GDI+ - CreateDashedPath Integer Overflow in gdiplus.dll

2011-07-18T00:00:00
ID EDB-ID:17544
Type exploitdb
Reporter Abysssec
Modified 2011-07-18T00:00:00

Description

GDI+ - CreateDashedPath Integer Overflow in gdiplus.dll. CVE-2011-0041. Dos exploit for windows platform

                                        
                                            Abysssec Research

1) Advisory information

  Title             :  GDI+ CreateDashedPath Integer overflow in
gdiplus.dll
  Discovery         :  Nicolas july from vupen
  Analysis          :  Abysssec.com
  Vendor            :  http://www.microsoft.com
  Impact            :  High
  Contact           :  info  [at] abysssec.com
  Twitter           : @abysssec
  CVE               : CVE-2011-0041


2) Vulnerable version
Gdiplus.dll 5.2.6001.22319

3) Vulnerability information

Class
        1-Integer overflow
Impact

Successfully exploiting this issue allows remote attackers to execute
arbitrary code in the context of vulnerable application or cause
denial-of-service conditions.

Remotely Exploitable
Yes
Locally Exploitable
Yes

4) Vulnerabilities detail

The vulnerability exists in gdiplus!GpPath::CreateDashedPath function of
gdiplus.dll that is responsible for bitmap drawing and other 2d graphic
rendering.
EMF+ file is one of the image file format that is rendered by the
library. And the vulnerability is based on some floating point
calculation of an EMF+ path object.
We made the following proof of concept to trigger the issues and it will
be explained more:
A little taste of file format we simply put a EMF_COMMENT record (id =
0x00000046) and embed and emf+ geraphic object ( id = 0x00004008 ) .
For simplicity we ripped out a valid graphic object from another file
and started to play with it. The record have two important area that we
highlighted them in the above picture.

Here is the faulty code:
.text:4ECFCBAD loc_4ECFCBAD:
.text:4ECFCBAD                 mov     eax, esi
.text:4ECFCBAF                 shl     eax, 3
.text:4ECFCBB2                 cmp     [ebp+lpMem], 0
.text:4ECFCBB6                 push    eax             ; dwBytes
.text:4ECFCBB7                 jz      short loc_4ECFCBCE
.text:4ECFCBB9                 push    [ebp+lpMem]     ; lpMem
.text:4ECFCBBC                 call    GpRealloc(x,x)
.text:4ECFCBC1                 test    eax, eax
.text:4ECFCBC3                 jz      loc_4ECFCCDB
.text:4ECFCBC9                 mov     [ebp+lpMem], eax
.text:4ECFCBCC                 jmp     short loc_4ECFCBDE
.text:4ECFCBCE ;
---------------------------------------------------------------------------
.text:4ECFCBCE
.text:4ECFCBCE loc_4ECFCBCE:
.text:4ECFCBCE                 call    GpMalloc(x)
.text:4ECFCBD3                 test    eax, eax
.text:4ECFCBD5                 mov     [ebp+lpMem], eax
.text:4ECFCBD8                 jz      loc_4ECFCCDB

The above code uses the eax register as arguments to the GpMalloc
function. GpMalloc is simply a gdi version of heapAlloc function. The
value of eax register is based on various floating point calculation
that is not simple to examine at first look.But I traced the value of
eax register and it seems the calculations are based on our values
mentioned earlear in the file.
And it doesn�t bound checked well, by changing the path value tricky it
is possible when the �shr 	eax, 3� instruction multiply the value by 8
we get an integer overflow and in turn a faulty heap allocation.
I dynamically traced the values with my proof of concept file. Eax
register is equall to eax + [ebp-38] * 10 and as there are a lot of
values and calculations before that, for better consideration
I made the following diagram:


It took a lot of time explanation of all of the variables above but, the
important one is the GpPath object that is in the code a clone of the
object is made to later be manipulated for drawings.

