Monday, 29 May 2017

Multiple crashes in RealPlayer 18.1.7.344

A few bugs found in RealPlayer 18.1.7.344 during recent fuzzing (Win7/32-bit) - FYI...

A few details below:

Case#01:
------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Real\RealPlayer\realplay.exe" /launch:desktop C:\sf_a3ac7ddabb263c2d00b73e8177d15c8d-754.mp4
(...)
Executable search path is:
ModLoad: 00f90000 0101d000   realplay.exe
(...)
ModLoad: 71b40000 71b44000   C:\Program Files\Real\Runtimes\api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 71a50000 71b31000   C:\Program Files\Real\Runtimes\ucrtbase.DLL
ModLoad: 71a40000 71a43000   C:\Program Files\Real\Runtimes\api-ms-win-core-timezone-l1-1-0.dll
ModLoad: 71a30000 71a33000   C:\Program Files\Real\Runtimes\api-ms-win-core-file-l2-1-0.dll
ModLoad: 71a20000 71a23000   C:\Program Files\Real\Runtimes\api-ms-win-core-localization-l1-2-0.dll
ModLoad: 71a10000 71a13000   C:\Program Files\Real\Runtimes\api-ms-win-core-synch-l1-2-0.dll
ModLoad: 71a00000 71a03000   C:\Program Files\Real\Runtimes\api-ms-win-core-processthreads-l1-1-1.dll
ModLoad: 719f0000 719f3000   C:\Program Files\Real\Runtimes\api-ms-win-core-file-l1-2-0.dll
ModLoad: 719e0000 719e4000   C:\Program Files\Real\Runtimes\api-ms-win-crt-string-l1-1-0.dll
ModLoad: 719d0000 719d3000   C:\Program Files\Real\Runtimes\api-ms-win-crt-heap-l1-1-0.dll
ModLoad: 719c0000 719c4000   C:\Program Files\Real\Runtimes\api-ms-win-crt-stdio-l1-1-0.dll
ModLoad: 719b0000 719b4000   C:\Program Files\Real\Runtimes\api-ms-win-crt-convert-l1-1-0.dll
ModLoad: 719a0000 719a3000   C:\Program Files\Real\Runtimes\api-ms-win-crt-locale-l1-1-0.dll
ModLoad: 71990000 71995000   C:\Program Files\Real\Runtimes\api-ms-win-crt-math-l1-1-0.dll
ModLoad: 71980000 71985000   C:\Program Files\Real\Runtimes\api-ms-win-crt-multibyte-l1-1-0.dll
ModLoad: 71970000 71973000   C:\Program Files\Real\Runtimes\api-ms-win-crt-time-l1-1-0.dll
ModLoad: 71960000 71963000   C:\Program Files\Real\Runtimes\api-ms-win-crt-filesystem-l1-1-0.dll
ModLoad: 71950000 71953000   C:\Program Files\Real\Runtimes\api-ms-win-crt-environment-l1-1-0.dll
ModLoad: 71940000 71943000   C:\Program Files\Real\Runtimes\api-ms-win-crt-utility-l1-1-0.dll
ModLoad: 02800000 028b5000   C:\Program Files\Real\RealPlayer\dbghelp.dll
(a6c.ad4): Break instruction exception - code 80000003 (first chance)
(...)
ModLoad: 6e470000 6e48a000   c:\program files\real\realplayer\CrashRpt\CrashRpt1402.dll
(...)
ModLoad: 6c260000 6c2c1000   C:\Program Files\Real\RealPlayer\common\hxmedpltfm.dll
(...)
ModLoad: 6b760000 6b969000   C:\Program Files\Real\RealPlayer\rpplugins\rpap3260.dll
(...)
ModLoad: 70670000 7067a000   C:\Program Files\Real\RealPlayer\common\pnrs3260.dll
ModLoad: 6b2b0000 6b3d1000   C:\Program Files\Real\RealPlayer\rpplugins\rpcl3260.dll
ModLoad: 6bd50000 6bdc6000   C:\Program Files\Real\RealPlayer\RCAPlugins\uisy3201.dll
ModLoad: 6b070000 6b224000   C:\Program Files\Real\RealPlayer\RCAPlugins\rpsharedcomponents.dll
ModLoad: 6ae00000 6b063000   C:\Program Files\Real\RealPlayer\RCAPlugins\rpcontrols.dll
ModLoad: 6c230000 6c25f000   C:\Program Files\Real\RealPlayer\plugins\zipf3260.dll
ModLoad: 6acd0000 6adfe000   C:\Program Files\Real\RealPlayer\rpplugins\rjbc3260.dll
ModLoad: 6b590000 6b607000   C:\Program Files\Real\RealPlayer\common\pngu3267.dll
ModLoad: 6b710000 6b755000   C:\Program Files\Real\RealPlayer\RCAPlugins\mpacore.dll
ModLoad: 6b4a0000 6b56c000   C:\Program Files\Real\RealPlayer\rpplugins\myde3260.dll
ModLoad: 6ac00000 6acc2000   C:\Program Files\Real\RealPlayer\mpaplugins\mpamedia.dll
ModLoad: 6b640000 6b689000   C:\Program Files\Real\RealPlayer\rpplugins\rpme3260.dll
ModLoad: 70680000 7068c000   C:\Program Files\Real\RealPlayer\plugins\pxcb3210.dll
ModLoad: 6ab70000 6abf1000   C:\Program Files\Real\RealPlayer\plugins\imgrender.dll
ModLoad: 6aab0000 6ab62000   C:\Program Files\Real\RealPlayer\rpplugins\rpmn3260.dll
ModLoad: 6a9c0000 6aaa8000   C:\Program Files\Real\RealPlayer\rpplugins\rpwe3260.dll
ModLoad: 6de60000 6de7d000   c:\program files\real\realplayer\RPDS\Lib\r1com.dll
ModLoad: 6ddb0000 6de53000   c:\program files\real\realplayer\RPDS\Lib\r1api.dll
ModLoad: 705a0000 705af000   C:\Program Files\Real\RealPlayer\rpplugins\rpms3260.dll
ModLoad: 6cea0000 6ceb8000   C:\Program Files\Real\RealPlayer\common\twebbrowse.dll
(...)
Executable search path is:
ModLoad: 012c0000 019de000   rpsystray.exe
(...)
(e98.b44): Break instruction exception - code 80000003 (first chance)
(...)
Executable search path is:
ModLoad: 00a40000 00a62000   realupgrade.exe
(...)
Executable search path is:
ModLoad: 01350000 013ab000   recordingmanager.exe
(...)
(ca8.97c): Break instruction exception - code 80000003 (first chance)
(...)
ModLoad: 70580000 70588000   C:\Program Files\Real\RealPlayer\mpaplugins\rjrmapln.dll
ModLoad: 6cea0000 6ceb6000   C:\Program Files\Real\RealPlayer\mpaplugins\rjm4pln.dll
ModLoad: 6b610000 6b63f000   C:\Program Files\Real\RealPlayer\plugins\mp4fformat.dll
ModLoad: 6ce40000 6ce57000   C:\Program Files\Real\RealPlayer\plugins\smplfsys.dll
ModLoad: 6bd30000 6bd46000   C:\Program Files\Real\RealPlayer\mpaplugins\rjm4pln.dll
ModLoad: 6b420000 6b44a000   C:\Program Files\Real\RealPlayer\rpplugins\rpqt3260.dll
ModLoad: 69dd0000 6a255000   c:\program files\real\realplayer\MediaInfo.dll
(a6c.ad4): C++ EH exception - code e06d7363 (first chance)
(a6c.ad4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03d02d78 ebx=03d02d80 ecx=03b58a50 edx=ff7a4a48 esi=00340000 edi=00000000
eip=77811f70 esp=001ae5ec ebp=001ae5fc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlFreeHeap+0x3f:
77811f70 80780705        cmp     byte ptr [eax+7],5         ds:0023:03d02d7f=??

0:000> r;!exploitable -v
eax=03d02d78 ebx=03d02d80 ecx=03b58a50 edx=ff7a4a48 esi=00340000 edi=00000000
eip=77811f70 esp=001ae5ec ebp=001ae5fc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlFreeHeap+0x3f:
77811f70 80780705        cmp     byte ptr [eax+7],5         ds:0023:03d02d7f=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x3d02d7f
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:77811f70 cmp byte ptr [eax+7],5

Basic Block:
    77811f70 cmp byte ptr [eax+7],5
       Tainted Input operands: 'eax'
    77811f74 je ntdll!rtltimetoelapsedtimefields+0x1dd0 (7783b264)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xb4630163.0xcf34cbfe

 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlFreeHeap+0x3f
Excluded    : kernel32!HeapFree+0x14
Major+Minor : MediaInfo!MediaInfo_Info_Version+0x30d479
Major+Minor : MediaInfo!MediaInfo_Info_Version+0x39021
Major+Minor : MediaInfo!MediaInfo_Info_Version+0x197ea
Major+Minor : rpcl3260!RMAShutdown+0x4c546
Major+Minor : rpcl3260!RMAShutdown+0x20044
Minor       : rpcl3260!RMAShutdown+0x1cb10
Minor       : rpcl3260!RMAShutdown+0x1d57f
Minor       : rpcl3260!RMAShutdown+0x1c91c
Minor       : rpcl3260!RMAShutdown+0x1c9ca
Minor       : rpap3260+0x14a3c
Minor       : rpap3260+0x1086e
Minor       : rpap3260+0xaf6a
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!IsThreadDesktopComposited+0x2a6
Minor       : USER32!IsThreadDesktopComposited+0x3e5
Minor       : USER32!DispatchMessageA+0xf
Minor       : uisy3201+0x4590
Minor       : uisy3201+0x71fe
Minor       : rpap3260+0x572d
Minor       : realplay+0x2edf
Minor       : realplay+0xf661
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000077811f70

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlFreeHeap+0x000000000000003f called from MediaInfo!MediaInfo_Info_Version+0x000000000030d479 (Hash=0xb4630163.0xcf34cbfe)

The data from the faulting address is later used to determine whether or not a branch is taken.
------------------------------------------------------------------------------------------
Updated:

Case#02: Heap Corrupted


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Real\RealPlayer\realplay.exe" /launch:desktop C:\\sf_a3ac7ddabb263c2d00b73e8177d15c8d-589.mp4
ModLoad: 011f0000 0127d000   realplay.exe
(...)
(fc8.468): C++ EH exception - code e06d7363 (first chance)
Critical error detected c0000374
(fc8.468): Break instruction exception - code 80000003 (first chance)
(fc8.468): Unknown exception - code c0000374 (first chance)
(fc8.468): Unknown exception - code c0000374 (!!! second chance !!!)
eax=002ce45c ebx=00000000 ecx=777e07ed edx=002ce1f9 esi=00110000 edi=03bd3070
eip=7788283b esp=002ce44c ebp=002ce4c4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a77:
7788283b eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8b (7788284f)

0:000> r;!exploitable -v;q
eax=002ce45c ebx=00000000 ecx=777e07ed edx=002ce1f9 esi=00110000 edi=03bd3070
eip=7788283b esp=002ce44c ebp=002ce4c4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a77:
7788283b eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8b (7788284f)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7788283b
Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)

Exception Hash (Major/Minor): 0x380b2163.0xa9d64cea

 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a77
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x29a7
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2a87
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2cf0
Major+Minor : ntdll!RtlTimeToElapsedTimeFields+0xe643
Minor       : ntdll!RtlTryEnterCriticalSection+0x258
Excluded    : kernel32!HeapFree+0x14
Minor       : MediaInfo!MediaInfo_Info_Version+0x30d479
Minor       : MediaInfo!MediaInfo_Info_Version+0x39021
Minor       : MediaInfo!MediaInfo_Info_Version+0x197ea
Minor       : rpcl3260!RMAShutdown+0x4c546
Minor       : rpcl3260!RMAShutdown+0x20044
Minor       : rpcl3260!RMAShutdown+0x1cb10
Minor       : rpcl3260!RMAShutdown+0x1d57f
Minor       : rpcl3260!RMAShutdown+0x1c91c
Minor       : rpcl3260!RMAShutdown+0x1c9ca
Minor       : rpap3260+0x14a3c
Minor       : rpap3260+0x1086e
Minor       : rpap3260+0xaf6a
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!IsThreadDesktopComposited+0x2a6
Minor       : USER32!IsThreadDesktopComposited+0x3e5
Minor       : USER32!DispatchMessageA+0xf
Minor       : uisy3201+0x4590
Minor       : uisy3201+0x71fe
Minor       : rpap3260+0x572d
Minor       : realplay+0x2edf
Minor       : realplay+0xf661
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000007788283b

Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a77 (Hash=0x380b2163.0xa9d64cea)

Heap Corruption has been detected. This is considered exploitable, and must be fixed.

------------------------------------------------------------------------------------------
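A small triage helper, added here as an example and not part of the original post: it parses the !exploitable fields shown in both cases above (exception type, Major/Minor hash, classification, per-frame hash usage) and buckets crashes by major hash, so the two cases are filed as distinct bugs with the heap corruption ranked first. The sample reports are abbreviated from the logs above.

```python
import re

# Two !exploitable reports abbreviated from the logs above (constructed sample input).
REPORTS = [
    """First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0xb4630163.0xcf34cbfe
 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlFreeHeap+0x3f
Major+Minor : MediaInfo!MediaInfo_Info_Version+0x30d479
Minor       : rpcl3260!RMAShutdown+0x1cb10
Exploitability Classification: UNKNOWN
""",
    """Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)
Exception Hash (Major/Minor): 0x380b2163.0xa9d64cea
 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a77
Minor       : MediaInfo!MediaInfo_Info_Version+0x30d479
Exploitability Classification: EXPLOITABLE
""",
]

# Severity order used by !exploitable; lower number means higher priority.
RANK = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}

def parse_report(text):
    """Pull the fields a triage queue keys on out of one '!exploitable -v' report."""
    rec = {"frames": []}
    for line in text.splitlines():
        m = re.match(r"(First|Second) Chance Exception Type: (\S+) \((0x[0-9A-Fa-f]+)\)", line)
        if m:
            rec["chance"], rec["exception"], rec["code"] = m.group(1).lower(), m.group(2), m.group(3).lower()
            continue
        m = re.match(r"Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)", line)
        if m:
            rec["major"], rec["minor"] = m.group(1), m.group(2)
            continue
        m = re.match(r"Exploitability Classification: (\S+)", line)
        if m:
            rec["classification"] = m.group(1)
            continue
        m = re.match(r"(Major\+Minor|Minor|Excluded)\s*: (\S+)", line)
        if m:
            rec["frames"].append((m.group(1), m.group(2)))
    # Frames feeding the major hash define the bucket; "Excluded" frames are allocator/runtime noise.
    rec["bucket_frames"] = [f for use, f in rec["frames"] if use == "Major+Minor"]
    return rec

def triage(reports):
    """Bucket reports by major hash, keeping the highest-severity report per bucket, worst first."""
    buckets = {}
    for r in map(parse_report, reports):
        cur = buckets.get(r["major"])
        if cur is None or RANK[r["classification"]] < RANK[cur["classification"]]:
            buckets[r["major"]] = r
    return sorted(buckets.values(), key=lambda r: RANK[r["classification"]])
```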
; more:
; -- https://code610.blogspot.com
; -- https://twitter.com/codysixteen


tl;dr ;\
poc2 <-- here
