18 Jul

Analysis of CVE-2011-0041 vulnerability in GDI+

Posted by shahin in advisory, Exploits / BUG Decryption, reversing | Tags :BA, binary analysis, Bounty, CVE-2011-0044, exploit, GDI+, metasploit, MSF, VUPEN | Comments Off

Abysssec Research

we tried for other case in exploit bounty this time for a 500$ one .

no luck for successful exploitation and to be honest we didn’t tried so hard . at least we got a PoC and here is our analysis for this cool bug.

1) Advisory information

Title : GDI+ CreateDashedPath Integer overflow in gdiplus.dll

Discovery : Nicolas july from vupen

Analysis : Abysssec.com

Vendor : http://www.microsoft.com

Impact : High

Contact : info [at] abysssec.com

Twitter : @abysssec

CVE : CVE-2011-0041

2) Vulnerable version

Gdiplus.dll 5.2.6001.22319

3) Vulnerability information

Class

1-Integer overflow

Impact

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of vulnerable application or cause denial-of-service conditions.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerabilities detail

The vulnerability exists in gdiplus!GpPath::CreateDashedPath function of gdiplus.dll that is responsible for bitmap drawing and other 2d graphic rendering. EMF+ file is one of the image file format that is rendered by the library. And the vulnerability is based on some floating point calculation of an EMF+ path object.

We made the following proof of concept to trigger the issues and it will be explained more:

A little taste of file format we simply put a EMF_COMMENT record (id = 0×00000046) and embed and emf+ geraphic object ( id = 0×00004008 ) . For simplicity we ripped out a valid graphic object from another file and started to play with it. The record have two important area that we highlighted them in the above picture.

Here is the faulty code:

.text:4ECFCBAD loc_4ECFCBAD:

.text:4ECFCBAD mov eax, esi

.text:4ECFCBAF shl eax, 3

.text:4ECFCBB2 cmp [ebp+lpMem], 0

.text:4ECFCBB6 push eax ; dwBytes

.text:4ECFCBB7 jz short loc_4ECFCBCE

.text:4ECFCBB9 push [ebp+lpMem] ; lpMem

.text:4ECFCBBC call GpRealloc(x,x)

.text:4ECFCBC1 test eax, eax

.text:4ECFCBC3 jz loc_4ECFCCDB

.text:4ECFCBC9 mov [ebp+lpMem], eax

.text:4ECFCBCC jmp short loc_4ECFCBDE

.text:4ECFCBCE ; —————————————————————————

.text:4ECFCBCE

.text:4ECFCBCE loc_4ECFCBCE:

.text:4ECFCBCE call GpMalloc(x)

.text:4ECFCBD3 test eax, eax

.text:4ECFCBD5 mov [ebp+lpMem], eax

.text:4ECFCBD8 jz loc_4ECFCCDB

The above code uses the eax register as arguments to the GpMalloc function. GpMalloc is simply a gdi version of heapAlloc function. The value of eax register is based on various floating point calculation that is not simple to examine at first look.

But I traced the value of eax register and it seems the calculations are based on our values mentioned earlear in the file. And it doesn’t bound checked well, by changing the path value tricky it is possible when the “shl eax, 3” instruction multiply the value by 8 we get an integer overflow and in turn a faulty heap allocation.

I dynamically traced the values with my proof of concept file. Eax register is equall to eax + [ebp-38] * 10 and as there are a lot of values and calculations before that, for better consideration I made the following diagram:

It took a lot of time explanation of all of the variables above but, the important one is the GpPath object that is in the code a clone of the object is made to later be manipulated for drawings.

.text:4ECFC9D9 loc_4ECFC9D9: ; CODE XREF: GpPath::CreateDashedPath(DpPen const *,GpMatrix const *,float,float,float,int)+1AAj

.text:4ECFC9D9 fld dword ptr [esi+eax*4]

.text:4ECFC9DC fmul [ebp+arg_0]

.text:4ECFC9DF fstp dword ptr [esi+eax*4]

.text:4ECFC9E2 inc eax

.text:4ECFC9E3 cmp eax, [ebp+arg_4]

.text:4ECFC9E6 jl short loc_4ECFC9D9

.text:4ECFC9E8

.text:4ECFC9E8 loc_4ECFC9E8:

.text:4ECFC9E8 mov ecx, [ebp+var_18] ; Src

.text:4ECFC9EB call GpPath::Clone(void)

.text:4ECFC9F0 mov edi, eax

.text:4ECFC9F2 test edi, edi

.text:4ECFC9F4 jz loc_4ECFCDBA

.text:4ECFC9FA mov eax, [edi]

.text:4ECFC9FC mov ecx, edi

.text:4ECFC9FE call dword ptr [eax+4]

After calling the clone, it checks whether it is a valid clone or not at address 4ECFC9FE.

