Description

JPEGsnoop is a free Windows application that examines and decodes the inner details of JPEG, MotionJPEG AVI and Photoshop files. It can also be used to analyze the source of an image to test its authenticity.

Vulnerability Analysis

JPEGsnoop suffers from an integer division by zero while decoding JFIF data, which crashes the application (denial of service) and loses any unsaved work. The vulnerable code performs a calculation that assumes every table it depends on is present and valid; when the file supplies a zero, that zero becomes the divisor. The exception was raised at EIP 0x011d2a1d, so the instruction pointer leads straight to the faulting instruction, which can be disassembled.

Disassembly at EIP:
  0:000> u 011d2a1d 
  JPEGsnoop+0x32a1d:
  011d2a1d f7b48f78110000  div     eax,dword ptr [edi+ecx*4+1178h]
  011d2a24 33d2            xor     edx,edx
  011d2a26 894508          mov     dword ptr [ebp+8],eax
  011d2a29 8b877c190000    mov     eax,dword ptr [edi+197Ch]
  011d2a2f f7b48f78150000  div     eax,dword ptr [edi+ecx*4+1578h]
  011d2a36 83bf8c19000002  cmp     dword ptr [edi+198Ch],2
  011d2a3d 7414            je      JPEGsnoop+0x32a53 (011d2a53)
  011d2a3f 50              push    eax

Note the register state at the time of the exception; it lets us confirm that the faulting operand really is zero.

0:000> r
eax=00000000 ebx=00eb2378 ecx=00000000 edx=00000000 esi=05f5ab28 edi=00eb09e8
eip=011d2a1d esp=007ce5c8 ebp=007ce5f4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
JPEGsnoop+0x32a1d:
011d2a1d f7b48f78110000  div     eax,dword ptr [edi+ecx*4+1178h] ds:002b:00eb1b60=00000000

The faulting instruction is div eax, dword ptr [edi+ecx*4+1178h]. WinDbg prints the implicit EAX operand; the instruction divides EDX:EAX by the 32-bit value at the memory operand. Breaking the address down:

edi = 00eb09e8
ecx = 00000000, scaled by 4
displacement 0x1178

  The math:
    divisor address: 00eb09e8 + 00000000 * 4 + 1178 = 0x00eb1b60 (ds:002b, as shown in the exception line)
    value stored at that address: 00000000
    dividend (EDX:EAX): 0x00000000

So the CPU is asked to compute 0 / 0. Note that 0xeb1b60 is where the divisor lives, not the divisor itself; it is the zero read from that address that matters. Because the divisor is zero the processor raises the #DE fault (STATUS_INTEGER_DIVIDE_BY_ZERO, code 0xC0000094) before any result is produced, whatever the dividend is. The second div at 011d2a2f reads its divisor the same way from [edi+ecx*4+1578h] and is equally unguarded.

Because the exception is not handled, the application terminates, which is the denial of service. Below are the crash dump and the disassembly of the root cause:

Crash Dump

(5d4.39c): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for JPEGsnoop.exe
*** ERROR: Module load completed but symbols could not be loaded for JPEGsnoop.exe
eax=00000000 ebx=00eb2378 ecx=00000000 edx=00000000 esi=05f5ab28 edi=00eb09e8
eip=011d2a1d esp=007ce5c8 ebp=007ce5f4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
JPEGsnoop+0x32a1d:
011d2a1d f7b48f78110000  div     eax,dword ptr [edi+ecx*4+1178h] ds:002b:00eb1b60=00000000

Disassembly

.text:004329C2 loc_4329C2:                             ; CODE XREF: sub_432800+1B1j
.text:004329C2                                         ; sub_432800+1BBj
.text:004329C2                 push    3               ; int
.text:004329C4                 lea     ebx, [edi+1990h]
.text:004329CA                 push    offset a?x?     ; "?x?"
.text:004329CF                 mov     ecx, ebx
.text:004329D1                 call    sub_401AC0
.text:004329D6                 push    4               ; int
.text:004329D8                 lea     ecx, [edi+1DE8h]
.text:004329DE                 push    offset aNone    ; "NONE"
.text:004329E3                 call    sub_401AC0
.text:004329E8                 push    4               ; int
.text:004329EA                 lea     ecx, [edi+1DECh]
.text:004329F0                 push    offset aNone    ; "NONE"
.text:004329F5                 call    sub_401AC0
.text:004329FA                 cmp     byte ptr [edi+20h], 0
.text:004329FE                 jz      loc_432B3F
.text:00432A04                 mov     eax, [edi+974h]
.text:00432A0A                 cmp     eax, 3
.text:00432A0D                 jnz     short loc_432A67
.text:00432A0F                 mov     ecx, [edi+980h]
.text:00432A15                 mov     eax, [edi+1978h]
.text:00432A1B                 xor     edx, edx
.text:00432A1D                 div     dword ptr [edi+ecx*4+1178h] <— vulnerability here
.text:00432A24                 xor     edx, edx
.text:00432A26                 mov     dword ptr [ebp+ArgList], eax
.text:00432A29                 mov     eax, [edi+197Ch]
.text:00432A2F                 div     dword ptr [edi+ecx*4+1578h]
.text:00432A36                 cmp     dword ptr [edi+198Ch], 2
.text:00432A3D                 jz      short loc_432A53
.text:00432A3F                 push    eax
.text:00432A40                 push    dword ptr [ebp+ArgList] ; ArgList
.text:00432A43                 push    offset aUxU     ; "%ux%u"
.text:00432A48                 push    ebx             ; int
.text:00432A49                 call    sub_401650
.text:00432A4E                 add     esp, 10h
.text:00432A51                 jmp     short loc_432A78
.text:00432A53 ; —————————————————————————
.text:00432A53
.text:00432A53 loc_432A53:                             ; CODE XREF: sub_432800+23Dj
.text:00432A53                 push    dword ptr [ebp+ArgList]
.text:00432A56                 push    eax             ; ArgList
.text:00432A57                 push    offset aUxU     ; "%ux%u"
.text:00432A5C                 push    ebx             ; int
.text:00432A5D                 call    sub_401650
.text:00432A62                 add     esp, 10h
.text:00432A65                 jmp     short loc_432A78
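
The listing above shows the unguarded div but not the JFIF parsing that feeds it, so here is a constructed C example, added for this write-up and not JPEGsnoop's own code. It walks a minimal JFIF header (SOI, DQT, SOF0, SOS), computes a per-component quotient whose divisor is copied straight from the file, and places the check a patched decoder needs beside it. The sample headers, the function names and the choice of SOF0 sampling factors as the divided quantity are assumptions; the exact fields JPEGsnoop divides are not recoverable from the disassembly.

```c
/* Added example (not JPEGsnoop's code): file-controlled divisor, unchecked vs. checked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_COMPS 4

struct sof_info {
    uint8_t ncomps;
    uint8_t h[MAX_COMPS], v[MAX_COMPS]; /* sampling factors, 4 bits each in SOF0 */
    int have_dqt;                        /* at least one DQT segment was seen */
};

/* Walk marker segments up to SOS/EOI and collect SOF0 sampling factors.
 * Returns 0 on success, -1 when the stream is structurally malformed. */
static int walk_segments(const uint8_t *buf, size_t len, struct sof_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1; /* SOI */
    size_t pos = 2;
    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF) return -1;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xDA || marker == 0xD9) break;            /* SOS or EOI: stop */
        if (pos + 4 > len) return -1;
        uint16_t seglen = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        if (seglen < 2 || pos + 2 + seglen > len) return -1;    /* length field covers itself */
        const uint8_t *p = buf + pos + 4;
        size_t plen = seglen - 2;
        if (marker == 0xDB) {                                    /* DQT: Pq/Tq byte + 64 entries per table */
            size_t off = 0;
            while (off < plen) {
                uint8_t pq = p[off] >> 4;
                size_t tbl = 1 + 64 * (pq ? 2 : 1);
                if (pq > 1 || off + tbl > plen) return -1;
                off += tbl;
            }
            info->have_dqt = 1;
        } else if (marker == 0xC0) {                             /* SOF0: P, Y, X, Nf, then Ci/HV/Tq triples */
            if (plen < 6) return -1;
            uint8_t nf = p[5];
            if (nf == 0 || nf > MAX_COMPS || plen < 6 + 3u * nf) return -1;
            info->ncomps = nf;
            for (unsigned i = 0; i < nf; i++) {
                uint8_t hv = p[6 + 3 * i + 1];
                info->h[i] = hv >> 4;
                info->v[i] = hv & 0x0F;
            }
        }
        pos += 2 + seglen;
    }
    return info->ncomps ? 0 : -1;
}

/* The unsafe pattern from the disassembly: divide by a value taken verbatim from
 * the file. A component with H=0 or V=0 traps with an integer divide-by-zero. */
unsigned unsafe_ratio(unsigned max, unsigned per_comp)
{
    return max / per_comp;
}

/* Hardened form: T.81 restricts H and V to 1..4, so anything else is rejected
 * before any arithmetic. Writes "AxB" for component ci into out. */
static int safe_subsample_ratio(const struct sof_info *info, unsigned ci, char *out, size_t outlen)
{
    if (ci >= info->ncomps) return -1;
    unsigned hmax = 0, vmax = 0;
    for (unsigned i = 0; i < info->ncomps; i++) {
        if (info->h[i] < 1 || info->h[i] > 4 || info->v[i] < 1 || info->v[i] > 4) return -1;
        if (info->h[i] > hmax) hmax = info->h[i];
        if (info->v[i] > vmax) vmax = info->v[i];
    }
    snprintf(out, outlen, "%ux%u", hmax / info->h[ci], vmax / info->v[ci]);
    return 0;
}

/* Constructed sample header (assumption, not a real capture): SOI, one 8-bit DQT,
 * SOF0 with Y=2x2 and Cb/Cr=1x1, then the SOS marker. zero_factor sets Cb's H to 0. */
static size_t build_sample(uint8_t *buf, int zero_factor)
{
    size_t n = 0;
    buf[n++] = 0xFF; buf[n++] = 0xD8;                                   /* SOI */
    buf[n++] = 0xFF; buf[n++] = 0xDB; buf[n++] = 0x00; buf[n++] = 0x43; /* DQT, length 67 */
    buf[n++] = 0x00;                                                     /* Pq=0, Tq=0 */
    for (int i = 0; i < 64; i++) buf[n++] = 16;                          /* flat table */
    buf[n++] = 0xFF; buf[n++] = 0xC0; buf[n++] = 0x00; buf[n++] = 0x11; /* SOF0, length 17 */
    buf[n++] = 8; buf[n++] = 0; buf[n++] = 16; buf[n++] = 0; buf[n++] = 16; /* P=8, Y=16, X=16 */
    buf[n++] = 3;                                                        /* Nf=3 */
    buf[n++] = 1; buf[n++] = 0x22; buf[n++] = 0;                         /* Y:  H=2 V=2 */
    buf[n++] = 2; buf[n++] = zero_factor ? 0x01 : 0x11; buf[n++] = 0;   /* Cb: H=0 when malformed */
    buf[n++] = 3; buf[n++] = 0x11; buf[n++] = 0;                         /* Cr: H=1 V=1 */
    buf[n++] = 0xFF; buf[n++] = 0xDA;                                    /* SOS */
    return n;
}

/* Parse the sample and describe the chroma ratio of component 1 (Cb).
 * Returns 0 with out filled, or -1 when the header is rejected. */
int describe_chroma(int zero_factor, char *out, size_t outlen)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, zero_factor);
    struct sof_info info;
    if (walk_segments(buf, n, &info) != 0 || !info.have_dqt) return -1;
    return safe_subsample_ratio(&info, 1, out, outlen);
}

int main(void)
{
    char css[16];
    printf("well-formed header: %s\n", describe_chroma(0, css, sizeof css) == 0 ? css : "rejected");
    printf("Cb with H=0:        %s\n", describe_chroma(1, css, sizeof css) == 0 ? css : "rejected");
    return 0;
}
```

The guarded version never reaches the division with a zero operand, which is the whole fix: validate the file-derived field against its specified range before it is used as a divisor, rather than relying on the dividend or on an exception handler.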

Patch released in version 1.8.0:

  • http://www.impulseadventure.com/photo/jpeg-snoop.html
  • http://www.impulseadventure.com/photo/jpeg-snoop-history.html (Fixed vulnerability (div0) with invalid DQT)
