1. All About Thumbnails Peter Ferrie Principal Anti-virus Researcher 11 March, 2011 1

2. It Started With A Public Disclosure... December 2010, Moti and Xu Hao present at POC2010 "A Vulnerability in My Heart" Bug #1: In shimgvw.ConvertDIBSECTIONToThumbnail  5CB1FBA1 mov esi,[ebp+0C] ;number of colours... 5CB1FBF4 cmp esi,00000008 5CB1FC0F ja SHIMGVW.5CB1FC9B ;only for 8-bit colour mode... 5CB1FC24 mov ecx,[edx+20] ;copy size, user-defined... 5CB1FC2D cmp ecx,00000100 5CB1FC33 jg SHIMGVW.5CB1FCF0 ;bug is here: signed comparison ;accepts >= 2Gb copy size 5CB1FC39 lea esi,[edx+28] 5CB1FC3C lea edi,[ebp-00000408] 5CB1FC42 rep movsd ;copy from file to stack ;until exception occurs 2 Peter Ferrie, Microsoft Corporation

3. That Made Me Look Closer Stepped through shimgvw.ConvertDIBSECTIONToThumbnail Interested in other code paths, just in case... Short routine, did not take long... 3 Peter Ferrie, Microsoft Corporation

4. That Made Me Look Closer Stepped through shimgvw.ConvertDIBSECTIONToThumbnail Interested in other code paths, just in case... Short routine, did not take long......to find something 4 Peter Ferrie, Microsoft Corporation

5. That Made Me Look Closer Does this code contain a bug?  5CB1EFFD mov eax,[esi+0C] ;height from file 5CB1F000 imul eax,[esi] 5CB1F003 lea eax,[eax+2*eax] ;multiply by 3 5CB1F006 push eax 5CB1F007 call SHIMGVW.5CB17483 ;? 5 Peter Ferrie, Microsoft Corporation

6. That Made Me Look Closer Yes, this code contains a bug:  5CB1EFFD mov eax,[esi+0C] ;height from file 5CB1F000 imul eax,[esi] ;we can mostly control this 5CB1F003 lea eax,[eax+2*eax] ;multiply by 3 5CB1F006 push eax 5CB1F007 call SHIMGVW.5CB17483 ;malloc... Bug #2: Integer overflow in height calculation Completely different! Multiply-then-malloc() is a common problem Returns heap memory pointer, not stack pointer This buffer receives file content Set height to 0x55555556 or larger to overflow it Heap corruption is special because no exception occurs 6 Peter Ferrie, Microsoft Corporation

7. That Made Me Look Even Closer Tried some larger values and it stopped working It turns out that height is signed  5CB200FD xor ecx,ecx... 5CB20102 mov eax,[ebx+08] 5CB20105 cmp eax,ecx... 5CB2010F jnl SHIMGVW.5CB2011D 5CB20111 neg eax 5CB20113 mov [ebx+08],eax This is abs() which changes the allowed range Potential values are still 0x55555556-0xffffffff, but not all values work 7 Peter Ferrie, Microsoft Corporation

8. Closer Still... Problem if height * 0x3e8 >= 0x80000000  5CB1F9F9 mov edi,[ecx+0C] ;height 5CB1F9FC mov ebx,[ebx+04] ;0x60 5CB1F9FF imul edi,000003E8 ;might become signed... 5CB1FA08 mov eax,edi 5CB1FA0A cdq 5CB1FA0B idiv ebx ;and still signed... 5CB1FA0D cmp [ebp+0C],eax... 5CB1FA13 jle SHIMGVW.5CB1FA3E ;taken if width < height 5CB1FA15 mov esi,[ebp+08] ;otherwise 5CB1FA18 mov eax,[esi] ;0x60 is used 5CB1FA1A mov [ecx+08],eax ;instead of 1 in earlier slide Multiply-then-malloc() value is affected if result here is signed Multiply might not overflow anymore 8 Peter Ferrie, Microsoft Corporation

9. Another Code Path That covers the possibilities for height How about width?  5CB1F4F5 mov ax,[edi+0E] ;number of colours 5CB1F4F9 cmp ax,0010... 5CB1F500 je SHIMGVW.5CB1F50C ;16-bit colour 5CB1F502 cmp ax,0020 5CB1F506 jne SHIMGVW.5CB1F5A1 ;8- or 24-bit colour... ;32-bit colour here also works 5CB1F5B6 cmp ax,0018... 5CB1F5C0 jne SHIMGVW.5CB1F62F ;anything except 24-bit colour... 5CB1F62F lea eax,[edx+2*edx+03] ;width, this time 5CB1F633 and eax,FFFFFFFC 5CB1F636 push eax 5CB1F637 call SHIMGVW.5CB17483 ;malloc again Yes, bug #3, different location, same problem Any value in the range 0x55555555-0xffffffff can be used here 9 Peter Ferrie, Microsoft Corporation

10. File Size Check Width * height should fit within file Unlike bug #1 copy size 10 Peter Ferrie, Microsoft Corporation

11. File Size Check Width * height should fit within file Unlike bug #1 copy size There is a trick to bypass this check 11 Peter Ferrie, Microsoft Corporation

12. File Size Check Width * height should fit within file Unlike bug #1 copy size There is a trick to bypass this check I am not going to tell you what it is 12 Peter Ferrie, Microsoft Corporation