The offset +34h of the object contains a pointer to our 4byte path object values.

0:000> dd ecx

0e03ca50 4ec67e58 68745031 00000000 00000000

0e03ca60 0e03ca74 0e03ca74 00000010 00000010

0e03ca70 00000002 00000100 00000000 00000000

0e03ca80 00000000 0e03ca98 0e03ca98 00000010

0e03ca90 00000010 00000002 449a8eab 458ac500

0e03caa0 449a8eab 4e0000fe 00000000 00000000

0e03cab0 00000000 00000000 00000000 00000000

0e03cac0 00000000 00000000 00000000 00000000

Our floating point values in the file format:

0e03ca98 449a8eab 458ac500 449a8eab 4e0000fe

0e03caa8 00000000 00000000 00000000 00000000

But there are some modifications on our values before we get the faulty code. First after the clone is performed GpPath::Flatten function made some changes to our values based on a transform matrix in the file. So this is cause of the highlighted 6 DWORDs in the file.

.text:4ECFC9FE call dword ptr [eax+4]

.text:4ECFCA01 test eax, eax

.text:4ECFCA03 jz loc_4ECFCDBA

.text:4ECFCA09 fld ds:flt_4ECB80FC

.text:4ECFCA0F push ecx ; float

.text:4ECFCA10 lea eax, [ebp+var_F8]

.text:4ECFCA16 fstp [esp+108h+var_108]

.text:4ECFCA19 push eax ; int

.text:4ECFCA1A mov ecx, edi

.text:4ECFCA1C call GpPath::Flatten(GpMatrix const *,float)

.text:4ECFCA21 cmp [ebp+var_2C], 0

Flattened GpPath object values:

0:000> dd poi(edi+34)

0e03cd18 449a7eab 458ac100 449a7eab 4e0000fd

0e03cd28 00000000 00000000 00000000 00000000

And after that our changed GpPath object is sent to calculateGradiantArray and some array of floating point values are made based on its calculation.

There are many other default floating point values has effects on the value of the overflowing size for GpMalloc that are not so interesting and I’ve just shown them on the diagram.

After the calculation integer wrapped, the heap allocated by the gpMalloc function is not big enough to hold our data. So in next uses of the wrapped allocated heap the corruption occurs. But it seems there is not a straight way of exploiting such heap corruptions using a standalone file. .

PoC link   : http://abysssec.com/files/GDI_PoC.zip

1 Sep

MOAUB – Day by Day

Posted by shahin in advisory, Exploits / BUG Decryption, news, reversing, security | Tags :0day, binary analysis, exploit, exploit-db, metasploit, microsoft, MOAUB, shahin, shahin ramezany | Comments Off

Yes ! finally MOAUB (Month of Abysssec Undisclosed Bugs) started and finished as well.

Month of all User Bugs

Good Or Bad we released lots of 0days and binary analyses during a month (September) and you can use these info for owning websites UN-patched clients or writing more secure applications .

here is summary:

Day1:

Binary Analysis:

MOAUB #1 – Adobe Acrobat Reader and Flash Player “newclass” invalid pointer

MOAUB #1 – Adobe Acrobat Reader and Flash Player “newclass” invalid pointer – Binary Analysis

0day:

MOAUB #1 – Cpanel PHP Restriction Bypass Vulnerability 0day

———————————————————————————–

Day2:

Binary Analysis:

MOAUB #2 – Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability

MOAUB #2 – Apple QuickTime FlashPix NumberOfTiles Vulnerability – Binary Analysis

0day:

MOAUB #2 – Rainbowportal Multiple Remote Vulnerabilities

MOAUB #2 – Rainbowportal Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day3:

Binary Analysis:

MOAUB #3 – Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution

MOAUB #3 – Trend Micro Internet Security Pro 2010 ActiveX extSetOwner – Binary Analysis

0day:

