2025-01-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
How do you fuzz the color-profile parsing in Windows image handling? Many people with little experience do not know where to start, so this article summarizes the approach, the tooling, and the vulnerability it turned up, in the hope that it helps you work through the same problem.
I. Overview
Image parsing and rendering are basic functions of any modern operating system (OS). At the same time, image parsing is an easily reachable attack surface that can lead to remote code execution or information disclosure, which makes it very valuable to attackers. In this series of articles I will review the image parsers and related file formats built into the Windows operating system, with a particular focus on building tools, finding a corpus, and discovering vulnerabilities through fuzzing. In this first part we focus on color profiles. A color profile is not an image format in itself, but a set of color rules embedded in the image.
II. Analysis of the ICC color profile
Wikipedia gives the following definition of the ICC color profile: "In color management, an ICC profile is a set of data that characterizes a color input or output device, or a color space, according to standards promulgated by the International Color Consortium (ICC). Profiles describe the color attributes of a particular device or viewing requirement by defining a mapping between the device source or target color space and a profile connection space (PCS). This PCS is either CIELAB (L*a*b*) or CIEXYZ. Mappings may be specified using tables, to which interpolation is applied, or through a series of parameters for transformations."
In short, the ICC color profile is a binary file that is embedded in the image and parsed when the image is processed by software supported by ICC.
III. ICC specification
The ICC specification is about 100 pages long and relatively easy to navigate. Reading it through gives a better understanding of the file format, the different types of color profile, and the mathematics behind color conversion. Understanding the internal structure of the file format also gives us the information needed to better target the fuzzer, select a good corpus, and prepare dictionaries for fuzzing.
IV. Windows color management
Windows 95 shipped version 1.0 of Image Color Management (ICM), and Windows 98 shipped version 2.0. Starting with Windows Vista, significant changes arrived with version 1.0 of the Windows Color System (WCS). ICC color profiles are binary, whereas WCS color profiles use XML as their file format. In this article we concentrate on ICC color profiles.
Microsoft has published a list of the supported Windows APIs, including some with self-explanatory names such as OpenColorProfile, which we can see implemented in MSCMS.dll. This DLL is the common entry point that loads Microsoft's color management module (CMM) as well as third-party CMMs (such as Adobe's). Microsoft's CMM, also called ICM, can be found in the system32 directory as ICM32.dll.
ICM32:
Windows' CMM was written by a third party in the Windows 95 era, and it still contains more or less the code from that time, although it has received security fixes for decades. Because it is such an old module, we can hope to find new vulnerabilities in it. On the other hand, it is a very small module that has probably been through several rounds of auditing and fuzzing, both by internal product security teams and by external researchers, which lowers our expectations somewhat. Searching for recently reported ICM32 vulnerabilities shows that Project Zero and ZDI researchers found several during 2017-2018, but nothing further has been published since 2019.
V. Building the tool
Although MSDN lists the ICM APIs, we still need to find the API sequence that Windows uses for ICC-related operations. One way is to search the disassembly of Windows DLLs and EXEs for calls to the color-profile APIs; another is to look at the harness of an open-source color management system such as Little CMS (LCMS). Both methods end up pointing to a small number of APIs that open color profiles and create color transforms.
Based on the above, I wrote a simple initial tool:
#include <stdio.h>
#include <string.h>
#include <Windows.h>
#include <Icm.h>
#pragma comment(lib, "mscms.lib")

// Usage: ldr.exe <profile.icc>
// Opens the fuzzed profile as the source, the system sRGB profile as the
// destination, and builds a transform between them so that ICM32 parses both.
int main(int argc, char** argv)
{
    if (argc < 2)
        return -1;

    char dstProfilePath[] = "sRGB Color Space Profile.icm";
    tagPROFILE destinationProfile;
    HPROFILE hDstProfile = nullptr;

    destinationProfile.dwType = PROFILE_FILENAME;
    destinationProfile.pProfileData = dstProfilePath;
    destinationProfile.cbDataSize = (DWORD)(strlen(dstProfilePath) + 1);

    hDstProfile = OpenColorProfileA(&destinationProfile, PROFILE_READ, FILE_SHARE_READ, OPEN_EXISTING);
    if (nullptr == hDstProfile)
        return -1;

    tagPROFILE sourceProfile;
    HPROFILE hSrcProfile = nullptr;
    HTRANSFORM hColorTransform = nullptr;
    DWORD dwIntent[] = { INTENT_PERCEPTUAL, INTENT_PERCEPTUAL };
    HPROFILE hProfileList[2];

    sourceProfile.dwType = PROFILE_FILENAME;
    sourceProfile.pProfileData = argv[1];
    sourceProfile.cbDataSize = (DWORD)(strlen(argv[1]) + 1);

    hSrcProfile = OpenColorProfileA(&sourceProfile, PROFILE_READ, FILE_SHARE_READ, OPEN_EXISTING);
    if (nullptr == hSrcProfile)
        return -1;

    hProfileList[0] = hSrcProfile;
    hProfileList[1] = hDstProfile;

    // This is the call that drives ICM32's profile parsing.
    hColorTransform = CreateMultiProfileTransform(hProfileList, 2, dwIntent, 2,
                                                  USE_RELATIVE_COLORIMETRIC | BEST_MODE, INDEX_DONT_CARE);
    if (nullptr == hColorTransform)
        return -1;

    DeleteColorTransform(hColorTransform);
    CloseColorProfile(hSrcProfile);
    CloseColorProfile(hDstProfile);
    return 0;
}
VI. Searching for corpora and dictionaries
On the Internet you can find many websites that provide color profiles. Another major source of color profiles is images: many image files embed a color profile, but a tool is needed to dump the profile into a separate file.
By simply browsing the specification, we can also make sure the corpus contains at least one sample of each of the seven different types of color profile. Combined with code coverage information, this gives the first corpus for fuzzing.
While going through the specification, we can also build a list of the unique tag names and their values to prepare a dictionary that helps the fuzzer reach other code paths. Dictionaries can also be found in open-source fuzzing harnesses such as the one for LCMS.
VII. Fuzzing
I fuzzed the first corpus on a 16-core host, using code coverage from MSCMS.dll and ICM32.dll as feedback for my fuzzer. After a few days, crashes started to appear.
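To show the corpus and dictionary step concretely, here is an added example that is not code from the article: a small C walker over the ICC header and tag table that checks each tag's offset and size against the file before accepting its signature into a dictionary list. The sample profile it builds is constructed for the test and is not a real profile.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICC_HEADER_SIZE 128u   /* fixed header; the tag count follows at byte 128 */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put_entry(uint8_t *e, const char *sig, uint32_t off, uint32_t size) {
    memcpy(e, sig, 4); put32(e + 4, off); put32(e + 8, size);
}

/* Walk the tag table of the profile in buf[0..len). Each 12-byte entry is
 * signature, offset, size. A tag is accepted only if its data lies entirely inside
 * the buffer; accepted signatures go into sigs (a fuzzing dictionary). Returns the
 * number accepted, or -1 if the header or the table itself does not fit. */
int icc_collect_tags(const uint8_t *buf, size_t len, char sigs[][5], size_t max_sigs) {
    if (len < ICC_HEADER_SIZE + 4 || memcmp(buf + 36, "acsp", 4) != 0) return -1;
    uint32_t count = be32(buf + ICC_HEADER_SIZE);
    if (count > (len - ICC_HEADER_SIZE - 4) / 12) return -1;  /* table overruns buffer */
    int accepted = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ICC_HEADER_SIZE + 4 + (size_t)i * 12;
        uint32_t off = be32(e + 4), size = be32(e + 8);
        /* check off first, then size against the remainder, so off + size cannot wrap */
        if (off > len || size > len - off) {
            fprintf(stderr, "tag %.4s rejected: off=%u size=%u len=%zu\n", e, off, size, len);
            continue;
        }
        if ((size_t)accepted < max_sigs) { memcpy(sigs[accepted], e, 4); sigs[accepted][4] = 0; }
        accepted++;
    }
    return accepted;
}

/* Constructed sample (not a real profile): two in-bounds tags plus an 'ncl2' entry
 * whose offset points far past the end of the file, as a fuzzer might produce. */
size_t build_sample_profile(uint8_t *out, size_t cap) {
    const size_t total = ICC_HEADER_SIZE + 4 + 3 * 12 + 16 + 20;  /* 204 bytes */
    if (cap < total) return 0;
    memset(out, 0, total);
    put32(out, (uint32_t)total);                 /* profile size field */
    memcpy(out + 12, "mntr", 4);                 /* profile/device class */
    memcpy(out + 36, "acsp", 4);                 /* profile file signature */
    put32(out + 128, 3);                         /* tag count */
    put_entry(out + 132, "desc", 168, 16);
    put_entry(out + 144, "wtpt", 184, 20);
    put_entry(out + 156, "ncl2", 0xFFFFFFF0u, 0x100);
    return total;
}
```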
CVE-2020-1117: heap overflow in InitNamedColorProfileData
The following crash occurred in icm32!SwapShortOffset on an out-of-bounds read:
0:000> r
rax=0000023690497000 rbx=0000000000000000 rcx=00000000000000ff
rdx=000000000000ffff rsi=0000023690496f00 rdi=0000023690496fee
rip=00007ffa46bf3790 rsp=000000c2a56ff5a8 rbp=0000000000000001
 r8=0000000000000014  r9=0000023690497002 r10=0000000000000014
r11=0000000000000014 r12=000000c2a56ff688 r13=0000023690492de0
r14=000000000000000a r15=000000004c616220
iopl=0         nv up ei ng nz ac pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
icm32!SwapShortOffset+0x10:
00007ffa`46bf3790 0fb610          movzx   edx,byte ptr [rax] ds:00000236`90497000=??
0:000> !heap -p -a @rax
    address 0000023690497000 found in
    _DPH_HEAP_ROOT @ 23690411000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                23690412b60:      23690496f00              100 -      23690496000             2000
    00007ffa51644807 ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007ffa515f49d6 ntdll!RtlpAllocateHeap+0x0000000000077ae6
    00007ffa5157babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb
    00007ffa51479da0 msvcrt!malloc+0x0000000000000070
    00007ffa46bf3805 icm32!SmartNewPtr+0x0000000000000011
    00007ffa46bf37c8 icm32!SmartNewPtrClear+0x0000000000000014
    00007ffa46c02d05 icm32!InitNamedColorProfileData+0x0000000000000085
    00007ffa46bf6e39 icm32!Create_LH_ProfileSet+0x0000000000004e15
    00007ffa46bf1973 icm32!PrepareCombiLUTs+0x0000000000000117
    00007ffa46bf1814 icm32!CMMConcatInitPrivate+0x00000000000001f4
    00007ffa46bf12a1 icm32!CWConcatColorWorld4MS+0x0000000000000075
    00007ffa46bf11f4 icm32!CMCreateMultiProfileTransformInternal+0x00000000000000e8
    00007ffa46bf1039 icm32!CMCreateMultiProfileTransform+0x0000000000000029
    00007ffa48f16e6c mscms!CreateMultiProfileTransform+0x000000000000024c
    00007ff774651191 ldr+0x0000000000001191
    00007ff7746514b4 ldr+0x00000000000014b4
    00007ffa505a7bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    00007ffa515aced1 ntdll!RtlUserThreadStart+0x0000000000000021
icm32!SwapShortOffset reads unsigned short values, byte-swaps them, and stores them back in the same location, so an out-of-bounds range gives both a read and a write past the buffer; the crash here is on the read.
Decompiled SwapShortOffset:
unsigned __int16 *__fastcall SwapShortOffset(void *sourceBuff, unsigned int offset, unsigned int len)
{
    unsigned __int16 *endBuff; // r9
    unsigned __int16 *result;  // rax

    endBuff = (sourceBuff + len);
    for (result = (sourceBuff + offset); result < endBuff; ++result)
        *result = _byteswap_ushort(*result); // read, bswap and write
    return result;
}
The crashing function, icm32!SwapShortOffset, does not by itself point to the root cause. For that we need to look at icm32!InitNamedColorProfileData.
Decompiled InitNamedColorProfileData:
__int64 __fastcall InitNamedColorProfileData(__int64 a1, void *hProfile, int a3, _DWORD *a4)
{
    ...
    errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, 0i64); // getting size of ncl2 element
    if (errCode)
        return errCode;
    minSize = pBuffSize[0];
    if (pBuffSize[0] < 0x55)
        minSize = 0x55;
    pBuffSize[0] = minSize;
    outBuff = SmartNewPtrClear(minSize, &errCode); // allocating the buffer for ncl2
    ...
    errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, outBuff); // reading ncl2 elements to buffer
    if (!errCode)
    {
        ...
        totalSizeToRead = count * totalDeviceCoord;
        if (totalSizeToRead < 0xFFFFFFFFFFFFFFAEui64 && totalSizeToRead + 0x51
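As an added illustration of the kind of check that is missing in the two decompiled routines above (example code, not icm32's code and not Microsoft's fix), the following C byte-swap routine takes the allocation size and rejects any range outside it, and a hypothetical caller forms the count times coordinates product in 64 bits before calling it. The header offset passed as fixed_hdr and the two-bytes-per-coordinate layout are assumptions, and the 0x100-byte block mirrors the UserSize in the crash output.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Byte-swap every 16-bit value in buf[offset, end) in place. The decompiled
 * icm32!SwapShortOffset trusts the caller's len; this version also takes the
 * allocation size and rejects any range that is not fully inside it, including
 * an odd-length range whose last value would straddle the end of the block.
 * Returns the number of values swapped, or -1 if the range is rejected. */
int swap_shorts_checked(uint8_t *buf, size_t buf_size, size_t offset, size_t end) {
    if (end > buf_size || offset > end || ((end - offset) & 1u)) return -1;
    int n = 0;
    for (size_t i = offset; i < end; i += 2, n++) {
        uint8_t t = buf[i]; buf[i] = buf[i + 1]; buf[i + 1] = t;
    }
    return n;
}

/* Hypothetical caller in the shape of InitNamedColorProfileData: the number of
 * 16-bit coordinates comes from two 32-bit fields of the ncl2 tag (count and
 * coordinates per colour), so the product is formed in 64 bits and checked
 * against the real allocation before anything is swapped. fixed_hdr is the
 * byte offset where the coordinate array starts (assumed, not the true layout). */
int swap_ncl2_coords(uint8_t *buf, size_t buf_size, size_t fixed_hdr,
                     uint32_t count, uint32_t coords_per_color) {
    uint64_t bytes = (uint64_t)count * coords_per_color * 2u;
    if (fixed_hdr > buf_size || bytes > buf_size - fixed_hdr) return -1;
    return swap_shorts_checked(buf, buf_size, fixed_hdr, fixed_hdr + (size_t)bytes);
}

/* Constructed scenario mirroring the crash: a 0x100-byte heap block whose tag
 * counts ask for 0x1000 coordinates. Returns 1 if that request is rejected and
 * an in-bounds request of 4 coordinates is swapped correctly, else 0. */
int demo_crash_scenario(void) {
    uint8_t block[0x100];
    for (size_t i = 0; i < sizeof block; i++) block[i] = (uint8_t)i;
    if (swap_ncl2_coords(block, sizeof block, 0x55, 0x100, 0x10) != -1) return 0; /* would run past block */
    if (swap_ncl2_coords(block, sizeof block, 0x10, 2, 2) != 4) return 0;
    /* bytes 0x10..0x17 were 10 11 12 13 14 15 16 17 and are now swapped pairwise */
    return block[0x10] == 0x11 && block[0x11] == 0x10 && block[0x17] == 0x16;
}
```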