Microsoft GDI+ JPEG Integer Underflow Vulnerability
This presentation is about what buffer overflows are, what heap overflows are and how they are exploited. Specifically, the focus is on how this is used to exploit JPEG images in Microsoft Windows systems.
Transcript

  • 1. Principles of Secure Coding: JPEG Integer Underflow (Microsoft Security Bulletin MS04-028). Ashish Malik, 1731110017
  • 2. Microsoft JPEG Vulnerability
    JPEGs themselves are not the problem, however. The problem lies in the application that reads this information and displays the pictures on screen. The exploit triggers an overflow in a common Windows component called the GDI+ JPEG decoder. The vulnerability specifically resides in "gdiplus.dll". These attack images are not technically a virus. Different Windows applications frequently distribute their own versions of GDI+.
  • 3. Buffer Overflow
    The application fails to check the size of input data before copying it to memory. There are two types of buffer overflows: stack overflow and heap overflow. The stack and the heap are memory regions used by a process for storing various types of data.
  • 4. Stack Overflow
    When a process makes a function call, the address of the next instruction, known as the return pointer, or RET, is pushed onto the stack. Function call parameters are pushed on after RET. Execution then jumps to the address of the called function.
  • 5. Stack Overflow
  • 6. Stack Overflow
  • 7. Heap Overflow
    The heap is a region of memory used by a process for accommodating data of sizes unknown at compile time. It is created within a process's virtual address space. The OS is responsible for heap management (malloc() or HeapAlloc()). The standard heap contains an array called the Free List, used to track the locations of free heap blocks.
  • 8. Heap Overflow
  • 9. Heap Overflow
  • 10. Heap Overflow
  • 11. Heap Overflow
  • 12. GDI+ JPEG Vulnerability
    The JPEG format defines a number of headers. The vulnerability described in MS04-028 lies in how GDI+ handles the comment header. Each header segment begins with a 2-byte ID. The comment header consists of the COM marker (0xFFFE). GDI+ calculates the comment length by subtracting 2 from the value of the length field.
  • 13. GDI+ JPEG Vulnerability
    If the length field specifies a comment length of 0 or 1, the GDI+ calculation results in a negative value: 1 - 2 = -1, which as a 32-bit value is 0xFFFFFFFF, i.e. 4 GB - 1. It is interpreted as a positive integer in excess of 4 billion, because an unsigned 32-bit integer is used to store the length of the comment data.
  • 14. GDI+ JPEG Vulnerability
    The GDI+ routine for copying the comment data to the heap is: rep mov [edi], [esi]. The ECX register is used as the counter. GDI+ allows an excessively large counter value. GDI+ handles the access violation by requesting additional heap space to continue with the rep mov. HeapAlloc() returns pointers to heap locations which contain the JPEG data.
  • 15. GDI+ JPEG Vulnerability
    The exploit takes advantage of this to overwrite the Unhandled Exception Filter pointer. Exploits may also use some form of win32_reverse shellcode from the Metasploit Project Shellcode Repository.
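The following C program is an added example, not code from the presentation or from GDI+ itself. It models the COM segment layout and the "length field minus 2" arithmetic described on slides 12 to 14, showing how a length field of 0 or 1 wraps to a huge unsigned count, and places a hardened parser beside it that rejects such a segment before any subtraction happens and bounds the copy to the bytes actually present. The sample segments are constructed bytes, not taken from a real file; the function and constant names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a JPEG COM (comment) segment as described on the slides:
 * marker 0xFF 0xFE, a 2-byte big-endian length that counts itself,
 * then (length - 2) bytes of comment data. */
#define COM_MARKER_HI 0xFF
#define COM_MARKER_LO 0xFE

/* Constructed sample segments (hypothetical bytes, not from any real image). */
static const uint8_t GOOD_SEGMENT[] = { 0xFF, 0xFE, 0x00, 0x07, 'H', 'e', 'l', 'l', 'o' };
/* Length field of 1: the value the slides describe as triggering the underflow. */
static const uint8_t BAD_SEGMENT[] = { 0xFF, 0xFE, 0x00, 0x01 };
/* Length field that claims more comment bytes than the segment actually holds. */
static const uint8_t TRUNCATED_SEGMENT[] = { 0xFF, 0xFE, 0x00, 0x10, 'a', 'b' };

/* Scratch output buffer shared by main() and any caller of the parser. */
static uint8_t SCRATCH[64];

/* The arithmetic the slides attribute to GDI+: length field minus 2, held in an
 * unsigned 32-bit value. For a field of 0 or 1 the result wraps to ~4 GB
 * instead of going negative. Nothing is copied here; it only computes the count. */
uint32_t naive_comment_length(uint16_t length_field) {
    return (uint32_t)length_field - 2u;
}

/* Hardened parser: checks the marker, rejects length_field < 2 before
 * subtracting, and checks the declared body against the bytes available and
 * against the caller's buffer. Returns the number of comment bytes copied
 * into out, or -1 if the segment is rejected. */
int parse_com_segment(const uint8_t *seg, size_t seg_len,
                      uint8_t *out, size_t out_cap) {
    if (seg == NULL || out == NULL || seg_len < 4) return -1;
    if (seg[0] != COM_MARKER_HI || seg[1] != COM_MARKER_LO) return -1;

    uint16_t length_field = (uint16_t)((seg[2] << 8) | seg[3]);
    if (length_field < 2) return -1;              /* the MS04-028 case: no underflow possible */

    size_t body_len = (size_t)length_field - 2u;  /* safe: length_field >= 2 */
    if (body_len > seg_len - 4) return -1;        /* declared length exceeds the segment */
    if (body_len > out_cap) return -1;            /* would overrun the destination */

    memcpy(out, seg + 4, body_len);               /* bounded copy with a validated counter */
    return (int)body_len;                         /* at most 65533, fits in int */
}

int main(void) {
    printf("naive length for field=1: 0x%08X\n", (unsigned)naive_comment_length(1));
    printf("naive length for field=0: 0x%08X\n", (unsigned)naive_comment_length(0));

    int n = parse_com_segment(GOOD_SEGMENT, sizeof GOOD_SEGMENT, SCRATCH, sizeof SCRATCH);
    if (n >= 0)
        printf("good segment: %d bytes -> \"%.*s\"\n", n, n, (const char *)SCRATCH);

    printf("bad segment (length=1): %d\n",
           parse_com_segment(BAD_SEGMENT, sizeof BAD_SEGMENT, SCRATCH, sizeof SCRATCH));
    printf("truncated segment: %d\n",
           parse_com_segment(TRUNCATED_SEGMENT, sizeof TRUNCATED_SEGMENT, SCRATCH, sizeof SCRATCH));
    return 0;
}
```

The two ordering decisions in `parse_com_segment` are the whole fix: the `< 2` test runs before the subtraction so the count can never wrap, and the count is then compared against both the bytes that exist and the destination capacity before it is ever used as a copy length. Compiling with `-Wall -Wextra` and a sanitizer (`-fsanitize=address`) is a cheap way to confirm the bounded copy never reads past the sample arrays.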
  • 16. Q&A. Thank you.