Thursday, 14 July 2016

Irfan View - Heap Crash (TIF)

Crash during TIF preview... Details and PoC below.

TL;DR

...and some details:

0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
(d9c.f1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04bf7613 ebx=00000000 ecx=00bf0000 edx=04007613 esi=00000000 edi=00251eac
eip=7c9102ee esp=0012bd24 ebp=0012bd4c iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
ntdll!RtlAllocateHeap+0x24a:
7c9102ee 813850450000    cmp     dword ptr [eax],4550h ds:0023:04bf7613=????????


0:000> u eip
ntdll!RtlAllocateHeap+0x24a:
7c9102ee 813850450000    cmp     dword ptr [eax],4550h
7c9102f4 0f8586890100    jne     ntdll!RtlLookupAtomInAtomTable+0x7f6 (7c928c80)
7c9102fa 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
7c9102fe e8e3e5ffff      call    ntdll!strchr+0xf9 (7c90e8e6)
7c910303 c20400          ret     4
7c910306 90              nop
7c910307 90              nop
7c910308 ff              ???


0:000> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bd4c 7c91726f 00bf0000 7c97c092 7ffdfdca ntdll!RtlAllocateHeap+0x24a
0012c000 7c916866 00160de8 0012c028 0012c000 ntdll!RtlDosSearchPath_U+0x296
0012c07c 7c916698 00000001 00160de8 00000000 ntdll!LdrGetDllHandleEx+0x1c5
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0012c098 7c801d23 00160de8 00000000 0012c0c4 ntdll!LdrGetDllHandle+0x18
0012c100 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x22e
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
0012c114 004032e9 00575100 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012c118 00575100 00000000 00000002 00575100 image00400000+0x32e9
0012c11c 00000000 00000002 00575100 00000019 image00400000+0x175100



0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000    cmp     dword ptr [eax],4550h

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 7c9102ee (ntdll!RtlAllocateHeap+0x0000024a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 04bf7613
Attempt to read from address 04bf7613

FAULTING_THREAD:  00000f1c

PROCESS_NAME:  image00400000

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  04bf7613

READ_ADDRESS:  04bf7613

FOLLOWUP_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000    cmp     dword ptr [eax],4550h

MOD_LIST: <ANALYSIS/>

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ; Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 7c91726f to 7c9102ee

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bd4c 7c91726f 00bf0000 7c97c092 7ffdfdca ntdll!RtlAllocateHeap+0x24a
0012c000 7c916866 00160de8 0012c028 0012c000 ntdll!RtlDosSearchPath_U+0x296
0012c07c 7c916698 00000001 00160de8 00000000 ntdll!LdrGetDllHandleEx+0x1c5
0012c098 7c801d23 00160de8 00000000 0012c0c4 ntdll!LdrGetDllHandle+0x18
0012c100 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x22e
0012c114 004032e9 00575100 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012c118 00575100 00000000 00000002 00575100 image00400000+0x32e9
0012c11c 00000000 00000002 00575100 00000019 image00400000+0x175100


SYMBOL_NAME:  heap_corruption!heap_corruption

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME:  heap_corruption

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption

BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/4_4_2_0/56e13a3d/ntdll_dll/5_1_2600_5512/4802a12c/c0000005/000102ee.htm?Retriage=1

Followup: MachineOwner
---------


0:000> !load winext\msec.dll
0:000> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4bf7613
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:7c9102ee cmp dword ptr [eax],4550h

Basic Block:
    7c9102ee cmp dword ptr [eax],4550h
       Tainted Input operands: 'eax'
    7c9102f4 jne ntdll!rtllookupatominatomtable+0x7f6 (7c928c80)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x2af669c6.0xf15c0df4

 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlAllocateHeap+0x24a
Major+Minor : ntdll!RtlDosSearchPath_U+0x296
Major+Minor : ntdll!LdrGetDllHandleEx+0x1c5
Major+Minor : ntdll!LdrGetDllHandle+0x18
Major+Minor : kernel32!LoadLibraryExW+0x22e
Major+Minor : kernel32!LoadLibraryExA+0x1f
Minor       : image00400000+0x32e9
Minor       : image00400000+0x175100
Instruction Address: 0x000000007c9102ee

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlAllocateHeap+0x000000000000024a called from ntdll!RtlDosSearchPath_U+0x0000000000000296 (Hash=0x2af669c6.0xf15c0df4)

The data from the faulting address is later used to determine whether or not a branch is taken.
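As an added example (not part of the original post), the following Python helper parses the WinDbg `!analyze -v` fields and the `!exploitable` verdict shown above and turns them into a triage decision. The field names and values come from the dump above; the triage rules and action labels are my own assumptions, chosen to match what `!analyze` itself recommends here (re-run under page heap when the fault lands inside the allocator).

```python
import re
# Constructed sample: a trimmed copy of the WinDbg lines from this post
# (!analyze -v fields plus the !exploitable verdict), not a fresh capture.
SAMPLE = """\
(d9c.f1c): Access violation - code c0000005 (first chance)
FAULTING_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000    cmp     dword ptr [eax],4550h
READ_ADDRESS:  04bf7613
PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION
FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
Exception Hash (Major/Minor): 0x2af669c6.0xf15c0df4
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
"""

FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):(.*)$")          # !analyze "KEY:  value" lines
VERDICT_RE = re.compile(r"^(Short Description|Exploitability Classification): (.+)$", re.M)
HASH_RE = re.compile(r"Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)")

def parse_windbg(text):
    """Collect the fields a fuzzing triage pipeline keys on."""
    fields, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if not val and i + 1 < len(lines):   # FAULTING_IP puts its value on the next line
            val = lines[i + 1].strip()
        fields[key] = val
    fields.update(VERDICT_RE.findall(text))
    m = HASH_RE.search(text)
    if m:
        fields["major_hash"], fields["minor_hash"] = m.groups()
    return fields

def triage(fields):
    """Pick the next step (rules are this example's own). A HEAP_CORRUPTION bucket
    with the fault inside RtlAllocateHeap means the allocator tripped over metadata
    smashed earlier, so the faulting frame is not the bug: re-run under page heap."""
    heap_bug = (fields.get("PRIMARY_PROBLEM_CLASS") == "HEAP_CORRUPTION"
                and "RtlAllocateHeap" in fields.get("FAULTING_IP", ""))
    action = "rerun-pageheap" if heap_bug else "review"
    if fields.get("Exploitability Classification") == "EXPLOITABLE":
        action = "file-high"    # other !exploitable verdicts stay on the review path
    # De-duplicate on the Major/Minor hash so repeated hits of one crash are filed once.
    key = fields.get("major_hash", "?") + "." + fields.get("minor_hash", "?")
    return {"action": action, "dedup_key": key, "bucket": fields.get("FAILURE_BUCKET_ID", "")}
```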

+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.

+---------------------------------------------------------------------------+
Cheers,
Cody