Presentation is loading. Please wait.

Presentation is loading. Please wait.

An in depth analysis of CVE

Published byBrandi Burkitt Modified over 9 years ago

Similar presentations

Presentation on theme: "An in depth analysis of CVE"— Presentation transcript:

1 An in depth analysis of CVE-2013-3906
Frank Boldewin

2 GDI+ integer overflow in Microsoft Windows Vista SP2 Server 2008 SP2
CVE Description GDI+ integer overflow in Microsoft Windows Vista SP2 Server 2008 SP2 Office 2003 SP3 Office 2007 SP3 Office 2010 SP1 and SP2 Allows remote attackers to execute arbitrary code via a crafted TIFF image embedded in a Word document First seen exploited in the wild in October 2013

3 Infection via mail with MS Office attachment

4 Opened docx file looks harmless

5 Unzipped docx file – cyrillic characters give hints to its origin
Unzipped docx file – evil TIFF image causing the integer overflow

6 Unzipped docx file – ActiveX directory

7 ActiveX heap-spraying
New technique introducted for the first time in CVE Winword performs heap-spray, so no extra code is needed As usual shellcode is sprayed multiple times in memory by activex.bin Shellcode uses decryption loop to avoid detection by known patterns

8 Officemalscanner decryption loop detection

9 Short introduction to the TIFF file format
Created by Aldus and Microsoft in 1986 Widely supported by publishing and page layout applications for: Faxing Scanning Word processing Character recognition TIFF files are organized into three sections Image File Header (IFH) Image File Directory (IFD) Bitmap data

10 Short introduction to the TIFF file format
Each IFD contains one or more data structures called tags Tags are identified by its values, e.g. ImageWidth = 256 Each tag has a 12-bytes record, containing infos about the bitmapped data, e.g. Compression type X+Y Resolution StripByteCounts (Important for exploitation!) JPEGInterchangeFormat (Important for exploitation!) JPEGInterchangeFormatLength (Important for exploitation!)

11 Integer Overflow to 0 by adding StripByteCounts values + JPEGInterchangeFormatLength (0x1484) together

12 Modified JFIF inside TIFF File (Length 0x1484)
Take note of the large amount of 08 values !!!

13 Exploit Trace – Calculation and 0-Bytes allocation

14 Exploit Trace Memcpy of JFIF to 0-Bytes allocated HEAP-memory
Overwritten vftable from evil JFIF points to address 0x

15 Vftable before and after corruption

16 ROP Stage with MSCOMCTL.OCX code to bypass DEP

17 Payload decryption in shellcode inside activeX1.bin
Encrypted payload Decrypted payload

18 Cheers to Elia Florio EP_X0FF Aleks Matrosov Thug4lif3

Download ppt "An in depth analysis of CVE"

Similar presentations

By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights 2014 13st of November 2014.

The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights st of November 2014.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Business Technology Applications Computer Basics.

Business Technology Applications Computer Basics.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Image File Format Only focused in TIFF-Tag Image File Format Grayscale 8 bit Purpose-interchange of digital image data Goals: Extensibility-capable to.

Image File Format Only focused in TIFF-Tag Image File Format Grayscale 8 bit Purpose-interchange of digital image data Goals: Extensibility-capable to.
1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.

1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.
1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.

1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Defeating public exploit protections (EMET v5.2 and more)

Defeating public exploit protections (EMET v5.2 and more)
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
CA III Publisher Lessons 1 and 2 © 2009 M and K Solutions, LLC -- All Rights Reserved.

CA III Publisher Lessons 1 and 2 © 2009 M and K Solutions, LLC -- All Rights Reserved.
2 New Security Bulletins and AdvisoriesNew Security Bulletins and Advisories –1 New Security Advisory –1 New Critical Bulletin –1 New Moderate Bulletin.

2 New Security Bulletins and AdvisoriesNew Security Bulletins and Advisories –1 New Security Advisory –1 New Critical Bulletin –1 New Moderate Bulletin.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Copyright © 2008 Pearson Prentice Hall. All rights reserved. 1 Exploring Microsoft Office Word 2007 Chapter 8 Word and the Internet Robert Grauer, Keith.

Copyright © 2008 Pearson Prentice Hall. All rights reserved. 1 Exploring Microsoft Office Word 2007 Chapter 8 Word and the Internet Robert Grauer, Keith.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG 12 30 th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.

OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.

1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.

Similar presentations

Ads by Google