Abysssec Research. 1) Advisory information. 2) Vulnerable version

Abysssec Research

1) Advisory information

Title     : Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability
Version   : QuickTime player 7.6.5
Discovery : http://www.abysssec.com
Vendor    : http://www.apple.com
Impact    : Med/High
Contact   : shahin [at] abysssec.com, info [at] abysssec.com
Twitter   : @abysssec
CVE       : CVE-2010-0519

2) Vulnerable version

Apple QuickTime Player 7.6.5
Apple QuickTime Player 7.6.4
Apple QuickTime Player 7.6.2
Apple QuickTime Player 7.6.1
Apple QuickTime Player 7.6
Apple Mac OS X Server 10.6.2
Apple Mac OS X Server 10.6.1
Apple Mac OS X Server 10.6
Apple Mac OS X 10.6.2
Apple Mac OS X 10.6.1
Apple Mac OS X 10.6

3) Vulnerability information

Class
  1- Code execution

Impact
  Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.

Remotely Exploitable
  Yes

Locally Exploitable
  Yes

4) Vulnerabilities detail

Integer overflow:

The FlashPix file format is structured like a file system: the whole file consists of storages and streams. A storage is analogous to a folder in a file system and a stream is analogous to a file. Every storage can contain other storages and streams, exactly as every folder in a file system can contain folders and files. The image below shows the concept:

One of the various streams that exist in the file format is SubImage. The SubImage stream consists of a Header and Data, where the Header describes the layout of the Data and the Data contains the image information.

In this file format, the image is divided into 64x64-pixel tiles, and the number of tiles is stored in the SubImage stream header. The QuickTime Player software reads the number of tiles from the NumberOfTiles field of the header, multiplies it by 16, and allocates heap memory of that size. In the next stage, the application copies the tile information into the allocated memory, iterating once per tile according to NumberOfTiles. When the product does not fit in 32 bits, the allocated buffer is smaller than the amount of data the NumberOfTiles count implies, and the copy writes past the end of the heap buffer by the difference between those two sizes. Now we are going to explain the binary based on the discussed material:

.text:67ADB6F0 push    ecx
.text:67ADB6F1 push    esi
.text:67ADB6F2 push    edi
.text:67ADB6F3 xor     edi, edi
.text:67ADB6F5 mov     esi, ecx
.text:67ADB6F7 cmp     [esi+56h], edi
.text:67ADB6FA mov     [esp+0Ch+var_4], edi
.text:67ADB6FE jnz     loc_67ADB7DD
.text:67ADB704 mov     eax, [esi+22h]
.text:67ADB707 shl     eax, 4
.text:67ADB70A push    eax
.text:67ADB70B call    sub_67B6FDB0
.text:67ADB710 add     esp, 4
.text:67ADB713 cmp     eax, edi
.text:67ADB715 mov     [esi+56h], eax
.text:67ADB718 jnz     short loc_67ADB721
.text:67ADB71A lea     eax, [edi-6Ch]
.text:67ADB71D pop     edi
.text:67ADB71E pop     esi
.text:67ADB71F pop     ecx
.text:67ADB720 retn

This flaw exists in the QuickTimeImage.qtx file. The code above shows that at address 67ADB704 the value of NumberOfTiles is loaded into the EAX register. This value is then multiplied by 16 with a shift-left instruction at address 67ADB707, and the result is passed to QuickT_B.67B6FDB0 to allocate memory, without any bounds checking. For example, if we put 41414141 in this field, the result after the shift is 14141410 (the upper bits are discarded), which is less than 41414141. In the next section, the values are copied into memory in a loop whose iteration count is controlled by NumberOfTiles.

.text:67ADB740 mov     ecx, [esi+5Eh]
.text:67ADB743 mov     edx, [ecx]
.text:67ADB745 mov     eax, [edx+8]
.text:67ADB748 push    0
.text:67ADB74A push    ebx
.text:67ADB74B call    eax
.text:67ADB74D test    al, al
.text:67ADB74F jz      short loc_67ADB7BF
.text:67ADB751 mov     eax, [esi+56h]
.text:67ADB754 mov     ecx, [esi+5Eh]
.text:67ADB757 mov     eax, [eax]
.text:67ADB759 mov     edx, [ecx]
.text:67ADB75B mov     edx, [edx+1Ch]
.text:67ADB75E add     eax, edi
.text:67ADB760 push    eax
.text:67ADB761 call    edx
.text:67ADB763 test    al, al
.text:67ADB765 jz      short loc_67ADB7BF
.text:67ADB767 mov     edx, [esi+56h]
.text:67ADB76A mov     ecx, [esi+5Eh]
.text:67ADB76D mov     edx, [edx]
.text:67ADB76F mov     eax, [ecx]
.text:67ADB771 mov     eax, [eax+1Ch]
.text:67ADB774 lea     edx, [edx+edi+4]
.text:67ADB778 push    edx
.text:67ADB779 call    eax
.text:67ADB77B test    al, al
.text:67ADB77D jz      short loc_67ADB7BF
.text:67ADB77F mov     eax, [esi+56h]
.text:67ADB782 mov     ecx, [esi+5Eh]
.text:67ADB785 mov     eax, [eax]
.text:67ADB787 mov     edx, [ecx]
.text:67ADB789 mov     edx, [edx+1Ch]
.text:67ADB78C lea     eax, [eax+edi+8]
.text:67ADB790 push    eax
.text:67ADB791 call    edx
.text:67ADB793 test    al, al
.text:67ADB795 jz      short loc_67ADB7BF
.text:67ADB797 mov     edx, [esi+56h]
.text:67ADB79A mov     ecx, [esi+5Eh]
.text:67ADB79D mov     edx, [edx]
.text:67ADB79F mov     eax, [ecx]
.text:67ADB7A1 mov     eax, [eax+1Ch]
.text:67ADB7A4 lea     edx, [edx+edi+0Ch]
.text:67ADB7A8 push    edx
.text:67ADB7A9 call    eax
.text:67ADB7AB test    al, al
.text:67ADB7AD jz      short loc_67ADB7BF
.text:67ADB7AF add     ebx, [esi+36h]
.text:67ADB7B2 add     ebp, 1
.text:67ADB7B5 add     edi, 10h
.text:67ADB7B8 cmp     ebp, [esi+22h]
.text:67ADB7BB jb      short loc_67ADB740
.text:67ADB7BD jmp     short loc_67ADB7C7

The NumberOfTiles value held at esi+22h is compared against the EBP register, which serves as the loop counter, at address 67ADB7B8; if the counter is less than NumberOfTiles, execution flows back to the beginning of the loop. On each iteration EBP is incremented by 1 and 16 is added to the EDI register, where EDI is the index used when reading memory.

.text:668E27E8 mov     eax, [esi+ecx*4-4]   ; Microsoft VisualC 2-9/net runtime
.text:668E27EC mov     [edi+ecx*4-4], eax
.text:668E27F0 lea     eax, ds:0[ecx*4]
.text:668E27F7 add     esi, eax
.text:668E27F9 add     edi, eax

If we change the NumberOfTiles value to 41414141, an access violation error occurs at address 668E27EC.
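The following C program is an added illustration of the size computation described above; it is not code from the Abysssec advisory or from QuickTime. It reproduces the 32-bit "NumberOfTiles << 4" arithmetic so the 41414141 -> 14141410 truncation can be checked, computes how far a 16-bytes-per-tile copy loop would run past such a truncated allocation, and places a hardened version beside it that rejects any count whose product would wrap and also verifies the stream really holds that many records. The 16-byte record size comes from the listing's shift; the sample stream, the function names and the fixed-size copy are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TILE_RECORD_SIZE 16u   /* bytes per tile record, matching the listing's "shl eax, 4" */

/* Mirrors the vulnerable size computation: NumberOfTiles << 4, kept in 32 bits.
   For 0x41414141 the true product 0x414141410 does not fit and is truncated to 0x14141410. */
uint32_t unchecked_tile_alloc_size(uint32_t number_of_tiles)
{
    return number_of_tiles << 4;
}

/* Hardened size computation: refuses any count whose product would wrap.
   Returns the byte size, or -1 when number_of_tiles * 16 exceeds 32 bits. */
int64_t checked_tile_alloc_size(uint32_t number_of_tiles)
{
    if (number_of_tiles > UINT32_MAX / TILE_RECORD_SIZE)
        return -1;
    return (int64_t)number_of_tiles * TILE_RECORD_SIZE;
}

/* How far a copy loop of NumberOfTiles iterations, 16 bytes each, would run past the
   truncated allocation. Zero means the allocation was large enough. */
uint64_t overflow_bytes(uint32_t number_of_tiles)
{
    uint64_t needed    = (uint64_t)number_of_tiles * TILE_RECORD_SIZE;
    uint64_t allocated = unchecked_tile_alloc_size(number_of_tiles);
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened copy (assumed shape, not QuickTime's): the size comes from the checked
   computation, the source must actually contain number_of_tiles records, and the
   destination capacity is enforced. Returns bytes copied, or 0 when the input is rejected. */
size_t copy_tile_table_checked(uint32_t number_of_tiles,
                               const uint8_t *src, size_t src_len,
                               uint8_t *dst, size_t dst_cap)
{
    int64_t size = checked_tile_alloc_size(number_of_tiles);
    if (size < 0)                   /* count * 16 would wrap in 32 bits */
        return 0;
    if ((uint64_t)size > src_len)   /* header claims more tiles than the stream holds */
        return 0;
    if ((uint64_t)size > dst_cap)   /* caller's buffer is too small */
        return 0;
    memcpy(dst, src, (size_t)size);
    return (size_t)size;
}

/* Constructed demo input: a 48-byte "stream" holding exactly three 16-byte tile records.
   claimed_tiles plays the role of the NumberOfTiles header field. */
size_t demo_copy(uint32_t claimed_tiles)
{
    uint8_t stream[3 * TILE_RECORD_SIZE];
    uint8_t dst[3 * TILE_RECORD_SIZE];
    for (size_t i = 0; i < sizeof stream; i++)
        stream[i] = (uint8_t)i;
    return copy_tile_table_checked(claimed_tiles, stream, sizeof stream, dst, sizeof dst);
}

int main(void)
{
    uint32_t n = 0x41414141u;
    printf("NumberOfTiles=0x%08x alloc=0x%08x needed=0x%llx overrun=0x%llx bytes\n",
           n, unchecked_tile_alloc_size(n),
           (unsigned long long)n * TILE_RECORD_SIZE,
           (unsigned long long)overflow_bytes(n));
    printf("checked size for 0x%08x: %lld\n", n, (long long)checked_tile_alloc_size(n));
    printf("demo_copy(3)=%zu demo_copy(4)=%zu demo_copy(0x41414141)=%zu\n",
           demo_copy(3), demo_copy(4), demo_copy(n));
    return 0;
}
```

The checked variant compares the count against UINT32_MAX / 16 before multiplying, which is the standard way to reject a wrapping product without relying on compiler builtins; the second check (size against the remaining stream length) is what stops a header from driving a copy past the data actually present, which is the condition behind the access violation noted at 668E27EC.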