Re: about zlib vulnerability - Microsoft products

["Forrest J Cavalier III" <forrest () mibsoftware com>]

> Microsoft is also using zlib in a couple of products.  MS Office, IE, Front
> Page, DirectX (dunno what versions yet), MSN Messenger, and the next gen GDI
> on XP.  Vulnerability? : "Microsoft representatives said that the software
> giant's security response team is investigating the zlib flaw and that some
> Microsoft applications use code from that compression library. However, the
> team hasn't yet determined which applications use the library and whether
> those applications are vulnerable." (From Cnet's News.Com article -
> http://news.com.com/2100-1001-860328.html )

The following C program scans files for the cplens table (used for
inflate.)  

I expect the code below is portable.  It was tested on Windows.

It might run faster than the perl script posted earlier.  (I
suppose it risks more false positives too.)  

Caveats: 
-------
The appearance of the pattern is not proof of zlib
and even if it is zlib, the malloc implementation
may prevent exploits.

Preliminary Results on Windows
------------------------------
When run on Windows SYSTEMDIR programs and DLLs on my
machine, it reports a match in a number of items I expected
(installers, uninstallers, png DLLs,) and some I did not
expect (like URLMON.DLL, version.dll)  

QuickTime.qts also reports a match.  (Makes sense there
is an inflation routine in QuickTime)  The file extension
indicates that searching only .dll and .exe may not be
adequate.

Forrest Cavalier
Mib Software


/* NO WARRANTY.  Forrest Cavalier is the original author. (c) 2002
   Permission granted for copying, modification, and use,
   with or without fee, provided that this notice is preserved.
 */
#include <stdio.h>
#include <memory.h>

/*  This table appears in zlib/inftrees.c, we search for
    just the pattern 17, 19, 23.  Code below should work for
    big and little endian platforms 16, 32, and 64 bit
    integer sizes.
 */
const int cplens[31] = { /* Copy lengths for literal codes 257..285 */
        3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
        35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};

int main(int argc, char **argv)
{
#define CBPATTERN 64
  FILE *f;
  char buf[8192+CBPATTERN];
  int cnt;
  const char *ptr;
  int ind;
  int wsize;

  if (argc != 2) {
      exit(1);
  }

  f = fopen(argv[1],"rb");
  if (!f) {
      exit(1);
  }

  while(1) {
      cnt = fread(buf+CBPATTERN,1,sizeof(buf)-CBPATTERN,f);
      if (cnt <= 0) {
          break;
      }
      ptr = buf;
      while(1) {
          ptr = memchr(ptr,'\x11',buf+cnt+CBPATTERN-ptr);
          if (!ptr || (ptr+CBPATTERN > buf+cnt+CBPATTERN)) {
              /* Not found, or tests will pass end of buffer */
              break;
          }
          /* Look for pattern from middle of table */
          for(wsize = 2;wsize <= 8;wsize *= 2) {
            if (ptr &&
                (ptr[wsize] == '\x13')&&
                (ptr[wsize*2] == '\x17')&&
                (ptr[wsize*3] == '\x1b')) {
                break;
            }
          }
          if (wsize <= 8) {
              ind = 1;
              while(ind < wsize) { /* Ensure intervening bytes are zero */
                  if (ptr[ind]||
                      ptr[wsize+ind]||
                      ptr[wsize*2+ind]||
                      ptr[wsize*3+ind]) {
                      break; /* Non-zero. */
                  }
                  ind++;
              }
              if (ind == wsize) {
                  printf("Found cplens pattern in %s\n",argv[1]);
              }
          }
          ptr++;
      }
      /* Copy end of buffer down, to catch patterns which
         go over a read boundary
       */
      memmove(buf,buf+cnt,CBPATTERN);
  }
  fclose(f);
  return 0;
}