An in depth analysis of CVE

Slides:



Advertisements
Similar presentations
By Hiranmayi Pai Neeraj Jain
Advertisements

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights st of November 2014.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Business Technology Applications Computer Basics.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Image File Format Only focused in TIFF-Tag Image File Format Grayscale 8 bit Purpose-interchange of digital image data Goals: Extensibility-capable to.
1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.
1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Defeating public exploit protections (EMET v5.2 and more)
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
CA III Publisher Lessons 1 and 2 © 2009 M and K Solutions, LLC -- All Rights Reserved.
2 New Security Bulletins and AdvisoriesNew Security Bulletins and Advisories –1 New Security Advisory –1 New Critical Bulletin –1 New Moderate Bulletin.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Copyright © 2008 Pearson Prentice Hall. All rights reserved. 1 Exploring Microsoft Office Word 2007 Chapter 8 Word and the Internet Robert Grauer, Keith.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Bobby Bodenheimer CS 258 Introduction to Graphics Fall 2003 The Tiff Image Specification.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Collaborate on Documents Microsoft Word Introduction Word 2010 makes it easy for groups of people to edit one document. You can easily edit documents.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
Introduction to web development and HTML MGMT 230 LAB.
Anatomy of a Sound File v © Allan C. Milne Abertay University.
Conducting Security Assessments Dan Elder Security Engineer Novacoast Eron Howard Manager Development Services Novacoast.
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
Semantics for Cybersecurity and Privacy Tim Finin, UMBC Joint work with Anupam Joshi, Karuna Joshi, Zareen Syed andmany UMBC graduate students
Forms and Server Side Includes. What are Forms? Forms are used to get user input We’ve all used them before. For example, ever had to sign up for courses.
Telecommunications Networking II Lecture 41f Viruses and Worms.
Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis Carsten Willems 1, Thorsten Holz 1, Felix Freiling 2 1 Ruhr-University.
VistA Imaging Workstation Configuration. October The information in this documentation includes functionality of the software after the installation.
File Formats Different applications (programs) store data in different formats. Applications support some file formats and not others. Open…, Save…, Save.
Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California,
Network Programming and Network Security Lane Thames Graduate Research Assistant.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Part 4 November 15,  Click MS Access 2013  On the MS Access Screen Pane, select Blank Database  Create a name that will reserve as your file.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.
Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.
MULTIMEDIA Multimedia is the field concerned with the computer- controlled integration of text, graphics, drawings, still and moving images (Video), animation,
Slammer Worm By : Varsha Gupta.P 08QR1A1216.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)
MALICIOUS SOFTWARE Rishu sihotra TE Computer
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Virus Infections By: Lindsay Bowser. Introduction b What is a “virus”? b Brief history of viruses b Different types of infections b How they spread b.
By: Chuqing He. Android Overview - Purchased by Google in First Android Phone was sold in Oct Linux-based - Holds 75% of the worldwide.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Security on the Internet Norman White ©2001. Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability.
WannaCry/WannaCrypt Ransomware
Yingfang Zhang Department of Computer Science UCCS
Exploring Microsoft Word 2000
InterLaser Basic requirements.
Chap 10 Malicious Software.
A Distributed DoS in Action
Scan to USB.
UNIT IV.
Security.
Lesson 5: Multimedia on the Web
Chap 10 Malicious Software.
CMSC 491/691 Malware Analysis
Loaders and Linkers.
Types of Software Mrs. S. Palmer Office Administration.
DocumentParser: November, 2013.
Outline Introduction Memory protection Buffer overflows
Outline Introduction Memory protection Buffer overflows
Week 3: Format String Vulnerability
Static Analysis Methods for Detection of Microsoft Office Exploits
Presentation transcript:

An in depth analysis of CVE-2013-3906 Frank Boldewin

GDI+ integer overflow in Microsoft Windows Vista SP2 Server 2008 SP2 CVE-2013-3906 Description GDI+ integer overflow in Microsoft Windows Vista SP2 Server 2008 SP2 Office 2003 SP3 Office 2007 SP3 Office 2010 SP1 and SP2 Allows remote attackers to execute arbitrary code via a crafted TIFF image embedded in a Word document First seen exploited in the wild in October 2013 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906

Infection via mail with MS Office attachment

Opened docx file looks harmless

Unzipped docx file – cyrillic characters give hints to its origin Unzipped docx file – evil TIFF image causing the integer overflow

Unzipped docx file – ActiveX directory

ActiveX heap-spraying New technique introducted for the first time in CVE-2013-3906 Winword performs heap-spray, so no extra code is needed As usual shellcode is sprayed multiple times in memory by activex.bin Shellcode uses decryption loop to avoid detection by known patterns

Officemalscanner decryption loop detection

Short introduction to the TIFF file format Created by Aldus and Microsoft in 1986 Widely supported by publishing and page layout applications for: Faxing Scanning Word processing Character recognition TIFF files are organized into three sections Image File Header (IFH) Image File Directory (IFD) Bitmap data

Short introduction to the TIFF file format Each IFD contains one or more data structures called tags Tags are identified by its values, e.g. ImageWidth = 256 Each tag has a 12-bytes record, containing infos about the bitmapped data, e.g. Compression type X+Y Resolution StripByteCounts (Important for exploitation!) JPEGInterchangeFormat (Important for exploitation!) JPEGInterchangeFormatLength (Important for exploitation!)

Integer Overflow to 0 by adding StripByteCounts values + JPEGInterchangeFormatLength (0x1484) together

Modified JFIF inside TIFF File (Length 0x1484) Take note of the large amount of 08 values !!!

Exploit Trace – Calculation and 0-Bytes allocation

Exploit Trace Memcpy of JFIF to 0-Bytes allocated HEAP-memory Overwritten vftable from evil JFIF points to address 0x08080808

Vftable before and after corruption

ROP Stage with MSCOMCTL.OCX code to bypass DEP

Payload decryption in shellcode inside activeX1.bin Encrypted payload Decrypted payload

Cheers to Elia Florio EP_X0FF Aleks Matrosov Thug4lif3

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.