exploiting vulnerabilities in media software
play

Exploiting Vulnerabilities in Media Software iSEC Partners - PowerPoint PPT Presentation

Aug 14, 2023 •164 likes •470 views

Exploiting Vulnerabilities in Media Software iSEC Partners https://www.isecpartners.com Agenda Introduction Why media software? Why bugs are still out there How we're going to bang them out Fuzzing techniques

  1. Exploiting Vulnerabilities in Media Software iSEC Partners https://www.isecpartners.com

  2. Agenda • Introduction – Why media software? – Why bugs are still out there – How we're going to bang them out • Fuzzing techniques – Why/What/How – Fuzzbox • Codecs to attack – Ogg Vorbis – MP3 – FLAC – Speex – Raw formats: PCM/WAV, AIFF iSEC Partners https://www.isecpartners.com

  3. Agenda • Case studies: blown up software • Demo • Q&A iSEC Partners https://www.isecpartners.com

  4. Introduction • Hello – I'm a consultant for iSEC Partners – Focus on application security – UNIX grump – Audio hobbyist • What's this all about? – The attack surface and potential of media codecs – Focus here is on audio, but that doesn't matter – Video works the same way, and uses the same container formats iSEC Partners https://www.isecpartners.com

  5. Why this matters • Omnipresent, and always on – Promiscuously shared, played, streamed – Come from extremely untrusted, often anonymous sources – Who thinks to refrain from playing “untrusted” sounds? – Most browsers will play automatically anyhow • It's political – There are people out there who don't like you stealing music – Like me, for example – But mostly I mean the RIAA, and companies like Sony – Ripe for corporate abuse • It's “rich” – Media playback software is excessively functional – Does tons of parsing • It's underexplored! iSEC Partners https://www.isecpartners.com

  6. Why underexplored? • Modern codecs are designed to be resistant to corruption – Bit-flipping an ogg file, for example, will usually not work – Example: zzuf, a popular bit-flipping fuzzer, noted VLC as being “robust” against fuzzing of Vorbis, Theora, FLAC – As zzuf notes, this does not mean there are no bugs; we just need a targeted fuzzer • Most exploits thus far have been simple – Attacks on players: long playlists, URL names, etc – Few attacks using media files themselves – Even fewer targeting things on the codec level iSEC Partners https://www.isecpartners.com

  7. Fuzzing techniques: what to fuzz • Two main areas are important here – Content metadata • ID3, APEv2, Vorbis comments, album art, etc. • Frame data – We're mostly interested in the frame header – Contains structural data describing overall file layout • Sample rate, number of frames, frame size, channels – Can be multiple types of frame headers in a file, especially in the case of container formats iSEC Partners https://www.isecpartners.com

  8. Fuzzing techniques: what to fuzz with • Obviously, random strings – Repeating one random ASCII char to help us spot stack pointer overwrites – Throw in some random unicode, encoded in funny ways – Format strings – Just a bunch of %ns to give us some memory corruption – Random signed ints – Fencepost numbers • HTML! More on this later. • URLs – maybe we can catch some URL pingbacks iSEC Partners https://www.isecpartners.com

  9. Fuzzing techniques: how to fuzz it • Three possible approaches – Reach in and just mutate • Might work, might not • Works a sad amount of the time • Use existing parsing libraries – Works well, but usually requires patching the libs – Built-in error handling will obviously trip us up – Metadata editing libraries don't always allow changing of data we want – Let's use this for basic stuff like ID3 tags and Vorbis comments • Make your own frame parser – Sometimes quick and easy, sometimes painful – But turns up some great bugs iSEC Partners https://www.isecpartners.com

  10. The toolbox • A few tools to make fuzzing and parsing easier: • Hachoir – Dissects many file types visually • mutagen – Help in mangling audio tags and understanding file layout • vbindiff – shows differences between fuzzed and non-fuzzed files • bvi – a hex editor with keybindings similar to a certain one true editor • gdb iSEC Partners https://www.isecpartners.com

  11. Fuzzbox • A multi-codec audio stream fuzzer, written in Python • Targets specific codecs, no general file fuzzing • Uses third party libs like py-vorbis and mutagen for metadata fuzzing • Uses built-in frame parsing for frame fuzzing • NOT another “fuzzing framework” • An example of real-world fuzzers used in pen-testing: quick, dirty and targeted iSEC Partners https://www.isecpartners.com

