Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Delphi and C++ Builder VCL library Buffer Overflow


1. *Advisory Information*

    Title: Delphi and C++ Builder VCL library Buffer Overflow
    Advisory ID: CORE-2014-0004
    Advisory URL:
http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-buffer-overflow
    Date published: 2014-08-20
    Date of last update: 2014-08-20
    Vendors contacted: Embarcadero
    Release mode: Coordinated release


2. *Vulnerability Information*

    Class: Buffer overflow [CWE-119]
    Impact: Code execution
    Remotely Exploitable: No
    Locally Exploitable: Yes
    CVE Name: CVE-2014-0993


3. *Vulnerability Description*

    Applications developed with Delphi and C++ Builder [1] that use the
specific
    integrated graphic library detailed below are prone to a security
vulnerability when processing malformed BMP
    files. The aforementioned vulnerability has been found in the VCL
(Visual Component Library)  allowing an attacker to use
    a specially crafted BMP file that produces a buffer overflow and
potentially allows him to execute arbitrary
    code by performing a "client side" attack.


4. *Vulnerable Packages*

   . Embarcadero® C++Builder® XE6 Version 20.0.15596.9843
   . Embarcadero® Delphi® XE6 Version 20.0.15596.9843

    We also found vulnerable applications that were built with the
following development tools:

   . Delphi XE5 / C++Builder XE5 (Delphi:Win32) (C++Builder:Win32)
   . Delphi XE4 / C++Builder XE4 (Delphi:Win32) (C++Builder:Win32)
   . Delphi XE3 / C++Builder XE3 (Delphi:Win32) (C++Builder:Win32)
   . Delphi XE2 / C++Builder XE2 (Delphi:Win32) (C++Builder:Win32)
   . Delphi XE / C++Builder XE (Win32)
   . Delphi 2010 / C++Builder 2010 (Win32)
   . Delphi 2009 / C++Builder 2009 (Win32)
   . Delphi 2007 / C++Builder 2007 for Win32
   . Delphi 2006 / C++Builder 2006 (Win32) and Delphi/C++Builder 2007
for Win32
   . Delphi 2005 (Win32)
   . Delphi 7 (and 7.1)
   . Delphi 6 / C++Builder 6
   . Delphi 5 / C++Builder 5
   . C++Builder 4
   . Delphi 4

    Other 32b and 64b versions could be also affected.


5. *Vendor Information, Solutions and Workarounds*

    An article from Embarcadero explains the issue and includes a link
to the fix [6]

    Core Security Technologies recommends those affected use third party
software such as
    Sentinel [3] or EMET [2]
    that could help to prevent the exploitation of affected systems to
some extent.


6. *Credits*

    This vulnerability was discovered and researched by Marcos
Accossatto from the Core Exploits Writers Team. The publication of this
advisory was
    coordinated by Joaquín Rodríguez Varela from the Core Advisories
Team in close coordination
    with the US-CERT.


7. *Technical Description / Proof of Concept Code*

    The library 'VCL.Graphics', may be used by
    applications developed using Embarcadero's Delphi and C++ Builder
    to process BMP files [4]. This library is
    vulnerable to a buffer overflow attack when a specially crafted BMP
file
    with specific values in the 'BITMAPINFOHEADER.biClrUsed'
    field are used. This allows the crafted BMP to potentially execute
arbitrary code.


7.1. *Proof of Concept*

    Given that fixing affected applications may require recompiling them
with the fixed library
    by the vendor, Core Security Technologies has decided not to release
proof of concept code publicly at this time in order to
    provide affected companies with additional time for patching.
    Core Security Technologies is willing to collaborate with affected
parties that need assistance in understanding
    the vulnerability. For additional questions please email
advisories-questions@coresecurity.com.


8. *Report Timeline*

. 2014-05-29:
    Core Security Technologies attempts to contact Embarcadero.

. 2014-06-03:
    Core Security Technologies asks for a reply.

. 2014-06-09:
    Core Security Technologies attempts to contact vendor again.

. 2014-06-12:
    Core Security Technologies contacts the US-CERT for assistance in
order to coordinate the
    "coordinated disclosure" of the advisory.

. 2014-06-16:
    US-CERT answers assigning the following tracking code to the report:
VU#646748.

. 2014-06-30:
    First release date missed.

. 2014-07-10:
    US-CERT informs that they were able to contact the vendor and that a
public bug tracking
    link [5] was published by Embarcadero.

. 2014-07-10:
    Core Security Technologies contacts the US-CERT asking for vendor's
contact information and
    informs them that the Embarcadero's bug tracking entry forces us to
    publish the advisory because the vulnerability details are now public.

. 2014-07-28:
    Core Security Technologies receives a reply from Embarcadero stating
they expect to have
    a tentative date for a fix the week of July 28,2014.

. 2014-07-29:
    Core Security Technologies replies to Embarcadero that considering
there is a public bug tracking report link [5],
    we would like to publish the advisory as soon as possible in order
to help to protect the users.

. 2014-08-04:
    Embarcadero informs Core Security Technologies that they have a fix
ready which is currently under
    internal review. They hope to give Core Security Technologies an
expected release date by the end of the week.

