Exploiting memory corruption vulnerabilities in server-side software often requires knowledge of the binary and environment, which limits the attack surface, especially for unknown binaries and load-balanced environments.
Successful exploitation is challenging due to the difficulty of preparing the heap and deploying ROP chains without this information.
Researchers discovered vulnerabilities in the Kakadu JPEG 2000 library, which could potentially allow remote code execution, by developing a technique called “Conditional Corruption” to exploit these vulnerabilities, crafting self-modifying images to achieve the desired impact.
A technical overview of JPEG 2000, including its vulnerabilities and exploitation strategies, has been provided by using code snippets from Kakadu version 8.41 to illustrate their findings and explain the challenges encountered during exploit development.
The JPEG 2000 standard uses boxes to store metadata about an image, such as its dimensions and color information, which are hierarchical, allowing for nested structures.
The actual image data, encoded in the codestream, is typically located within a specific box within the overall file structure.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
The Codestream, a sequence of Type-Length-Value containers called Segment Markers, stores image data. Each Segment Marker starts with a unique identifier followed by a length field.
Tiles, rectangular units within the image, are defined by Start-of-Tile (SOT) and Start-of-Data (SOD) markers, which include a tile index used to calculate its position in the image.
A vulnerability in Kakadu’s JPEG 2000 decoder that allows for arbitrary file reads by exploiting Codestream fragmentation, which is a variant of TALOS-2017-0309 and caused by an out-of-bounds write on the heap due to signed integer multiplication.
It allows attackers to inject bytes from local files into the codestream of JPX images. By crafting JPX images with specific data references and fragment tables, attackers can exfiltrate bytes from arbitrary files by encoding them within the image’s properties or pixels.
The researchers exploited a vulnerability in JPEG 2000 by manipulating tile data and comment markers to leak sensitive data within an image and used a jump table mechanism to encode leaked bytes into pixel values, allowing for data exfiltration and potential remote code execution.
They found that Kakadu’s default behavior of writing uninitialized tiles with 0x80 data caused unpredictable crashes.
By leveraging the SOT marker’s tile-number parameter, they were able to craft an image that would write only a single tile of controlled data, preventing the 808080 Apocalypse and enabling more reliable and predictable heap overflows.
The attackers found a reliable heap overflow in Kakadu by exploiting a composition layer extensions box by using a Kha-Kha slide to dynamically determine the object alignment and avoid crashes, increasing exploit reliability.
Bug Hunter also added a mechanism to check for invalid memory addresses and bail out early, preventing the exploitation of unintended targets.
Leveraging file-read and memory-read primitives, they executed conditional corruption to reliably target a worker process and gain a write-what-where primitive, which allowed them to locate global variables, hijack control flow, and execute arbitrary code without user impact.
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar