Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Delphi and C++ Builder VCL library Heap Buffer Overflow 1. *Advisory Information* Title: Delphi and C++ Builder VCL library Heap Buffer Overflow Advisory ID: CORE-2014-0006 Advisory URL: http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-heap-buffer-overflow Date published: 2014-09-16 Date of last update: 2014-09-16 Vendors contacted: Embarcadero Release mode: Coordinated release 2. *Vulnerability Information* Class: Heap-based Buffer Overflow [CWE-122] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2014-0994 3. *Vulnerability Description* Applications developed with Delphi and C++ Builder [1] that use the specific integrated graphic library detailed below are prone to a security vulnerability when processing malformed BMP files. The aforementioned vulnerability has been found in the VCL (Visual Component Library) allowing an attacker to use a specially crafted BMP file that produces a heap buffer overflow and potentially allows him to execute arbitrary code by performing a "client side" attack. The vendor made a partial fix of CVE-2014-0993 [5] that does not cover this heap-based buffer overflow. 4. *Vulnerable Packages* . Embarcadero® C++Builder® XE6 Version 20.0.15596.9843 . Embarcadero® Delphi® XE6 Version 20.0.15596.9843 We also found vulnerable applications that were built with the following development tools: . Delphi XE5 / C++Builder XE5 (Delphi:Win32) (C++Builder:Win32) . Delphi XE4 / C++Builder XE4 (Delphi:Win32) (C++Builder:Win32) . Delphi XE3 / C++Builder XE3 (Delphi:Win32) (C++Builder:Win32) . Delphi XE2 / C++Builder XE2 (Delphi:Win32) (C++Builder:Win32) . Delphi XE / C++Builder XE (Win32) . Delphi 2010 / C++Builder 2010 (Win32) . Delphi 2009 / C++Builder 2009 (Win32) . Delphi 2007 / C++Builder 2007 for Win32 . Delphi 2006 / C++Builder 2006 (Win32) and Delphi/C++Builder 2007 for Win32 . Delphi 2005 (Win32) . Delphi 7 (and 7.1) . Delphi 6 / C++Builder 6 . Delphi 5 / C++Builder 5 . C++Builder 4 . Delphi 4 Other 32b and 64b versions could be also affected. 5. *Vendor Information, Solutions and Workarounds* Core Security recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent. Contact Embarcadero for further information. 6. *Credits* This vulnerability was discovered and researched by Marcos Accossatto from the Core Exploits Writers Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team in close coordination with the US-CERT. 7. *Technical Description / Proof of Concept Code* The library 'VCL.Graphics', may be used by applications developed using Embarcadero's Delphi and C++ Builder to process BMP files [4]. This library is vulnerable to a heap buffer overflow attack when a specially crafted BMP file with specific values in the 'BITMAPINFOHEADER.biClrUsed' field are used. This allows the crafted BMP to potentially execute arbitrary code. The ReadDIB function in the VCL library processes the BMP header in the following way: it first allocates memory to copy the header, plus 1024 bytes for the color table: /----- mov eax, [ebp+HeaderSize] ; eax => 40 // Header size read from file add eax, 0Ch ; eax => eax + 12 add eax, 400h ; eax => eax + (256 * 4) call @System@@GetMem$qqri ; // Alloc necessary memory for the BMP header and color table -----/ Later, a pointer is calculated, off 40 bytes (HeaderSize), from the first pointer; this new pointer is going to be used when working with the color table later on: /----- mov eax, [ebp+BitmapInfo_] ; eax => BitmapInfo add eax, [ebp+HeaderSize] ; eax => eax + HeaderSize mov [ebp+ColorTablePtr], eax -----/ That pointer is finally used to copy from the file to the allocated region in the heap, with a user controlled size of (biClrUsed * 4): /----- mov ecx, [ebx+20h] ; ecx => biClrUsed movzx edi, [ebp+OS2Format] movzx eax, byte_5F90E8[edi] ; eax => 4 // When edi is 0 imul ecx, eax ; ecx => biClrUsed * 4 // How much to copy to allocated memory mov edx, [ebp+ColorTablePtr] mov eax, [ebp+Stream] call Stream_ReadBuffer ; Stream.ReadBuffer(ColorTablePtr, biClrUsed * 4); -----/ Thus creating a heap buffer overflow and potentially allowing code execution. 