Public Report
Report From: Delphi-BCB/VCL/Graphics
Report #:  126004   Status: Closed
Delphi and C++ Builder VCL library Buffer Overflow
Project:  Delphi Build #:  20.0.15596.9843
Version:    20.0 Submitted By:   Art Manion
Report Type:  Crash / Data loss / Total failure Date Reported:  7/9/2014 2:00:39 PM
Severity:    Serious / Highly visible problem Last Updated: 9/3/2014 5:14:05 AM
Platform:    All versions Internal Tracking #:   52558
Resolution: Fixed Resolved in Build: XE7
Duplicate of:  None
Description
Vulnerability Description

Applications built with Delphi and C++ Builder [1] are prone to a security vulnerability when processing BMP files. A vulnerability has been found in the VCL library responsible for processing BMP files: a crafted BMP file produces a buffer overflow, which allows an attacker to execute arbitrary code in a client-side attack.
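As an added illustration of the kind of pre-decode validation that mitigates a crafted-BMP overflow in an image loader (example code, not the VCL's or Core Security's; `bmp_header_is_sane` and `check_case` are hypothetical helper names), this C function checks that a BMP header's declared dimensions, bit depth and pixel offset are consistent with the bytes actually present before any decoder allocates or copies pixel data:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical pre-decode gate for untrusted BMP input (added example, not VCL code).
 * Parses the 14-byte file header and 40-byte BITMAPINFOHEADER (little-endian) and
 * rejects files whose declared geometry needs more pixel bytes than are present. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 1 if the header is consistent with a file of len bytes, 0 otherwise. */
int bmp_header_is_sane(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t pix_off = rd32(buf + 10), hdr = rd32(buf + 14), comp = rd32(buf + 30);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    if (hdr < 40 || planes != 1 || comp != 0) return 0;  /* only uncompressed BI_RGB handled */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 0;
    if (w <= 0 || h == 0 || h == INT32_MIN) return 0;    /* negative height = top-down, allowed */
    uint64_t rows = (uint64_t)(h < 0 ? -h : h);
    /* Row stride rounded up to 4 bytes; 64-bit math so width * bpp * rows cannot wrap
     * the way a 32-bit size computation would for large declared dimensions. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t need = stride * rows;
    if (pix_off < 14 + hdr || pix_off > len) return 0;   /* pixel data must start inside file */
    return need <= (uint64_t)(len - pix_off);            /* and the declared pixels must fit */
}

/* Constructed test input: bare headers followed by data_bytes (<= 128) of zero pixel
 * data. It is not an image and not the advisory's proof-of-concept file. */
int check_case(int32_t w, int32_t h, uint16_t bpp, size_t data_bytes) {
    uint8_t buf[54 + 128];
    if (data_bytes > 128) return -1;
    size_t len = 54 + data_bytes;
    memset(buf, 0, sizeof buf);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)len);        /* bfSize */
    wr32(buf + 10, 54);                  /* bfOffBits: pixels follow the two headers */
    wr32(buf + 14, 40);                  /* biSize */
    wr32(buf + 18, (uint32_t)w);         /* biWidth */
    wr32(buf + 22, (uint32_t)h);         /* biHeight */
    buf[26] = 1;                         /* biPlanes; biCompression at 30 stays 0 (BI_RGB) */
    buf[28] = (uint8_t)bpp; buf[29] = (uint8_t)(bpp >> 8);
    return bmp_header_is_sane(buf, len);
}
```

A loader that runs such a gate rejects a file whose header claims far more pixels than the file carries, which is the inconsistency a bounds-unsafe decoder would otherwise turn into an out-of-bounds write.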

Vulnerable packages

- Embarcadero C++Builder XE6 Version 20.0.15596.9843
- Embarcadero Delphi XE6 Version 20.0.15596.9843

NOTE: Only projects compiled for 32-bit Windows are affected.

The following versions are probably affected too, but they were not checked:

- Delphi XE5 / C++Builder XE5 (Delphi:Win32) (C++Builder:Win32)
- Delphi XE4 / C++Builder XE4 (Delphi:Win32) (C++Builder:Win32)
- Delphi XE3 / C++Builder XE3 (Delphi:Win32) (C++Builder:Win32)
- Delphi XE2 / C++Builder XE2 (Delphi:Win32) (C++Builder:Win32)
- Delphi XE / C++Builder XE (Win32)
- Delphi 2010 / C++Builder 2010 (Win32)
- Delphi 2009 / C++Builder 2009 (Win32)
- Delphi 2007 / C++Builder 2007 for Win32
- Delphi 2006 / C++Builder 2006 (Win32) and Delphi/C++Builder 2007 for Win32
- Delphi 2005 (Win32)
- Delphi 7 (and 7.1)
- Delphi 6 / C++Builder 6
- Delphi 5 / C++Builder 5
- C++Builder 4
- Delphi 4

Other versions may be affected but were not tested.

The vulnerability was discovered and researched by Marcos Accossatto from Core Security. Coordination by Joaquín Rodríguez Varela from the Core Security Advisories Team.
Steps to Reproduce:
Using Embarcadero RAD Studio XE6, build the Graphex sample program for Win32.
You can find it at the following paths (C++ and Delphi):

Delphi: \Samples\Object Pascal\VCL\Graphex
C++Builder: \Samples\CPP\VCL\Graphex

Then open the attached proof-of-concept BMP file. Contact the CERT Coordination Center for the ZIP password.

412-268-7090
cert@cert.org
amanion@cert.org

Please reference case number VU#646748.
Workarounds
None
Attachment
None
Comments

Art Manion at 7/9/2014 2:03:40 PM -
unable to upload attachment

Tomohiro Takahashi at 7/9/2014 5:56:37 PM -
Please use the Windows native QC client to attach a relatively small zip file to your existing report.
The standalone client (QualityCentral.exe) is included in Delphi/C++Builder.

Michael Devery at 7/10/2014 10:22:39 AM -
You can also download the Quality Central Windows Client from http://qc.codegear.com/qualitycentral.zip.