MOAUB #3 – Visinia 1.3 Multiple Vulnerabilities

MOAUB #3 – Visinia CMS Multiple Vulnerabilities – 0day

———————————————————————————–

Day4:

Binary Analysis:

MOAUB #4 – Movie Maker Remote Code Execution (MS10-016)

MOAUB #4 – Movie Maker Remote Code Execution (MS10-016) – Binary Analysis

0day:

MOAUB #4 – syndeocms 2.8.02 Multiple Vulnerabilities

MOAUB #4 – Syndeocms 2.8.02 Multiple Vulnerabilities – 0day

———————————————————————————–

Day5:

Binary Analysis:

MOAUB #5 – Microsoft MPEG Layer-3 Remote Command Execution Exploit

MOAUB #5 – Microsoft MPEG Layer-3 Remote Command Execution – Binary Analysis

0day:

MOAUB #5 – IfNuke Multiple Remote Vulnerabilities 0day

———————————————————————————–

Day6:

Binary Analysis:

MOAUB #6 – HP OpenView NNM webappmon.exe execvp_nc Remote Code Execution

MOAUB #6 – HP OpenView NNM webappmon execvp_nc Remote Code Execution – Binary Analysis

0day:

MOAUB #6 – InterPhoto Gallery Multiple Remote Vulnerabilities

MOAUB #6 – InterPhoto Gallery Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day7:

Binary Analysis:

MOAUB #7 – Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow

0day:

MOAUB #7 – DynPage <= v1.0 Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day8:

Binary Analysis:

MOAUB #8 – Microsoft Office Visio DXF File Stack based Overflow

MOAUB #8 – Microsoft Office Visio DXF File Stack based Overflow – Binary Analysis

0day:

MOAUB #8 – Sirang Web-Based D-Control Multiple Remote Vulnerabilities

MOAUB #8 – Sirang Web-Based D-Control Multiple Remote Vulnerabilities – 0 day

———————————————————————————–

Day9:

Binary Analysis:

MOAUB #9 – Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

0day:

FestOS CMS 2.3b Multiple Remote Vulnerabilities

MOAUB #9 – FestOS CMS 2.3b Multiple Remote Vulnerabilities

———————————————————————————–

Day10:

Binary Analysis:

MOAUB #10 – Excel RTD Memory Corruption

0day:

MOAUB #10 – aradBlog Multiple Remote Vulnerabilities

———————————————————————————–

Day11:

Binary Analysis:

MOAUB #11 – Microsoft Office Word 2007 sprmCMajority Buffer Overflow

0day:

MOAUB #11 – ASP Nuke SQL Injection Vulnerability

MOAUB #11 – ASP Nuke Sql Injection Vulnerability

———————————————————————————–

Day12:

Binary Analysis:

MOAUB #12 – Adobe Acrobat and Reader “pushstring” Memory Corruption

0day:

MOAUB #12 – eshtery CMS SQL Injection Vulnerability

———————————————————————————–

Day13:

Binary Analysis:

MOAUB #13 – RealPlayer FLV Parsing Integer Overflow

0day:

MOAUB #13 – Luftguitar CMS Vulnerability: Upload Arbitrary File

———————————————————————————–

Day14:

Binary Analysis:

MOAUB #14 – Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow

MOAUB #14 – Novell iPrint Client Browser Plugin ExecuteRequest debug Stack Overflow

0day:

MOAUB #14 – FreeDiscussionForums v1.0 Multiple Remote Vulnerabilities

———————————————————————————–

Day15:

Binary Analysis:

MOAUB #15 – Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption

0day:

MOAUB #15 – PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities

———————————————————————————–

Day16:

Binary Analysis:

MOAUB #16 – Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability

0day:

MOAUB #16 – mojoportal Multiple Remote Vulnerabilities

———————————————————————————–

Day17:

Binary Analysis:

MOAUB #17 – Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution

0day:

MOAUB #17 – phpmyfamily Multiple Remote Vulnerabilities

———————————————————————————–

Day18:

Binary Analysis:

MOAUB #18 – Apple QuickTime FLI LinePacket Remote Code Execution Vulnerability

0day:

MOAUB #18 – CMSimple XSRF Vulnerability

MOAUB #18- CMSimple XSRF Vulnerability

———————————————————————————–

Day19:

Binary Analysis:

MOAUB #19 – Novell iPrint Client Browser Plugin call-back-url Stack Overflow

0day:

MOAUB #19 – JMD-CMS Multiple Remote Vulnerabilities

———————————————————————————–

Day20:

Binary Analysis:

MOAUB #20 – Java CMM readMabCurveData Stack Overflow

0day:

MOAUB #20 – VWD-CMS CSRF Vulnerability

———————————————————————————–

Day21:

Binary Analysis:

MOAUB #21 – Microsoft Excel WOPT Record Parsing Heap Memory Corruption

0day:

MOAUB #21 – Personal.Net Portal Multiple Vulnerabilities

———————————————————————————–

Day22:

Binary Analysis:

MOAUB #22 – Adobe Shockwave Director tSAC Chunk Memory Corruption

0day:

MOAUB #22 – gausCMS Multiple Vulnerabilities

———————————————————————————–

Day23:

Binary Analysis:

MOAUB #23 – Adobe Acrobat Reader and Flash ‘newfunction’ Remote Code Execution Vulnerability

0day:

MOAUB #23 – Microsoft Excel HFPicture Record Parsing Memory Corruption (0day)

———————————————————————————–

Day24:

Binary Analysis:

MOAUB #24 – Microsoft Excel OBJ Record Stack Overflow

0day:

MOAUB #24 – Microsoft MPEG Layer-3 Audio Decoder Division By Zero

———————————————————————————–

Day25:

Binary Analysis:

MOAUB #25 – Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

0day:

MOAUB #25 – VisualSite CMS v1.3 Multiple Vulnerabilities

———————————————————————————–

Day26:

Binary Analysis:

MOAUB #26 – Microsoft Cinepak Codec CVDecompress Heap Overflow

0day:

MOAUB #26 – Zenphoto Config Update and Command Execute Vulnerability

———————————————————————————–

Day27:

Binary Analysis:

MOAUB #27 – Microsoft Internet Explorer MSHTML Findtext Processing Issue

0day:

MOAUB #27 – ndCMS Sql Injection Vulnerability

———————————————————————————–

Day28:

0day:

MOAUB #28 – JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability

0day:

MOAUB #28 – AtomatiCMS Upload Arbitrary File Vulnerability

———————————————————————————–

Day29:

Binary Analysis:

MOAUB #29 – Microsoft Excel SxView Record Parsing Heap Memory Corruption

Day30:

Binary Analysis:

MOAUB #30 – Microsoft Unicode Scripts Processor Remote Code Execution

0day:

MOAUB #30 – ASPMass Shopping Cart Vulnerability File Upload CSRF

———————————————————————————–

Press :

Exploit-Database

Dark-Reading

NetworkAsia

ITBusinessedge

ComputerWorld

Theinquirer

And …

———————————————————————————–

PS : during these project and maybe we made some technical and non-technical mistakes due to complexly and compaction of this work and we hope we can fix some of them.

at end we are happy with result and your kind feedback.

for sure we will have really more interesting projects soon as soon possible and we think you will like them as well .

please follow me on twitter with @abysssec for other news projects and stay tunned for more projects .

as always finally if you have any question feel free to contact :

shahin [at] abysssec.com

info [at] abysssec.com

17 Aug

Month of Abysssec Undisclosed bugs coming !

Posted by shahin in news | Tags :0day, binary analysis, exploit, exploit-db, metasploit, microsoft, MOAUB, shahin, shahin ramezany | Comments Off

hello to all after a while we have big surprise for you .

We are about to unleash our Month Of Abysssec Undisclosed Bugs on exploit-db. Starting on the 1st of September, we will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novel, etc. The 0day collection includes PoCs and Exploits for Microsoft Excel, Internet Explorer,Microsoft codecs, Cpanel and others. The MOAUB will be hosted on the Exploit Database, and will be updated on a daily basis. Get your hard-hats on, your VM’s and debugging tools organized – it’s gonna be a an intensive ride!

this is link on exploit-db :

http://www.exploit-db.com/moaub-0days-binary-analysis-exploit-pocs/

Follow Abysssec twitter to keep updated!

stay tunned .

Abysssec Security Research

Analysis of CVE-2011-0041 vulnerability in GDI+

1) Advisory information

CVE : CVE-2011-0041

2) Vulnerable version

3) Vulnerability information

4) Vulnerabilities detail

MOAUB – Day by Day

Month of Abysssec Undisclosed bugs coming !

Categories

Blogroll

June 2013
M	T	W	T	F	S	S
« Jan
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30