.text:4ECFC9D9 loc_4ECFC9D9:                           ; CODE XREF:
GpPath::CreateDashedPath(DpPen const *,GpMatrix const
*,float,float,float,int)+1AAj
.text:4ECFC9D9                 fld     dword ptr [esi+eax*4]
.text:4ECFC9DC                 fmul    [ebp+arg_0]
.text:4ECFC9DF                 fstp    dword ptr [esi+eax*4]
.text:4ECFC9E2                 inc     eax
.text:4ECFC9E3                 cmp     eax, [ebp+arg_4]
.text:4ECFC9E6                 jl      short loc_4ECFC9D9
.text:4ECFC9E8
.text:4ECFC9E8 loc_4ECFC9E8:
.text:4ECFC9E8                 mov     ecx, [ebp+var_18] ; Src
.text:4ECFC9EB                 call    GpPath::Clone(void)
.text:4ECFC9F0                 mov     edi, eax
.text:4ECFC9F2                 test    edi, edi
.text:4ECFC9F4                 jz      loc_4ECFCDBA
.text:4ECFC9FA                 mov     eax, [edi]
.text:4ECFC9FC                 mov     ecx, edi
.text:4ECFC9FE                 call    dword ptr [eax+4]

After calling the clone, it checks whether it is a valid clone or not at
address 4ECFC9FE.
The offset +34h of the object contains a pointer to our 4byte path
object values.

0:000> dd ecx
0e03ca50  4ec67e58 68745031 00000000 00000000
0e03ca60  0e03ca74 0e03ca74 00000010 00000010
0e03ca70  00000002 00000100 00000000 00000000
0e03ca80  00000000 0e03ca98 0e03ca98 00000010
0e03ca90  00000010 00000002 449a8eab 458ac500
0e03caa0  449a8eab 4e0000fe 00000000 00000000
0e03cab0  00000000 00000000 00000000 00000000
0e03cac0  00000000 00000000 00000000 00000000

Our floating point values in the file format:
0e03ca98  449a8eab 458ac500 449a8eab 4e0000fe
0e03caa8  00000000 00000000 00000000 00000000

But there are some modifications on our values before we get the faulty
code. First after the clone is performed GpPath::Flatten function made
some changes
to our values based on a transform matrix in the file. So this is cause
of the highlighted 6 DWORDs in the file.���

.text:4ECFC9FE                 call    dword ptr [eax+4]
.text:4ECFCA01                 test    eax, eax
.text:4ECFCA03                 jz      loc_4ECFCDBA
.text:4ECFCA09                 fld     ds:flt_4ECB80FC
.text:4ECFCA0F                 push    ecx             ; float
.text:4ECFCA10                 lea     eax, [ebp+var_F8]
.text:4ECFCA16                 fstp    [esp+108h+var_108]
.text:4ECFCA19                 push    eax             ; int
.text:4ECFCA1A                 mov     ecx, edi
.text:4ECFCA1C                 call    GpPath::Flatten(GpMatrix const
*,float)
.text:4ECFCA21                 cmp     [ebp+var_2C], 0

Flattened GpPath object values:
0:000> dd poi(edi+34)
0e03cd18  449a7eab 458ac100 449a7eab 4e0000fd
0e03cd28  00000000 00000000 00000000 00000000

And after that our changed GpPath object is sent to
calculateGradiantArray and some array of floating point values are made
based on its calculation.
There are many other default floating point values has effects on the
value of the overflowing size for GpMalloc that are not so interesting
and I�ve just shown them on the diagram.
After the calculation integer wrapped, the heap allocated by the
gpMalloc function is not big enough to hold our data. So in next uses of
the wrapped allocated heap the corruption occurs.
But it seems there is not a straight way of exploiting such heap
corruptions using a standalone file. .

 feel free to contact us at : info [at] abysssec.com

PoC link   : http://abysssec.com/files/GDI_PoC.zip
PoC Mirror : https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17544.zip (GDI_PoC.zip)