Post on 19-Dec-2015
IBM Global Services
© Copyright IBM Corporation 2007
IBM Internet Security Systems. Ahead of the threat.™
© 2005 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.
Media Frenzy: Attacking the Windows Media Framework
CansecWest 2008
Mark Dowd, John McDonald (IBM ISS X-Force R&D)
March 2008
IBM Internet Security Systems
© Copyright IBM Corporation 2007. IBM Internet Security Systems X-Force Preemptive Protection
INTRODUCTION
Media Software
Why worry about media software?
- Multimedia content is at an all-time high
  – Internet stealing: movies / TV shows / MP3s
  – Streaming media (http://www.di.fm and the like)
  – Podcasts, VOIP
  – Video clips (YouTube, http://videos.google.com, etc.)
  – Embedded content in documents, web pages, emails, etc.
- Everyone uses media software
  – Ubiquitous client-side vector
Media Software Security
Is media software secure?
  – Almost definitely maybe (probably)
Ok, no.
- Contributing factors
  – Changes fast, with new technologies and rapid expansion
  – Content is nearly always untrusted
  – Few people worry about getting owned while watching video
  – Note: Microsoft code is officially Internet Not Horrible™. Third party code FTW!
Media Software Security
- Large, nuanced attack surface
  – Media file formats are often containers for arbitrary data streams
  – Complex data flow: processing is handed off to any number of possible codecs
  – Extensive set of codecs available on a default system
    Example: MPEG1, MPEG2, MP3, MP4S, SAMI, many others…
  – Most users install additional ones
    Example: DivX/XviD, AAC, ffdshow
- Not enough security research into this topic
  – Existing research focuses on file formats and fuzzing
  – Prior work by David Thiel at Black Hat 2007
    (https://www.blackhat.com/presentations/bh-usa-07/Thiel/Presentation/bh-usa-07-thiel.pdf)
  – Easy for fuzzers to miss large chunks of functionality
  – Discovering attack surface and codecs is non-trivial
Our Focus
- What we will cover
  – Media software built for Windows, focusing on DirectShow
  – Enumeration of registered codecs on a given system
  – How to audit a typical codec
- What we won't cover
  – Video For Windows, DMO, MF, Silverlight (sorry, not enough time!)
  – Playback software/codecs for Unix, VLC, QuickTime
  – Fuzz-testing
  – Databases
  – Diabetes
  – The Hanseatic League circa 1432
DIRECTSHOW
"Pwn" -- security slang for compromising, or owning, a computer system -- is pronounced like the "pon" in pony.
DirectShow Overview
- Media processing framework for Windows
  – Playing media files
  – Conversion between formats
  – Media capture
  – Central registry
- Supports multiple A/V compression and file formats
  – Easily extended to add support for new types of media
  – AVI, WMF, ASF, MPEG2, etc.
- Internally uses DirectSound/DirectDraw/Direct3D/etc.
  – Interfaces with various hardware
- Modular architecture
  – Built on COM
DirectShow Overview II
- Basic building block: the Filter
  – COM object that implements the IFilter interface
- You link filters together to perform various tasks
  – Create a filter graph
- Filters have input pins and output pins
  – Connect output pins to input pins
DirectShow Overview II – Media File Exposure
[Diagram: exposure of standard graphic files vs media files]
  Graphic file:  Graphic File -> Graphic Parser (exposed code)
  Media file:    Media File -> Source Filter -> Splitter Filter -> Video Codec Filter -> Video Rendering Filter
                                                                -> Audio Codec Filter -> Audio Rendering Filter
  (exposed code: the parsing and codec filters the media file reaches)
Filters
- Data enters the filter graph through a Source Filter
  – Provides input data from a file, URL, or device
  – Typically one output pin
- Data leaves the filter graph through a Renderer Filter
  – Delivers data to the user, a device, or a file
  – Typically one input pin
Filters III
- Media files are typically parsed by a Splitter Filter
  – A Splitter Filter, or demultiplexor, takes input data and splits it into multiple separate output streams
  – Typically one input pin and two or more output pins
- A Mux Filter, or multiplexor, is the logical opposite
  – Takes separate constituent streams and joins them together into a single output
  – Used to create media files
Transform Filters
- Transform Filters do the rest of the data processing
  – Exactly one input and one output
- Codec Filters
  – Used for compressing or decompressing data with codecs
- Conversion Filters
  – Take data in one format and output data in another format
  – Color schemes or image scaling
Data Flow
Data flows downstream from an output pin to an input pin
Two models for data flow between pins: push and pull
- Push: the upstream filter prepares a buffer full of data and then delivers it to the downstream filter
  – Useful when there is a linear stream of data going from one filter to the next
  – Default model, more complicated
- Pull: the downstream filter directly requests certain data from its upstream filter
  – Used when a downstream filter needs random access to the upstream's data
  – Generally used for splitter filters that need to parse files
graphedt and the Filter Graph
- GraphEdt.exe (in the Windows SDK)
  – Lets you experiment with filter graphs
  – Instantiate and connect filters installed on your system
  – See the filters chosen to render a given file
Filter Graph Manager
The Filter Graph Manager controls all of the filters, and is responsible for:
  – Choosing, initializing, and connecting the filters (more on this later)
  – Maintaining a reference clock: all of the filters use the clock to stay in lockstep
  – Synchronizing the filter actions: start, pause, and stop
- Apps call the Filter Graph Manager
  – which sets up and calls the filters
FINDING TARGETS
How do codecs get selected, anyway?
- We need to define the attack surface before auditing
  – Enumerating codecs on a system
  – Determining which codecs are reachable through remote vectors (such as malicious AVI files)
  – Knowing which codec will be selected upon collision
- DirectShow Filters are looked up in the registry by CLSID
  – Filters are organized by category
  – Quite a few categories available (http://msdn2.microsoft.com/en-us/library/ms783347(VS.85).aspx)
  – The only interesting category for us is "DirectShow Filters" (CLSID_LegacyAMFilterCategory)
  – Location in the registry is HKEY_CLASSES_ROOT\<Category CLSID>\Instance
  – The "Instance" subkey contains a collection of CLSID subkeys corresponding to registered filters
How do codecs get selected, anyway? (figure slide)

How do codecs get selected, anyway? (continued)
Each input pin for a filter accepts data of a certain media type
  – Filters are instantiated one by one
  – Pins are queried using CBasePin::CheckMediaType()
  – Filters are sorted in order of priority ("merit value")
  – Some filters don't participate in this process at all (merit <= MERIT_DO_NOT_USE)
  – Once a filter is connected successfully to the filter graph, the process starts again
  – The connected filter will create 0 or more output pins; their media type is retrieved with CBasePin::GetMediaType()
- Media type negotiation is done with AM_MEDIA_TYPE structures
  – Data structure that fully describes a media type for a given stream
  – Uses GUIDs for distinguishing both the media type and additional information pertaining to that type
  – Typing information might be implicit (such as MPEG2 Video for MPEG files), or user specified (streams in an AVI file)
struct _AM_MEDIA_TYPE
  – majortype: general type of data (e.g. video (MEDIATYPE_Video), audio, opaque stream, text, etc.)
  – subtype: specific type of data (e.g. DIVX, MP4S, audioone)
  – bFixedSizeSamples, lSampleSize: for fixed sample sizes
  – bTemporalCompression: interframe compression
  – formattype, cbFormat, pbFormat: type, length, and pointer for the format block
Format Block Examples (figure slide)
Type Codes
- Media types use FourCC codes
  – Many container formats identify streams with FourCC codes instead of GUIDs
  – Typically located in a stream header
  – For video streams, the DWORD is 4 ASCII characters that represent the stream type
  – For audio streams, an integer is used
  – GUID is derived by adding the constant "0000-0010-800000AA00389B71"
  – E.g. "divx" = {64697678-0000-0010-800000AA00389B71}
  – Common FourCC codes are available at http://www.fourcc.org
Example FourCC codes (taken from http://www.fourcc.org)
FourCC Owner Description
3ivx 3IVX MPEG-4 based codec
H264 Intel H264 video codec
MJPG Microsoft Motion-JPEG codec
WMVx Microsoft Windows Media Video x
Xvid Xvid.org MPEG-4 based decoder
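The FourCC-to-GUID mapping described above, as an added example that is not part of the original slides. It mirrors what the FOURCCMap helper in the DirectShow base classes does, but the struct and functions here are our own and build without the Windows SDK; the tail bytes are the constant quoted on the slide, written out in GUID field order.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Same layout as the Win32 GUID structure (defined here so the code builds anywhere).
struct Guid {
    uint32_t data1;
    uint16_t data2;
    uint16_t data3;
    uint8_t  data4[8];
};

// Constant tail shared by every FourCC-derived subtype: ...-0000-0010-8000-00AA00389B71.
static const uint8_t kFourCCTail[8] = { 0x80, 0x00, 0x00, 0xAA, 0x00, 0x38, 0x9B, 0x71 };

// The DWORD a container stores for a video stream: four ASCII bytes read little-endian,
// so the first character ends up in the low-order byte (this is what MAKEFOURCC does).
constexpr uint32_t MakeFourCC(char a, char b, char c, char d) {
    return (uint32_t)(uint8_t)a | ((uint32_t)(uint8_t)b << 8) |
           ((uint32_t)(uint8_t)c << 16) | ((uint32_t)(uint8_t)d << 24);
}

// FourCC -> media subtype: the tag becomes Data1 and the constant tail is appended.
Guid SubtypeFromFourCC(uint32_t fourcc) {
    Guid g;
    g.data1 = fourcc;
    g.data2 = 0x0000;
    g.data3 = 0x0010;
    memcpy(g.data4, kFourCCTail, sizeof g.data4);
    return g;
}

// Media subtype -> FourCC. Returns false for GUIDs that do not follow the template,
// which lets a codec-enumeration tool separate FourCC subtypes from fixed GUIDs.
bool FourCCFromSubtype(const Guid& g, char out[5]) {
    if (g.data2 != 0x0000 || g.data3 != 0x0010 || memcmp(g.data4, kFourCCTail, 8) != 0)
        return false;
    for (int i = 0; i < 4; ++i)
        out[i] = (char)((g.data1 >> (8 * i)) & 0xFF);
    out[4] = '\0';
    return true;
}

bool IsFourCCSubtype(const Guid& g) { char scratch[5]; return FourCCFromSubtype(g, scratch); }

// Registry-style spelling. Data1 is printed as a number, so the in-memory bytes of
// "divx" (64 69 76 78) show up byte-reversed as 78766964.
std::string GuidToString(const Guid& g) {
    char buf[40];
    snprintf(buf, sizeof buf, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
             (unsigned)g.data1, (unsigned)g.data2, (unsigned)g.data3,
             g.data4[0], g.data4[1], g.data4[2], g.data4[3],
             g.data4[4], g.data4[5], g.data4[6], g.data4[7]);
    return buf;
}

// Round trip for a four-character tag; false if the tag does not survive the mapping.
bool RoundTrips(const char tag[4]) {
    char back[5];
    Guid g = SubtypeFromFourCC(MakeFourCC(tag[0], tag[1], tag[2], tag[3]));
    return FourCCFromSubtype(g, back) && memcmp(back, tag, 4) == 0;
}

int main() {
    const char* tags[] = { "divx", "XVID", "MJPG", "H264", "YUY2" };
    for (const char* t : tags)
        printf("%s -> %s\n", t, GuidToString(SubtypeFromFourCC(MakeFourCC(t[0], t[1], t[2], t[3]))).c_str());
    return 0;
}
```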
Matching the media types yourself…
Enumerating available codecs involves identifying those with media types accessible to you
  – FourCC-based media types can all be reached from AVI files
  – Examining the CheckInputType() function for an input pin can determine what types a codec will accept
  – The "FilterData" key present for many codecs also gives this valuable information away
- A more precise method: programmatically querying the registry
  – Programmatic method for enumerating filters based on various properties
  – Achieved with the FilterMapper2 COM object (http://msdn2.microsoft.com/en-us/library/ms787861(VS.85).aspx)
  – Select filters by merit, input/output pin count, input/output pin types and more
  – Can also enumerate pins by category using the device enumerator (the SystemDeviceEnum COM object, http://msdn2.microsoft.com/en-us/library/ms787871(VS.85).aspx)
AUDITING DIRECTSHOW
“Hey, I’m just the doctor – I don’t make the needles sharp.”
- Alan Johnson, Peep Show
Auditing Overview
- Attacking media software
  – Attack surface
  – Data flow
- Auditing DirectShow components
  – Source Filters
  – Splitter Filters
  – Transform Filters
- Complex attacks
  – Desynchronization attacks
  – Dynamic format changes
  – Exploitation
Media File Attack Surface
- How do you attack media software?
  – Provide a malicious file
  – Embed media content: web pages, Flash, OLE, etc.
- What's in a media file?
  – Streams: video, audio, text (subtitles), or other data
  – Media data: raw or compressed, split among various types of frames (key and interpositional)
  – Meta-information: describes how to parse, decompress, navigate, and render the media data
Media File Attack Surface
Meta-information is your primary target
  – Header information for the file as a whole
  – Record and layout information for the file
  – Header information for each stream: length, width, bit depth, sample size, bitrate, buffer size, allocation size
  – Meta-information for each media sample
  – Index information
  – Chronological information for changes in format and synchronization
  – Actual compression meta-data
Various levels, pertinent to different filters
Example of Propagation -> AVI
Your primary task as an auditor will be tracing the flow of meta-information data throughout the system.
[Diagram: AVI file "strf" format block -> media type format block -> media type dimensions -> allocator properties -> media sample]
Propagation of data
- Filter to filter (push model)
  – Data handed over in media samples
  – Typically fixed-size buffers; size decided on negotiation
- Allocator
  – The connected pins choose and configure an allocator
- Upstream gets an empty media sample from the allocator
  – Fills out data, sets the used length, ships it
- Downstream gets the media sample
  – Extracts data and processes it
Media Samples
Core concept: media samples
- Generic encapsulation object
  – Implements IMediaSample
- Abstraction used because data can live somewhere "complicated"
  – Video memory, DMA, sound card buffers, etc.
- A media sample has:
  – underlying data
  – a time stamp
  – a media type (if there is a change)
Media Samples
Upstream (writes)                                   Media sample content               Downstream (reads)
SetTime() / SetMediaTime()                          Times that the sample covers       GetTime() / GetMediaTime()
SetMediaType()                                      Media type, if the format changed  GetMediaType()
GetPointer()                                        Underlying buffer                  GetPointer()
GetSize()                                           Size of buffer                     GetSize()
SetActualDataLength()                               Actual size of data in buffer      GetActualDataLength()
SetDiscontinuity() / SetPreroll() / SetSyncPoint()  Special sample characteristics     IsDiscontinuity() / IsPreroll() / IsSyncPoint()
Worst Diagram Ever Made (figure slide)
Source Filters
- Responsible for providing data from the media source
  – Typically a file or URL
- Upstream of a splitter filter
  – Output pin implements IAsyncReader
  – Typically uses the pull model for random access
- General dataflow (pull model)
  1. The splitter decides what it needs to read next
  2. It allocates or resizes a buffer locally, if necessary (no formal allocator)
  3. The splitter calls SyncRead() on the upstream output pin
  4. The splitter processes the data placed into its local buffer by the upstream filter
Source Filters
- Load()
  – Loads media (called by the filter graph manager)
  – Audit protocol parsing code: low-level parsing issues
- Output pin implements IAsyncReader
  – Async: Request() / WaitForNext() with a media sample
  – Sync: SyncRead() / SyncReadAligned() with local memory
- Look for design problems
  – Requests across security domains
Splitter Filters
- Parse the media file and extract streams
  – Pass them to downstream filters
- File parsing
  – Typically has constructions susceptible to numeric issues, such as length-prefixed blocks, etc.
  – Look for underflows, wraps, etc.
  – AVI/WAV recently had such an issue (http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx)
  – ISS X-Force disclosed such a bug also (http://www.microsoft.com/technet/security/Bulletin/MS07-068.mspx)
  – Discovered by Alex Wheeler and Ryan Smith (internet partners in crime)
- Dynamic format changes
  – Attaching a media type to a media sample
File Parsing Example – AVI Splitter
- File parsing bug in super-index processing
  – Undisclosed, but innocuous
- AVI files have indexes
  – Offset/length pairs, and flags
- They can have super-indexes
  – Point to all the indexes in the file
  – Offset/length pairs
- Validity of offset/length never checked
  – Internal validity of super-index and sub-index entries checked
  – Length can be pathologically small
  – Causes existing memory contents to be parsed as an index
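The super-index to sub-index indirection just described, with the checks a splitter needs before trusting an entry, as an added example that is not the AVI splitter's code. The record layouts are simplified stand-ins loosely modelled on the OpenDML index chunks (field names are ours), and the "file" is a constructed in-memory byte vector.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Simplified stand-ins for the OpenDML super-index / sub-index records; field names are ours.
struct SuperIndexEntry { uint64_t offset; uint32_t size; uint32_t duration; };  // points at one sub-index
struct SubIndexHeader  { uint32_t fcc; uint32_t cb; uint32_t entriesInUse; uint64_t baseOffset; };
struct SubIndexEntry   { uint32_t offset; uint32_t size; };                       // one chunk in the file

enum class IndexStatus { Ok, OffsetOutOfFile, LengthTooSmall, EntryCountExceedsLength };

// The pattern the slide describes: one local buffer is reused for every index read and
// the super-index length is trusted. If 'size' is smaller than the header, the fields
// beyond it are whatever the previous read left behind, and they get parsed anyway.
uint32_t NaiveEntriesInUse(const std::vector<uint8_t>& file, const SuperIndexEntry& e,
                           std::vector<uint8_t>& scratch) {
    memcpy(scratch.data(), file.data() + e.offset, e.size);   // no validation of offset or size
    SubIndexHeader hdr;
    memcpy(&hdr, scratch.data(), sizeof hdr);
    return hdr.entriesInUse;
}

// Defensive version: validate the super-index entry before anything is interpreted.
IndexStatus LoadSubIndex(const std::vector<uint8_t>& file, const SuperIndexEntry& e,
                         std::vector<uint8_t>& scratch, SubIndexHeader& hdr) {
    // 1. The range must lie inside the file; subtract rather than add so it cannot wrap.
    if (e.offset > file.size() || e.size > file.size() - e.offset)
        return IndexStatus::OffsetOutOfFile;
    // 2. The read must at least cover the header we are about to parse.
    if (e.size < sizeof(SubIndexHeader))
        return IndexStatus::LengthTooSmall;
    if (scratch.size() < e.size) scratch.resize(e.size);
    memcpy(scratch.data(), file.data() + e.offset, e.size);
    memcpy(&hdr, scratch.data(), sizeof hdr);
    // 3. The entry table announced by the header must fit in the bytes actually read
    //    (64-bit product, so a huge entriesInUse cannot wrap the comparison).
    uint64_t need = sizeof(SubIndexHeader) + (uint64_t)hdr.entriesInUse * sizeof(SubIndexEntry);
    if (need > e.size)
        return IndexStatus::EntryCountExceedsLength;
    return IndexStatus::Ok;
}

// Constructed 256-byte "file" holding one valid sub-index with two entries at offset 64.
std::vector<uint8_t> BuildSampleFile() {
    std::vector<uint8_t> f(256, 0);
    SubIndexHeader h = {};
    h.fcc = 0x30307869;                                            // 'ix00' as a little-endian DWORD
    h.entriesInUse = 2;
    h.cb = sizeof(SubIndexHeader) - 8 + 2 * sizeof(SubIndexEntry);
    SubIndexEntry ents[2] = { { 0x100, 0x40 }, { 0x140, 0x40 } };
    memcpy(f.data() + 64, &h, sizeof h);
    memcpy(f.data() + 64 + sizeof h, ents, sizeof ents);
    return f;
}

// Runs the defensive reader for one super-index entry against the sample file.
IndexStatus Check(uint64_t offset, uint32_t size) {
    std::vector<uint8_t> file = BuildSampleFile();
    std::vector<uint8_t> scratch(256, 0xCC);   // stale contents left by a "previous" index
    SubIndexHeader hdr;
    SuperIndexEntry e = { offset, size, 0 };
    return LoadSubIndex(file, e, scratch, hdr);
}

// Same entry through the naive reader (only meaningful for an in-file range).
uint32_t NaiveCheck(uint64_t offset, uint32_t size) {
    std::vector<uint8_t> file = BuildSampleFile();
    std::vector<uint8_t> scratch(256, 0xCC);
    SuperIndexEntry e = { offset, size, 0 };
    return NaiveEntriesInUse(file, e, scratch);
}
```

With a super-index length of 8 the naive reader reports 0xCCCCCCCC entries (the stale bytes), while the defensive reader refuses the entry before parsing it.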
Splitter Filter – Media Type Construction
- Splitter filters construct a media type
  – Communicates the format of the data to downstream filters
  – Derived from meta-information in the media file
  – Possibly read verbatim (AVI strf)
- Some high-level validation is typically performed
  – Constrains our attacks on transform filters
  – AVI: performed on BMI format blocks, but not others
  – Private data after the BMI is not validated
- Consider the effects of mixing and matching (codec hell)
  – A different splitter that performs less or different validation
  – A different downstream filter that assumes different validation
Splitter Filter – AVI Splitter Validation (figure slide)
Transform Filters
- Transform Filters are your most common target
  – Single input stream and single output stream
  – Usually decompressing a compressed stream
  – Most codecs you download are of this type (DivX, AAC, AC3, M4S…)
- The CTransformFilter class is used to simplify codec development
  – Source is in the Windows SDK (samples\Multimedia\DirectShow\BaseClasses\transfrm.h)
  – Handles pin negotiation
  – Moves processing into various functions in CTransformFilter
  – Developer overrides/implements these functions
Transform Filters II – Areas of Interest
- Input media type processing/validation
  – CheckInputType()
  – Gotcha: negative height
- Output media type processing/validation
  – CheckTransform()
- Allocator configuration
  – DecideBufferSize()
- Main data processing
  – Transform()
  – SetActualDataLength()
Transform Filters – Media Type Negotiation
- CheckInputType()
  – Called by CTransformInputPin::CheckMediaType()
  – Inspects the media type and the encapsulated format block
  – Check for integer overflows (e.g. width * height * color depth for video, nchannels * bitrate for audio)
  – Check for special cases (negative height in BMI)
  – Discover what sanity checks are needed for this filter to accept the proposal
- CheckTransform()
  – Called by CTransformOutputPin::CheckMediaType()
  – Determines if the filter can convert the input MT to the provided MT
  – Output type is usually derived from the input type
  – Similar issues to what you would look for in CheckInputType()
Transform Filters – CheckInputType() Example (two figure slides)
Transform Filters – Allocator Configuration
- After media types are decided, the output pin chooses an allocator
- An allocator is responsible for:
  – Provisioning empty media samples
  – Tracking media samples with reference counters
  – Freeing and/or recycling media samples
- Allocators typically allocate a pool of media samples and hand them out as they are needed.
- Also be aware of internal allocations
  – Occur after configuration of media types
  – No use of the formal allocator/sample mechanism
  – Example: Xvid, ffdshow library wrappers
Transform Filters – Allocator Configuration
- DecideBufferSize()
  – Caller provides an ALLOCATOR_PROPERTIES structure
  – Used by the output pin to configure the allocator
  – Note: allocation isn't completed until later…
- ALLOCATOR_PROPERTIES structure
  – cBuffers: number of buffers created by the allocator
  – cbBuffer: size of each buffer in bytes, excluding prefix
  – cbAlign: alignment of buffer
  – cbPrefix: each buffer is preceded by a prefix of this many bytes
Transform Filters – Allocator Example (figure slide)
Transform Filters – Main Data Processing
- Auditing the data processor
  – A large portion of the time, it's doing decompression
  – Decompression makes something small into something large
  – Does this seem like the sort of thing we'd be interested in? :>
  – What to look for depends very much on what the codec does
  – Compressed streams with invalid Huffman codes
  – Additional metadata in headers that isn't correctly sanitized
- Where to look
  – Receive() for filters using the push model, Transform() for transform filters
  – Function decodes input into a (pre-allocated) buffer
  – IMediaSample::GetPointer(): offset 0x0c in the IMediaSample vtable
  – IMediaSample::GetActualDataLength(): offset 0x2c in the IMediaSample vtable
Transform Filters – Data Processing Example (figure slide)
Format Block Desynchronization
Information is often duplicated in multiple places
If it is sourced from two or more separate user-malleable places, internet chaos™ can ensue
- Format blocks often appear out-of-band
  – Format block describes a specific stream, but is not part of that stream
  – Recall the AVI "strf" chunk
  – Also happens with ASF
  – For video, the BITMAPINFOHEADER structure is used (height, width, color depth, palette, etc.)
  – For audio, WAVEFORMATEX (channels, bitrate, etc.)
Format Block Desynchronization
- Many stream formats also provide similar information
  – Often contain prevalent information in-band also
  – Example: DivX contains height/width information in band (as well as many other parameters)
- If values are inconsistent, there is the potential for vulnerabilities
  – Usually, output buffers are allocated based on sizes in the format block
  – If values within the stream are then used during sample copies, the potential for buffer overflows and such exists
- In-band values also have had no prior sanity checking
  – Some codecs might correctly allocate buffers reflecting the sizes indicated by the in-band headers, rather than the format block
  – Still potential for vulnerabilities due to integer overflows and such
  – This is less of a problem with format blocks, as the splitter filters often do some verification
  – Output buffers and sample sizes have already been determined, so new information can conflict with that
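The three CTransformFilter hooks covered over the last few slides (CheckInputType(), DecideBufferSize(), Transform()) together with the format-block / in-band consistency check described here, as an added example that is not part of the original slides or of the DirectShow base classes. It builds without the Windows SDK: BitmapInfoHeader and AllocatorProperties copy the Win32 field names, InBandHeader is a constructed stand-in for a codec's per-frame header, and the 256 MB cap is our own policy.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct BitmapInfoHeader {              // field names follow the Win32 BITMAPINFOHEADER
    uint32_t biSize; int32_t biWidth; int32_t biHeight; uint16_t biPlanes; uint16_t biBitCount;
    uint32_t biCompression; uint32_t biSizeImage; int32_t biXPelsPerMeter; int32_t biYPelsPerMeter;
    uint32_t biClrUsed; uint32_t biClrImportant;
};
struct AllocatorProperties { long cBuffers; long cbBuffer; long cbAlign; long cbPrefix; };  // as ALLOCATOR_PROPERTIES
struct InBandHeader { uint32_t width; uint32_t height; };  // constructed stand-in for a codec's per-frame header
struct MediaSample { std::vector<uint8_t> buf; size_t actualLength = 0; };

static const uint64_t kMaxImageBytes = 256u << 20;   // our own policy cap, not a DirectShow value

// What a careless CheckInputType() computes: a 32-bit product that silently wraps.
uint32_t NaiveImageBytes(const BitmapInfoHeader& b) {
    return (uint32_t)b.biWidth * (uint32_t)b.biHeight * b.biBitCount / 8;
}

// Uncompressed frame size with the checks the talk asks for: positive width, non-zero
// height (negative means bottom-up, and INT32_MIN has no positive counterpart), a known
// bit depth, DWORD-aligned rows, and a 64-bit product held under a cap.
bool ImageBytes(const BitmapInfoHeader& b, uint64_t& out) {
    if (b.biWidth <= 0 || b.biHeight == 0 || b.biHeight == INT32_MIN) return false;
    if (b.biBitCount != 8 && b.biBitCount != 16 && b.biBitCount != 24 && b.biBitCount != 32) return false;
    uint64_t height = (uint64_t)(b.biHeight < 0 ? -(int64_t)b.biHeight : (int64_t)b.biHeight);
    uint64_t stride = (((uint64_t)b.biWidth * b.biBitCount + 31) / 32) * 4;
    out = stride * height;
    return out <= kMaxImageBytes;
}

// Hook 1: accept or reject the proposed input format block.
bool CheckInputType(const BitmapInfoHeader& b) { uint64_t n; return ImageBytes(b, n); }

// Hook 2: size the output allocator from the negotiated format block.
bool DecideBufferSize(const BitmapInfoHeader& b, AllocatorProperties& p) {
    uint64_t n;
    if (!ImageBytes(b, n)) return false;
    p.cBuffers = 1; p.cbBuffer = (long)n; p.cbAlign = 1; p.cbPrefix = 0;
    return true;
}

// Hook 3: decode one frame into the pre-allocated sample. The in-band header arrives
// inside the stream and may disagree with the format block the buffer was sized from;
// the copy is bounded by the sample's real size, never by the in-band dimensions alone.
bool Transform(const InBandHeader& h, const BitmapInfoHeader& negotiated, MediaSample& out) {
    uint64_t frameBytes;
    if (!ImageBytes(negotiated, frameBytes) || frameBytes > out.buf.size()) return false;
    uint64_t negHeight = (uint64_t)(negotiated.biHeight < 0 ? -(int64_t)negotiated.biHeight
                                                            : (int64_t)negotiated.biHeight);
    if (h.width != (uint64_t)negotiated.biWidth || h.height != negHeight) return false;  // desynchronised: drop
    memset(out.buf.data(), 0x80, (size_t)frameBytes);   // stand-in for the real decode
    out.actualLength = (size_t)frameBytes;              // SetActualDataLength()
    return true;
}

// Whole negotiation for one format block / frame header pair; 0 means the pair was rejected.
size_t PipelineBytes(const BitmapInfoHeader& fmt, const InBandHeader& frame) {
    AllocatorProperties props;
    if (!CheckInputType(fmt) || !DecideBufferSize(fmt, props)) return 0;
    MediaSample s;
    s.buf.assign((size_t)props.cbBuffer, 0);
    return Transform(frame, fmt, s) ? s.actualLength : 0;
}

BitmapInfoHeader MakeBmi(int32_t w, int32_t h, uint16_t bpp) {
    BitmapInfoHeader b = {};
    b.biSize = sizeof b; b.biWidth = w; b.biHeight = h; b.biPlanes = 1; b.biBitCount = bpp;
    return b;
}

int main() {
    printf("640x-480 @24bpp, matching frame: %zu bytes\n", PipelineBytes(MakeBmi(640, -480, 24), InBandHeader{640, 480}));
    printf("65536x65536 @32bpp: naive size=%u, accepted=%d\n",
           NaiveImageBytes(MakeBmi(65536, 65536, 32)), (int)CheckInputType(MakeBmi(65536, 65536, 32)));
    return 0;
}
```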
Format Block Desynchronization (figure slide)
Exploitation Ideas
- Media buffer allocations
  – Default allocator uses VirtualAlloc()
  – Could be problematic
- Priming memory
  – Relatively plausible
  – Fairly arbitrary sized allocations in many filters
- DLL loading for fun and profit
  – You specify the stream type, you specify the codecs
  – DLL loaded as a result
  – Good for SEH handler tables, ASLR, etc.
- Precision timing of exploitation
  – Filter graph maintains a reference clock
  – Synchronizing multiple streams
  – Sounds useful for dialing in: multi-threaded execution, concurrent allocation behaviors
Parting Thoughts
Watch out for some disclosures…
- Fertile ground for bug hunting
  – Plenty of code left to audit
  – More written all the time: TiVo, Roxio, QuickTime, Nero, Xvid, etc.
- Auditing DMO, MF, and other media software
  – Knowledge will transfer well: similar data structures and ideas
Thank you!
markdowd@au1.ibm.com, jrmcdona@us.ibm.com (IBM ISS X-Force R&D)