  12. Ogg Frame Structure • Case study: Ogg Vorbis – Excellent free codec – Well documented – Not just for hippies – Unencumbered status gets it into many things – Consists of an Ogg container: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1| Byte +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | capture_pattern: Magic number for page start "OggS" | 0-3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | version | header_type | granule_position | 4-7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 8-11 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | bitstream_serial_number | 12-15 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | page_sequence_number | 16-19 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | CRC_checksum | 20-23 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | page_segments | segment_table | 24-27 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | 28- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- iSEC Partners https://www.isecpartners.com

  13. Vorbis Frame Structure • ...with a chewy Vorbis center – Contains channels, sample rate, etc – Also “Vorbis comments” • Simple name/value pairs – can be any length or content, but some have special meaning • Easiest to use existing libs for this – in this case, py-vorbis iSEC Partners https://www.isecpartners.com

  14. Ogg and Vorbis frame in Python • Mercifully 8-bit aligned iSEC Partners https://www.isecpartners.com

  15. Data loaded, feed to fuzzer • Now we have comments and frame data • Time to mangle them up • Transforms are defined in randjunk.py: iSEC Partners https://www.isecpartners.com

  16. Data fuzzed, writing back out • In the case of comments, we just write them back in • For our frame data, we need to pack it: iSEC Partners https://www.isecpartners.com

  17. Fix the CRC • Every ogg frame has a CRC to prevent corruption – Also hides bugs :( – But, easy enough to fix iSEC Partners https://www.isecpartners.com

  18. Other supported formats • MP3 – Metadata with ID3 – ID3v1 • Length limited • Stored at end of file • Great for rewriting, awful for streaming – ID3v2 • Massively structured and complex • Incompletely supported • I hope it dies • FLAC – Lossless audio – uses Vorbis comments for metadata, can use Ogg as a container iSEC Partners https://www.isecpartners.com

  19. Even more supported formats • WAV and AIFF – What's to attack in raw audio? – Not much, but it still works – Sample width, framerate, frame number; all things that can expose integer bugs – WAV and AIFF parsing libraries are included with Python • Speex – Optimized for speech – Used in several high-profile third-party products – Uses vorbis comments for metadata – Can be stored in an Ogg container iSEC Partners https://www.isecpartners.com

  20. Setting up a fuzzer run • Basic usage of fuzzbox iSEC Partners https://www.isecpartners.com

  21. Demo https://www.isecpartners.com iSEC Partners

  22. Nifty features • Autoplay mode – kicks off a player of your choice under gdb • Gathers backtraces, registers and resource usage • iTunes anti-anti-debugging • iTunes automation with AppleScript • Kills off runaway apps iSEC Partners https://www.isecpartners.com

  23. Fallout: VLC • Format string issues in Vorbis comments – Also CDDA, SAP/SDP – broadcast exploitation! iSEC Partners https://www.isecpartners.com

  24. Fallout: libvorbis iSEC Partners https://www.isecpartners.com

  25. Fallout: flac-tools • Stack overflow in metadata parsing iSEC Partners https://www.isecpartners.com

  26. Demo https://www.isecpartners.com iSEC Partners

  27. iSEC Partners https://www.isecpartners.com

  28. Collateral Damage • Non-player apps, or “nobody uses Vorbis!” – As mentioned before, some of these codecs get around – Used in games – custom sounds downloaded with maps... – Asterisk does. • (O_o);;; • It also supports Speex, which is structurally very similar... • In other words, any DoS or code execution in Ogg/Vorbis means the same for Asterisk • Web applications – Some apps aren't real careful about data parsed from media – Cool for CSRF, XSS or Javascript intranet scanning • Indexing services and other parsers – Software like Beagle relies on media libraries to index – Exploits in these libraries affect the indexer – Can also be a venue for finding bugs in the indexer itself – Or its web interface iSEC Partners https://www.isecpartners.com

Recommend

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &

750 views • 45 slides
Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example Saghar Estehghari 1 Yvo Desmedt 1 , 2 1 Department of Computer Science University College London, UK 2 Research Center for Information Security

572 views • 28 slides
Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven

Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven

Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven Agami Course Basic and Translational Oncology 2018 How to -specifically- kill cancer cells? Target DNA replication (chemotherapy) Suffocate them

518 views • 37 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides
Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to

Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to

Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and BCECHO demo counterattacks ASLR and counterattacks Stephen McCamant

528 views • 10 slides
Disabling a Computer by Exploiting Softphone Vulnerabilities Ryan Farley and Xinyuan Wang George

Disabling a Computer by Exploiting Softphone Vulnerabilities Ryan Farley and Xinyuan Wang George

