Information Assurance

Jeffrey Mendoza




Bugtraq Analysis

Microsoft Internet Explorer BMP file memory DoS vulnerability


Bugtraq Email: Microsoft Internet Explorer BMP file memory DoS vulnerability
Link: http://www.securityfocus.com/archive/1/360166/2004-04-05/2004-04-11/0

 

Internet Explorer, one of the most widely used internet programs (regrettably), has another flaw (woopty doo). When reading bitmaps (.bmp), it allocates the amount of memory that is written in the file. However, Explorer does NOT check whether the bitmap file's actual size matches the number written inside the file. Therefore, someone can make a webpage (html, xml, php, etc.) which includes hundreds or even just dozens of small unique bitmap images that tell Explorer to allocate enormous amounts of memory.

 

Arman Nayyeri was the person who wrote about this vulnerability on Bugtraq. According to him, the maximum size a bitmap can tell Explorer to allocate is FFFFFFFF^2. This is a huge freaking number. F = 16 so FFFFFFFF^2 = (16^8)^2 = 18,446,744,070,000,000,000 = 51,539,607,528 GB :(

 

However, this does not seem to be the case when IE actually allocates space.  It seems Windows or the operating system in use will still coordinate memory space as best it can.

 

Nayyeri made a webpage which shows off this vulnerability.

http://www.4rman.com/exploits/tinybmp.htm

 

Upon entering the page, which consists of little tiny dots, my physical memory usage suddenly jumped to around 1.4 GB. I opened more pages of the same web URL but it did not fluctuate any further. This shows that the image was already loaded into my memory and was using pointers to show the image. After opening a dozen or so pages, I eventually got an operating system message saying that I was running sufficiently low on resources and programs may be automatically shut down to conserve them. My system would have crashed if I had opened more pages. This exploit is disastrous especially to those who do not have a popup blocker because one window has the ability to spawn many other windows.

 

To avoid this vulnerability, Explorer needs to be patched to give it the ability to check how big an actual bitmap file is before allocating memory for it. Another way to avoid this exploit is to have operating systems that can check if the internet browser is attempting to allocate more space than is needed. The last option available is to turn off “show pictures” altogether in the Internet Options preferences menu (tools > internet options > advanced > multimedia) and instead turn on “show image placeholders” to keep the web pages in their appropriate structure.
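
The first fix above, checking the real file size before allocating, looks like this in a decoder. This is an added example, not code from the Bugtraq post or from Internet Explorer; the function name `bmp_safe_pixel_bytes` is hypothetical, and it assumes uncompressed (BI_RGB) bitmaps with the standard 54-byte header layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* BMP fields are little-endian; read them byte by byte from the file data. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the pixel-buffer size that is safe to allocate, or 0 to reject.
 * buf/len are the bytes actually received. Assumption: uncompressed (BI_RGB)
 * images with a 40-byte-or-larger info header; anything else is rejected. */
size_t bmp_safe_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t data_off = le32(buf + 10);          /* where pixel data starts */
    int32_t  w   = (int32_t)le32(buf + 18);
    int32_t  h   = (int32_t)le32(buf + 22);      /* negative = top-down */
    uint32_t bpp = le32(buf + 28) & 0xFFFF;
    if (le32(buf + 14) < 40 || le32(buf + 30) != 0) return 0;
    if (w <= 0 || h == 0 || h == INT32_MIN) return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return 0;
    if (data_off < 54 || data_off > len) return 0;

    /* 64-bit math: stride < 2^33 and rows < 2^31, so the product cannot wrap. */
    uint64_t rows   = (uint64_t)(h < 0 ? -(int64_t)h : (int64_t)h);
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;  /* rows pad to 4 bytes */
    uint64_t need   = stride * rows;

    /* The check the page asks for: declared size must fit in the real file. */
    if (need > (uint64_t)(len - data_off)) return 0;
    return (size_t)need;
}

int main(void) {
    /* Constructed sample: 54-byte header claiming 2x2 pixels at 24 bpp + 16 data bytes. */
    uint8_t f[70] = {0};
    f[0] = 'B'; f[1] = 'M'; f[10] = 54; f[14] = 40; f[18] = 2; f[22] = 2;
    f[26] = 1;  f[28] = 24;
    printf("honest header: %zu bytes\n", bmp_safe_pixel_bytes(f, sizeof f));
    f[19] = 0x40;   /* same file, header now claims width 0x4002 */
    printf("inflated header: %zu bytes\n", bmp_safe_pixel_bytes(f, sizeof f));
    return 0;
}
```

Because the allocation is bounded by the bytes actually present, a tiny file can never request more memory than its own length, whatever its header claims.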