This blog post will demonstrate how to trigger a vulnerability with only the public information available provided by the vendor during a security patch release cycle. For this analysis, I will be using CVE-2014-0301 that was patched in MS14-013.
casing the target
First, I gathered as much information about the target vulnerability as possible. By simply looking at the bulletin, it can quickly be seen what files were patched. For Windows 7 (32-bit), the new file information includes qedit.dll, with a file modification date of 2013-06-03.
Next, I made a backup copy of the old versions of the files, installed the update, and made a backup copy of the new versions of the files. At this point I had both a patched and unpatched copy of the qedit.dll file.
finding the patched function
For this example, I will be focusing on the Windows 7 version of these files. The first thing to do is to diff the files and see what changed. I did this with DarunGrim3, an automated binary diffing tool. Here are the results of the diff on the patched and unpatched file, sorted by security implication score. (Note: any mis-matched functions have been removed from the listing, so that only functions with matching names between patched and unpatched versions were kept in the list.)
The security implication score assigned by DarunGrim3 is calculated based on several heuristics which are applied to any code added including:
- Addition of a cmp / test instruction.
- Presence of 0xFFFFFFFF anywhere.
- Call to a member of the strlen() family, which generally can be used to patch buffer overflows.
- Call to StringCchCopy() family, which is used to patch buffer overflows.
- Call to ULongLongToULong() which is used to patch integer overflows.
Here are the results of the diff on each file, sorted by security implication score (the mis-matched functions have been removed from the listing):
A diff of the Windows XP versions of qedit.dll was also performed to help narrow down the patched functions. Here are the patched functions:
We can see that the functions patched in both Windows XP and Windows 7 are the following:
Searching for these functions in the popular disassembler, IDA, gives us the following function definitions:
LoadJPEGImageNewBuffer(unsigned short *, class CMediaType *, unsigned char * *) OpenTGAFile(void *,uchar * *,CMediaType *,uchar *) OpenDIBFile(void *,uchar * *,CMediaType *,uchar *) CGenStilVid::~CGenStilVid(void)
The first changed function looks to be a destructor, which might be interesting, but it turns out that there are no real changes, with the exception of changes to file offsets. This makes sense since its implication score was 0. It is safe to rule out this function at this point.
Most of the changes in this function are caused by what are likely compiler optimizations having to do with comparisons. However, one change is significant. After calling
LoadJPEGImage(), the function continues on to a block that deletes a pointer. A new
mov [esi], ebx instruction is added. In the patched version of the function,
ebx maintains a value of 0, so this new instruction simply clears out the value stored at
At first glance, this is indicative of a patch to a dangling pointer, because the patch is to explicitly clear out a reference to the deleted object, so that it won’t be re-used. In the case of the unpatched
CGenStilVid object, it is deleted twice, as we will soon see.
A couple registers (
ebx) swapped purpose in the last part of this function. This was because the instruction to assign the value at
arg_4 to a register was moved further on down in the function. Additionally, at the original place of instantiation, the register is instead set to 0, as can be shown by this diff:
That’s the extent of the meaningful changes in this function.
The changes in this function are similar to
OpenTGAFile(). A newly added internal variable is set to zero. Then, some other changes in register/variable usage occurs, but the semantics of the function remain the same.
analyzing the changes
It is safe to assume that the changes to
OpenDIBFile() were the result of compiler optimizations, since they did not have any significant bearing on the semantics of either function.
However, the changes to
LoadJPEGImageNewBuffer() actually change the purpose of the code, cleaning up what looks like a dangling pointer, so at this point, it is safe to assume that this is the function containing the security patch for CVE-2014-0301.
how to hit the patched function
I tested to see if qedit.dll was loading with common Microsoft programs such as, Excel, Outlook, PowerPoint, Word, Lync, Windows Media Player and even Adobe Acrobat but none of those targets seem to use qedit. So this might only be a vulnerability that more specifically affects 3rd party software using this Microsoft API.
One such 3rd party software, a media player known as Media Player Classic (MPC), will play lots of media types, including JPEG files. When a JPEG image is loaded MPC, it will load our target DLL, qedit.dll. The following following JPEG was used for the purposes of this analysis:
When we attach WinDbg to MPC and break on the
LoadJPEGImageNewBuffer() function, we can trace execution down to a call to
LoadJPEGImage(). If this returns a nonzero result in
eax, then our vulnerable code path will be executed.
LoadJPEGImage() to fail
There are a few functions called by
LoadJPEGImage() that could return error codes. Since invalid size values have been the source of many failures to parse various file formats, my first thought was to mess with the length values in the JPEG image by using a binary file editor, such as 010 Editor. By using the JPG binary template, I simply went through and tested the effects of changing any value that looked like a size value to either
0xFFFF. Most of the values that I changed caused the function to never even get hit. However, I eventually had success in hitting the
LoadJPEGImage() function when setting the
htInfo value of a
Huffmann_Table structure to 0:
With this value set to 0, the image is parsed as usual, but fails during the call to
LockBits() with the error stored in
eax as 7. Parsing a valid file results with
eax being set to 0, which is the
Status. According to the MSDN documentation for
Bitmap.LockBits(), this error code translates to
Win32Error as a part of the
This error is passed to
ResetFormatBuffer(), which is followed directly by
ConvertStatustoHR(). The status saved to
0x80004005. At this point, the function cleans up the stack and returns execution back to
Once execution is returned back to
LoadJPEGImageNewBuffer(), it continues on to a call to delete. This is the first free that occurs.
Later on in the execution, the second free is called on the same object:
The application crashes on the call to
ntdll!RtlFreeHeap() during the second call to
I hope you enjoyed this breakdown of how to diff a patch and produce a crash based off of the diff. I leave the process of creating an exploit based on the crash as an exercise to the reader.
Special thanks to Bill Finlayson for his sage like wisdom and all of his help during the analysis of this vulnerability.