Thursday, 7 September 2017

Night fuzzing session - Kaspersky 10 on Windows 10

During the last few days I was playing a little bit with Kaspersky Endpoint Security 10 for Windows 10. Below you will find a few results.

For now, just as a quick note: the tested Windows version was:
---<cmd>---
C:\Users\user>ver
Microsoft Windows [Version 10.0.14393]
C:\Users\user>
---<cmd>---

The log file from WinDbg looks like this. The command line runs the avp.exe scanner on the .ico test case; the crash is a read access violation in prloader.dll, inside a byte-copy loop (mov dl,[edx] / mov [esi],dl, with the three slots at [ebp+8], [ebp+0Ch] and [ebp+10h] advanced each iteration) whose source pointer in edx has walked onto an unmapped address, and !exploitable rates it UNKNOWN. Note that the `u eip-2` and `u eip-1` listings start mid-instruction (x86 is variable-length), so the `push ebp` and `or byte ptr [edx+0C758B12h],cl` lines there are misaligned decodes, not real code; only the `u eip` listing is reliable:
---<cut>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe" scan C:\95676.ico
(...)
Executable search path is:
ModLoad: 00000000`00100000 00000000`00226000   avp.exe
(...)
prloader!PragueLoad+0x16ca8:
714c6c48 8a12            mov     dl,byte ptr [edx]          ds:002b:036f20a0=??

0:006:x86> r;!exploitable -v;!analyze -v;kb;u eip-2; u eip-1; u eip ;q
eax=00000000 ebx=00000000 ecx=00000001 edx=036f20a0 esi=036f204c edi=036f2098
eip=714c6c48 esp=03a9ef74 ebp=03a9ef98 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
prloader!PragueLoad+0x16ca8:
714c6c48 8a12            mov     dl,byte ptr [edx]          ds:002b:036f20a0=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x36f20a0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:714c6c48 mov dl,byte ptr [edx]

Basic Block:
    714c6c48 mov dl,byte ptr [edx]
       Tainted Input operands: 'edx'
    714c6c4a mov esi,dword ptr [ebp+0ch]
    714c6c4d mov byte ptr [esi],dl
       Tainted Input operands: 'dl'
    714c6c4f sub dword ptr [ebp+10h],ecx
    714c6c52 add dword ptr [ebp+0ch],ecx
    714c6c55 add dword ptr [ebp+8],ecx
    714c6c58 jmp prloader!pragueload+0x16ca0 (714c6c40)

Exception Hash (Major/Minor): 0xad316372.0xf56b5a7d

 Hash Usage : Stack Trace:
Major+Minor : prloader!PragueLoad+0x16ca8
Major+Minor : prloader+0x1b06a
Major+Minor : prremote!PRRegisterObject+0xcee
Major+Minor : prremote!PRRegisterObject+0x1d37
Major+Minor : prremote!PRGetAPI+0x1d2c
Minor       : RPCRT4!I_RpcGetBuffer+0xd90
Minor       : RPCRT4!I_RpcGetBuffer+0x6ff
Minor       : RPCRT4!NdrServerInitializeMarshall+0x1dce9
Minor       : RPCRT4!NdrServerInitializeMarshall+0xce29
Minor       : RPCRT4!I_RpcGetBuffer+0x1ea5
Minor       : RPCRT4!I_RpcReceive+0x4260
Minor       : RPCRT4!I_RpcReceive+0x4b54
Minor       : RPCRT4!RpcBindingSetAuthInfoExW+0x424
Minor       : ntdll_77bc0000!TpCallbackMayRunLong+0x1f9
Minor       : ntdll_77bc0000!TpReleaseTimer+0x65f
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_77bc0000!RtlSubscribeWnfStateChangeNotification+0x439
Minor       : ntdll_77bc0000!RtlSubscribeWnfStateChangeNotification+0x404
Instruction Address: 0x00000000714c6c48

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at prloader!PragueLoad+0x0000000000016ca8 (Hash=0xad316372.0xf56b5a7d)

(...)
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)

FAULTING_IP:
prloader!PragueLoad+16ca8
714c6c48 8a12            mov     dl,byte ptr [edx]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 00000000714c6c48 (prloader!PragueLoad+0x0000000000016ca8)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000036f20a0
Attempt to read from address 00000000036f20a0

FAULTING_THREAD:  0000000000002774
PROCESS_NAME:  avp.exe
ADDITIONAL_DEBUG_TEXT:
FAULTING_MODULE: 0000000077650000 KERNEL32
DEBUG_FLR_IMAGE_TIMESTAMP:  5642245a
MODULE_NAME: prloader
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  00000000036f20a0
READ_ADDRESS:  00000000036f20a0
FOLLOWUP_IP:
prloader!PragueLoad+16ca8
714c6c48 8a12            mov     dl,byte ptr [edx]

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
LAST_CONTROL_TRANSFER:  from 00000000714ab06a to 00000000714c6c48

