Microsoft GDI+ JPEG Integer Underflow Vulnerability
This presentation explains what buffer overflows are, what heap overflows are and how they are exploited. The focus is on how a heap overflow is used to exploit JPEG image handling (GDI+, MS04-028) on Microsoft Windows systems.

Published in: Technology
  1. Principles Of Secure Coding
     JPEG Integer Underflow
     Microsoft Security Bulletin MS04-028
     Ashish Malik 1731110017
  2. Microsoft JPEG Vulnerability
     JPEGs themselves are not the problem; the problem lies in the application that reads the image data and displays the picture on screen.
     The exploit triggers an overflow in a common Windows component, the GDI+ JPEG decoder.
     The vulnerability specifically resides in gdiplus.dll.
     These attack images are not technically a virus: the image does nothing by itself, the decoder does.
     Different Windows applications frequently distribute their own copies of GDI+, so a private, unpatched gdiplus.dll can remain vulnerable after the operating-system update is applied.
  3. Buffer Overflow
     The application fails to check the size of input data before copying it into a fixed-size region of memory.
     Two types of buffer overflow: stack overflow and heap overflow.
     The stack and the heap are memory regions used by a process for storing different kinds of data.
  4. Stack Overflow
     When a process makes a function call, the caller first pushes the call parameters onto the stack; the CALL instruction then pushes the address of the next instruction, known as the return pointer or RET.
     Execution then jumps to the address of the called function, which typically saves the old frame pointer and reserves space for its local variables below RET.
     A local buffer that is overrun from low to high addresses therefore reaches the saved frame pointer and RET.
  5. Stack Overflow (diagram slide)
  6. Stack Overflow (diagram slide)
  7. Heap Overflow
     The heap is the region of memory a process uses for data whose size is unknown at compile time.
     It is created within the process's virtual address space.
     The heap manager is responsible for heap management; allocations are requested through malloc() or HeapAlloc().
     The standard Windows heap contains free lists, used to track the locations of free heap blocks; overwriting the list pointers stored in a free block's header is what turns a heap overflow into an arbitrary write.
  8. Heap Overflow (diagram slide)
  9. Heap Overflow (diagram slide)
  10. Heap Overflow (diagram slide)
  11. Heap Overflow (diagram slide)
  12. GDI+ JPEG Vulnerability
     The JPEG format defines a number of header (marker) segments.
     The vulnerability described in MS04-028 lies in how GDI+ handles the comment segment.
     Each segment begins with a 2-byte marker ID; the comment segment starts with the COM marker (0xFFFE), followed by a 2-byte, big-endian length field that counts itself as well as the comment data.
     GDI+ calculates the comment data length by subtracting 2 from the value of the length field.
  13. GDI+ JPEG Vulnerability
     If the length field specifies a comment length of 0 or 1, the GDI+ calculation produces a negative value: 1 - 2 = -1 ≡ 0xFFFFFFFF ≡ 4 GB - 1.
     A 32-bit unsigned integer is used to store the length of the comment data, so the result is interpreted as a positive count in excess of 4 billion bytes.
  14. GDI+ JPEG Vulnerability
     The GDI+ routine for copying the comment data to the heap is a rep movs loop (written on the slide as rep mov [edi], [esi]), which copies from [ESI] to [EDI] with ECX as the counter.
     GDI+ allows the excessively large counter value through without a check.
     According to this analysis, GDI+ handles the resulting access violation by requesting additional heap space and continuing the rep movs; HeapAlloc() returns pointers to heap locations, and the copied JPEG data ends up overwriting heap structures.
  15. GDI+ JPEG Vulnerability
     The exploit takes advantage of this heap corruption to overwrite the Unhandled Exception Filter pointer, so that the access violation which eventually follows hands control to attacker-chosen code.
     Exploits may also use some form of win32_reverse shellcode from the Metasploit Project shellcode repository.
  16. Q&A
     Thank You
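The length arithmetic from slides 12 to 14, and the check that prevents it, as an added example in C that is not part of the presentation and does not reproduce gdiplus.dll's actual code. The two byte arrays are constructed sample inputs (a minimal JPEG with a malformed COM segment, and a well-formed one); the function names vulnerable_comment_len, checked_comment_len and parse_comment are hypothetical names chosen here. The vulnerable function only models the unsigned wrap-around that feeds the copy counter; it does not perform the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not a real file): SOI, a COM segment whose
 * 16-bit length field is 1, then EOI. A legal length is >= 2 because the
 * field counts its own two bytes. This is the shape of file slide 13 describes. */
static const uint8_t bad_jpeg[] = {
    0xFF, 0xD8,              /* SOI  */
    0xFF, 0xFE, 0x00, 0x01,  /* COM, length field = 1 */
    0xFF, 0xD9               /* EOI  */
};

/* Constructed well-formed sample: a 5-byte comment "hello" (length field 7). */
static const uint8_t good_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xD9
};

/* Big-endian 16-bit read, as JPEG stores segment lengths. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The arithmetic from slides 12-13: subtract 2 from the length field and keep
 * the result in an unsigned 32-bit value. For 0 or 1 this wraps to a count of
 * about 4 GB, which is what the copy loop's ECX would be loaded with. */
uint32_t vulnerable_comment_len(uint16_t length_field)
{
    uint32_t n = length_field;
    return n - 2;            /* 1 -> 0xFFFFFFFF, 0 -> 0xFFFFFFFE */
}

/* Hardened version: reject a length that cannot cover its own two bytes and
 * a payload that would run past the end of the input. Returns 0 on success. */
int checked_comment_len(uint16_t length_field, size_t remaining, uint32_t *out)
{
    if (length_field < 2)
        return -1;
    uint32_t n = (uint32_t)length_field - 2;
    if (n > remaining)
        return -1;
    *out = n;
    return 0;
}

/* Walks the marker segments of a JPEG and copies the first COM payload into
 * buf as a NUL-terminated string. Returns the payload length, 0 if there is
 * no comment, or -1 if the input is rejected. Every segment that carries a
 * length field goes through checked_comment_len, so a COM with length 0 or 1
 * is refused instead of being turned into a 4 GB copy. */
int parse_comment(const uint8_t *data, size_t len, char *buf, size_t cap)
{
    if (len < 2 || data[0] != 0xFF || data[1] != 0xD8)
        return -1;                           /* must start with SOI */
    size_t pos = 2;
    while (pos + 2 <= len) {
        if (data[pos] != 0xFF)
            return -1;
        uint8_t marker = data[pos + 1];
        if (marker == 0xD9)
            return 0;                        /* EOI reached, no comment */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2;                        /* TEM / RSTn carry no length */
            continue;
        }
        if (pos + 4 > len)
            return -1;                       /* truncated length field */
        uint32_t n;
        if (checked_comment_len(be16(data + pos + 2), len - (pos + 4), &n) != 0)
            return -1;
        if (marker == 0xFE) {
            if (cap == 0 || n >= cap)
                return -1;                   /* leave room for the NUL */
            memcpy(buf, data + pos + 4, n);
            buf[n] = '\0';
            return (int)n;
        }
        pos += 4 + n;                        /* skip any other segment */
    }
    return -1;                               /* ran off the end without EOI */
}

int main(void)
{
    char buf[64];
    printf("length field 1 -> vulnerable count 0x%08x\n",
           (unsigned)vulnerable_comment_len(1));
    printf("bad_jpeg  -> %d\n", parse_comment(bad_jpeg, sizeof bad_jpeg, buf, sizeof buf));
    int got = parse_comment(good_jpeg, sizeof good_jpeg, buf, sizeof buf);
    printf("good_jpeg -> %d (\"%s\")\n", got, got > 0 ? buf : "");
    return 0;
}
```

The check that matters is the first line of checked_comment_len: the 16-bit length field cannot be smaller than the two bytes it occupies, and rejecting that case before the subtraction is what removes the underflow. The bound against the remaining input is the second half of the fix; without it a length of, say, 0xFFFF still reads past the end of a short file.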