
All About Thumbnails



Presentation Transcript


  1. All About Thumbnails
     Peter Ferrie, Principal Anti-virus Researcher
     11 March, 2011

  2. It Started With A Public Disclosure...
     December 2010, Moti and Xu Hao present at POC2010 "A Vulnerability in My Heart"
     Bug #1: In shimgvw.ConvertDIBSECTIONToThumbnail
       5CB1FBA1 mov esi,[ebp+0C]          ;number of colours
       ...
       5CB1FBF4 cmp esi,00000008
       5CB1FC0F ja SHIMGVW.5CB1FC9B        ;only for 8-bit colour mode
       ...
       5CB1FC24 mov ecx,[edx+20]          ;copy size, user-defined
       ...
       5CB1FC2D cmp ecx,00000100
       5CB1FC33 jg SHIMGVW.5CB1FCF0        ;bug is here: signed comparison
                                          ;accepts >= 2Gb copy size
       5CB1FC39 lea esi,[edx+28]
       5CB1FC3C lea edi,[ebp-00000408]
       5CB1FC42 rep movsd                 ;copy from file to stack
                                          ;until exception occurs
     Peter Ferrie, Microsoft Corporation

  3. That Made Me Look Closer
     Stepped through shimgvw.ConvertDIBSECTIONToThumbnail
     Interested in other code paths, just in case...
     Short routine, did not take long...

  4. That Made Me Look Closer
     Stepped through shimgvw.ConvertDIBSECTIONToThumbnail
     Interested in other code paths, just in case...
     Short routine, did not take long...
     ...to find something

  5. That Made Me Look Closer
     Does this code contain a bug?
       5CB1EFFD mov eax,[esi+0C]          ;height from file
       5CB1F000 imul eax,[esi]
       5CB1F003 lea eax,[eax+2*eax]       ;multiply by 3
       5CB1F006 push eax
       5CB1F007 call SHIMGVW.5CB17483     ;?

  6. That Made Me Look Closer
     Yes, this code contains a bug:
       5CB1EFFD mov eax,[esi+0C]          ;height from file
       5CB1F000 imul eax,[esi]            ;we can mostly control this
       5CB1F003 lea eax,[eax+2*eax]       ;multiply by 3
       5CB1F006 push eax
       5CB1F007 call SHIMGVW.5CB17483     ;malloc...
     Bug #2: Integer overflow in height calculation
     Completely different!
     Multiply-then-malloc() is a common problem
     Returns heap memory pointer, not stack pointer
     This buffer receives file content
     Set height to 0x55555556 or larger to overflow it
     Heap corruption is special because no exception occurs

  7. That Made Me Look Even Closer
     Tried some larger values and it stopped working
     It turns out that height is signed
       5CB200FD xor ecx,ecx
       ...
       5CB20102 mov eax,[ebx+08]
       5CB20105 cmp eax,ecx
       ...
       5CB2010F jnl SHIMGVW.5CB2011D
       5CB20111 neg eax
       5CB20113 mov [ebx+08],eax
     This is abs() which changes the allowed range
     Potential values are still 0x55555556-0xffffffff, but not all values work

  8. Closer Still...
     Problem if height * 0x3e8 >= 0x80000000
       5CB1F9F9 mov edi,[ecx+0C]          ;height
       5CB1F9FC mov ebx,[ebx+04]          ;0x60
       5CB1F9FF imul edi,000003E8         ;might become signed
       ...
       5CB1FA08 mov eax,edi
       5CB1FA0A cdq
       5CB1FA0B idiv ebx                  ;and still signed
       ...
       5CB1FA0D cmp [ebp+0C],eax
       ...
       5CB1FA13 jle SHIMGVW.5CB1FA3E      ;taken if width < height
       5CB1FA15 mov esi,[ebp+08]          ;otherwise
       5CB1FA18 mov eax,[esi]             ;0x60 is used
       5CB1FA1A mov [ecx+08],eax          ;instead of 1 in earlier slide
     Multiply-then-malloc() value is affected if result here is signed
     Multiply might not overflow anymore

  9. Another Code Path
     That covers the possibilities for height
     How about width?
       5CB1F4F5 mov ax,[edi+0E]           ;number of colours
       5CB1F4F9 cmp ax,0010
       ...
       5CB1F500 je SHIMGVW.5CB1F50C       ;16-bit colour
       5CB1F502 cmp ax,0020
       5CB1F506 jne SHIMGVW.5CB1F5A1      ;8- or 24-bit colour
       ...                                ;32-bit colour here also works
       5CB1F5B6 cmp ax,0018
       ...
       5CB1F5C0 jne SHIMGVW.5CB1F62F      ;anything except 24-bit colour
       ...
       5CB1F62F lea eax,[edx+2*edx+03]    ;width, this time
       5CB1F633 and eax,FFFFFFFC
       5CB1F636 push eax
       5CB1F637 call SHIMGVW.5CB17483     ;malloc again
     Yes, bug #3, different location, same problem
     Any value in the range 0x55555555-0xffffffff can be used here

  10. File Size Check
     Width * height should fit within file
     Unlike bug #1 copy size

  11. File Size Check
     Width * height should fit within file
     Unlike bug #1 copy size
     There is a trick to bypass this check

  12. File Size Check
     Width * height should fit within file
     Unlike bug #1 copy size
     There is a trick to bypass this check
     I am not going to tell you what it is

  13. Are We Done Yet?
     No!
     When width and height are 0x60, no scaling is required
     A new code path is reached
       5CB1FB2C mov eax,[ecx+08]
       5CB1FB2F cdq
       5CB1FB30 mov esi,eax
       5CB1FB32 movzx eax,word ptr [ecx+0E]  ;number of colours
       5CB1FB36 xor esi,edx
       5CB1FB38 sub esi,edx
       5CB1FB3A movzx edx,word ptr [ecx+0C]  ;number of bitplanes
       5CB1FB3E imul eax,edx
       5CB1FB41 imul eax,[ecx+04]
       5CB1FB45 add eax,0000001F
       5CB1FB48 and eax,FFFFFFE0
       5CB1FB4B cdq
       5CB1FB4C push 00000008
       5CB1FB4E pop ecx
       5CB1FB4F idiv ecx
       5CB1FB51 imul eax,esi
     Calculates size of DIB section

  14. Are We Done Yet?
     Looks okay, but the first time this is called...
       5CB1FB2C mov eax,[ecx+08]
       5CB1FB2F cdq
       5CB1FB30 mov esi,eax
       5CB1FB32 movzx eax,word ptr [ecx+0E]  ;number of colours
       5CB1FB36 xor esi,edx
       5CB1FB38 sub esi,edx
       5CB1FB3A movzx edx,word ptr [ecx+0C]  ;hard-coded!
     Not all data are taken from the file
     Number of colours is
     Number of bitplanes is not
     Bitplanes value is constant of 1

  15. Are We Done Yet?
     Result is passed to a memory allocation function
       5CB1FC9B push ebx
       5CB1FC9C push ebx
       5CB1FC9D lea eax,[ebp+10]          ;receives memory pointer
       5CB1FCA0 push eax
       5CB1FCA1 push ebx
       5CB1FCA2 lea eax,[ebp-00000430]
       5CB1FCA8 push eax
       5CB1FCA9 push dword ptr [ebp-04]
       5CB1FCAC call [SHIMGVW.5CB01084]   ;GDI32.CreateDIBSection
     Still okay so far

  16. Are We Done Yet?
     Until it is called again...
       5CB1FB2C mov eax,[ecx+08]
       5CB1FB2F cdq
       5CB1FB30 mov esi,eax
       5CB1FB32 movzx eax,word ptr [ecx+0E]  ;number of colours
       5CB1FB36 xor esi,edx
       5CB1FB38 sub esi,edx
       5CB1FB3A movzx edx,word ptr [ecx+0C]  ;number of bitplanes
       5CB1FB3E imul eax,edx
       5CB1FB41 imul eax,[ecx+04]
       5CB1FB45 add eax,0000001F
       5CB1FB48 and eax,FFFFFFE0
       5CB1FB4B cdq
       5CB1FB4C push 00000008
       5CB1FB4E pop ecx
       5CB1FB4F idiv ecx
       5CB1FB51 imul eax,esi

  17. Are We Done Yet?
     Until it is called again...
       5CB1FB2C mov eax,[ecx+08]
       5CB1FB2F cdq
       5CB1FB30 mov esi,eax
       5CB1FB32 movzx eax,word ptr [ecx+0E]  ;number of colours
       5CB1FB36 xor esi,edx
       5CB1FB38 sub esi,edx
       5CB1FB3A movzx edx,word ptr [ecx+0C]  ;number of bitplanes
       5CB1FB3E imul eax,edx
       5CB1FB41 imul eax,[ecx+04]
       5CB1FB45 add eax,0000001F
       5CB1FB48 and eax,FFFFFFE0
       5CB1FB4B cdq
       5CB1FB4C push 00000008
       5CB1FB4E pop ecx
       5CB1FB4F idiv ecx
       5CB1FB51 imul eax,esi
     ...using data taken directly from the file

  18. Are We Done Yet?
     Number of bitplanes is user-defined
     Result is passed to memcpy()
       5CB20213 mov esi,[ebp-04]
       5CB20216 mov edi,[ebp+10]          ;returned by CreateDIBSection
       5CB20219 mov ecx,eax               ;user-defined size
       5CB2021B shr ecx,02
       5CB2021E rep movsd
       5CB20220 mov ecx,eax
       5CB20222 and ecx,00000003
       5CB20225 rep movsb
     Specify more than one bitplane
     Bug #4: Copy size > allocated size
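The four bugs in the slides above (the signed copy-size compare of slide 2, the multiply-then-malloc() of slides 6 and 9, and the DIB-section size that is allocated with one bitplane count but copied with another, slides 13 to 18) all reduce to size arithmetic that is trusted without a wrap or consistency check. The following C is an added example written for this transcript; it is not code from the talk or from shimgvw. It assumes a constructed header struct (dib_header_t, with width, signed height, planes and bitcount standing in for the [ecx+04], [ecx+08], [ecx+0C] and [ecx+0E] fields the disassembly reads), shows the signed compare beside its unsigned replacement, computes the buffer sizes with overflow detection, and checks that a copy length recomputed from the file's bitplane count still fits the allocation made with the constant 1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the header fields the slides read: width at
 * [ecx+04], signed height at [ecx+08], bitplanes at [ecx+0C], colour bits
 * at [ecx+0E]. Names are assumptions for this example, not shimgvw's own. */
typedef struct {
    int32_t  width;
    int32_t  height;     /* signed; slide 7 shows abs() applied to it */
    uint16_t planes;
    uint16_t bitcount;
} dib_header_t;

/* Overflow-checked 32-bit multiply; false if the product does not fit. */
static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out) {
    uint64_t r = (uint64_t)a * (uint64_t)b;
    if (r > UINT32_MAX) return false;
    *out = (uint32_t)r;
    return true;
}

/* abs() of a signed height, returned unsigned. INT32_MIN has no positive
 * counterpart and a zero height is useless, so both are reported invalid. */
static bool abs_height(int32_t height, uint32_t *out) {
    if (height == INT32_MIN) return false;
    *out = (uint32_t)(height < 0 ? -height : height);
    return *out != 0;
}

/* Bug #1 pattern: "cmp ecx,100 / jg" is a signed test, so a copy size with
 * the top bit set (>= 2 GB) reads as negative and passes the limit. */
static bool copy_size_ok_signed(int32_t copy_size) {
    return copy_size <= 0x100;           /* vulnerable form, kept for contrast */
}
/* Corrected form: compare as unsigned (ja/jbe) so large sizes are rejected. */
static bool copy_size_ok_unsigned(uint32_t copy_size) {
    return copy_size <= 0x100u;
}

/* Bug #2/#3 pattern: width * height * 3 fed to malloc(). Returns 0 when any
 * step would wrap, so the caller can never allocate a short buffer. */
static uint32_t rgb_buffer_size(int32_t width, int32_t height) {
    uint32_t h, px, bytes;
    if (width <= 0 || !abs_height(height, &h)) return 0;
    if (!mul_u32((uint32_t)width, h, &px)) return 0;
    if (!mul_u32(px, 3, &bytes)) return 0;
    return bytes;
}

/* Slide 13's DIB-section size: bits per row = bitcount * planes * width,
 * rounded up to a multiple of 32, divided by 8, times abs(height).
 * Every multiply is checked for wrap. */
static bool dib_section_size(const dib_header_t *hdr, uint16_t planes, uint32_t *out) {
    uint32_t h, bits, row_bytes;
    if (hdr->width <= 0 || planes == 0 || hdr->bitcount == 0) return false;
    if (!abs_height(hdr->height, &h)) return false;
    if (!mul_u32((uint32_t)hdr->bitcount * planes, (uint32_t)hdr->width, &bits)) return false;
    if (bits > UINT32_MAX - 31) return false;
    row_bytes = ((bits + 31) & ~31u) / 8;
    return mul_u32(row_bytes, h, out);
}

/* Bug #4 pattern: the buffer is sized with the constant planes = 1 (slide 14)
 * but the later copy length is recomputed from the file's planes field
 * (slides 17 and 18). True only when the copy fits the allocation. */
static bool copy_fits_allocation(const dib_header_t *hdr) {
    uint32_t allocated, copy_len;
    if (!dib_section_size(hdr, 1, &allocated)) return false;
    if (!dib_section_size(hdr, hdr->planes, &copy_len)) return false;
    return copy_len <= allocated;
}

int main(void) {
    dib_header_t one_plane  = { 0x60, 0x60, 1, 24 };   /* constructed samples */
    dib_header_t two_planes = { 0x60, 0x60, 2, 24 };
    printf("height 0x55555556 -> rgb size %u (0 = rejected)\n",
           rgb_buffer_size(1, 0x55555556));
    printf("signed check accepts 0x80000000: %d\n", copy_size_ok_signed(INT32_MIN));
    printf("unsigned check accepts 0x80000000: %d\n", copy_size_ok_unsigned(0x80000000u));
    printf("planes=1 copy fits: %d, planes=2 copy fits: %d\n",
           copy_fits_allocation(&one_plane), copy_fits_allocation(&two_planes));
    return 0;
}
```

With height 0x55555556 and width 1, the third multiply produces 0x100000002, which the checked multiply refuses instead of wrapping to 2; the 0x60 x 0x60 24-bit header sizes to 27648 bytes either way, but doubling the file's bitplane count doubles the copy length while the allocation stays at one plane, which is exactly the mismatch the check reports.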

  19. All Patched...?
     Yes and no
     Signed check (bug #1) is fixed
     Some code also added to ConvertDIBSECTIONToThumbnail()
     Protects against CreateDIBSection() (bug #4) problem
     Additional checks added to earlier routine
     Catches bad values while calculating aspect ratio, stops bugs #2 and #3
     However...
       5CB1F36F mov eax,[esi+0C]
       5CB1F372 imul eax,[esi]
       5CB1F375 and dword ptr [esi+10],0
       5CB1F379 lea eax,[eax+eax*2]
       5CB1F37C push eax
       5CB1F37D call SHIMGVW.5CB1F37D     ;malloc...
     Bad code is still there, relying on earlier checks to prevent exploitation
     So don't call ConvertDIBSECTIONToThumbnail() directly
     Otherwise you will still be vulnerable

  20. Thank you
     Check me out: http://pferrie.tripod.com
     Questions?
