**CVSS v2:** AV:N/AC:M/Au:N/C:P/I:P/A:P (Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)
**EPSS percentile:** 95.3%
**Title:** Delphi and C++ Builder VCL library Heap Buffer Overflow
**Advisory ID:** CORE-2014-0006
**Advisory URL:** http://www.coresecurity.com/core-labs/advisories/delphi-and-c-builder-vcl-library-heap-buffer-overflow
**Date published:** 2014-09-16
**Date of last update:** 2014-09-16
**Vendors contacted:** Embarcadero
**Release mode:** Coordinated release
**Class:** Heap-based Buffer Overflow [CWE-122]
**Impact:** Code execution
**Remotely Exploitable:** No
**Locally Exploitable:** Yes
**CVE Name:** CVE-2014-0994
Applications developed with Delphi and C++ Builder [1] that use the specific integrated graphic library detailed below are prone to a security vulnerability when processing malformed BMP files. The vulnerability has been found in the VCL (Visual Component Library): a specially crafted BMP file produces a heap buffer overflow and potentially allows an attacker to execute arbitrary code by performing a “client-side” attack. The vendor made a partial fix for CVE-2014-0993 [5] that does not cover this heap-based buffer overflow.
We also found vulnerable applications that were built with the following development tools:
Other 32-bit and 64-bit versions could also be affected.
Core Security recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent.
Contact Embarcadero for further information.
This vulnerability was discovered and researched by Marcos Accossatto from the Core Exploits Writers Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team in close coordination with the US-CERT.
The library VCL.Graphics may be used by applications developed with Embarcadero’s Delphi and C++ Builder to process BMP files [4]. This library is vulnerable to a heap buffer overflow when a specially crafted BMP file with specific values in the BITMAPINFOHEADER.biClrUsed field is processed. This allows the crafted BMP to potentially execute arbitrary code.
The ReadDIB function in the VCL library processes the BMP header in the following way: it first allocates memory to copy the header, plus 1024 bytes for the color table:
```asm
mov  eax, [ebp+HeaderSize]   ; eax => 40 // Header size read from file
add  eax, 0Ch                ; eax => eax + 12
add  eax, 400h               ; eax => eax + (256 * 4)
call @System@@GetMem$qqri    ; // Alloc necessary memory for the BMP header and color table
```
Later, a second pointer is calculated at an offset of HeaderSize (40) bytes from the first pointer; this new pointer is used when working with the color table later on:
```asm
mov  eax, [ebp+BitmapInfo_]  ; eax => BitmapInfo
add  eax, [ebp+HeaderSize]   ; eax => eax + HeaderSize
mov  [ebp+ColorTablePtr], eax
```
That pointer is finally used to copy from the file into the allocated region of the heap, with a user-controlled size of (biClrUsed * 4), even though only 1024 bytes were reserved for the color table:
```asm
mov   ecx, [ebx+20h]          ; ecx => biClrUsed
movzx edi, [ebp+OS2Format]
movzx eax, byte_5F90E8[edi]   ; eax => 4 // When edi is 0
imul  ecx, eax                ; ecx => biClrUsed * 4 // How much to copy to allocated memory
mov   edx, [ebp+ColorTablePtr]
mov   eax, [ebp+Stream]
call  Stream_ReadBuffer       ; Stream.ReadBuffer(ColorTablePtr, biClrUsed * 4);
```
This creates a heap buffer overflow and potentially allows code execution.
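As an added example (not code from the advisory, from Core Security, or from Embarcadero's VCL), the following C validator applies the bound that the ReadDIB code shown above lacks: it reads biClrUsed from the BITMAPINFOHEADER and rejects any BMP whose colour table (biClrUsed * 4 bytes) would not fit in the 1024-byte reserve, before the data is handed to a DIB loader. The byte offsets are those of the standard BITMAPFILEHEADER and BITMAPINFOHEADER layout; the function names, the 64-bit multiplication used to avoid the 32-bit wrap of `imul`, and the `build_bmp_header` routine that produces constructed sample headers for testing are all my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes fixed by the BMP format; the 1024-byte reserve mirrors the
   HeaderSize + 12 + 400h allocation in the ReadDIB disassembly. */
#define BMP_FILE_HEADER_SIZE   14u
#define BITMAPINFOHEADER_SIZE  40u
#define COLOR_TABLE_RESERVED   1024u

enum bmp_verdict {
    BMP_OK = 0,
    BMP_TRUNCATED,
    BMP_BAD_SIGNATURE,
    BMP_BAD_HEADER_SIZE,
    BMP_CLRUSED_TOO_LARGE
};

/* Little-endian field accessors (BMP headers are always little-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check the colour-table size implied by a BMP's headers before the data is
   handed to a DIB loader. `len` is the number of bytes available in `buf`.
   On success, *needed_out receives biClrUsed * 4, the number of bytes a
   ReadDIB-style loader copies into its colour-table region. */
enum bmp_verdict bmp_check_color_table(const uint8_t *buf, size_t len, uint32_t *needed_out)
{
    if (len < BMP_FILE_HEADER_SIZE + BITMAPINFOHEADER_SIZE) return BMP_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_SIGNATURE;

    const uint8_t *ih = buf + BMP_FILE_HEADER_SIZE;
    uint32_t header_size = rd32(ih + 0);   /* biSize */
    uint16_t bit_count   = rd16(ih + 14);  /* biBitCount */
    uint32_t clr_used    = rd32(ih + 32);  /* biClrUsed, the field read at [ebx+20h] */

    if (header_size < BITMAPINFOHEADER_SIZE) return BMP_BAD_HEADER_SIZE;

    /* 64-bit arithmetic so biClrUsed * 4 cannot wrap like a 32-bit imul;
       the product must fit in the 256-entry reserve. */
    uint64_t needed = (uint64_t)clr_used * 4u;
    if (needed > COLOR_TABLE_RESERVED) return BMP_CLRUSED_TOO_LARGE;

    /* The format's own rule: a palettised image (<= 8 bpp) has at most
       2^biBitCount palette entries. */
    if (bit_count <= 8 && clr_used > (1u << bit_count)) return BMP_CLRUSED_TOO_LARGE;

    if (needed_out) *needed_out = (uint32_t)needed;
    return BMP_OK;
}

/* Constructed test input (not a file from the advisory): a 1x1 BMP file
   header plus BITMAPINFOHEADER with the given bit depth and biClrUsed. */
size_t build_bmp_header(uint8_t out[54], uint16_t bit_count, uint32_t clr_used)
{
    uint32_t table_bytes = clr_used * 4u;           /* 32-bit, may wrap, as in the library */
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, 54u + table_bytes);               /* bfSize */
    wr32(out + 10, 54u + table_bytes);              /* bfOffBits */
    wr32(out + 14, BITMAPINFOHEADER_SIZE);          /* biSize */
    wr32(out + 18, 1); wr32(out + 22, 1);           /* biWidth, biHeight */
    wr16(out + 26, 1); wr16(out + 28, bit_count);   /* biPlanes, biBitCount */
    wr32(out + 46, clr_used);                       /* biClrUsed */
    return 54;
}

/* Build a constructed header and check it in one step. */
enum bmp_verdict check_constructed(uint16_t bit_count, uint32_t clr_used)
{
    uint8_t buf[54];
    size_t n = build_bmp_header(buf, bit_count, clr_used);
    return bmp_check_color_table(buf, n, NULL);
}

/* Bytes a loader would copy for a constructed header, or 0 when rejected. */
uint32_t constructed_table_bytes(uint16_t bit_count, uint32_t clr_used)
{
    uint8_t buf[54];
    uint32_t needed = 0;
    size_t n = build_bmp_header(buf, bit_count, clr_used);
    return bmp_check_color_table(buf, n, &needed) == BMP_OK ? needed : 0;
}

int main(void)
{
    printf("8 bpp, biClrUsed=256 -> verdict %d, %u table bytes\n",
           check_constructed(8, 256), constructed_table_bytes(8, 256));
    printf("8 bpp, biClrUsed=300 -> verdict %d\n", check_constructed(8, 300));
    printf("24 bpp, biClrUsed=1 -> verdict %d\n", check_constructed(24, 1));
    return 0;
}
```

The validator is deliberately conservative: it bounds the table by the loader's fixed reserve rather than by the file's declared size, so a header that is internally consistent but larger than the reserve is still rejected.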
Given that fixing affected applications may require recompiling them with the fixed library by the vendor, Core Security has decided not to release proof of concept code publicly at this time in order to provide affected companies with additional time for patching. Core Security is willing to collaborate with affected parties that need assistance in understanding the vulnerability.
[1] <http://www.embarcadero.com/>
[2] <http://support.microsoft.com/kb/2458544>
[3] <https://github.com/CoreSecurity/sentinel>
[4] <http://docwiki.embarcadero.com/Libraries/XE5/en/Vcl.Graphics.TPicture>
[5] <http://www.coresecurity.com/core-labs/advisories/delphi-and-c-builder-vcl-library-buffer-overflow>
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached on the Web at: https://www.coresecurity.com.
The contents of this advisory are copyright © 2014 Core Security and © 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team.