7.1. *Proof of Concept* Given that fixing affected applications may require recompiling them with the fixed library by the vendor, Core Security has decided not to release proof of concept code publicly at this time in order to provide affected companies with additional time for patching. Core Security is willing to collaborate with affected parties that need assistance in understanding the vulnerability. For additional questions please email advisories-questions@coresecurity.com. 8. *Report Timeline* . 2014-08-25: Core Security contacts Embarcadero to inform them that after reviewing the fix for CORE-2014-0004 (CVE-2014-0993), we found a way to still exploit the vulnerability. We scheduled this new advisory for September 1st, 2014. . 2014-08-25: US-CERT replied that they offered to forward Embarcadero the advisory. . 2014-08-25: Embarcadero replies that they are willing to accept the advisory forward from the US-CERT. . 2014-08-26: Core Security sends the US-CERT the new PoC and an analysis of the vulnerability. . 2014-08-28: Core Security sends the US-CERT another email asking if they received the PoC and if they were able to forward it to Embarcadero. . 2014-08-29: Core Security sends the US-CERT yet another email asking if they received the PoC and if they were able to forward it to Embarcadero. The advisory is going to be rescheduled for Tuesday 2st of September, considering the 1st is a US holiday. . 2014-08-29: US-CERT replied that they sent Embarcadero the PoC on Thursday 28th of August. The vendor asked the US-CERT if they should replace the existing fix or publish a second fix. The US-CERT doesn't expect the vendor to have a fix available for 2nd of September. . 2014-09-02: Core Security sends Embarcadero another email asking if they were able to develop a fix for the issue. We updated the release date for Wednesday 3rd of September in order to give the US based companies one more labor day to patch their software considering the 1st of September was a holiday. . 2014-09-02: Embarcadero replies that they were able to reproduce the issue and are currently investigating a fix. They request if we can delay the advisory until they have this issue fixed and tested. . 2014-09-02: Core Security inform them that we would appreciate to receive the fix as soon as they have it available in order to test it. We replied that we will reschedule the advisory publication for Monday 8th of September. . 2014-09-02: Embarcadero replies that they would like to request us to schedule the advisory publication for Monday 15th of September. They say they will provide us with the fix as soon as they have it in order to test it and confirm that the issue is resolved. . 2014-09-04: Core Security sends Embarcadero an email stating that we will reschedule the advisory for Monday 15th of September. . 2014-09-04: Embarcadero replies that they agree. . 2014-09-11: Embarcadero inform us that based on their review of the code the fix won't be ready on Monday, 15th of September, as we had planned. . 2014-09-12: Core Security sends Embarcadero an email stating that they should respect the publication date that was coordinated. We reminded them that we moved the publication date based on Embarcadero's request and scheduled it accordingly as well. . 2014-09-12: The US-CERT replies that as they understand the situation, they consider that the first BMP vulnerability is incompletely fixed. They suggest everyone to update their existing documentation/advisories when a complete fix is available. They also suggest that Core Security publishes the 15th of September. . 2014-09-12: Core Security replies the US-CERT that the advisory that we are going to publish is not an update of the existing advisory. We informed them that this is a new advisory. . 2014-09-12: Embarcadero informed us that they are preparing a support article for the advisory that we will publish on Monday 15th of September. . 2014-09-16: Core Security releases the advisory. 9. *References* [1] http://www.embarcadero.com/. [2] http://support.microsoft.com/kb/2458544. [3] https://github.com/CoreSecurity/sentinel. [4] http://docwiki.embarcadero.com/Libraries/XE5/en/Vcl.Graphics.TPicture [5] http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-buffer-overflow. 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. *Disclaimer* The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.