Sunday, 9 April 2017

Multiple Crashes in VLC 2.2.4

Just a 'quick note'. Below are a few examples and notes, as usual.


I used Windows XP SP3 and the 'latest' VLC available here (2.2.4).
I also used "gflags.exe /p /enable vlc.exe /full" (full page heap) for more details.

Ok. Results, results...

Sample#01: parsing FLAC:

WinDbg is attached to the running VLC player. Drag & drop the PoC file
onto the VLC window to see:

---<cut>---
(128.5d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00010000 ebx=00000002 ecx=00000010 edx=017b1000 esi=00001a90 edi=00000005
eip=62982335 esp=02cefcc0 ebp=000006a4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll -
libflac_plugin+0x2335:
62982335 8902            mov     dword ptr [edx],eax  ds:0023:017b1000=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:010> g
(128.41c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00180000 ebx=003f0178 ecx=016601f4 edx=00000fa0 esi=003f0000 edi=01757000
eip=7c91a661 esp=0166d89c ebp=0166d8d0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
ntdll!RtlReAllocateHeap+0xae1:
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]      ds:0023:0017fff8=????
0:004> g
(128.41c): Access violation - code c0000005 (!!! second chance !!!)
eax=00180000 ebx=003f0178 ecx=016601f4 edx=00000fa0 esi=003f0000 edi=01757000
eip=7c91a661 esp=0166d89c ebp=0166d8d0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
ntdll!RtlReAllocateHeap+0xae1:
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]      ds:0023:0017fff8=????
---<cut>---

Cool. Next:

---<cut>---
0:004> u eip
ntdll!RtlReAllocateHeap+0xae1:
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]
7c91a665 7606            jbe     ntdll!RtlReAllocateHeap+0xaed (7c91a66d)
7c91a667 8b00            mov     eax,dword ptr [eax]
7c91a669 3bd8            cmp     ebx,eax
7c91a66b 75f4            jne     ntdll!RtlReAllocateHeap+0xae1 (7c91a661)
7c91a66d 8b5004          mov     edx,dword ptr [eax+4]
7c91a670 8d4f08          lea     ecx,[edi+8]
7c91a673 8901            mov     dword ptr [ecx],eax
0:004> u eip-1
ntdll!RtlReAllocateHeap+0xae0:
7c91a660 0f663b          pcmpgtd mm7,mmword ptr [ebx]
7c91a663 48              dec     eax
7c91a664 f8              clc
7c91a665 7606            jbe     ntdll!RtlReAllocateHeap+0xaed (7c91a66d)
7c91a667 8b00            mov     eax,dword ptr [eax]
7c91a669 3bd8            cmp     ebx,eax
7c91a66b 75f4            jne     ntdll!RtlReAllocateHeap+0xae1 (7c91a661)
7c91a66d 8b5004          mov     edx,dword ptr [eax+4]
0:004> u eip-2
ntdll!RtlReAllocateHeap+0xadf:
7c91a65f 8b0f            mov     ecx,dword ptr [edi]
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]
7c91a665 7606            jbe     ntdll!RtlReAllocateHeap+0xaed (7c91a66d)
7c91a667 8b00            mov     eax,dword ptr [eax]
7c91a669 3bd8            cmp     ebx,eax
7c91a66b 75f4            jne     ntdll!RtlReAllocateHeap+0xae1 (7c91a661)
7c91a66d 8b5004          mov     edx,dword ptr [eax+4]
7c91a670 8d4f08          lea     ecx,[edi+8]
0:004> dd edi
01757000  000001f4 02ff0000 ffffb200 ffffb300
01757010  ffffb600 ffffb600 ffffb500 ffffb300
01757020  ffffb400 ffffb300 ffffb300 ffffb400
01757030  ffffb300 ffffb100 ffffae00 ffffab00
01757040  ffffa500 ffffa100 fffe9c00 fffe9900
01757050  fffe9800 fffe9800 fffe9700 ffff9700
01757060  ffff9700 fffe9800 ffff9800 ffff9700
01757070  ffff9800 ffff9800 ffff9800 ffff9800
0:004>
---<cut>---

OK, let's see what !analyze produces for us:

---<cut>---
0:004> !analyze -v
(...)
*************************************************************************
FAULTING_IP:
ntdll!RtlReAllocateHeap+ae1
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c91a661 (ntdll!RtlReAllocateHeap+0x00000ae1)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0017fff8
Attempt to read from address 0017fff8

FAULTING_THREAD:  0000041c
PROCESS_NAME:  vlc.exe
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  0
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  0017fff8
READ_ADDRESS:  0017fff8

FOLLOWUP_IP:
ntdll!RtlReAllocateHeap+ae1
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION
BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 7c91099a to 7c91a661

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0166d8d0 7c91099a 01748000 0000f000 000001f4 ntdll!RtlReAllocateHeap+0xae1
0166d9a0 77c1c2de 003f0000 00000000 01747fa0 ntdll!wcsncpy+0x43b
0166d9e8 6957a6af 01747fa0 ffffffff 77c1c2e3 msvcrt!free+0xc3
0166d9f4 77c1c2e3 6982bcd5 00b5f9ac 0170bdb0 libqt4_plugin!vlc_entry_license__2_2_0b+0x4f5c0f
0166d9f8 6982bcd5 00b5f9ac 0170bdb0 00b61928 msvcrt!free+0xc8
0166da08 6957a74c 01733f84 00b61928 00b94990 libqt4_plugin!vlc_entry_license__2_2_0b+0x7a7235
0166da18 69563d48 0170f488 00b5f980 01733f84 libqt4_plugin!vlc_entry_license__2_2_0b+0x4f5cac
0166da28 6955fee5 0166da14 00b94990 00b9499c libqt4_plugin!vlc_entry_license__2_2_0b+0x4df2a8
0166da38 69564289 00b9499c ffffffff 00b94990 libqt4_plugin!vlc_entry_license__2_2_0b+0x4db445
0166da48 695657ea 01733f84 00b61920 00b61920 libqt4_plugin!vlc_entry_license__2_2_0b+0x4df7e9
0166da58 6994d9f5 0170f490 69baaed8 00b3c478 libqt4_plugin!vlc_entry_license__2_2_0b+0x4e0d4a
0166da68 699297be 01684d18 00000076 00b5ac20 libqt4_plugin!vlc_entry_license__2_2_0b+0x8c8f55
0166da98 695645a8 000133d7 00000000 69b9f7c8 libqt4_plugin!vlc_entry_license__2_2_0b+0x8a4d1e
0166dad8 6956474d 00000000 0166dd18 0166ddf8 libqt4_plugin!vlc_entry_license__2_2_0b+0x4dfb08
0166dae8 6959dbd9 69baaed8 00b61918 0166dd60 libqt4_plugin!vlc_entry_license__2_2_0b+0x4dfcad
0166ddf8 7e368734 00000000 00000001 7e368734 libqt4_plugin!vlc_entry_license__2_2_0b+0x519139
0166de30 7e368816 6976c4f0 000b01c0 00000113 USER32!GetDC+0x6d
0166de98 7e3689cd 00000000 6976c4f0 000b01c0 USER32!GetDC+0x14f
0166def8 7e368a10 0166df60 00000000 0166fca8 USER32!GetWindowLongW+0x127
0166df08 6976c08b 0166df60 00000000 00000000 USER32!DispatchMessageW+0xf
0166fca8 695997dd 0166fce8 695997dd 0166fce8 libqt4_plugin!vlc_entry_license__2_2_0b+0x6e75eb
0166fd90 6978aa82 0166fdac ffffffff 00ac5bb0 libqt4_plugin!vlc_entry_license__2_2_0b+0x514d3d
0166fda0 695e6db0 0166fed0 00000000 69b81f88 libqt4_plugin!vlc_entry_license__2_2_0b+0x705fe2
0166fdb4 6980ad50 00ac5bb0 00000000 690826b8 libqt4_plugin!vlc_entry_license__2_2_0b+0x562310
0166fdc0 690826b8 0166fe8c ffffffff 0166ff28 libqt4_plugin!vlc_entry_license__2_2_0b+0x7862b0
00000000 00000000 00000000 00000000 00000000 libqt4_plugin+0x26b8


SYMBOL_NAME:  heap_corruption!heap_corruption
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME:  heap_corruption
STACK_COMMAND:  ~4s ; kb
FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/vlc_exe/2_2_4_0/_______4/ntdll_dll/5_1_2600_5512/48039211/c0000005/0001a661.htm?Retriage=1
---<cut>---

...and some results from !exploitable as well:

---<cut>---
0:004> !load winext\msec.dll;!exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x17fff8
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:7c91a661 cmp cx,word ptr [eax-8]

Basic Block:
    7c91a661 cmp cx,word ptr [eax-8]
       Tainted Input operands: 'cx','eax'
    7c91a665 jbe ntdll!rtlreallocateheap+0xaed (7c91a66d)
       Tainted Input operands: 'ZeroFlag','CarryFlag'

Exception Hash (Major/Minor): 0x2aa3353c.0xf686d5cb

 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlReAllocateHeap+0xae1
Major+Minor : ntdll!wcsncpy+0x43b
Excluded    : msvcrt!free+0xc3
Major+Minor : libqt4_plugin!vlc_entry_license__2_2_0b+0x4f5c0f
Excluded    : msvcrt!free+0xc8
Major+Minor : libqt4_plugin!vlc_entry_license__2_2_0b+0x7a7235
Major+Minor : libqt4_plugin!vlc_entry_license__2_2_0b+0x4f5cac
Major+Minor : libqt4_plugin!vlc_entry_license__2_2_0b+0x4df2a8
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x4db445
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x4df7e9
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x4e0d4a
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x8c8f55
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x8a4d1e
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x4dfb08
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x4dfcad
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x519139
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x6e75eb
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x514d3d
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x705fe2
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x562310
Minor       : libqt4_plugin!vlc_entry_license__2_2_0b+0x7862b0
Minor       : libqt4_plugin+0x26b8
Instruction Address: 0x000000007c91a661
---<cut>---


Sample#02:

We will start here:

---<cut>---
(4f4.5f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=067ef000 ebx=0348fba0 ecx=067dc8d4 edx=0000003c esi=067dc8d4 edi=00000004
eip=6f289d32 esp=0348fb00 ebp=00000008 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmpgatofixed32_plugin.dll -
libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+0x8032:
6f289d32 0fb600          movzx   eax,byte ptr [eax]         ds:0023:067ef000=??
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:012> g
core input error: ES_OUT_SET_(GROUP_)PCR  is called too late (pts_delay increased to 300 ms)
core input error: ES_OUT_RESET_PCR called
(4f4.5f4): Access violation - code c0000005 (!!! second chance !!!)
eax=067ef000 ebx=0348fba0 ecx=067dc8d4 edx=0000003c esi=067dc8d4 edi=00000004
eip=6f289d32 esp=0348fb00 ebp=00000008 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+0x8032:
6f289d32 0fb600          movzx   eax,byte ptr [eax]         ds:0023:067ef000=??
0:012> dd eax
067ef000  ???????? ???????? ???????? ????????
067ef010  ???????? ???????? ???????? ????????
067ef020  ???????? ???????? ???????? ????????
067ef030  ???????? ???????? ???????? ????????
067ef040  ???????? ???????? ???????? ????????
067ef050  ???????? ???????? ???????? ????????
067ef060  ???????? ???????? ???????? ????????
067ef070  ???????? ???????? ???????? ????????
---<cut>---

Results from !analyze -v:

---<cut>---
FAULTING_IP:
libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+8032
6f289d32 0fb600          movzx   eax,byte ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6f289d32 (libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+0x00008032)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 067ef000
Attempt to read from address 067ef000

FAULTING_THREAD:  000005f4
PROCESS_NAME:  vlc.exe

FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  3f4b3f44
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  067ef000
READ_ADDRESS:  067ef000

FOLLOWUP_IP:
libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+8032
6f289d32 0fb600          movzx   eax,byte ptr [eax]

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
LAST_CONTROL_TRANSFER:  from 6f285252 to 6f289d32

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0348fb10 6f285252 067dc8d4 00000004 00000008 libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+0x8032
0348fb20 77c1c3ce 77c1c3e7 0000000c 0348fbac libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+0x3552
0348fb24 77c1c3e7 0000000c 0348fbac 00000004 msvcrt!free+0x1b3
0348fbe4 77c10002 00000000 03480003 0100c200 msvcrt!free+0x1cc
00000000 00000000 00000000 00000000 00000000 msvcrt!stat64+0x360

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+8032
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: libmpgatofixed32_plugin
IMAGE_NAME:  libmpgatofixed32_plugin.dll
STACK_COMMAND:  ~12s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_libmpgatofixed32_plugin.dll!vlc_entry_license__2_2_0b
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/vlc_exe/2_2_4_0/_______4/libmpgatofixed32_plugin_dll/2_2_4_0/3f4b3f44/c0000005/00009d32.htm?Retriage=1
Followup: MachineOwner
---<cut>---
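Triage helper for dumps like the two above (added example, not code from the original post): it parses the WinDbg access-violation header, the faulting symbol and instruction line, and the !exploitable Exception Hash, then labels the crash as heap corruption (fault inside the heap manager, as in Sample#01) or a page-aligned read just past a page-heap block (as in Sample#02) and derives a dedup key. The samples are constructed, trimmed copies of the page's output; the labels assume full page heap was enabled as described above.

```python
import re

# Constructed samples: trimmed copies of the two dumps above, in the same WinDbg layout.
SAMPLE_01 = """(128.41c): Access violation - code c0000005 (!!! second chance !!!)
eax=00180000 ebx=003f0178 ecx=016601f4 edx=00000fa0 esi=003f0000 edi=01757000
ntdll!RtlReAllocateHeap+0xae1:
7c91a661 663b48f8        cmp     cx,word ptr [eax-8]      ds:0023:0017fff8=????
Exception Hash (Major/Minor): 0x2aa3353c.0xf686d5cb
"""
SAMPLE_02 = """(4f4.5f4): Access violation - code c0000005 (!!! second chance !!!)
eax=067ef000 ebx=0348fba0 ecx=067dc8d4 edx=0000003c esi=067dc8d4 edi=00000004
libmpgatofixed32_plugin!vlc_entry_license__2_2_0b+0x8032:
6f289d32 0fb600          movzx   eax,byte ptr [eax]         ds:0023:067ef000=??
"""

HEADER = re.compile(r"^\(([0-9a-f]+)\.([0-9a-f]+)\): Access violation - code ([0-9a-f]{8}) \((.+)\)$")
SYMBOL = re.compile(r"^([^ ]+)\+0x[0-9a-f]+:$")
FAULT = re.compile(r"^[0-9a-f]{8} [0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=")
HASH = re.compile(r"^Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)$")
# Faults inside these ntdll routines mean the heap metadata was already damaged earlier.
HEAP_MANAGER = ("ntdll!RtlReAllocateHeap", "ntdll!RtlAllocateHeap", "ntdll!RtlFreeHeap")

def parse_crash(dump):
    """Pull the fields a triage sheet needs out of one WinDbg access-violation block."""
    rec = {"pid": None, "tid": None, "code": None, "chance": None, "symbol": None,
           "mnemonic": None, "operands": None, "address": None, "hash": None}
    for line in dump.splitlines():
        if m := HEADER.match(line):
            rec.update(pid=m[1], tid=m[2], code=m[3], chance=m[4])
        elif m := SYMBOL.match(line):
            rec["symbol"] = m[1]
        elif m := FAULT.match(line):
            rec.update(mnemonic=m[1], operands=m[2], address=int(m[3], 16))
        elif m := HASH.match(line):
            rec["hash"] = m[1] + "." + m[2]
    return rec

def classify(rec):
    """Coarse triage label; assumes full page heap (gflags /full) was on, as on this page."""
    if rec["symbol"] and rec["symbol"].startswith(HEAP_MANAGER):
        return "heap-corruption"      # fault in the heap manager: the real bug is earlier
    if rec["address"] is not None and rec["address"] & 0xfff == 0:
        return "guard-page-overrun"   # page-aligned fault: first byte past a page-heap block
    return "invalid-read"

def bucket_key(rec):
    """Dedup key: the !exploitable hash when present, else faulting symbol + instruction."""
    return rec["hash"] or f'{rec["symbol"]}:{rec["mnemonic"]} {rec["operands"]}'
```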


That should be enough as an example, so that's all. ;)
If you need a PoC file, let me know and I will send you a copy that produces the crash.

Maybe you will find it useful.

Cheers.

-- Updated: 30.05.2017

2 comments:

  1. Can you post your PoCs and/or test against the latest version? Thanks!

    Replies
    1. @jericho: hi, the post was updated yesterday (I added 3 PoCs for 2.2.4).
      I did not check the version after that one. If you need more crash files, drop me an email.
      thanks