. 2014-08-08:
    Expected release date (or reply) not received from Embarcadero,
    Core Security Technologies writes again asking for an update.

. 2014-08-11:
    Core Security Technologies notices the status of the public bug
tracking report [5] was changed to "fixed".
    Core Security Technologies emails the Embarcadero asking for
clarification about the new status.
    Two questions are submitted to the Embarcadero (1) Core Security
Technologies asks Embarcadero to confirm whether the new status means
    the fix was made public and (2) in case the fix is still not public,
Core Security Technologies requests the tentative release date.

. 2014-08-11:
    Embarcadero informs Core Security Technologies that they are testing
the fix internally and that they are
    planning to release it publicly on August 15, 2014.

. 2014-08-11:
    Core Security Technologies requests Embarcadero link to the fix so
it can be include in the coordinated advisory
    report.

. 2014-08-11:
    Embarcadero replies to Core Security Technologies stating that the
link will be delivered
    August 15, 2014.

. 2014-08-12:
    Core Security Technologies requests the estimated time when the fix
will be public on August 15, 2014.

. 2014-08-12:
    Embarcadero replies that they estimate the fix will be released on
August 15, 2014, at 3 p.m. PDT.

. 2014-08-14:
    Core Security Technologies requests Embarcadero to postpone the fix
release day to August 18, 2014 in order to give users time to patch
their software and avoid giving a two-day head start
    to potential malicious parties. Core Security Technologies informs
Embarcadero that it will release the advisory on August 19, 2014 if they
accept the postponement. Additionally, Core Security Technologies offers
help in
    contacting third parties affected by this vulnerability.

. 2014-08-14:
    Embarcadero agrees with suggested release approach and will postpone
    the publishing of the fix until August 18, 2014 at 10 a.m. PDT. They
also state they are internally discussing how they will notify their
customers.

. 2014-08-15:
    Core Security Technologies requests Embarcadero deliver the support
article and fix so it can be verified.

. 2014-08-15:
    Embarcadero sends Core Security Technologies a copy of the support
article.

. 2014-08-15:
    Upon review of the proposed fix, Core Security Technologies informs
Embarcadero that the fix seems incorrect.

. 2014-08-15:
    Embarcadero indicates they will investigate based on that assessment
of the fix, and says they will need to delay the publishing of the fix
until the issue is resolved.

. 2014-08-15:
    Embarcadero confirms a problem with the proposed fix was included in
the support article and indicates they have a fixed the problem. Embarcadero
    requests confirmation from Core Security Technologies regarding the
new article that includes the updated fix.

. 2014-08-18:
    Embarcadero informs Core Security Technologies of updated content in
the article, and proposes publishing the same day.

. 2014-08-18:
    Core Security Technologies didn't reply due to a national holiday
affecting their Buenos Aires offices, but
    Embarcadero publishes the fix and an accompanying support article.

. 2014-08-19:
    Core Security Technologies requests the fix from Embarcadero to
update the advisory and verify it.

. 2014-08-19:
    Embarcadero replies sending Core Security Technologies a link to the
fix. Due to the fact that the fix was released
    on August 18, 2014 Core Security Technologies schedules the advisory
publication for August 20, 2014, leaving the fix analysis task
    for post-advisory release.

. 2014-08-20:
    Advisory CORE-2014-0004 published.


9. *References*
    [1] http://www.embarcadero.com/.
    [2] http://support.microsoft.com/kb/2458544.
    [3] https://github.com/CoreSecurity/sentinel.
    [4]
http://docwiki.embarcadero.com/Libraries/XE5/en/Vcl.Graphics.TPicture
    [5] http://qc.embarcadero.com/wc/qcmain.aspx?d=126004
    [6] http://support.embarcadero.com/article/44015

10. *About CoreLabs*

    CoreLabs, the research center of Core Security Technologies, is
charged with anticipating
    the future needs and requirements for information security
technologies.
    We conduct our research in several important areas of computer security
    including system vulnerabilities, cyber attack planning and simulation,
    source code auditing, and cryptography. Our results include problem
    formalization, identification of vulnerabilities, novel solutions and
    prototypes for new technologies. CoreLabs regularly publishes security
    advisories, technical papers, project information and shared software
    tools for public use at:
    http://corelabs.coresecurity.com.


11. *About Core Security Technologies*

    Core Security Technologies enables organizations to get ahead of threats
    with security test and measurement solutions that continuously identify
    and demonstrate real-world exposures to their most critical assets. Our
    customers can gain real visibility into their security standing, real
    validation of their security controls, and real metrics to more
    effectively secure their organizations.

    Core Security's software solutions build on over a decade of trusted
    research and leading-edge threat expertise from the company's Security
    Consulting Services, CoreLabs and Engineering groups. Core Security
    Technologies can be reached at +1 (617) 399-6980 or on the Web at:
    http://www.coresecurity.com.


12. *Disclaimer*

    The contents of this advisory are copyright
    (c) 2014 Core Security Technologies and (c) 2014 CoreLabs,
    and are licensed under a Creative Commons
    Attribution Non-Commercial Share-Alike 3.0 (United States) License:
    http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. *PGP/GPG Keys*

    This advisory has been signed with the GPG key of Core Security
Technologies
    advisories team, which is available for download at
   
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.