Disabling a Computer by Exploiting Softphone Vulnerabilities Ryan Farley and Xinyuan Wang George Mason University September 26, 2013 Where Innovation Is Tradition Threat and Mitigation Introduction Background Disabling the

535 views • 31 slides
Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research -

Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research -

Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research - Comsecuris <ralf@comsecuris.com> PGP fingerprint : D244D6F2E79B529BF5548F39B27967D58C07C5B7 twitter: @esizkur 1 PARENTAL ADVISORY Sparse

419 views • 28 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe 2010 Stephen Michell, Maurya Software, Ottawa, Canada Security There are people out there trying to attack every computer that we own. Most

503 views • 48 slides
Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD

Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD

Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD rjrodriguez@unizar.es @RicardoJRdez 14 de marzo, 2019 I Jornadas OWASP ZGZ $whoami Ph.D. in Computer Sciences (University of Zaragoza, 2013)

611 views • 31 slides
Exploiting Insecurity to Secure Software Update Systems Justin Cappos Department of Computer

Exploiting Insecurity to Secure Software Update Systems Justin Cappos Department of Computer

Exploiting Insecurity to Secure Software Update Systems Justin Cappos Department of Computer Science and Engineering University of Washington Introduction software update system -- a piece of software that installs, updates, removes, or

431 views • 10 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Exploiting State Information to Support QoS in Software-Defined WSNs Paolo Di Dio ,

Exploiting State Information to Support QoS in Software-Defined WSNs Paolo Di Dio ,

Exploiting State Information to Support QoS in Software-Defined WSNs Paolo Di Dio , Salvatore Faraci , Laura Galluccio, Sebastiano Milardo , Giacomo Morabito, Sergio Palazzo, and Patrizia Livreri CNIT Research Unit

902 views • 36 slides
Automatic Workarounds: Exploiting the Intrinsic Redundancy of Software to Improve Reliability

Automatic Workarounds: Exploiting the Intrinsic Redundancy of Software to Improve Reliability

Automatic Workarounds: Exploiting the Intrinsic Redundancy of Software to Improve Reliability Antonio Carzaniga , Alessandra Gorla, Nicol` o Perino, Mauro Pezz` e Faculty of Informatics University of Lugano Switzerland March 22, 2012 Scope

780 views • 55 slides
Should Cyber-Insurance Providers Invest in Software Security? Aron Laszka 1 and Jens Grossklags 2

Should Cyber-Insurance Providers Invest in Software Security? Aron Laszka 1 and Jens Grossklags 2

Should Cyber-Insurance Providers Invest in Software Security? Aron Laszka 1 and Jens Grossklags 2 1 University of California, Berkeley 2 Pennsylvania State University Software Vulnerabilities Most software products suffer from vulnerabilities

448 views • 22 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Feb. 8, 2010 Malicious Software Malicious Software programs exploiting system vulnerabilities known

427 views • 10 slides
RouteBricks: Exploiting Parallelism To Scale Software Routers Mihai Dobrescu & Norbert Egi,

RouteBricks: Exploiting Parallelism To Scale Software Routers Mihai Dobrescu & Norbert Egi,

RouteBricks: Exploiting Parallelism To Scale Software Routers Mihai Dobrescu & Norbert Egi, Katerina Argyraki, Byung-Gon Chun, Kevin Fall, Gianluca Iannaccone, Allan Knies, Maziar Manesh, Sylvia Ratnasamy EPFL, Intel Labs Berkeley,

856 views • 46 slides
Software implementation of correlated quantum chemistry methods. Exploiting advanced programming

Software implementation of correlated quantum chemistry methods. Exploiting advanced programming

Software implementation of correlated quantum chemistry methods. Exploiting advanced programming tools and new computer architectures Evgeny Epifanovsky Q-Chem Septermber 29, 2015 Acknowledgments Many thanks to my collaborators: Michael

410 views • 21 slides
Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Integer overflows and sign errors Adding,

756 views • 42 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Exploiting Performance Benefits of Extruded Meshes in PyOP2 Department of Computing - Software

Exploiting Performance Benefits of Extruded Meshes in PyOP2 Department of Computing - Software

Exploiting Performance Benefits of Extruded Meshes in PyOP2 Department of Computing - Software Performance Optimisation Group Imperial College London Gheorghe-Teodor Bercea, Florian Rathgeber, Fabio Luporini, David A. Ham, Paul H. J. Kelly

585 views • 34 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides

More recommend