Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities

Mateusz "j00ru" Jurczyk, PacSec, Tokyo 2016

Upload: pacsecjp, posted on 16-Apr-2017

TRANSCRIPT


PS> whoami

• Project Zero @ Google

• Low-level security researcher with interest in all sorts of vulnerability research and software exploitation

• http://j00ru.vexillium.org/

• @j00ru

Agenda

• Windows Metafile primer, GDI design, attack vectors.

• Hacking:

  • Internet Explorer (GDI)

  • Windows Kernel (ATMFD.DLL)

  • Microsoft Office (GDI+)

  • VMware virtualization (Print Spooling)

• Final thoughts.

Windows GDI & Metafile primer

Windows GDI

• GDI stands for Graphics Device Interface.

• Enables user-mode applications to use graphics and formatted text on video displays and printers.

• Major part of the system API (nearly 300 documented functions).

• Present in the OS since the very beginning (Windows 1.0 released in 1985).

• One of the oldest subsystems, with most of its original code still running 31 years later.

• Coincidentally (?) also one of the most buggy components.

How to draw

1. Grab a handle to a Device Context (HDC).

  • Identifies a persistent container of various graphical settings (pens, brushes, palettes etc.).

  • Can be used to draw to a screen (most typically), a printer, or a metafile.

  • Most trivial example:

HDC hdc = GetDC(NULL);

(obtains a HDC for the entire screen)

How to draw

2. Use a drawing function.

Ellipse(hdc, 100, 100, 500, 300);
RoundRect(hdc, 100, 100, 500, 500, 100, 100);

Windows GDI – simplified architecture

ring-3:
  app1.exe   app2.exe   app3.exe   app4.exe
  GDI+ (gdiplus.dll)
  User-mode GDI (gdi32.dll)

ring-0:
  Kernel-mode GDI (win32k.sys)
  NTOS Kernel, Printer Drivers, Font Drivers, Display Drivers

User to kernel API mappings

Most user-mode GDI functions have their direct counterparts in the kernel:

GDI32.DLL                 win32k.sys
AbortDoc                  NtGdiAbortDoc
AbortPath                 NtGdiAbortPath
AddFontMemResourceEx      NtGdiAddFontMemResourceEx
AddFontResourceW          NtGdiAddFontResourceW
AlphaBlend                NtGdiAlphaBlend
...                       ...

Windows Metafiles

Core idea:

Store images as lists of records directly describing GDI calls.

Windows Metafiles

• Pros:

  • requires little computation work from the rasterizer itself, as it only has to call GDI functions with the supplied parameters.

  • provides an official way of serializing sets of GDI operations into reproducible images.

  • can work as a vector format, raster, or both.

• Cons:

  • only works on Windows, unless a full implementation of the supported graphical GDI operations is implemented externally.

First version: WMF

• The original metafiles (WMF = Windows MetaFiles).

• Introduced with Windows 3.0 in 1990.

• Not as ancient as GDI itself, but almost so.

• Initially documented in the Windows 3.1 SDK (1994, volume 4).

• A revised, more complete specification was released in 2006, and has been maintained since then.

• A description of all records and structures can be found in the MS-WMF document.

WMF files – 60 supported API functions

AnimatePalette, Arc, BitBlt, Chord, CreateBrushIndirect, CreateDIBPatternBrush, CreateFontIndirect, CreatePalette, CreatePatternBrush, CreatePenIndirect, DeleteObject, Ellipse, Escape, ExcludeClipRect, ExtFloodFill, ExtTextOut, FillRgn, FloodFill, FrameRgn, IntersectClipRect, InvertRgn, LineTo, MoveToEx, OffsetClipRgn, OffsetViewportOrgEx, OffsetWindowOrgEx, PaintRgn, PatBlt, Pie, Polygon, Polyline, PolyPolygon, RealizePalette, Rectangle, ResizePalette, RestoreDC, RoundRect, SaveDC, ScaleViewportExtEx, ScaleWindowExtEx, SelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetDIBitsToDevice, SetMapMode, SetMapperFlags, SetPaletteEntries, SetPixel, SetPolyFillMode, SetROP2, SetStretchBltMode, SetTextAlign, SetTextCharacterExtra, SetTextColor, SetTextJustification, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, StretchBlt, StretchDIBits, TextOut

Some seemingly interesting ones

(The same list of functions as above, with a subset highlighted on the slide.)

WMF: there's more!

• The format also supports a number of records which do not directly correspond to GDI functions.

  • Header with metadata.

  • Embedded EMF.

  • Records directly interacting with the printer driver / output device.

  • End-of-file marker.

  • ...

WMF: there's more!

• Generally, the most interesting records can be found in two sections:

Windows Metafile – example

...
R0003: [017] META_SETMAPMODE (s=12) {iMode(8=MM_ANISOTROPIC)}
R0004: [011] META_SETVIEWPORTEXTEX (s=16) {szlExtent(1920,1200)}
R0005: [009] META_SETWINDOWEXTEX (s=16) {szlExtent(1920,1200)}
R0006: [010] META_SETWINDOWORGEX (s=16) {ptlOrigin(-3972,4230)}
R0007: [009] META_SETWINDOWEXTEX (s=16) {szlExtent(7921,-8462)}
R0008: [049] META_CREATEPALETTE (s=960) {ihPal(1) LOGPAL[ver:768, entries:236]}
R0009: [048] META_SELECTPALETTE (s=12) {ihPal(Table object: 1)}
R0010: [052] META_REALIZEPALETTE (s=8)
R0011: [039] META_CREATEBRUSHINDIRECT (s=24) {ihBrush(2), style(0=BS_SOLID, color:0x00FFFFFF)}
R0012: [037] META_SELECTOBJECT (s=12) {Table object: 2=OBJ_BRUSH.(BS_SOLID)}
R0013: [037] META_SELECTOBJECT (s=12) {Stock object: 8=OBJ_PEN.(PS_NULL)}
R0014: [019] META_SETPOLYFILLMODE (s=12) {iMode(1=ALTERNATE)}
R0015: [086] META_POLYGON16 (s=320) {rclBounds(89,443,237,548), nbPoints:73, P1(-2993,398)-Pn(-2993,398)}
R0016: [038] META_CREATEPEN (s=28) {ihPen(3), style(0=PS_SOLID|COSMETIC), width(0), color(0x00000000)}
...

WMF: still very obsolete

• Even though already quite complex, the format didn't turn out to be very well thought-out for modern usage.

• It's still supported by GDI, and therefore some of its clients (e.g. Microsoft Office, Paint, some default Windows apps).

• Has been basically forgotten in any real-world use-cases for the last decade or more.

WMF: discouraged from use

• Even Microsoft gives a lot of reasons not to use it anymore:

Next up: EMF (Enhanced MetaFiles)

• Already in 1993, Microsoft released an improved revision of the image format, called EMF.

• Documented in the official MS-EMF specification.

• Surpasses WMF in a multitude of ways:

  • uses 32-bit data/offset width, as opposed to just 16 bits.

  • device independent.

  • supports a number of new GDI calls, while maintaining backward compatibility with old records.

Enhanced Metafile – example

...
R0121: [039] EMR_CREATEBRUSHINDIRECT (s=24) {ihBrush(2), style(1=BS_NULL)}
R0122: [037] EMR_SELECTOBJECT (s=12) {Table object: 2=OBJ_BRUSH.(BS_NULL)}
R0123: [040] EMR_DELETEOBJECT (s=12) {ihObject(1)}
R0124: [090] EMR_POLYPOLYLINE16 (s=44) {rclBounds(128,-256,130,-254), nPolys:1, nbPoints:2, P1(386,-765)-Pn(386,-765)}
R0125: [019] EMR_SETPOLYFILLMODE (s=12) {iMode(1=ALTERNATE)}
R0126: [039] EMR_CREATEBRUSHINDIRECT (s=24) {ihBrush(1), style(0=BS_SOLID, color:0x00A86508)}
R0127: [037] EMR_SELECTOBJECT (s=12) {Table object: 1=OBJ_BRUSH.(BS_SOLID)}
R0128: [040] EMR_DELETEOBJECT (s=12) {ihObject(2)}
R0129: [058] EMR_SETMITERLIMIT (s=12) {Limit:0.000}
R0130: [091] EMR_POLYPOLYGON16 (s=60) {rclBounds(127,-259,138,-251), nPolys:1, nbPoints:6, P1(384,-765)-Pn(384,-765)}
R0131: [040] EMR_DELETEOBJECT (s=12) {ihObject(1)}
R0132: [040] EMR_DELETEOBJECT (s=12) {ihObject(3)}
R0133: [014] EMR_EOF (s=20) {nPalEntries:0, offPalEntries:16, nSizeLast:20}
...

EMF: interesting records at first glance

(Three slides listing the EMF record types, with the interesting ones highlighted.)

EMF: current support

• Despite being only 3 years younger than WMF, EMF has remained in current usage until today.

• Not as a mainstream image format, but still a valid attack vector.

• A variety of attack vectors:

  • Win32 GDI clients – most notably Internet Explorer.

  • GDI+ clients – most notably Microsoft Office.

  • Printer drivers, including those used in virtualization technology.

Toolset – examination (EMFexplorer)

Toolset – examination (MetafileExplorer)

Toolset – reading & writing (pyemf)

#!/usr/bin/env python
import os
import pyemf
import sys

def main(argv):
    if len(argv) != 2:
        print("Usage: %s /path/to/poc.emf" % argv[0])
        sys.exit(1)

    # 100x100 canvas; density=1 keeps the logical and device units equal.
    emf = pyemf.EMF(width=100, height=100, density=1)
    # Object handle 1: a green solid brush, then select it into the DC.
    emf.CreateSolidBrush(0x00ff00)
    emf.SelectObject(1)
    # Fill the whole canvas with a single polygon.
    emf.Polygon([(0, 0), (0, 100), (100, 100), (100, 0)])
    emf.save(argv[1])

if __name__ == "__main__":
    main(sys.argv)

The latest: EMF+

• GDI had all the fundamental primitives, but lacked many complex features (anti-aliasing, floating point coords, support for JPEG/PNG etc.).

• Windows XP introduced a more advanced library called GDI+ in 2001.

• Built as a user-mode gdiplus.dll library, mostly on top of regular GDI (gdi32.dll).

• Provides high-level interfaces for C++ and .NET, therefore is much easier to use.

• GDI+ itself is written in C++, so all the typical memory corruption bugs still apply.

The latest: EMF+

• Since there is a new interface, there must also be a new image format with its serialized calls.

• Say hi to EMF+!

• Basically same as EMF, but representing GDI+ calls.

• Come in two flavours: EMF+ Only and EMF+ Dual.

  • "Only" contains exclusively GDI+ records, and can only be displayed with GDI+.

  • "Dual" stores the picture with two sets of records, compatible with both GDI/GDI+ clients.

Formats and implementations in Windows

• Three formats in total to consider: WMF, EMF, EMF+.

• Three libraries: GDI, GDI+ and MF3216.

  • MF3216.DLL is a system library with just one meaningful exported function: ConvertEmfToWmf.

  • Used for the automatic conversion between WMF/EMF formats in the Windows clipboard.

  • "Synthesized" formats CF_METAFILEPICT and CF_ENHMETAFILE.

  • No bugs found there. :(

Formats and implementations in Windows

Library    Supported formats
GDI        WMF, EMF
GDI+       WMF, EMF, EMF+
MF3216     EMF

In this talk, we'll focus on auditing and exploiting the EMF parts, as this is where the most (interesting) issues were discovered.

Attack scenario

• In all cases, Metafiles are processed in the user-mode context of the renderer process, in the corresponding DLL.

  • GDI, GDI+ and MF3216 iterate through all input records and translate them into GDI/GDI+ calls.

  • Memory corruption bugs will result in arbitrary code execution in that context.

• Important: Metafiles directly operate on the GDI context of the renderer.

  • Can create, delete, change and use various GDI objects on behalf of the process.

  • In theory, it should only have access to its own objects and be self-contained.

  • However, any bugs in the implementation could enable access to external graphics objects used by the program.

  • A peculiar case of "privilege escalation".

Attack scenario: GDI context priv. escal.

(Diagram: the process GDI context of renderer.exe holds the renderer's own GDI objects next to the GDI objects created by EMF #1, EMF #2 and EMF #3, each loaded from its own file; security boundaries are drawn between each metafile's objects and the rest of the context. A second slide shows the same diagram with the EMF #2 and EMF #3 files no longer present.)

Types of Metafile bugs

1. Memory corruption bugs

  • Buffer overflows etc. due to mishandling specific records.

  • Potentially exploitable in any type of renderer.

  • Impact: typically RCE.

2. Memory disclosure bugs

  • Rendering uninitialized or out-of-bounds heap memory as image pixels.

  • Exploitable only in contexts where displayed images can be read back (web browsers, remote renderers).

  • Impact: information disclosure (stealing secret information, defeating ASLR etc.).

3. Invalid interaction with the OS and GDI object mismanagement.

  • Impact, exploitability = ???, depending on the specific nature of the bug.

Let's get started!

• Earlier this year, I started manually auditing the available EMF implementations.

• This has resulted in 10 CVEs from Microsoft and 3 CVEs from VMware (covering several dozen actual bugs).

• Let's look into the root causes and exploitation of the most interesting ones.

• Examples are shown based on Windows 7 32-bit, but most of the research applies to both bitnesses and versions up to Windows 10.

Auditing GDI

Getting started

• To get some general idea of where the functionality in question is implemented and what types of bugs were found in the past, it makes sense to check prior art.

• A "wmf vulnerability" query yields just one result: the SetAbortProc bug!

SetAbortProc WMF bug (CVE-2005-4560)

• Discovered on December 27, 2005. Fixed on January 5, 2006.

• Critical bug, allowed 100% reliable RCE while using GDI to display the exploit (e.g. in Internet Explorer).

• Called "Windows Metafile vulnerability", won Pwnie Award 2007.

• No memory corruption involved, only documented features of WMF.

• So what was the bug?

The GDI API...

(Slide: the SetAbortProc prototype, with its function pointer parameter highlighted.)

... and the WMF counterpart

In essence...

...the format itself supported calling:

SetAbortProc(hdc, (ABORTPROC)"controlled data");

and having the function pointer called afterwards.

Code execution by design.

Lessons learned

1. The format may (un)officially proxy calls to interesting/dangerous API calls, so the semantics of each function and its parameters should be checked for unsafe behavior.

2. The handling of WMF takes place in a giant switch/case in gdi32!PlayMetaFileRecord.

What about EMF bugs?

• Searching for "emf vulnerability" yields more diverse results.

• Most recent one: "Yet Another Windows GDI Story" by Hossein Lotfi.

  • Fixed in April 2015 as part of MS15-035, assigned CVE-2015-1645.

  • A heap-based buffer overflow due to an unchecked assumption about an input "size" field in one of the records (SETDIBITSTODEVICE).

• In large part an inspiration to start looking into EMF security myself.

Lessons learned

• Main function for playing EMF records is gdi32!PlayEnhMetaFileRecord.

• Each record type has its own class with two methods:

  • ::bCheckRecord() – checks the internal integrity and correctness of the record.

  • ::bPlay() – performs the actions indicated in the record.

GDI32 ::bCheckRecord array

GDI32 ::bPlay array

That's a starting point.

Impact: File existence information disclosure

Record: EMR_CREATECOLORSPACE, EMR_CREATECOLORSPACEW

Exploitable in: Internet Explorer

CVE: CVE-2016-0168

google-security-research entry: 722

Fixed: MS16-055, 10 May 2016

CVE-2016-0168

Minor bug #1 in EMR_CREATECOLORSPACEW

• The quality of the code can be immediately recognized by observing many small, but obvious bugs.

• MRCREATECOLORSPACEW::bCheckRecord() checks that the size of the record is ≥ 0x50 bytes long:

.text:7DB01AEF    mov     eax, [esi+4]
.text:7DB01AF2    cmp     eax, 50h
.text:7DB01AF5    jb      short loc_7DB01B1E

• Then immediately proceeds to read a .cbData field at offset 0x25C:

.text:7DB01AF7    mov     ecx, [esi+25Ch]

• Result: out-of-bounds read by 0x20C bytes.

Minor bug #2 in EMR_CREATECOLORSPACEW

• Then, the .cbData from invalid offset 0x25C is used to verify the record length:

.text:7DB01AF7    mov     ecx, [esi+25Ch]
.text:7DB01AFD    add     ecx, 263h
.text:7DB01B03    and     ecx, 0FFFFFFFCh
.text:7DB01B06    cmp     eax, ecx
.text:7DB01B08    ja      short loc_7DB01B1E

• The above translates to:

if (... && record.length <= ((record->cbData + 0x263) & ~3) && ...) {
  // Record valid.
}

Minor bug #2 in EMR_CREATECOLORSPACEW

• Two issues here:

  1. Obvious integer overflow making a large .cbData pass the check.

  2. Why would the record length be smaller than the data declared within? It should be larger!

• It all doesn't matter anyway, since the data is not used in any further processing.

Minor bug #3 in EMR_CREATECOLORSPACEW

• The .lcsFilename buffer of the user-defined LOGCOLORSPACEW structure is not verified to be nul-terminated.

• May lead to out-of-bound reads while accessing the string.

• As clearly visible, there are lots of unchecked assumptions in the implementation, even though only minor so far.

• Keeps our hopes up for something more severe.

The file existence disclosure

• Back to the functionality of EMR_CREATECOLORSPACE[W] records: all they do is call CreateColorSpace[W] with a fully controlled LOGCOLORSPACE structure:

typedef struct tagLOGCOLORSPACE {
  DWORD         lcsSignature;
  DWORD         lcsVersion;
  DWORD         lcsSize;
  LCSCSTYPE     lcsCSType;
  LCSGAMUTMATCH lcsIntent;
  CIEXYZTRIPLE  lcsEndpoints;
  DWORD         lcsGammaRed;
  DWORD         lcsGammaGreen;
  DWORD         lcsGammaBlue;
  TCHAR         lcsFilename[MAX_PATH];
} LOGCOLORSPACE, *LPLOGCOLORSPACE;

Inside CreateColorSpaceW

• The function builds a color profile file path using internal gdi32!BuildIcmProfilePath.

  • if the provided filename is relative, it is appended to a system directory path.

  • otherwise, absolute paths are left as-is.

• All paths are accepted, except for those starting with two "/" or "\" characters:

if ((pszSrc[0] == '\\' || pszSrc[0] == '/') && (pszSrc[1] == '\\' || pszSrc[1] == '/')) {
  // Path denied.
}

Inside CreateColorSpaceW

• This is supposedly to prevent specifying remote UNC paths starting with the "\\" prefix, e.g. \\192.168.1.13\C\Users\test\profile.icc.

• However, James Forshaw noted that this check is not effective, as the prefix can be also represented as "\??\UNC\".

• The check is easily bypassable with:

\??\UNC\192.168.1.13\C\Users\test\profile.icc

CreateColorSpaceInternalW: last step

• After the path is formed, but before invoking the NtGdiCreateColorSpace system call, the function opens the file and immediately closes it to see if it exists:

HANDLE hFile = CreateFileW(&FileName, GENERIC_READ, FILE_SHARE_READ, 0,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile == INVALID_HANDLE_VALUE) {
  GdiSetLastError(2016);
  return 0;
}
CloseHandle(hFile);

Consequences

• In result, we can have CreateFileW() called over any chosen path.

  • If it succeeds, the color space object is created and the function returns success.

  • If it fails, the GDI object is not created and the handler returns failure.

• Sounds like information disclosure potential.

• How do we approach exploitation e.g. in Internet Explorer?

Intuitive way: leaking the return value

• Since the return value of CreateFileW() determines the success of the record processing, we could maybe leak this bit?

• Initial idea: use EMR_CREATECOLORSPACE as the first record, followed by a drawing operation.

• If the drawing is never executed (which can be determined with the <canvas> tag), the call failed.

Intuitive way: leaking the return value

• Unfortunately impossible.

• The gdi32!_bInternalPlayEMF function (called by PlayEnhMetaFile itself) doesn't abort image processing when one record fails.

  • A "success" flag is set to FALSE, and the function proceeds to further operations.

  • All records are always executed, and the return value is a flag indicating if at least one of the records failed during the process.

Can't we leak the final return value?

• No, not really.

• The return value of PlayEnhMetaFile is discarded by Internet Explorer in mshtml!CImgTaskEmf::Decode:

.text:64162B49    call    ds:__imp__PlayEnhMetaFile@12
.text:64162B4F    or      dword ptr [ebx+7Ch], 0FFFFFFFFh
.text:64162B53    lea     eax, [esp+4C8h+var_49C]

Other disclosure options

• The other indicator could be the creation of a color space object via NtGdiCreateColorSpace.

• Leaking it directly is not easy (if at all possible), but maybe there is some side channel?

Using the GDI object limit

• Every process in Windows is limited to max. 10,000 GDI objects by default.

• The number can be adjusted in the registry, but isn't for IE.

• If we use 10,000 EMR_CREATECOLORSPACEW records with the file path we want to check, then:

  • If the file exists, we'll have 10,000 color space objects, reaching the per-process limit.

  • If it doesn't, we won't have any color spaces at all.

• We're now either at the limit, or not. If we then create a brush (one more object) and try to paint, then:

  • If the file exists, the brush creation will fail and the default brush will be used.

  • If it doesn't, the brush will be created and used for painting.

GDI object limit as oracle illustrated

(Diagram: the process already holds a Bitmap, a Font and a Palette. File exists: the 10,000 Colorspace objects fill the table up to the limit, so the Brush cannot be created. File doesn't exist: no Colorspace objects are present, and the Brush is created.)

DEMO

Vulnerability impact

• Arbitrary file existence disclosure, useful for many purposes:

  • Recognizing specific software (and versions) that the user has installed, for targeted attacks.

  • Tracking users (by creating profiles based on existing files).

  • Tracking the opening times of offline documents (e.g. each opening in Microsoft Office could trigger a ping to remote server via SMB).

  • Blindly scanning network shares available to the user.

Impact: Memory disclosure

Record: Multiple records (10)

Exploitable in: Internet Explorer

CVE: CVE-2016-3216

google-security-research entry: 757

Fixed: MS16-074, 14 June 2016

CVE-2016-3216

Device Independent Bitmaps (DIBs)

In Windows GDI, raster bitmaps are usually stored in memory in the form of DIBs:

• Short header containing basic metadata about the image, followed by optional palette.

• The image data itself.

(Diagram: BITMAPINFO = BITMAPINFOHEADER followed by RGBQUAD bmiColors[...]; then the bitmap data, shown as a hex dump of pixel bytes.)

.BMP files are just DIBs, too.

(Diagram: the same BITMAPINFO and bitmap data, preceded by a BITMAPFILEHEADER whose bfOffBits field points at the start of the bitmap data.)

typedef struct tagBITMAPFILEHEADER {
  WORD  bfType;
  DWORD bfSize;
  WORD  bfReserved1;
  WORD  bfReserved2;
  DWORD bfOffBits;
} BITMAPFILEHEADER;

BITMAPINFOHEADER, the trivial header

typedef struct tagBITMAPINFOHEADER {
  DWORD biSize;
  LONG  biWidth;
  LONG  biHeight;
  WORD  biPlanes;
  WORD  biBitCount;
  DWORD biCompression;
  DWORD biSizeImage;
  LONG  biXPelsPerMeter;
  LONG  biYPelsPerMeter;
  DWORD biClrUsed;
  DWORD biClrImportant;
} BITMAPINFOHEADER;

• Short and simple structure.

• 40 bytes in length (in typical form).

• Only 8 meaningful fields.

Is it really so trivial to handle?

• biSize needs to be sanitized (can only be a few valid values).

• biWidth, biHeight, biPlanes, biBitCount can cause integer overflows (often multiplied with each other).

• biHeight can be negative to indicate bottom-up bitmap.

• biPlanes must be 1.

• biBitCount must be one of {1, 2, 4, 8, 16, 24, 32}.

• For biBitCount < 16, a color palette can be used.

• The size of the color palette is also influenced by biClrUsed.

Is it really so trivial to handle?

• biCompression can be BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS, ...

  • Each compression scheme must be handled correctly.

• biSizeImage must correspond to the actual image size.

• The palette must be sufficiently large to contain all entries.

• The pixel data buffer must be sufficiently large to describe all pixels.

• Encoded pixels must correspond to the values in the header (e.g. not exceed the palette size etc.).

Many potential problems

1. The decision tree for correctly handling a DIB based on its header is very complex.

2. Lots of corner cases to cover and implementation bugs to avoid.

3. A consistent handling across various parts of code is required.

GDI functions operating on DIB (directly)

(Slide: GDI function prototypes with their pointer-to-image-data and pointer-to-DIB-header parameters highlighted.)

GDI functions operating on DIB (indirectly)

Data sanitization responsibility

• In all cases, it is the API caller's responsibility to make sure the headers and data are correct and adequate.

• Passing in fully user-controlled input data is somewhat problematic, as the application code would have to "clone" GDI's DIB handling.

• Guess what? EMF supports multiple records which contain embedded DIBs.

EMF records containing DIBs

• EMR_ALPHABLEND
• EMR_BITBLT
• EMR_MASKBLT
• EMR_PLGBLT
• EMR_STRETCHBLT
• EMR_TRANSPARENTBLT
• EMR_SETDIBITSTODEVICE
• EMR_STRETCHDIBITS
• EMR_CREATEMONOBRUSH
• EMR_EXTCREATEPEN

The common scheme

• Two pairs of (offset, size) for both the header and the bitmap:

Necessary checks in the EMF record handlers

• In each handler dealing with DIBs, there are four necessary consistency checks:

  1. cbBmiSrc is adequately large for the header to fit in.

  2. (offBmiSrc, offBmiSrc + cbBmiSrc) resides fully within the record.

  3. cbBitsSrc is adequately large for the bitmap data to fit in.

  4. (offBitsSrc, offBitsSrc + cbBitsSrc) resides fully within the record.
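The four checks above, together with the header sanity rules from the preceding slides, written out as one validation routine. This is an added example, not code from the talk or from gdi32: the record layout is a simplified, hypothetical one (EMR header followed directly by the two offset/size pairs), the sample record is constructed in the block, and only BI_RGB with the 40-byte header is accepted.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* The 40-byte BITMAPINFOHEADER from the slides. */
typedef struct {
    uint32_t biSize;  int32_t biWidth;  int32_t biHeight;
    uint16_t biPlanes; uint16_t biBitCount;
    uint32_t biCompression; uint32_t biSizeImage;
    int32_t biXPelsPerMeter; int32_t biYPelsPerMeter;
    uint32_t biClrUsed; uint32_t biClrImportant;
} BmiHeader;

/* Hypothetical minimal record (constructed for this example): the EMR header
 * plus the two (offset, size) pairs shared by every DIB-bearing record. A real
 * EMR_STRETCHBLT carries many more fields in between. */
typedef struct {
    uint32_t iType, nSize;           /* nSize = whole record length */
    uint32_t offBmiSrc, cbBmiSrc;    /* DIB header (+ palette)      */
    uint32_t offBitsSrc, cbBitsSrc;  /* pixel data                  */
} DibRecord;

enum { DIB_OK = 0, DIB_BAD_HDR_SIZE, DIB_HDR_OUT_OF_RECORD, DIB_BAD_FIELDS,
       DIB_BAD_PALETTE, DIB_BITS_TOO_SMALL, DIB_BITS_OUT_OF_RECORD };

/* True iff [off, off + cb) lies inside [0, nSize). off + cb is never formed,
 * so an attacker-chosen pair cannot wrap around to a small sum. */
static bool range_in_record(uint32_t off, uint32_t cb, uint32_t nSize) {
    return off <= nSize && cb <= nSize - off;
}

/* Bytes needed for the pixels, computed in 64 bits so the width * bpp
 * products the talk warns about cannot overflow. */
static uint64_t image_bytes(const BmiHeader *h) {
    uint64_t w    = h->biWidth  < 0 ? -(int64_t)h->biWidth  : (uint64_t)h->biWidth;
    uint64_t rows = h->biHeight < 0 ? -(int64_t)h->biHeight : (uint64_t)h->biHeight;
    uint64_t stride = ((w * h->biBitCount + 31) / 32) * 4;   /* DWORD-aligned rows */
    return stride * rows;
}

int validate_dib_record(const uint8_t *rec, uint32_t len) {
    DibRecord r;
    BmiHeader h;
    if (len < sizeof r) return DIB_HDR_OUT_OF_RECORD;
    memcpy(&r, rec, sizeof r);
    if (r.nSize > len) return DIB_HDR_OUT_OF_RECORD;   /* record exceeds the file */
    /* Check 1: cbBmiSrc is large enough for the header to fit in. */
    if (r.cbBmiSrc < sizeof h) return DIB_BAD_HDR_SIZE;
    /* Check 2: (offBmiSrc, offBmiSrc + cbBmiSrc) resides within the record. */
    if (!range_in_record(r.offBmiSrc, r.cbBmiSrc, r.nSize)) return DIB_HDR_OUT_OF_RECORD;
    memcpy(&h, rec + r.offBmiSrc, sizeof h);
    /* Header sanity rules from the "Is it really so trivial" slides. */
    if (h.biSize != sizeof h || h.biPlanes != 1 || h.biCompression != 0) return DIB_BAD_FIELDS;
    if (h.biBitCount != 1 && h.biBitCount != 4 && h.biBitCount != 8 &&
        h.biBitCount != 16 && h.biBitCount != 24 && h.biBitCount != 32) return DIB_BAD_FIELDS;
    if (h.biBitCount < 16) {          /* palette: biClrUsed entries, or 2^bpp if zero */
        uint32_t entries = h.biClrUsed ? h.biClrUsed : 1u << h.biBitCount;
        if (entries > 1u << h.biBitCount) return DIB_BAD_PALETTE;
        if ((uint64_t)entries * 4 > r.cbBmiSrc - sizeof h) return DIB_BAD_PALETTE;
    }
    /* Check 3: cbBitsSrc is large enough for the bitmap data to fit in. */
    if (image_bytes(&h) > r.cbBitsSrc) return DIB_BITS_TOO_SMALL;
    /* Check 4: (offBitsSrc, offBitsSrc + cbBitsSrc) resides within the record. */
    if (!range_in_record(r.offBitsSrc, r.cbBitsSrc, r.nSize)) return DIB_BITS_OUT_OF_RECORD;
    return DIB_OK;
}

/* Constructed sample: a 4x2 pixel, 8-bpp DIB with a 256-entry palette.
 * Layout: record header (24) | BmiHeader (40) + palette (1024) | 8 pixel bytes,
 * so a well-formed record is 1096 bytes. The parameters let the caller break
 * individual fields; the backing buffer is always 1096 bytes long. */
#define SAMPLE_LEN 1096u
int check_sample(uint32_t cbBmiSrc, uint32_t offBitsSrc, uint32_t cbBitsSrc, uint32_t nSize) {
    static uint8_t buf[SAMPLE_LEN];
    DibRecord r = { 0 /* iType is not checked here */, nSize, 24, cbBmiSrc, offBitsSrc, cbBitsSrc };
    BmiHeader h = { 40, 4, 2, 1, 8, 0, 8, 0, 0, 256, 0 };
    memset(buf, 0, sizeof buf);
    memcpy(buf, &r, sizeof r);
    memcpy(buf + 24, &h, sizeof h);     /* palette and pixels stay zero-filled */
    return validate_dib_record(buf, SAMPLE_LEN);
}
```

check_sample(1064, 1088, 8, 600) models the PoC shape from the next slides (a palette that runs past the end of the record), and check_sample(1064, 0xFFFFFFF0, 0x20, 1096) an offset/size pair whose sum wraps.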

Checks were missing in many combinations

Record handlers                                                   Missing checks
MRALPHABLEND::bPlay, MRBITBLT::bPlay, MRMASKBLT::bPlay,
MRPLGBLT::bPlay, MRSTRETCHBLT::bPlay, MRTRANSPARENTBLT::bPlay    #1, #2
MRSETDIBITSTODEVICE::bPlay                                        #3
MRSTRETCHDIBITS::bPlay                                            #1, #3
MRSTRETCHDIBITS::bPlay, MRCREATEMONOBRUSH::bPlay,
MREXTCREATEPEN::bPlay                                             #1, #2, #3, #4

* This was just after a cursory look; Microsoft might have fixed more.

The consequence

• Due to missing checks, parts of the image description could be loaded from other parts of the process address space (e.g. adjacent heap allocations):

  • DIB header

  • Color palette

  • Pixel data

• Uninitialized or out-of-bound heap memory could be disclosed with the palette or pixel data.

Proof of concept

• I hacked up a PoC file with an EMR_STRETCHBLT record, containing an 8-bpp DIB with palette entries going beyond the file.

• Result: garbage bytes being displayed as image pixels.

• The same picture being displayed three times in a row in IE:

• The data can be read back using HTML5, in order to leak module addresses and other sensitive data.

DEMO

Auditing ATMFD.DLL

Out of time, please see the full slide deck released after the conference.

Auditing GDI+

GDI+ as a viable target

• GDI+ supports both EMF and EMF+.

• Most of the implementation is independent, but for some parts of the format, it falls back to GDI code.

• Hence, some GDI bugs could also affect GDI+ clients.

• Most prominent client of GDI+ is the Microsoft Office suite.

• Once again, let's manually audit the entirety of EMF record handlers.

Attack surface easy to find

(Two slides showing the GDI+ EMF record handler table.)

Let's have a look at some specific bugs.

Impact: Write-what-where

Record: All records operating on DIBs

Exploitable in: Microsoft Office

CVE: CVE-2016-3301

google-security-research entry: 824

Fixed: MS16-097, 9 August 2016

CVE-2016-3301

RLE-compressed bitmaps in EMFs

• As previously mentioned, multiple EMF records include DIBs.

• DIBs can be compressed with simple schemes, such as 4- and 8-bit Run Length Encoding.

  • Denoted by the biCompression field in the headers.

• When reading through the code of some handlers, I discovered that 8-bit RLE is supported in GDI+.

• RLE decompression has historically been a very frequent source of bugs.

Reaching the code

CEmfPlusEnumState::PlgBlt / CEmfPlusEnumState::RenderBlt
  → GpBitmap::GpBitmap
    → CopyOnWriteBitmap::Create
      → CopyOnWriteBitmap::CopyOnWriteBitmap
        → DecodeCompressedRLEBitmap

Inside DecodeCompressedRLEBitmap()

• Two values are calculated:

columns = abs(biHeight)
bytes_per_row = abs(biWidth * (((biPlanes * biBitCount + 31) & 0xFFFFFFE0) / 8))

• The output buffer is allocated from the heap with size columns * bytes_per_row.

• High degree of control over the buffer length.

• Interpretation and execution of the RLE "program" begins.

"End of Line" opcode

• Moves the output pointer to the next line (at the same offset).

"End of Line" opcode

• In GDI+, implemented as follows:

out_ptr += bytes_per_row;
if (out_ptr > output_buffer_end) {
  // Bail out.
}

• Bounds checking implemented to prevent any kind of out-of-bounds access.

• Happens to work correctly on 64-bit platforms, but is the condition really sufficient?

Insufficient validation

(Diagram: the output buffer placed close to the end of the process address space, 0xffffffff.)

Tricky pointer arithmetic

• For very wide bitmaps, the distance from the current output pointer to the end of the address space can be smaller than the scanline width.

• The expression:

out_ptr += bytes_per_row;

can overflow, which will cause the subsequent check to have no effect.

• As a result, it is possible to set the output pointer to a largely controlled address.

Example

• biWidth = 0x05900000

• biHeight = 0x00000017

• biPlanes = 0x0001

• biBitCount = 0x0008

• As a result, columns = 0x17 and bytes_per_row = 0x590000.

• Total buffer size = 0x7FF00000 (almost 2 GB).

• Example allocation address: 0x7FFF0020, end: 0xFFEF0020.
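A simulation of the "End of Line" advance with 32-bit addresses, added here and not the GDI+ code: uint32_t stands in for the pointer of a 32-bit process, the buffer start and end are the values from this slide, and the scanline stride is assumed to be the difference between the consecutive EOL pointer values shown on the following slides (0x858F0020 - 0x7FFF0020). The check as quoted on the slide is placed next to a form that compares the remaining room before the pointer is moved.

```c
#include <stdint.h>
#include <stdbool.h>

/* Values from the slides. */
#define OUT_BUF_START 0x7FFF0020u
#define OUT_BUF_SIZE  0x7FF00000u                    /* columns * bytes_per_row */
#define OUT_BUF_END   (OUT_BUF_START + OUT_BUF_SIZE) /* 0xFFEF0020 */
/* Assumed stride: distance between the EOL #1 and initial pointer values. */
#define STRIDE        (0x858F0020u - 0x7FFF0020u)    /* 0x05900000 */

/* uint32_t models the pointer of a 32-bit process, so the wrap-around at
 * 0xFFFFFFFF happens here exactly as it would there. */
typedef struct { uint32_t out_ptr; uint32_t end; bool bailed; } RleState;

/* The EOL handling as quoted on the slide: advance first, compare second. */
static void eol_vulnerable(RleState *s) {
    s->out_ptr += STRIDE;                 /* may wrap past 0xFFFFFFFF */
    if (s->out_ptr > s->end) s->bailed = true;
}

/* Hardened form: compare the remaining room before touching the pointer,
 * so the arithmetic itself can never wrap. */
static void eol_fixed(RleState *s) {
    if (STRIDE > s->end - s->out_ptr) { s->bailed = true; return; }
    s->out_ptr += STRIDE;
}

/* Feeds n EOL opcodes through one of the two variants. */
static RleState run_eols(int n, bool hardened) {
    RleState s = { OUT_BUF_START, OUT_BUF_END, false };
    for (int i = 0; i < n && !s.bailed; i++) {
        if (hardened) eol_fixed(&s); else eol_vulnerable(&s);
    }
    return s;
}

uint32_t eol_ptr(int n, bool hardened)    { return run_eols(n, hardened).out_ptr; }
bool     eol_bailed(int n, bool hardened) { return run_eols(n, hardened).bailed; }

/* After the wrap the pointer compares as "below the buffer end", which is why
 * any later end-only comparison does not catch it either. */
bool below_buffer_end(uint32_t ptr) { return ptr < OUT_BUF_END; }
```

With the vulnerable variant the 24th EOL leaves the pointer at 0x057F0020 without bailing out, matching the esi value in the crash on the following slides; the hardened variant bails out on that opcode.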

Memory address space layout (0x00000000 – 0xFFFFFFFF)

• Initial output pointer: 0x7FFF0020

• After EOL #1: 0x858F0020

• After EOL #2: 0x8B1F0020

• EOL #3–22: the pointer keeps advancing through the upper half of the address space

• After EOL #23: 0xFFEF0020 (the end of the buffer)

• After EOL #24: 0x057F0020 (the addition wrapped around)

(3434.194): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0011015e ebx=ffef0020 ecx=000000fe edx=057f01cc esi=057f0020 edi=0011a6f0
eip=6b090e5a esp=0037f290 ebp=0037f2ac iopl=0         nv up ei pl nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
gdiplus!DecodeCompressedRLEBitmap+0x195:
6b090e5a 8816            mov     byte ptr [esi],dl          ds:002b:057f0020=??
0:000> kb
ChildEBP RetAddr  Args to Child
0037f2ac 6b091124 057f0020 cc11012c 0037f2cc gdiplus!DecodeCompressedRLEBitmap+0x195
0037f6f4 6b092c7a 001100f8 0011012c 00000000 gdiplus!CopyOnWriteBitmap::CopyOnWriteBitmap+0x96
0037f708 6b0932cc 001100f8 0011012c 00000000 gdiplus!CopyOnWriteBitmap::Create+0x23
0037f720 6b0c1e8b 001100f8 0011012c 00000000 gdiplus!GpBitmap::GpBitmap+0x32
0037f804 6b0c7ed1 0000004f 00143a30 0000a67c gdiplus!CEmfPlusEnumState::PlgBlt+0x92

Summary

• Requirement: 32-bit process with PAE enabled.

  • Full 4 GB address space must be available to the program.

• Outcome: a write-what-where condition, with a very high degree of control over the "where".

  • Besides achieving a specific value, the overwritten region must also be below the original output buffer.

• Exploitation reliability highly depends on the state of the address space at the time of loading the image.

Impact: Heap-based buffer overflow

Record: EMR_EXTTEXTOUTA, EMR_POLYTEXTOUTA

Exploitable in: Microsoft Office

CVE: CVE-2016-3304

google-security-research entry: 828

Fixed: MS16-097, 9 August 2016

CVE-2016-3304

ExtTextOutA() and PolyTextOutA()

The Dx array in EMF records

Trivial bug in the function

• The Dx array is supposed to have N elements, where N is the number of characters being displayed.

• Below is the record size validation check:

if (record_size - offString >= nChars &&
    (!nChars || record_size - 4 >= record->emrtext.offDx)) {
  // Validation passed, continue processing the record.
}

• See anything missing?

Trivial bug in the function

• The code checks that the Dx array may hold 4 bytes.

• What should really be verified is if it can hold 4 × N bytes.

• Typical human error in the sanity check.

• So what? This should only lead to an out-of-bounds read, since it's a problem with input buffer validation, right?

• Yes, if not for the extra logic later in the code.

Extended function logic

• Attempt to convert the string to wide-char, using MultiByteToWideChar().

• The code page is the one specified in the most recently selected font.

• If all characters are converted, CEmfPlusEnumState::PlayExtTextOut() is called as normal.

• But otherwise...

DBCS (Double-byte character sets) handling

• Basically means representing characters by means of more than 1 byte in certain encodings which support it.

• The handling is implemented as follows:

  • An exact copy of the EMF record is allocated (of the same size).

  • Dx array items are rewritten from the original record to the new one, omitting entries for "lead bytes" (IsDBCSLeadByteEx() returns TRUE).

  • The new record is processed normally from now on.
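The Dx-array length check from the "Trivial bug" slides next to a corrected form, plus a simulation of the DBCS rewrite described above. This is an added example, not gdiplus code: the record is modelled as a flat buffer with offsets relative to its start (a hypothetical layout), the Shift_JIS lead-byte ranges stand in for IsDBCSLeadByteEx(), and the sample record is constructed inside the block.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* The subset of EMR_EXTTEXTOUTA fields the check on the slide uses. The record
 * is modelled as a flat buffer of record_size bytes (hypothetical layout). */
typedef struct {
    uint32_t record_size;
    uint32_t nChars;      /* N characters drawn, so N Dx entries expected */
    uint32_t offString;
    uint32_t offDx;
} TextRec;

/* The check quoted on the slide: it only guarantees that 4 bytes exist at
 * offDx, not 4 * nChars. The subtractions are left as written there. */
bool dx_check_vulnerable(const TextRec *r) {
    return r->record_size - r->offString >= r->nChars &&
           (!r->nChars || r->record_size - 4 >= r->offDx);
}

/* Corrected check: the whole Dx array must fit, and no subtraction or
 * multiplication is allowed to wrap around. */
bool dx_check_fixed(const TextRec *r) {
    if (r->offString > r->record_size) return false;
    if (r->record_size - r->offString < r->nChars) return false;
    if (r->nChars == 0) return true;
    if (r->offDx > r->record_size) return false;
    return (uint64_t)r->nChars * 4 <= (uint64_t)(r->record_size - r->offDx);
}

/* Stand-in for IsDBCSLeadByteEx(): the Shift_JIS lead-byte ranges. */
static bool sjis_is_lead(uint8_t b) {
    return (b >= 0x81 && b <= 0x9F) || (b >= 0xE0 && b <= 0xFC);
}

/* Simulates the DBCS rewrite from the slide: Dx entries are copied from the
 * original record into a new record of the same size, skipping the entry for
 * each lead byte. Returns how many bytes the copy would write past the end of
 * the new record (0 = stayed in bounds). The reads from the original record
 * reach 4 bytes further per skipped lead byte. */
uint32_t dx_rewrite_overrun(const TextRec *r, const uint8_t *str) {
    uint32_t kept = 0;
    for (uint32_t i = 0; i < r->nChars; i++)
        if (!sjis_is_lead(str[i])) kept++;
    uint64_t write_end = (uint64_t)r->offDx + (uint64_t)kept * 4;
    return write_end > r->record_size ? (uint32_t)(write_end - r->record_size) : 0;
}

/* Constructed scenario: a record with the string at offset 24, beginning with
 * one Shift_JIS lead byte (0x81) followed by ASCII. Returns -1 when the chosen
 * check rejects the record, otherwise the overrun the rewrite would cause. */
int simulate(uint32_t nChars, uint32_t offDx, uint32_t record_size, bool hardened) {
    uint8_t str[64];
    TextRec r = { record_size, nChars, 24, offDx };
    if (nChars > sizeof str) return -1;
    memset(str, 'A', sizeof str);
    str[0] = 0x81;
    if (!(hardened ? dx_check_fixed(&r) : dx_check_vulnerable(&r))) return -1;
    return (int)dx_rewrite_overrun(&r, str);
}
```

With a 64-byte record, 20 characters and the Dx array at offset 48, the slide's check passes (60 >= 48) and the rewrite runs 60 bytes past the new record; the corrected check rejects the same record because 80 bytes of Dx entries do not fit in the 16 remaining.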

Reaching the code path

• A font with a code page supporting DBCS must be selected first.

  • Typically CJK (Chinese, Japanese, Korean) code pages, e.g. SHIFTJIS_CHARSET.

• Then, one of the affected records must be used, including at least one "lead byte".

• The outcome is a typical heap-based buffer overflow, with data read from beyond the bounds of another allocation.

• With some heap massaging, this should allow for a mostly controlled overwrite.

Heap overflow scheme

(Diagram: the original record and the new record side by side in a heap region; a second slide shows the Dx array rewriting running past the end of the new record.)

(2a8c.2bd8): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=772336ab edx=0022cb85 esi=03bd0000 edi=1171ffc0
eip=7728e815 esp=0022cdd8 ebp=0022ce50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
ntdll!RtlReportCriticalFailure+0x29:
7728e815 cc              int     3
0:000> kb
ChildEBP RetAddr  Args to Child
0022ce50 7728f749 c0000374 772c4270 0022ce94 ntdll!RtlReportCriticalFailure+0x29
0022ce60 7728f829 00000002 64dc1326 03bd0000 ntdll!RtlpReportHeapFailure+0x21
0022ce94 7724ab46 0000000c 03bd0000 1171ffc0 ntdll!RtlpLogHeapFailure+0xa1
0022cf84 771f3431 00000258 00000260 03bd00c4 ntdll!RtlpAllocateHeap+0x7b2
0022d008 695071ec 03bd0000 00000000 00000258 ntdll!RtlAllocateHeap+0x23a
0022d01c 6951bbf1 00000258 116b5104 03bdd558 gdiplus!GpMalloc+0x16
0022d030 69557185 116b50e0 116b50e0 03bdd558 gdiplus!GpGraphics::Save+0x11
0022d4b0 69557bdc 116b50e0 116b5104 116b30d8 gdiplus!CEmfPlusEnumState::PlayExtTextOut+0xda
0022d4ec 69557f25 00000053 03bdae00 00006044 gdiplus!CEmfPlusEnumState::ExtTextOutA+0x136
0022d500 695286ca 00000053 00006044 0d67b568 gdiplus!CEmfPlusEnumState::ProcessRecord+0x13b
0022d51c 69528862 00000053 00000000 00006044 gdiplus!GdipPlayMetafileRecordCallback+0x6c
0022d544 768155f4 9d211b17 0d567180 0d67b568 gdiplus!EnumEmfDownLevel+0x6e
0022d5d0 6952aa36 9d211b17 403581b3 695287f4 GDI32!bInternalPlayEMF+0x6a3

Impact: Heap memory disclosure

Record: All records handling DIBs

Exploitable in: Microsoft Office Online

CVE: ?

google-security-research entry: 825, 829

Fixed: MS16-???, 11 October 2016 (?)

GDI+ information disclosure bugs

GDI+ versus DIB

• Not unlike GDI, GDI+ didn't avoid information disclosure bugs related to the handling of bitmaps.

• Specifically:

  1. If the data stream of a RLE-compressed bitmap begins with an "End of bitmap" marker, the entirety of the image's output buffer remains uninitialized (contains junk heap data).

  2. No checks are performed to ensure that the bitmap palette fits entirely within the EMF record.

Bugs clearly visible

• When loading proof-of-concept pictures into Word, it's clearly visible that junk data is displayed as pixels.

Remote exploitability?

• Displaying heap memory is not a serious condition if the pixels cannot be retrieved back somehow.

• The only obvious targets for the bugs are Office programs, where no interaction is available.

• Still reported to Microsoft to get their view on severity and possible exploitation paths.

• MSRC closed out the issues as „vNext” (won't be patched in a bulletin, candidate for a next-version fix).

Severity assessment

• I agreed with the decision, as it was in line with my own understanding of the exposure.

• P0 bugs #825 and #829 were derestricted on July 26 and August 9, respectively.

• At the beginning of August, Ivan Fratric mentioned during a chat that GDI+/EMF bugs may also be exploitable remotely, in Office Online.

• I had no idea the program even existed.

• Especially interesting for GDI+ memory disclosure bugs, which are not otherwise exploitable.

• EMF images cannot be inserted into documents, but existing .docx with embedded EMF can.

Office Online

• I verified this a few weeks later, and...

Office Online

• The EMF images were rendered differently each time.

• Apparent remote memory disclosure from the renderer process on Microsoft's servers.

• Sent the new information to MSRC for reconsideration.

• They admitted the Office Online scenario had not been considered before, and it makes the bugs fix-worthy.

• They should have been fixed, as per the October Patch Tuesday.

Hacking VMware Workstation

EMF in print spooling

• EMF files are also used heavily in print spooling.

• This opens up more format-related attack vectors, in the form of printer drivers (and other related software).

• One such feasible target is VMware Workstation.

Virtual printers

• A feature which allows a virtual machine to print documents to printers available on the host (basically printer sharing).

• A feasible VM escape attack vector.

• To my best knowledge, it was enabled by default in 2015, but it's no longer the case (likely thanks to bugs reported by Kostya Kortchinsky).

• Still a frequently used option.

Architecture

Diagram: Virtual Machines (VM #3, VM #2, VM #3 running poc.exe) → COM1 → vmware.exe → Windows Named Pipes → vprintproxy.exe

Architecture

• The attacked process is vprintproxy.exe running on the host.

  • Receives almost verbatim data sent by an unprivileged process in a guest system.

• Quite a communication channel.

• The data is sent in the form of EMFSPOOL files.

• Similar to EMF, with the extra option to embed fonts in various formats.

TPView

• More specifically, the most interesting EMF handling takes place in TPview.dll.

• Together with some other printer-related libraries, they all seem to be developed by a third party, ThinPrint.

• Mostly just falls back to GDI, but also performs specialized handling of several record types.

• Used to be full of simple bugs, but Kostya found (nearly) all of them!

• Took another look, discovered a double-free and out-of-bounds memset(), but that's all (issues #848 and #849).

JPEG2000 decoding

• There was one last custom EMF record which seemed completely unexplored.

• ID = 0x8000.

• Based on debug strings, it was clear that it was related to JPEG2000 decoding.

• I am no expert at JPEG2K, and the code doesn't seem to be convenient for manual auditing.

• Let's fuzz it?

Approaching the fuzzing

• Best fuzzing: on Linux, at scale, with AddressSanitizer and coverage feedback.

• After some research, it turns out that the JPEG2000 decoder is authored by yet another vendor, LuraTech.

• Commercial license, source code not freely available.

• So, are we stuck with TPview.dll wrapped by VMware Workstation?

• Still feasible, but more complex, slower, and less advanced.

More research

• After some more digging, I found out that the same vendor released a freeware JPEG2000 decoding plugin for the popular IrfanView program.

• JPEG2000.DLL.

• Cursory analysis shows that this is the same or a very similar code base.

• The plugin interface is extremely simple to use, and resembles the following definition.

HGLOBAL ReadJPG2000(
    IN  PCHAR   lpFilename,
    IN  DWORD   dwUnknown,
    OUT PCHAR   lpStatus,
    OUT PCHAR   lpFormat,
    OUT LPDWORD lpWidth,
    OUT LPDWORD lpHeight
);

Getting there...

• Thanks to this, we can already quickly fuzz-test the implementation in a single process on Windows, without running VMware at all.

• A wrapper program for loading the DLL and calling the relevant function is <50 LOC long.

• However, I'd really prefer to have this on Linux...

Fuzzing DLL on Linux

• Why not, really?

• The preferred base address is 0x10000000, which is available in the address space.

  • Relocations not required; sections must be mapped with respective access rights.

• Other actions:

  • Resolve necessary imports.

  • Obtain the address of the exported function.

  • Call it to execute the decoding.

• Should work!

Resolving imports

• The Import Table may be the only troublesome part.

• WinAPI functions not available on Linux.

• The DLL imports from ADVAPI32, KERNEL32, MSVCRT, SHELL32 and USER32.

• C Runtime imports can be directly redirected to libc.

• All the other ones would have to be rewritten or at least stubbed-out.

KERNEL32 imports

• Three WinAPI functions used in decoding: GlobalAlloc, GlobalLock and GlobalUnlock:

#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The DLL is 32-bit, so the replacements keep the stdcall convention its call sites expect. */
/* Always returns zero-filled memory, regardless of uFlags. */
void* GlobalAlloc(uint32_t uFlags, uint32_t dwBytes) __attribute__((stdcall));
void* GlobalAlloc(uint32_t uFlags, uint32_t dwBytes) {
  void* ret = malloc(dwBytes);
  if (ret != NULL) {
    memset(ret, 0, dwBytes);
  }
  return ret;
}

/* Fixed memory: the "handle" already is the pointer, so lock/unlock are no-ops. */
void* GlobalLock(void* hMem) __attribute__((stdcall));
void* GlobalLock(void* hMem) {
  return hMem;
}

bool GlobalUnlock(void* hMem) __attribute__((stdcall));
bool GlobalUnlock(void* hMem) {
  return true;
}

Missing libc imports

• Two MSVCRT-specific imports were found, which had to be reimplemented:

#include <math.h>

/* MSVCRT helper for double -> 64-bit integer conversion. */
long long _ftol(double val) __attribute__((cdecl));
long long _ftol(double val) {
  return (long long)val;
}

/* MSVCRT intrinsic for pow(); forwarded to libc. */
double _CIpow(double x, double y) __attribute__((cdecl));
double _CIpow(double x, double y) {
  return pow(x, y);
}
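How the "resolve necessary imports" step of the Linux loader can be done, as an added example that is not the talk's loader code: it walks the 32-bit PE import directory of an image already mapped flat at its preferred base, looks each by-name import up in a host-side table and patches the IAT slot. The image is constructed in memory here instead of being read from JPEG2000.DLL, the import directory RVA is passed in directly (a real loader reads it from the optional header's data directory), and host_GlobalAlloc/host_GlobalLock/host_GlobalUnlock are assumed stand-ins for the stdcall stubs above; against a real 32-bit DLL the program must be built with -m32 so host pointers fit the 32-bit IAT.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Host-side replacements (assumed set) for the KERNEL32 imports the decoder uses. */
void *host_GlobalAlloc(uint32_t flags, uint32_t bytes) { (void)flags; return calloc(1, bytes); }
void *host_GlobalLock(void *h) { return h; }
int   host_GlobalUnlock(void *h) { (void)h; return 1; }

typedef struct { const char *dll; const char *name; void *fn; } import_entry_t;
static const import_entry_t kHostImports[] = {
    { "KERNEL32.dll", "GlobalAlloc",  (void *)host_GlobalAlloc  },
    { "KERNEL32.dll", "GlobalLock",   (void *)host_GlobalLock   },
    { "KERNEL32.dll", "GlobalUnlock", (void *)host_GlobalUnlock },
};

/* DLL names in import tables are case-insensitive; function names are not. */
static int dll_name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static void *lookup_import(const char *dll, const char *name) {
    for (size_t k = 0; k < sizeof kHostImports / sizeof kHostImports[0]; k++)
        if (dll_name_eq(dll, kHostImports[k].dll) && strcmp(name, kHostImports[k].name) == 0)
            return kHostImports[k].fn;
    return NULL;
}

/* Little-endian access into the flat image. RVAs double as offsets because the
 * image is mapped at its preferred base without relocation. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static const char *str_at(const uint8_t *img, size_t size, uint32_t rva) {  /* NUL must lie inside the image */
    if (rva >= size || memchr(img + rva, 0, size - rva) == NULL) return NULL;
    return (const char *)img + rva;
}

/* Walk the zero-terminated IMAGE_IMPORT_DESCRIPTOR array (20 bytes each) at
 * import_rva, resolve every by-name import against kHostImports and write the
 * host address into the IAT slot. Returns the number of patched slots, or -1
 * if an RVA leaves the image, an import is by ordinal, or a name is unknown. */
int resolve_imports(uint8_t *img, size_t size, uint32_t import_rva) {
    int patched = 0;
    for (uint32_t d = import_rva; ; d += 20) {
        if ((size_t)d + 20 > size) return -1;
        uint32_t int_rva = rd32(img + d), name_rva = rd32(img + d + 12), iat_rva = rd32(img + d + 16);
        if (int_rva == 0 && name_rva == 0 && iat_rva == 0) break;           /* terminator */
        const char *dll = str_at(img, size, name_rva);
        if (dll == NULL) return -1;
        if (int_rva == 0) int_rva = iat_rva;           /* no INT: the unbound IAT holds the thunks */
        for (uint32_t k = 0; ; k += 4) {
            if ((size_t)int_rva + k + 4 > size || (size_t)iat_rva + k + 4 > size) return -1;
            uint32_t thunk = rd32(img + int_rva + k);
            if (thunk == 0) break;
            if (thunk & 0x80000000u) return -1;                              /* ordinal import */
            const char *fname = str_at(img, size, thunk + 2);               /* skip the WORD hint */
            void *fn = fname ? lookup_import(dll, fname) : NULL;
            if (fn == NULL) { fprintf(stderr, "unresolved %s!%s\n", dll, fname ? fname : "?"); return -1; }
            /* 32-bit IAT slot: the real loader is a -m32 build so the host pointer fits. */
            wr32(img + iat_rva + k, (uint32_t)(uintptr_t)fn);
            patched++;
        }
    }
    return patched;
}

/* Constructed flat image: one KERNEL32.dll descriptor whose INT and IAT list the
 * three functions above. Returns the import directory RVA. */
uint32_t build_sample_image(uint8_t *img, size_t size) {
    static const char *names[] = { "GlobalAlloc", "GlobalLock", "GlobalUnlock" };
    const uint32_t desc = 0x100, dll_name = 0x200, int_tbl = 0x220, iat = 0x240;
    uint32_t hint = 0x300;
    memset(img, 0, size);                                  /* also yields the terminating descriptor */
    strcpy((char *)img + dll_name, "KERNEL32.dll");
    for (uint32_t i = 0; i < 3; i++) {
        strcpy((char *)img + hint + 2, names[i]);          /* IMAGE_IMPORT_BY_NAME: WORD hint, then name */
        wr32(img + int_tbl + 4 * i, hint);
        wr32(img + iat + 4 * i, hint);
        hint += (2 + (uint32_t)strlen(names[i]) + 2) & ~1u;  /* next entry stays word-aligned */
    }
    wr32(img + desc, int_tbl); wr32(img + desc + 12, dll_name); wr32(img + desc + 16, iat);
    return desc;
}

/* Resolve the sample image and confirm the first IAT slot now points at
 * host_GlobalAlloc. Returns the patched count (3) on success, -1 otherwise. */
int demo_resolve(void) {
    uint8_t img[0x400];
    int n = resolve_imports(img, sizeof img, build_sample_image(img, sizeof img));
    return rd32(img + 0x240) == (uint32_t)(uintptr_t)host_GlobalAlloc ? n : -1;
}

/* Same image with one name the host table does not provide: must fail cleanly, not crash. */
int demo_unresolvable(void) {
    uint8_t img[0x400];
    uint32_t rva = build_sample_image(img, sizeof img);
    strcpy((char *)img + 0x300 + 2, "GlobalFree");         /* replaces "GlobalAlloc" */
    return resolve_imports(img, sizeof img, rva);
}
```

Every RVA taken from the image is bounds-checked before use, which matters for a fuzzing harness: the loader runs on a binary it does not trust to be well-formed any more than the inputs it feeds it, and an unresolved name should surface as a clear failure (the ADVAPI32/SHELL32/USER32 imports from the slide before) rather than as a silent zero in the IAT that crashes at first call.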

It works!

$ ./loader JPEG2000.dll test.jp2
[+] Successfully loaded image (9b74ba8), format: JPEG2000 - Wavelet, width: 4, height: 4

Running the fuzzing

• An internally available JPEG2000 input file corpus was used.

• The mutation strategy was adjusted to hit the 50/50 success/failure rate.

• Left the dumb fuzzer running for a few days, and...

• ...186 crashes with unique stack traces were found.

Crash reproduction

• Keep in mind the crashes are still in the plugin DLL, not VMware Workstation.

• vprintproxy.exe is very convenient to use: creates a named pipe and reads exactly the same data that is written to COM1.

• Once again we can check test cases without starting up any actual VMs.

• PageHeap enabled for better bug detection and deduplication.

Final results

Instruction                         Reason
add [eax+edx*4], edi                Heap buffer overflow
cmp [eax+0x440], ebx                Heap out-of-bounds read
cmp [eax+0x8], esi                  Heap out-of-bounds read
cmp [edi+0x70], ebx                 Heap out-of-bounds read
cmp [edi], edx                      Heap out-of-bounds read
cmp dword [eax+ebx*4], 0x0          Heap out-of-bounds read
cmp dword [esi+eax*4], 0x0          Heap out-of-bounds read
div dword [ebp-0x24]                Division by zero
div dword [ebp-0x28]                Division by zero
fld dword [edi]                     NULL pointer dereference
idiv ebx                            Division by zero
idiv edi                            Division by zero
imul ebx, [edx+eax+0x468]           Heap out-of-bounds read
mov [eax-0x4], edx                  Heap buffer overflow
mov [ebx+edx*8], eax                Heap buffer overflow
mov [ecx+edx], eax                  Heap buffer overflow
mov al, [esi]                       Heap out-of-bounds read
mov bx, [eax]                       NULL pointer dereference
mov eax, [ecx]                      NULL pointer dereference
mov eax, [edi+ecx+0x7c]             Heap out-of-bounds read
mov eax, [edx+0x7c]                 Heap out-of-bounds read
movdqa [edi], xmm0                  Heap buffer overflow
movq mm0, [eax]                     NULL pointer dereference
movq mm1, [ebx]                     NULL pointer dereference
movq mm2, [edx]                     NULL pointer dereference
movzx eax, byte [ecx-0x1]           Heap out-of-bounds read
movzx eax, byte [edx-0x1]           Heap out-of-bounds read
movzx ebx, byte [eax+ecx]           Heap out-of-bounds read
movzx ecx, byte [esi+0x1]           Heap out-of-bounds read
movzx ecx, byte [esi]               Heap out-of-bounds read
movzx edi, word [ecx]               NULL pointer dereference
movzx esi, word [edx]               NULL pointer dereference
push dword [ebp-0x8]                Stack overflow (deep/infinite recursion)
push ebp                            Stack overflow (deep/infinite recursion)
push ebx                            Stack overflow (deep/infinite recursion)
push ecx                            Stack overflow (deep/infinite recursion)
push edi                            Stack overflow (deep/infinite recursion)
push esi                            Stack overflow (deep/infinite recursion)
rep movsd                           Heap buffer overflow, Heap out-of-bounds read

Final results

• Crashes at 39 unique instructions.

  • Many occurring at various points of generic functions such as memcpy(), so not the most accurate metric.

• Quick classification: 18 low severity, 15 medium severity, 6 high severity.

• All reported to VMware on June 15.

• Fixed as part of VMSA-2016-0014 on September 13 (within 90 days).

Closing thoughts

• Metafiles are complex and interesting files, certainly worth researching further.

• Supported by a variety of valid attack vectors.

• They can even teach you things about the system API (i.e. the NamedEscape interface).

• As usual, the older and more obscure the format/implementation – the better for the bug hunter.

• Inspiration with prior work pays off again.

• The right tool for the right job – manual code auditing vs fuzzing.

Thanks!

@j00ru

http://j00ru.vexillium.org/

[email protected]