Media Frenzy: Attacking the Windows Media Framework

CansecWest 2008

Mark Dowd, John McDonald
IBM ISS X-Force R&D

March 2008

IBM Global Services. IBM Internet Security Systems: Ahead of the threat.™
© Copyright IBM Corporation 2007. © 2005 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.



INTRODUCTION


Media Software

Why worry about media software?

Multimedia content is at an all-time high
– Internet stealing: movies / TV shows / mp3's
– Streaming media (http://www.di.fm and the like)
– Podcasts, VOIP
– Video clips (YouTube, http://videos.google.com, etc.)
– Embedded content in documents, web pages, emails, etc.

Everyone uses media software
– Ubiquitous client-side vector


Media Software Security

Is media software secure?
– Almost definitely maybe (probably)

Ok, no.

Contributing factors
– Changes fast, with new technologies and rapid expansion
– Content is nearly always untrusted
– Few people worry about getting owned while watching video
– Note: Microsoft code is officially Internet Not Horrible™. Third party code FTW!


Media Software Security

Large, nuanced attack surface
– Media file formats are often containers for arbitrary data streams
– Complex data flow: processing is handed off to any number of possible codecs
– Extensive set of codecs available on a default system
  Example: MPEG1, MPEG2, MP3, MP4S, SAMI, many others…
– Most users install additional ones
  Example: DivX/XviD, AAC, ffdshow

Not enough security research into this topic
– Existing research focuses on file formats and fuzzing
– Prior work by David Thiel at Blackhat 2007
  (https://www.blackhat.com/presentations/bh-usa-07/Thiel/Presentation/bh-usa-07-thiel.pdf)
– Easy for fuzzers to miss large chunks of functionality
– Discovering attack surface and codecs is non-trivial


Our Focus

What we will cover
– Media software built for Windows, focusing on DirectShow
– Enumeration of registered codecs on a given system
– How to audit a typical codec

What we won't cover
– Video For Windows, DMO, MF, Silverlight (sorry, not enough time!)
– Playback software/codecs for Unix, VLC, Quicktime
– Fuzz-testing
– Databases
– Diabetes
– The Hanseatic League circa 1432


DIRECTSHOW

"Pwn" -- security slang for compromising, or owning, a computer system -- is pronounced like the "pon" in pony.


DirectShow Overview

Media processing framework for Windows
– Playing media files
– Conversion between formats
– Media capture
– Central registry

Supports multiple A/V compression and file formats
– Easily extended to add support for new types of media
– AVI, WMF, ASF, MPEG2, etc.

Internally uses DirectSound/DirectDraw/Direct3D/etc.
– Interfaces with various hardware

Modular architecture
– Built on COM


DirectShow Overview II

Basic building block: the Filter
– COM object that implements the IFilter interface

You link filters together to perform various tasks
– Create a filter graph

Filters have input pins and output pins
– Connect output pins to input pins


DirectShow Overview II – Media File Exposure

[Diagram: exposure of standard graphic files vs media files. A graphic file is handled by one graphic parser, a single block of exposed code. A media file passes through a source filter, a splitter filter, a video codec filter and an audio codec filter, and finally a video rendering filter and an audio rendering filter; each of those stages is exposed code.]


Filters

Data enters the filter graph through a Source Filter
– Provides input data from a file, URL, or device
– Typically one output pin

Data leaves the filter graph through a Renderer Filter
– Delivers data to the user, a device, or a file
– Typically one input pin


Filters III

Media files are typically parsed by a Splitter Filter
– A Splitter Filter, or demultiplexor, takes input data and splits it into multiple separate output streams
– Typically one input pin and two or more output pins

A Mux Filter, or multiplexor, is the logical opposite
– Takes separate constituent streams and joins them together into a single output
– Used to create media files


Transform Filters

Transform Filters do the rest of the data processing
– Exactly one input and one output

Codec Filters
– Used for compressing or decompressing data with codecs

Conversion Filters
– Take data in one format and output data in another format
– Color schemes or image scaling


Data Flow

Data flows downstream from an output pin to an input pin

Two models for data flow between pins: push and pull

Push – the upstream filter prepares a buffer full of data and then delivers it to the downstream filter
– Useful when there is a linear stream of data going from one filter to the next
– Default model, more complicated

Pull – the downstream filter directly requests certain data from its upstream filter
– Used when a downstream filter needs random access to the upstream's data
– Generally used for splitter filters that need to parse files


graphedt and the Filter Graph

Graphedt.exe (in the Windows SDK)
– Lets you experiment with filter graphs
– Instantiate and connect filters installed on your system
– See the filters chosen to render a given file


Filter Graph Manager

The Filter Graph Manager controls all of the filters, and is responsible for:
– Choosing, initializing, and connecting the filters (more on this later)
– Maintaining a reference clock; all of the filters use the clock to stay in lockstep
– Synchronizing the filter actions: start, pause, and stop

Apps call the Filter Graph Manager
– which sets up and calls the filters


FINDING TARGETS


How do codecs get selected, anyway?

We need to define attack surface before auditing
– Enumerating codecs on a system
– Determining which codecs are reachable through remote vectors (such as malicious AVI files)
– Knowing which codec will be selected upon collision

DirectShow Filters are looked up in the registry by CLSID
– Filters are organized by category
– Quite a few categories available (http://msdn2.microsoft.com/en-us/library/ms783347(VS.85).aspx)
– Only interesting category for us is "DirectShow Filters" (CLSID_LegacyAMFilterCategory)
– Location in the registry is HKEY_CLASSES_ROOT\<Category CLSID>\Instance
– The "Instance" subkey contains a collection of CLSID subkeys corresponding to registered filters


How do codecs get selected, anyway?

Each input pin for a filter accepts data of a certain media type
– Filters instantiated one by one
– Pins queried using CBasePin::CheckMediaType()
– Filters are sorted in order of priority ("merit value")
– Some filters don't participate in this process at all (merit <= MERIT_DO_NOT_USE)
– Once a filter is connected successfully to the filter graph, the process starts again
– The connected filter will create 0 or more output pins; their media type is retrieved with CBasePin::GetMediaType()

Media type negotiation is done with AM_MEDIA_TYPE structures
– Data structure that fully describes a media type for a given stream
– Uses GUIDs for distinguishing both the media type and additional information pertaining to that type
– Typing information might be implicit (such as MPEG2 Video for MPEG files), or user specified (streams in an AVI file)


struct _AM_MEDIA_TYPE

majortype – general type of data (e.g. video – MEDIATYPE_Video, audio, opaque stream, text, etc.)

subtype – specific type of data (e.g. DIVX, MP4S, audioone)

bFixedSizeSamples, lSampleSize – for fixed sample sizes

bTemporalCompression – interframe compression

formattype, cbFormat, pbFormat – type, length, and pointer for the format block


Format Block Examples


Type Codes

Media types use FourCC codes
– Many container formats identify streams with FourCC codes instead of GUIDs
– Typically located in a stream header
– For video streams, the DWORD is 4 ASCII characters that represent the stream type
– For audio streams, an integer is used
– GUID is derived by adding the constant "0000-0010-800000AA00389B71"
– Eg. "divx" = {64697678-0000-0010-800000AA00389B71}
– Common FourCC codes available at http://www.fourcc.org

Example FourCC codes (taken from http://www.fourcc.org)

FourCC   Owner       Description
3ivx     3IVX        MPEG-4 based codec
H264     Intel       H264 video codec
MJPG     Microsoft   Motion-JPEG codec
WMVx     Microsoft   Windows Media Video x
Xvid     Xvid.org    MPEG-4 based decoder
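The FourCC-to-GUID derivation above, worked through in C++ as an added example (not code from the talk or the SDK). The four ASCII bytes are packed little-endian into a DWORD that becomes the GUID's Data1, so the bytes 64 69 76 78 of "divx" as written on the slide print as Data1 78766964 in the registry's {…} text form; audio subtypes use the WAVEFORMATEX format tag integer the same way. The Guid struct and kMediaSubtypeRGB24 constant are our own stand-ins for the Windows types.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for the Windows GUID type (same field sizes and order), so this builds anywhere.
struct Guid {
    uint32_t data1;
    uint16_t data2;
    uint16_t data3;
    uint8_t  data4[8];
};

// The constant tail DirectShow appends to every FourCC or wFormatTag:
// {XXXXXXXX-0000-0010-8000-00AA00389B71}. Data1 is the only part that varies.
static const Guid kFourccBase = {0, 0x0000, 0x0010, {0x80, 0x00, 0x00, 0xAA, 0x00, 0x38, 0x9B, 0x71}};

// A hand-assigned subtype for comparison (MEDIASUBTYPE_RGB24): no FourCC tail.
static const Guid kMediaSubtypeRGB24 = {0xe436eb7d, 0x524f, 0x11ce, {0x9f, 0x53, 0x00, 0x20, 0xaf, 0x0b, 0xa7, 0x70}};

// Same packing as the SDK's MAKEFOURCC: 'd','i','v','x' sit in memory as bytes 64 69 76 78,
// which a little-endian DWORD reads back as 0x78766964.
uint32_t makeFourcc(const char (&cc)[5]) {
    return  (uint32_t)(uint8_t)cc[0]        |
           ((uint32_t)(uint8_t)cc[1] << 8)  |
           ((uint32_t)(uint8_t)cc[2] << 16) |
           ((uint32_t)(uint8_t)cc[3] << 24);
}

// Video stream: the FourCC DWORD from the stream header becomes Data1.
Guid subtypeFromFourcc(const char (&cc)[5]) {
    Guid g = kFourccBase;
    g.data1 = makeFourcc(cc);
    return g;
}

// Audio stream: the WAVEFORMATEX wFormatTag integer becomes Data1 (e.g. 0x0001 = PCM).
Guid subtypeFromFormatTag(uint16_t formatTag) {
    Guid g = kFourccBase;
    g.data1 = formatTag;
    return g;
}

// Registry text form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, as it appears under HKCR.
std::string guidToString(const Guid& g) {
    char buf[40];
    std::snprintf(buf, sizeof buf, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
                  (unsigned)g.data1, (unsigned)g.data2, (unsigned)g.data3,
                  (unsigned)g.data4[0], (unsigned)g.data4[1], (unsigned)g.data4[2], (unsigned)g.data4[3],
                  (unsigned)g.data4[4], (unsigned)g.data4[5], (unsigned)g.data4[6], (unsigned)g.data4[7]);
    return buf;
}

// True when a subtype GUID carries the FourCC tail, i.e. it names a codec by FourCC rather
// than being a hand-assigned subtype such as MEDIASUBTYPE_RGB24.
bool isFourccSubtype(const Guid& g) {
    return g.data2 == kFourccBase.data2 && g.data3 == kFourccBase.data3 &&
           std::memcmp(g.data4, kFourccBase.data4, sizeof g.data4) == 0;
}

// Reverse mapping, useful when reading a filter's registered pin types back out of the
// registry: recover the four characters from Data1, or "" for non-FourCC subtypes.
std::string fourccFromSubtype(const Guid& g) {
    if (!isFourccSubtype(g)) return "";
    char cc[5] = {(char)(g.data1 & 0xFF), (char)((g.data1 >> 8) & 0xFF),
                  (char)((g.data1 >> 16) & 0xFF), (char)((g.data1 >> 24) & 0xFF), 0};
    return std::string(cc);
}

int main() {
    std::printf("divx     -> %s\n", guidToString(subtypeFromFourcc("divx")).c_str());
    std::printf("YUY2     -> %s\n", guidToString(subtypeFromFourcc("YUY2")).c_str());
    std::printf("tag 0x55 -> %s\n", guidToString(subtypeFromFormatTag(0x0055)).c_str());
    return 0;
}
```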


Matching the media types yourself…

Enumerating available codecs involves identifying those with media types accessible to you
– FourCC-based media types can all be reached from AVI files
– Examining the CheckInputType() function for an input pin can determine what types a codec will accept
– The "FilterData" key present for many codecs also gives this valuable information away

A more precise method: programmatically querying the registry
– Programmatic method for enumerating filters based on various properties
– Achieved with the FilterMapper2 COM object (http://msdn2.microsoft.com/en-us/library/ms787861(VS.85).aspx)
– Select filters by merit, input/output pin count, input/output pin types and more
– Can also enumerate pins by category using the device enumerator, the SystemDeviceEnum COM object (http://msdn2.microsoft.com/en-us/library/ms787871(VS.85).aspx)


AUDITING DIRECTSHOW

“Hey, I’m just the doctor – I don’t make the needles sharp.”

- Alan Johnson, Peep Show


Auditing Overview

Attacking media software
– Attack surface
– Data flow

Auditing DirectShow components
– Source Filters
– Splitter Filters
– Transform Filters

Complex attacks
– Desynchronization attacks
– Dynamic format changes
– Exploitation


Media File Attack Surface

How do you attack media software?
– Provide a malicious file
– Embed media content: web pages, flash, OLE, etc.

What's in a media file?
– Streams: video, audio, text (subtitles), or other data
– Media data: raw or compressed, split among various types of frames (key and interpositional)
– Meta-information: describes how to parse, decompress, navigate, and render the media data


Media File Attack Surface

Meta-information is your primary target
– Header information for the file as a whole
– Record and layout information for the file
– Header information for each stream: length, width, bit depth, sample size, bitrate, buffer size, allocation size
– Meta-information for each media sample
– Index information
– Chronological information for changes in format and synchronization
– Actual compression meta-data

Various levels, pertinent to different filters


Example of Propagation -> AVI

Your primary task as an auditor will be tracing the flow of meta-information data throughout the system.

[Diagram: the "strf" format block in the AVI file becomes the format block of the media type; the dimensions in the media type drive the allocator properties, which in turn size the media samples.]


Propagation of data

Filter to filter (push model)
– Data handed over in media samples
– Typically fixed sized buffers, size decided on negotiation

Allocator
– The filters choose and configure an allocator

Upstream gets an empty media sample from the allocator
– Fills out data, sets the used length, ships it

Downstream gets the media sample
– Extracts data and processes it


Media Samples

Core concept: Media Samples

Generic encapsulation object
– Implements IMediaSample

Abstraction used because data can live somewhere "complicated"
– Video memory, DMA, sound card buffers, etc.

A media sample has:
– underlying data
– a time stamp
– a media type (if there is a change)


Media Samples

Upstream sets                                       Media sample field                             Downstream reads
SetTime() / SetMediaTime()                          Times that the sample covers                   GetTime() / GetMediaTime()
SetMediaType()                                      Media type, if there is a change in format     GetMediaType()
GetPointer()                                        Underlying buffer                              GetPointer()
GetSize()                                           Size of buffer                                 GetSize()
SetActualDataLength()                               Actual size of data in buffer                  GetActualDataLength()
SetDiscontinuity() / SetPreroll() / SetSyncPoint()  Special sample characteristics                 IsDiscontinuity() / IsPreroll() / IsSyncPoint()


Worst Diagram Ever made


Source Filters

Responsible for providing data from the media source
– Typically a file or URL

Upstream to a splitter filter
– Output pin implements IAsyncReader
– Typically uses the pull model for random access

General dataflow (pull model)
1. The splitter decides what it needs to read next
2. It allocates or resizes a buffer locally, if necessary (no formal allocator)
3. The splitter calls SyncRead() on the upstream output pin
4. The splitter processes the data placed into its local buffer by the upstream filter


Source Filters

Load()
– Loads media (called by the filter graph manager)
– Audit protocol parsing code: low-level parsing issues

Output pin – implements IAsyncReader
– Async: Request() / WaitForNext() with a media sample
– Sync: SyncRead() / SyncReadAligned() with local memory

Look for design problems
– Requests across security domains


Splitter Filters

Parse the media file and extract streams
– Pass them to downstream filters

File parsing
– Typically have constructions susceptible to numeric issues, such as length-prefixed blocks, etc.
– Look for underflows, wraps, etc.
– AVI/WAV recently had such an issue (http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx)
– ISS X-Force disclosed such a bug also (http://www.microsoft.com/technet/security/Bulletin/MS07-068.mspx)
– Discovered by Alex Wheeler and Ryan Smith (internet partners in crime)

Dynamic format changes
– Attaching a media type to a media sample


File Parsing Example – AVI Splitter

File parsing bug in super-index processing
– Undisclosed, but innocuous

AVI files have indexes
– Offset/length pairs, and flags

They can have super-indexes
– Point to all the indexes in the file
– Offset/length pairs

Validity of offset/length never checked
– Internal validity of super-index and sub-index entries checked
– Length can be pathologically small
– Causes existing memory contents to be parsed as index
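The missing offset/length validation described above, written for this page as an added C++ example (not the splitter's code). It models the AVI super-index entry and the 32-byte sub-index header it points at in a simplified OpenDML layout (our own declarations, little-endian host assumed) and refuses to parse a sub-index whose declared length cannot hold its header plus the entries the header claims, which is the "pathologically small" case: without that check the read fills only part of the parser's buffer and stale memory is parsed as index entries.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Simplified OpenDML index layout (our own declaration, trimmed to what this check needs).
// A super-index entry is an offset/size pair pointing at a standard sub-index chunk. That
// chunk starts with a 32-byte header (fcc, cb, wLongsPerEntry, bIndexSubType, bIndexType,
// nEntriesInUse at byte 12, dwChunkId, qwBaseOffset at byte 20, dwReserved3) and is followed
// by 8-byte offset/size entries.
struct SuperIndexEntry { uint64_t offset; uint32_t size; uint32_t duration; };
struct SubIndexEntry   { uint32_t offset; uint32_t size; };
static const size_t kSubIndexHeaderSize = 32;
static const size_t kOffNEntriesInUse   = 12;
static const size_t kOffBaseOffset      = 20;

enum class IndexStatus { Ok, OutOfFile, TooSmallForHeader, EntriesExceedChunk };

static uint32_t rd32(const uint8_t* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t* p) { uint64_t v; std::memcpy(&v, p, 8); return v; }

// Check the super-index entry against the file before trusting anything inside the
// sub-index it points to. All three rejections are on attacker-controlled values.
IndexStatus loadSubIndex(const std::vector<uint8_t>& file, const SuperIndexEntry& e,
                         std::vector<SubIndexEntry>& out, uint64_t& baseOffset) {
    if (e.offset > file.size() || e.size > file.size() - e.offset)
        return IndexStatus::OutOfFile;               // chunk must lie inside the file
    if (e.size < kSubIndexHeaderSize)
        return IndexStatus::TooSmallForHeader;       // not even a full header was read
    const uint8_t* chunk = file.data() + e.offset;
    uint32_t n = rd32(chunk + kOffNEntriesInUse);
    if ((uint64_t)n * sizeof(SubIndexEntry) > e.size - kSubIndexHeaderSize)
        return IndexStatus::EntriesExceedChunk;      // header claims more entries than were read
    baseOffset = rd64(chunk + kOffBaseOffset);
    out.clear();
    for (uint32_t i = 0; i < n; ++i) {
        const uint8_t* p = chunk + kSubIndexHeaderSize + i * sizeof(SubIndexEntry);
        out.push_back({rd32(p), rd32(p + 4)});
    }
    return IndexStatus::Ok;
}

// --- constructed sample file (not a real AVI) ---------------------------------------------
static void put32(std::vector<uint8_t>& v, uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back((uint8_t)(x >> (8 * i))); }
static void put64(std::vector<uint8_t>& v, uint64_t x) { for (int i = 0; i < 8; ++i) v.push_back((uint8_t)(x >> (8 * i))); }

// 64 bytes of filler, then one sub-index chunk with n entries (entry i: offset i*100, size 50).
const uint64_t kChunkOffset = 64;
std::vector<uint8_t> buildSampleFile(uint32_t n) {
    std::vector<uint8_t> f((size_t)kChunkOffset, (uint8_t)0);
    put32(f, 0x30307869);             // fcc "ix00"
    put32(f, 24 + 8 * n);             // cb: bytes following fcc/cb
    f.push_back(2); f.push_back(0);   // wLongsPerEntry = 2
    f.push_back(0);                   // bIndexSubType
    f.push_back(1);                   // bIndexType = AVI_INDEX_OF_CHUNKS
    put32(f, n);                      // nEntriesInUse (byte 12)
    put32(f, 0x63643030);             // dwChunkId "00dc"
    put64(f, 0x1000);                 // qwBaseOffset (byte 20)
    put32(f, 0);                      // dwReserved3
    for (uint32_t i = 0; i < n; ++i) { put32(f, i * 100); put32(f, 50); }
    return f;
}

// Run one super-index entry against the 3-entry sample file (chunk is 56 bytes, file 120).
static IndexStatus runScenario(uint64_t offset, uint32_t size, std::vector<SubIndexEntry>& v) {
    std::vector<uint8_t> f = buildSampleFile(3);
    uint64_t base = 0;
    return loadSubIndex(f, SuperIndexEntry{offset, size, 0}, v, base);
}
IndexStatus scenario(uint64_t offset, uint32_t size) {
    std::vector<SubIndexEntry> v;
    return runScenario(offset, size, v);
}
size_t parsedEntries(uint64_t offset, uint32_t size) {
    std::vector<SubIndexEntry> v;
    runScenario(offset, size, v);
    return v.size();
}
```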


Splitter Filter – Media Type Construction

Splitter filters construct a media type
– Communicates the format of the data to downstream filters

Derived from meta-information in the media file
– Possibly read verbatim (AVI strf)

Some high-level validation typically performed
– Constrains our attacks on transform filters
– AVI: performed on BMI format blocks, but not others
– Private data after BMI is not validated

Consider effects of mixing and matching (codec-hell)
– Different splitter that performs less or different validation
– Different downstream that assumes different validation


Splitter Filter – AVI Splitter Validation


Transform Filters

Transform Filters are your most common target
– Single input stream and single output stream
– Usually decompressing a compressed stream
– Most codecs you download are of this type (DivX, AAC, AC3, M4S…)

The CTransformFilter class is used to simplify codec development
– Source is in the Windows SDK (samples\Multimedia\DirectShow\BaseClasses\transfrm.h)
– Handles pin negotiation
– Moves processing into various functions in CTransformFilter
– Developer overrides/implements these functions


Transform Filters II – Areas of Interest

Input MediaType processing/validation
– CheckInputType()
– Gotcha: negative height

Output MediaType processing/validation
– CheckTransform()

Allocator configuration
– DecideBufferSize()

Main data processing
– Transform()
– SetActualDataLength()


Transform Filters – Mediatype Negotiation

CheckInputType()
– Called by CTransformInputPin::CheckMediaType()
– Inspects media type and encapsulated format block
– Check for integer overflows (e.g. width * height * color depth for video, nchannels * bitrate for audio)
– Check for special cases (negative height in BMI)
– Discover what sanity checks are needed for this filter to accept the proposal

CheckTransform()
– Called by CTransformOutputPin::CheckMediaType()
– Determines if the filter can convert the input MT to the provided MT
– Output type is usually derived from the input type
– Similar issues to what you would look for in CheckInputType()


Transform Filters – CheckInputType() Example


Transform Filters – Allocator Configuration

After media types are decided, the output pin chooses an allocator

An allocator is responsible for:
– Provisioning empty media samples
– Tracking media samples with reference counters
– Freeing and/or recycling media samples

Allocators typically allocate a pool of media samples, and hand them out as they are needed.

Also, be aware of internal allocations
– Occur after configuration of media types
– No use of the formal allocator/sample mechanism
– Example: Xvid, ffdshow library wrappers


Transform Filters – Allocator Configuration

DecideBufferSize()
– Caller provides an ALLOCATOR_PROPERTIES structure
– Used by the output pin to configure the allocator
– Note: allocation isn't completed until later…

Allocator Properties structure
– cBuffers – number of buffers created by the allocator
– cbBuffer – size of each buffer in bytes, excluding prefix
– cbAlign – alignment of buffer
– cbPrefix – each buffer is preceded by a prefix of this many bytes
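CheckInputType() and DecideBufferSize() as the last slides describe them, written in C++ as an added example rather than code from any real filter. The structures are our own stand-ins for BITMAPINFOHEADER and ALLOCATOR_PROPERTIES, and the format block is treated the way the slides describe it: a BITMAPINFOHEADER optionally followed by private data that must stay within cbFormat. The check does the width * height * depth product in 64-bit arithmetic, handles the negative (top-down) height including INT_MIN, bounds the 8-bit palette, and only then lets DecideBufferSize() derive cbBuffer from the validated result.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>

// Our own stand-ins for the Windows structures (same field order and widths as the SDK).
struct BitmapInfoHeader {
    uint32_t biSize;  int32_t biWidth;  int32_t biHeight;  uint16_t biPlanes;  uint16_t biBitCount;
    uint32_t biCompression;  uint32_t biSizeImage;  int32_t biXPelsPerMeter;  int32_t biYPelsPerMeter;
    uint32_t biClrUsed;  uint32_t biClrImportant;
};
struct AllocatorProperties { int32_t cBuffers; int32_t cbBuffer; int32_t cbAlign; int32_t cbPrefix; };

// The slice of AM_MEDIA_TYPE that matters here: the format block and its length.
struct MediaTypeLite { const BitmapInfoHeader* pbFormat; uint32_t cbFormat; };

// What a validated proposal boils down to for the rest of the filter.
struct FrameInfo { uint32_t width, height, bitCount, stride, frameBytes; bool topDown; };

enum class Verdict { Accept, FormatTooShort, BadBiSize, BadDimensions, BadBitCount,
                     PaletteOverrun, FrameTooLarge, SizeImageTooSmall };

// CheckInputType(): every field that later sizes a buffer is range-checked here, before the
// media type is accepted and before DecideBufferSize() ever sees it.
Verdict checkInputType(const MediaTypeLite& mt, FrameInfo& out) {
    if (mt.pbFormat == nullptr || mt.cbFormat < sizeof(BitmapInfoHeader)) return Verdict::FormatTooShort;
    const BitmapInfoHeader& bmi = *mt.pbFormat;
    // biSize may exceed the header when private codec data follows it, but that private data
    // must still lie inside the cbFormat bytes the splitter actually handed over.
    if (bmi.biSize < sizeof(BitmapInfoHeader) || bmi.biSize > mt.cbFormat) return Verdict::BadBiSize;
    // Negative height means a top-down DIB; INT_MIN has no positive counterpart and would come
    // out of a naive abs() still negative.
    if (bmi.biWidth <= 0 || bmi.biHeight == 0 || bmi.biHeight == INT_MIN) return Verdict::BadDimensions;
    if (bmi.biPlanes != 1 || (bmi.biBitCount != 8 && bmi.biBitCount != 16 &&
                              bmi.biBitCount != 24 && bmi.biBitCount != 32)) return Verdict::BadBitCount;
    uint32_t width  = (uint32_t)bmi.biWidth;
    uint32_t height = (uint32_t)(bmi.biHeight < 0 ? -bmi.biHeight : bmi.biHeight);
    // 8-bit video carries a palette after the header; its entry count is attacker-chosen too.
    if (bmi.biBitCount == 8) {
        uint64_t entries = bmi.biClrUsed ? bmi.biClrUsed : 256;
        if (entries > 256 || sizeof(BitmapInfoHeader) + entries * 4 > mt.cbFormat) return Verdict::PaletteOverrun;
    }
    // width * depth * height in 64 bits: this product is what a 32-bit multiply would wrap.
    uint64_t stride = ((uint64_t)width * bmi.biBitCount + 31) / 32 * 4;   // DWORD-aligned rows
    uint64_t frame  = stride * height;
    if (frame > (uint64_t)INT32_MAX) return Verdict::FrameTooLarge;       // must fit cbBuffer (a long)
    if (bmi.biSizeImage != 0 && bmi.biSizeImage < frame) return Verdict::SizeImageTooSmall;
    out = FrameInfo{width, height, bmi.biBitCount, (uint32_t)stride, (uint32_t)frame, bmi.biHeight < 0};
    return Verdict::Accept;
}

// DecideBufferSize(): size the allocator from the validated FrameInfo only, never from the
// raw format block, so cbBuffer is exactly one full decoded frame.
bool decideBufferSize(const FrameInfo& f, AllocatorProperties& props) {
    if (f.frameBytes == 0) return false;
    props.cBuffers = 1;
    props.cbBuffer = (int32_t)f.frameBytes;
    props.cbAlign  = 1;
    props.cbPrefix = 0;
    return true;
}

// Try a proposal end to end (constructed inputs, not a real stream). cbFormat is the length
// the splitter claims for the block; biSize is what the block claims about itself.
Verdict tryProposal(int32_t w, int32_t h, uint16_t bpp, uint32_t biSize, uint32_t cbFormat,
                    AllocatorProperties* propsOut = nullptr) {
    BitmapInfoHeader bmi = {};
    bmi.biSize = biSize; bmi.biWidth = w; bmi.biHeight = h; bmi.biPlanes = 1; bmi.biBitCount = bpp;
    MediaTypeLite mt{&bmi, cbFormat};
    FrameInfo info{};
    Verdict v = checkInputType(mt, info);
    if (v == Verdict::Accept && propsOut) decideBufferSize(info, *propsOut);
    return v;
}

// Negotiated cbBuffer for an accepted 40-byte BMI proposal, or -1 when it is rejected.
int32_t negotiatedBufferSize(int32_t w, int32_t h, uint16_t bpp) {
    AllocatorProperties p{};
    return tryProposal(w, h, bpp, 40, 40, &p) == Verdict::Accept ? p.cbBuffer : -1;
}
```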


Transform Filters – Allocator Example


Transform Filters – Main Data Processing

Auditing the data processor
– A large portion of the time, it's doing decompression
– Decompression makes something small into something large
– Does this seem like the sort of thing we'd be interested in? :>
– What to look for depends very much on what the codec does
– Compressed streams with invalid Huffman codes
– Additional metadata in headers that isn't correctly sanitized

Where to look
– Receive() for filters using the push model, Transform() for transform filters
– Function decodes input into a (pre-allocated) buffer
– IMediaSample::GetPointer(): offset 0x0c in the IMediaSample vtable
– IMediaSample::GetActualDataLength(): offset 0x2c in the IMediaSample vtable


Transform Filters – Data Processing Example


Format Block Desynchronization

Information is often duplicated in multiple places

If it is sourced from two or more separate user-malleable places, internet chaos™ can ensue

Format blocks often appear out-of-band
– Format block describes a specific stream, but is not part of that stream
– Recall the AVI "strf" chunk
– Also happens with ASF
– For video, the BITMAPINFOHEADER structure is used (height, width, color depth, palette, etc.)
– For audio, WAVEFORMATEX (channels, bitrate, etc.)

Page 51:

Format Block Desynchronization

Many stream formats also provide similar information
– Often carry the same information in-band as well
– Example: DivX contains height/width information in-band (as well as many other parameters)

If values are inconsistent, there is the potential for vulnerabilities
– Usually, output buffers are allocated based on the sizes in the format block
– If values within the stream are then used during sample copies, potential for buffer overflows and such exists

In-band values also have had no prior sanity checking
– Some codecs might correctly allocate buffers reflecting the sizes indicated by the in-band headers, rather than the format block
– Still potential for vulnerabilities due to integer overflows and such
– This is less of a problem with format blocks, as the splitter filters often do some verification
– Output buffers and sample sizes have already been determined, so new information can conflict with that
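An added example (not code from the slides) that models the desynchronization described on the last two slides, together with the Transform()/GetPointer()/GetActualDataLength() audit points from the data-processing slide: the allocator sizes the output sample from the out-of-band format block, the decoder then copies using the dimensions from an in-band frame header, and the two disagree. `MediaSample`, `FormatBlock` and `InbandFrame` are reduced stand-ins (an assumption of this example) for IMediaSample, BITMAPINFOHEADER and a DivX-style per-frame header; the frame payload and dimensions are constructed.

```c
/* Added example, not the slides' code: a format-block/in-band desynchronization
 * bug and its fix, modelled on a Transform() that decodes into a pre-allocated
 * IMediaSample. MediaSample, FormatBlock and InbandFrame are reduced stand-ins
 * (assumption) for IMediaSample, BITMAPINFOHEADER and a DivX-style frame header. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {           /* stand-in for IMediaSample */
    uint8_t *buf;          /* IMediaSample::GetPointer()          */
    uint32_t size;         /* IMediaSample::GetSize()             */
    uint32_t actual;       /* IMediaSample::GetActualDataLength() */
} MediaSample;

typedef struct { uint32_t width, height, bpp; } FormatBlock;                    /* out-of-band ("strf") */
typedef struct { uint32_t width, height; const uint8_t *pixels; } InbandFrame;  /* in-stream header */

static uint32_t frame_bytes(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * (bpp / 8);   /* small constructed sizes only; a real filter needs overflow-checked arithmetic */
}

/* Vulnerable Transform(): the output sample was sized by the allocator from the
 * format block, but the copy length comes from the in-band header alone. */
static bool transform_vulnerable(const InbandFrame *f, MediaSample *out)
{
    uint32_t n = frame_bytes(f->width, f->height, 32);
    memcpy(out->buf, f->pixels, n);          /* no check against out->size */
    out->actual = n;                         /* SetActualDataLength() equivalent */
    return true;
}

/* Hardened Transform(): in-band dimensions must match the negotiated format
 * block, and the copy is bounded by the sample's real capacity. */
static bool transform_hardened(const FormatBlock *fmt, const InbandFrame *f, MediaSample *out)
{
    if (f->width != fmt->width || f->height != fmt->height)
        return false;                        /* desynchronized: reject the frame */
    uint64_t n = (uint64_t)f->width * f->height * (fmt->bpp / 8);
    if (n > out->size)
        return false;
    memcpy(out->buf, f->pixels, (size_t)n);
    out->actual = (uint32_t)n;
    return true;
}

enum { BACKING = 4096 };   /* larger than any sample here, so the overflow is observable rather than UB */

/* Scenario: the format block says 8x8x32 (a 256-byte sample); the stream's in-band
 * header claims 16x8. Returns the number of bytes written past the sample,
 * measured with a 0xCC canary filling the backing store behind it. */
static uint32_t run_desync_scenario(bool hardened, bool *accepted)
{
    static uint8_t backing[BACKING], pixels[BACKING];
    memset(backing, 0xCC, sizeof backing);
    memset(pixels, 0x41, sizeof pixels);       /* constructed frame payload */

    FormatBlock fmt = { 8, 8, 32 };
    MediaSample s   = { backing, frame_bytes(8, 8, 32), 0 };
    InbandFrame f   = { 16, 8, pixels };       /* twice the negotiated width */

    *accepted = hardened ? transform_hardened(&fmt, &f, &s)
                         : transform_vulnerable(&f, &s);

    uint32_t spilled = 0;
    for (uint32_t i = s.size; i < sizeof backing; i++)
        if (backing[i] != 0xCC) spilled++;
    return spilled;
}

int main(void)
{
    bool ok;
    uint32_t v = run_desync_scenario(false, &ok);
    printf("vulnerable: accepted=%d, %u bytes past the sample\n", ok, v);
    uint32_t h = run_desync_scenario(true, &ok);
    printf("hardened:   accepted=%d, %u bytes past the sample\n", ok, h);
    return 0;
}
```

When auditing a real filter, the question the hardened version answers is the one to ask at every copy into the output sample: is the length derived from the same source that sized the buffer, and if not, is it compared against the sample's capacity before the write?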

Page 52:

Format Block Desynchronization

Page 53:

Exploitation Ideas

Media Buffer Allocations
– Default allocator uses VirtualAlloc()
– Could be problematic for exploitation (page-granular mappings outside the process heap)

Priming Memory
– Relatively plausible
– Fairly arbitrary sized allocations in many filters

DLL Loading for fun and profit
– You specify the stream type, so you specify the codecs
– DLL loaded as a result
– Good for SEH handler tables, ASLR, etc.

Precision timing of exploitation
– Filter graph maintains a reference clock
– Synchronizes multiple streams
– Sounds useful for dialing in multi-threaded execution and concurrent allocation behaviors

Page 54:

Parting Thoughts

Watch out for some disclosures…

Fertile ground for bug hunting

– Plenty of code left to audit
– More written all the time: TiVo, Roxio, QuickTime, Nero, xvid, etc.

Auditing DMO (DirectX Media Objects), MF (Media Foundation), and other media software
– Knowledge will transfer well: similar data structures and ideas

Page 55:

Thank you!

[email protected]@us.ibm.com
IBM ISS X-Force R&D