embarcadero informs Core Security Technologies that they have a fix ready which is currently under internal review. They hope to give Core Security Technologies an expected release date by the end of the week. . 2014-08-08: Expected release date (or reply) not received from Embarcadero, Core Security Technologies writes again asking for an update. . 2014-08-11: Core Security Technologies notices the status of the public bug tracking report [5] was changed to "fixed". Core Security Technologies emails the Embarcadero asking for clarification about the new status. Two questions are submitted to the Embarcadero (1) Core Security Technologies asks Embarcadero to confirm whether the new status means the fix was made public and (2) in case the fix is still not public, Core Security Technologies requests the tentative release date. . 2014-08-11: Embarcadero informs Core Security Technologies that they are testing the fix internally and that they are planning to release it publicly on August 15, 2014. . 2014-08-11: Core Security Technologies requests Embarcadero link to the fix so it can be include in the coordinated advisory report. . 2014-08-11: Embarcadero replies to Core Security Technologies stating that the link will be delivered August 15, 2014. . 2014-08-12: Core Security Technologies requests the estimated time when the fix will be public on August 15, 2014. . 2014-08-12: Embarcadero replies that they estimate the fix will be released on August 15, 2014, at 3 p.m. PDT. . 2014-08-14: Core Security Technologies requests Embarcadero to postpone the fix release day to August 18, 2014 in order to give users time to patch their software and avoid giving a two-day head start to potential malicious parties. Core Security Technologies informs Embarcadero that it will release the advisory on August 19, 2014 if they accept the postponement. Additionally, Core Security Technologies offers help in contacting third parties affected by this vulnerability. . 2014-08-14: Embarcadero agrees with suggested release approach and will postpone the publishing of the fix until August 18, 2014 at 10 a.m. PDT. They also state they are internally discussing how they will notify their customers. . 2014-08-15: Core Security Technologies requests Embarcadero deliver the support article and fix so it can be verified. . 2014-08-15: Embarcadero sends Core Security Technologies a copy of the support article. . 2014-08-15: Upon review of the proposed fix, Core Security Technologies informs Embarcadero that the fix seems incorrect. . 2014-08-15: Embarcadero indicates they will investigate based on that assessment of the fix, and says they will need to delay the publishing of the fix until the issue is resolved. . 2014-08-15: Embarcadero confirms a problem with the proposed fix was included in the support article and indicates they have a fixed the problem. Embarcadero requests confirmation from Core Security Technologies regarding the new article that includes the updated fix. . 2014-08-18: Embarcadero informs Core Security Technologies of updated content in the article, and proposes publishing the same day. . 2014-08-18: Core Security Technologies didn't reply due to a national holiday affecting their Buenos Aires offices, but Embarcadero publishes the fix and an accompanying support article. . 2014-08-19: Core Security Technologies requests the fix from Embarcadero to update the advisory and verify it. . 2014-08-19: Embarcadero replies sending Core Security Technologies a link to the fix. Due to the fact that the fix was released on August 18, 2014 Core Security Technologies schedules the advisory publication for August 20, 2014, leaving the fix analysis task for post-advisory release. . 2014-08-20: Advisory CORE-2014-0004 published. 9. *References* [1] http://www.embarcadero.com/. [2] http://support.microsoft.com/kb/2458544. [3] https://github.com/CoreSecurity/sentinel. [4] http://docwiki.embarcadero.com/Libraries/XE5/en/Vcl.Graphics.TPicture [5] http://qc.embarcadero.com/wc/qcmain.aspx?d=126004 [6] http://support.embarcadero.com/article/44015 10. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. *Disclaimer* The contents of this advisory are copyright (c) 2014 Core Security Technologies and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.