This presentation is about what buffer overflows are, what heap overflows are, and how they are exploited. Specifically, the focus is on how such an overflow was used to attack JPEG image handling on Microsoft Windows systems.
Microsoft GDI+ JPEG Integer Underflow Vulnerability
Principles Of Secure Coding
JPEG Integer Underflow
Microsoft Security Bulletin MS04-028
Ashish Malik 1731110017
Microsoft JPEG Vulnerability
JPEGs themselves are not the problem. The problem lies in the application that reads the image data and displays the picture on screen.
The exploit triggers an overflow in a common Windows component, the GDI+ JPEG decoder.
The vulnerability specifically resides in "gdiplus.dll".
These attack images are not technically a virus: they carry no self-replicating code, but a crafted image executes attacker-supplied code on any system that decodes it with a vulnerable GDI+.
Different Windows applications frequently distribute their own copies of GDI+, so patching the operating system alone does not remove every vulnerable copy of the library.
Buffer Overflow
The application fails to check the size of input data before copying it into memory.
Two types of buffer overflow: stack overflow and heap overflow.
The stack and the heap are memory regions used by a process for storing different kinds of data: the stack holds function-call frames (return addresses, saved registers, local variables), the heap holds dynamically allocated data.
Stack Overflow
When a process makes a function call, the address of the next instruction, known as the return pointer or RET, is pushed onto the stack.
Function call parameters are pushed before the call, so they sit above RET; the called function's local variables are allocated below it.
Execution then jumps to the address of the called function.
A local buffer that is overrun writes upward through the saved frame pointer and RET, so when the function returns, execution continues at an attacker-chosen address.
Heap Overflow
The heap is a region of memory used by a process for data whose size is unknown at compile time.
It is created within the process's virtual address space.
The OS heap manager is responsible for heap management, reached through allocation calls such as malloc() or HeapAlloc().
The standard Windows heap keeps an array of free lists, used to track the locations of free heap blocks; each free block stores its list pointers in its own header.
Overrunning a heap buffer corrupts the header of the adjacent block. When the heap manager later unlinks that block from its free list, it writes through the attacker-controlled pointers, which yields an arbitrary 4-byte write.
GDI+ JPEG Vulnerability
The JPEG format defines a number of header segments, each introduced by a 2-byte marker of the form 0xFFxx.
The vulnerability described in MS04-028 lies in how GDI+ handles the comment segment.
A comment segment consists of the COM marker (0xFFFE), a 2-byte big-endian length field, and the comment bytes. The length field counts itself, so a comment of n bytes carries a length value of n + 2.
GDI+ therefore calculates the comment length by subtracting 2 from the value of the length field.
GDI+ JPEG Vulnerability
If the length field specifies 0 or 1 (values the JPEG specification never permits, since the field must be at least 2), the GDI+ calculation goes negative:
1 − 2 = −1 ≡ 0xFFFFFFFF ≡ 4 GB − 1
Because a 32-bit unsigned integer is used to store the length of the comment data, the result is interpreted not as an error but as a positive integer in excess of 4 billion (4,294,967,295 bytes).
GDI+ JPEG Vulnerability
The GDI+ routine copies the comment data to the heap with a rep movs instruction (copying from [esi] to [edi]), using the ECX register as the counter.
GDI+ loads the wrapped length into ECX, so the copy runs with an excessively large counter value and writes far past the allocated heap block.
GDI+ handles the resulting access violation by requesting additional heap space and continuing with the rep movs, rather than aborting the decode.
HeapAlloc() returns pointers to heap locations that now contain attacker-controlled JPEG data.
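The comment-segment layout, the length − 2 arithmetic, and the bounded copy described on the three slides above, worked through in C as an added example (this is not GDI+ code and not from the original presentation). The two JPEG header fragments are constructed for the example; the function names are the example's own. gdiplus_style_comment_len() reproduces the unchecked subtraction that fed ECX, and safe_comment_len()/decode_comment_checked() show the two checks a fixed decoder needs: a lower bound on the length field and an upper bound against the remaining file and the destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not GDI+ code): the MS04-028 comment-length underflow.
 * A JPEG COM segment is  FF FE | LL LL | comment bytes,  where the
 * big-endian 16-bit length LL LL counts itself, so a well-formed value is
 * always >= 2 and the comment is LL LL - 2 bytes long. */

/* Constructed inputs: a benign header (APP0 then a 5-byte comment) and an
 * attack header whose COM length field is 1. Neither is a complete image. */
static const uint8_t kBenignJpeg[] = {
    0xFF, 0xD8,                         /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 0x00, 0x00, /* APP0, length 4 (2 payload bytes) */
    0xFF, 0xFE, 0x00, 0x07,             /* COM, length 7 = 2 + 5 */
    'H', 'e', 'l', 'l', 'o'
};
static const uint8_t kMaliciousJpeg[] = {
    0xFF, 0xD8,                         /* SOI */
    0xFF, 0xFE, 0x00, 0x01,             /* COM, length 1: underflows */
    0x41, 0x41, 0x41, 0x41              /* bytes that would be copied */
};

/* Walk the marker segments after SOI and return the offset of the first COM
 * payload, storing the raw length field; -1 if there is none. Stops at SOS. */
long find_com_segment(const uint8_t *buf, size_t n, uint16_t *length_field)
{
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;
    size_t i = 2;
    while (i + 4 <= n && buf[i] == 0xFF) {
        uint8_t marker = buf[i + 1];
        uint16_t len = (uint16_t)((buf[i + 2] << 8) | buf[i + 3]);
        if (marker == 0xFE) {
            *length_field = len;
            return (long)(i + 4);
        }
        if (marker == 0xDA || len < 2)  /* SOS, or a malformed other segment */
            return -1;
        i += 2 + (size_t)len;          /* marker + length-inclusive payload */
    }
    return -1;
}

/* The arithmetic GDI+ performed: the 16-bit field is widened to a 32-bit
 * unsigned counter and 2 is subtracted with no lower-bound check. A field of
 * 1 wraps to 0xFFFFFFFF, which is the count that reached ECX for rep movs. */
uint32_t gdiplus_style_comment_len(uint16_t length_field)
{
    uint32_t len = length_field;
    return len - 2;
}

/* Hardened: reject fields below the spec minimum of 2 and comments that
 * extend past the end of the file. Returns 0 and sets *out on success. */
int safe_comment_len(uint16_t length_field, size_t remaining, uint32_t *out)
{
    if (length_field < 2)
        return -1;
    uint32_t n = (uint32_t)length_field - 2;
    if (n > remaining)
        return -1;
    *out = n;
    return 0;
}

/* Checked decode: copy the comment into dst (capacity dstcap). Returns the
 * number of bytes copied, or -1 on a malformed or oversized segment. */
long decode_comment_checked(const uint8_t *jpeg, size_t n,
                            uint8_t *dst, size_t dstcap)
{
    uint16_t lf;
    long off = find_com_segment(jpeg, n, &lf);
    if (off < 0)
        return -1;
    uint32_t clen;
    if (safe_comment_len(lf, n - (size_t)off, &clen) != 0 || clen > dstcap)
        return -1;
    memcpy(dst, jpeg + off, clen);  /* the rep movs, now with a bounded count */
    return (long)clen;
}

int main(void)
{
    uint16_t lf = 0;
    uint8_t out[16];
    find_com_segment(kMaliciousJpeg, sizeof kMaliciousJpeg, &lf);
    printf("attack file: length field %u, GDI+ count 0x%08X, checked decode %ld\n",
           lf, gdiplus_style_comment_len(lf),
           decode_comment_checked(kMaliciousJpeg, sizeof kMaliciousJpeg, out, sizeof out));
    long got = decode_comment_checked(kBenignJpeg, sizeof kBenignJpeg, out, sizeof out);
    printf("benign file: checked decode copied %ld bytes: %.*s\n", got, (int)got, out);
    return 0;
}
```

The example never performs the oversized copy; it only shows the count that would have been used. On the attack header the unchecked arithmetic yields 0xFFFFFFFF while the checked decoder rejects the segment, and on the benign header the checked decoder copies exactly the five comment bytes.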
GDI+ JPEG Vulnerability
The exploit takes advantage of this heap corruption to overwrite the Unhandled Exception Filter pointer, so that the exception raised by the overflow itself transfers control to the attacker's code.
Exploits may also use some form of win32_reverse shellcode from the Metasploit Project shellcode repository to connect back to the attacker's machine.