13. Are We Done Yet? No!  When width and height are 0x60, no scaling is required A new code path is reached  5CB1FB2C mov eax,[ecx+08] 5CB1FB2F cdq 5CB1FB30 mov esi,eax 5CB1FB32 movzx eax,word ptr [ecx+0E] ;number of colours 5CB1FB36 xor esi,edx 5CB1FB38 sub esi,edx 5CB1FB3A movzx edx,word ptr [ecx+0C] ;number of bitplanes 5CB1FB3E imul eax,edx 5CB1FB41 imul eax,[ecx+04] 5CB1FB45 add eax,0000001F 5CB1FB48 and eax,FFFFFFE0 5CB1FB4B cdq 5CB1FB4C push 00000008 5CB1FB4E pop ecx 5CB1FB4F idiv ecx 5CB1FB51 imul eax,esi Calculates size of DIB section 13 Peter Ferrie, Microsoft Corporation

14. Are We Done Yet? Looks okay, but the first time this is called...  5CB1FB2C mov eax,[ecx+08] 5CB1FB2F cdq 5CB1FB30 mov esi,eax 5CB1FB32 movzx eax,word ptr [ecx+0E] ;number of colours 5CB1FB36 xor esi,edx 5CB1FB38 sub esi,edx 5CB1FB3A movzx edx,word ptr [ecx+0C] ;hard-coded! Not all data are taken from the file Number of colours is Number of bitplanes is not Bitplanes value is constant of 1 14 Peter Ferrie, Microsoft Corporation

15. Are We Done Yet? Result is passed to a memory allocation function  5CB1FC9B push ebx 5CB1FC9C push ebx 5CB1FC9D lea eax,[ebp+10] ;receives memory pointer 5CB1FCA0 push eax 5CB1FCA1 push ebx 5CB1FCA2 lea eax,[ebp-00000430] 5CB1FCA8 push eax 5CB1FCA9 push dword ptr [ebp-04] 5CB1FCAC call [SHIMGVW.5CB01084] ;GDI32.CreateDIBSection Still okay so far 15 Peter Ferrie, Microsoft Corporation

16. Are We Done Yet? Until it is called again...  5CB1FB2C mov eax,[ecx+08] 5CB1FB2F cdq 5CB1FB30 mov esi,eax 5CB1FB32 movzx eax,word ptr [ecx+0E] ;number of colours 5CB1FB36 xor esi,edx 5CB1FB38 sub esi,edx 5CB1FB3A movzx edx,word ptr [ecx+0C] ;number of bitplanes 5CB1FB3E imul eax,edx 5CB1FB41 imul eax,[ecx+04] 5CB1FB45 add eax,0000001F 5CB1FB48 and eax,FFFFFFE0 5CB1FB4B cdq 5CB1FB4C push 00000008 5CB1FB4E pop ecx 5CB1FB4F idiv ecx 5CB1FB51 imul eax,esi 16 Peter Ferrie, Microsoft Corporation

17. Are We Done Yet? Until it is called again...  5CB1FB2C mov eax,[ecx+08] 5CB1FB2F cdq 5CB1FB30 mov esi,eax 5CB1FB32 movzx eax,word ptr [ecx+0E] ;number of colours 5CB1FB36 xor esi,edx 5CB1FB38 sub esi,edx 5CB1FB3A movzx edx,word ptr [ecx+0C] ;number of bitplanes 5CB1FB3E imul eax,edx 5CB1FB41 imul eax,[ecx+04] 5CB1FB45 add eax,0000001F 5CB1FB48 and eax,FFFFFFE0 5CB1FB4B cdq 5CB1FB4C push 00000008 5CB1FB4E pop ecx 5CB1FB4F idiv ecx 5CB1FB51 imul eax,esi...using data taken directly from the file 17 Peter Ferrie, Microsoft Corporation

18. Are We Done Yet? Number of bitplanes is user-defined Result is passed to memcpy()  5CB20213 mov esi,[ebp-04] 5CB20216 mov edi,[ebp+10] ;returned by CreateDIBSection 5CB20219 mov ecx,eax ;user-defined size 5CB2021B shr ecx,02 5CB2021E rep movsd 5CB20220 mov ecx,eax 5CB20222 and ecx,00000003 5CB20225 rep movsb Specify more than one bitplane Bug #4: Copy size > allocated size 18 Peter Ferrie, Microsoft Corporation

19. All Patched...? Yes and no Signed check (bug #1) is fixed Some code also added to ConvertDIBSECTIONToThumbnail()  Protects against CreateDIBSection() (bug #4) problem Additional checks added to earlier routine Catches bad values while calculating aspect ratio, stops bugs #2 and #3 However...  5CB1F36F mov eax,[esi+0C] 5CB1F372 imul eax,[esi] 5CB1F375 and dword ptr [esi+10],0 5CB1F379 lea eax,[eax+eax*2] 5CB1F37C push eax 5CB1F37D call SHIMGVW.5CB1F37D ;malloc... Bad code is still there, relying on earlier checks to prevent exploitation So don't call ConvertDIBSECTIONToThumbnail() directly Otherwise you will still be vulnerable 19 Peter Ferrie, Microsoft Corporation

20. Thank you Check me out: http://pferrie.tripod.com Questions? 20 Peter Ferrie, Microsoft Corporation