J-Security Center

Title: Microsoft MSN Messenger/Windows Messenger PNG Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

A remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. The vulnerability exists in the libpng library, which is used by the affected applications to render PNG format images.

The specific issue is related to processing image chunks with malformed values for various fields in the PNG IHDR and tRNS chunks. For the vulnerability to occur, the flags 'color used' and 'palette used' must be set in the 'color type' field of the IHDR chunk, and the 'alpha channel used' flag must not be set. This will result in the 'color type' field being set to 0x03. It is then possible to overflow an internal buffer with data from a malicious tRNS chunk that is greater than 256 bytes, corrupting adjacent regions of memory in a manner sufficient to control execution flow of the program.
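
The check below is an added example, not code from the advisory or from libpng: a small PNG chunk walker that flags the exact combination described above (IHDR color type 0x03 together with a tRNS chunk longer than 256 bytes), which is the property a content filter would key on. `build_sample` constructs a minimal paletted PNG carrying a tRNS chunk of a chosen length so the filter can be exercised offline; the constant names and the helper names are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_COLOR_TYPE_PALETTE = 0x03   # 'color used' | 'palette used', no alpha flag
PNG_MAX_PALETTE_LENGTH = 256    # size of libpng's fixed transparency table

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def iter_chunks(data: bytes):
    """Yield (type, body) per chunk. CRCs are not checked on purpose: a bad CRC
    must not let an otherwise matching image slip past the filter."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError("truncated chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break

def find_overlong_trns(data: bytes):
    """Return the tRNS length when the image matches the advisory's trigger
    (IHDR color type 0x03 and a tRNS chunk longer than 256 bytes), else None."""
    color_type = None
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            if len(body) != 13:
                raise ValueError("malformed IHDR")
            color_type = body[9]   # width(4) height(4) bit depth(1) color type(1)
        elif ctype == b"tRNS" and color_type == PNG_COLOR_TYPE_PALETTE:
            if len(body) > PNG_MAX_PALETTE_LENGTH:
                return len(body)
    return None

def build_sample(trns_len: int) -> bytes:
    """Constructed 1x1 paletted PNG carrying a tRNS chunk of the given length."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, PNG_COLOR_TYPE_PALETTE, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # one filter byte plus one palette index
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"PLTE", b"\x00" * 3)
            + make_chunk(b"tRNS", b"\xff" * trns_len)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
```

A tRNS chunk of up to 256 bytes on a paletted image is legitimate and passes; only the over-length case that the vulnerable parser copied into its fixed table is reported.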

Successful exploitation could result in execution of arbitrary code in the context of the client user.

Attack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts.

However, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include:

  • User display pictures
  • Custom icons that are displayed inline in instant messages
  • Thumbnails of transferred images
  • Background images

Since this issue may be exploited client-to-client in MSN Messenger, it is a likely candidate for worm development. It is conjectured that worm propagation could, however, be mitigated by Microsoft, either by forcing vulnerable clients to upgrade or through content filters that drop malicious images having the properties necessary for exploitation.

It is noted that versions of the applications compiled with stack protection features (as provided by the /GS compiler flag) do not sufficiently protect against exploitation: known methods may be employed to bypass this protection by corrupting structured exception handlers to control program execution flow.

This issue was originally described in BID 10857. Further analysis has determined that there are unique properties of the vulnerability that distinguish it from the general libpng issue on other platforms.

Update (February 9, 2005, 1:48 GMT): A trojan exploiting this vulnerability has appeared in the wild. Apparently, when the malicious PNG file carried by the malcode is processed by a vulnerable application, a remote file is downloaded. This file is a back door trojan, named Trojan.Hexem (MCID 4329). This information will be updated when more details are available.

Affected Products:

  • Microsoft MSN Messenger Service 6.1
  • Microsoft MSN Messenger Service 6.2
  • Microsoft Windows Messenger 4.7.0.2009
  • Microsoft Windows Messenger 4.7.0.3000
  • Microsoft Windows Messenger 5.0
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Home SP2
  • Microsoft Windows XP Media Center Edition SP1
  • Microsoft Windows XP Media Center Edition SP2
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional SP2
  • Microsoft Windows XP Tablet PC Edition SP1
  • Microsoft Windows XP Tablet PC Edition SP2
  • Nortel Networks IP softphone 2050
  • Nortel Networks Mobile Voice Client 2050
  • Nortel Networks Optivity Telephony Manager (OTM)
  • Nortel Networks Symposium Call Center Server (SCCS)