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
03a9ef98 714ab06a 036f20a0 03a9efd0 00000004 prloader!PragueLoad+0x16ca8
03a9efc4 7150831e 0157a61c 00000000 00000000 prloader+0x1b06a
03a9f550 71509367 01381de8 01303f52 0000003f prremote!PRRegisterObject+0xcee
03a9f6bc 7150f8cc 01381de8 01303f20 00000071 prremote!PRRegisterObject+0x1d37
03a9f700 75464eb0 01381ea0 dbf38714 01381ea0 prremote!PRGetAPI+0x1d2c
03a9f744 7546481f 7150f870 01381ea0 03a9f820 RPCRT4!I_RpcGetBuffer+0xd90
03a9f7b0 754a30f9 01381ea0 00000000 00000000 RPCRT4!I_RpcGetBuffer+0x6ff
03a9f7dc 75492239 01381ea0 00000000 00000000 RPCRT4!NdrServerInitializeMarshall+0x1dce9
03a9f844 75465fc5 03a9f8a4 01381de8 013354d0 RPCRT4!NdrServerInitializeMarshall+0xce29
03a9f8d4 7546a870 01303eb8 01380db0 00000000 RPCRT4!I_RpcGetBuffer+0x1ea5
03a9f920 7546b164 01303eb8 03a9f978 01380db0 RPCRT4!I_RpcReceive+0x4260
03a9f9f4 75461694 00000000 01332178 754615f0 RPCRT4!I_RpcReceive+0x4b54
03a9fa30 77be9989 03a9fb70 013352b4 01332178 RPCRT4!RpcBindingSetAuthInfoExW+0x424
03a9faa0 77bf6d3f 03a9fb70 01332178 00000000 ntdll_77bc0000!TpCallbackMayRunLong+0x1f9
03a9fc44 776662c4 012f07c8 776662a0 9fb1ed0e ntdll_77bc0000!TpReleaseTimer+0x65f
03a9fc58 77c20fd9 012f07c8 c5959ba6 00000000 KERNEL32!BaseThreadInitThunk+0x24
03a9fca0 77c20fa4 ffffffff 77c42ef0 00000000 ntdll_77bc0000!RtlSubscribeWnfStateChangeNotification+0x439
03a9fcb0 00000000 77bf67c0 012f07c8 00000000 ntdll_77bc0000!RtlSubscribeWnfStateChangeNotification+0x404

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  prloader!PragueLoad+16ca8
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  prloader.dll
STACK_COMMAND:  ~6s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_prloader.dll!PragueLoad
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/avp_exe/10_2_5_3201/5787bce0/prloader_dll/10_2_4_674/5642245a/c0000005/00036c48.htm?Retriage=1
Followup: MachineOwner
---------

(...)
windbg > kb
ChildEBP RetAddr  Args to Child            
WARNING: Stack unwind information not available. Following frames may be wrong.
03a9ef98 714ab06a 036f20a0 03a9efd0 00000004 prloader!PragueLoad+0x16ca8
03a9efc4 7150831e 0157a61c 00000000 00000000 prloader+0x1b06a
03a9f550 71509367 01381de8 01303f52 0000003f prremote!PRRegisterObject+0xcee
03a9f6bc 7150f8cc 01381de8 01303f20 00000071 prremote!PRRegisterObject+0x1d37
03a9f700 75464eb0 01381ea0 dbf38714 01381ea0 prremote!PRGetAPI+0x1d2c
03a9f744 7546481f 7150f870 01381ea0 03a9f820 RPCRT4!I_RpcGetBuffer+0xd90
03a9f7b0 754a30f9 01381ea0 00000000 00000000 RPCRT4!I_RpcGetBuffer+0x6ff
03a9f7dc 75492239 01381ea0 00000000 00000000 RPCRT4!NdrServerInitializeMarshall+0x1dce9
03a9f844 75465fc5 03a9f8a4 01381de8 013354d0 RPCRT4!NdrServerInitializeMarshall+0xce29
03a9f8d4 7546a870 01303eb8 01380db0 00000000 RPCRT4!I_RpcGetBuffer+0x1ea5
03a9f920 7546b164 01303eb8 03a9f978 01380db0 RPCRT4!I_RpcReceive+0x4260
03a9f9f4 75461694 00000000 01332178 754615f0 RPCRT4!I_RpcReceive+0x4b54
03a9fa30 77be9989 03a9fb70 013352b4 01332178 RPCRT4!RpcBindingSetAuthInfoExW+0x424
03a9faa0 77bf6d3f 03a9fb70 01332178 00000000 ntdll_77bc0000!TpCallbackMayRunLong+0x1f9
03a9fc44 776662c4 012f07c8 776662a0 9fb1ed0e ntdll_77bc0000!TpReleaseTimer+0x65f
03a9fc58 77c20fd9 012f07c8 c5959ba6 00000000 KERNEL32!BaseThreadInitThunk+0x24
03a9fca0 77c20fa4 ffffffff 77c42ef0 00000000 ntdll_77bc0000!RtlSubscribeWnfStateChangeNotification+0x439
03a9fcb0 00000000 77bf67c0 012f07c8 00000000 ntdll_77bc0000!RtlSubscribeWnfStateChangeNotification+0x404

(...)
windbg > u eip -2
prloader!PragueLoad+0x16ca6:
714c6c46 55              push    ebp
714c6c47 088a128b750c    or      byte ptr [edx+0C758B12h],cl
714c6c4d 8816            mov     byte ptr [esi],dl
714c6c4f 294d10          sub     dword ptr [ebp+10h],ecx
714c6c52 014d0c          add     dword ptr [ebp+0Ch],ecx
714c6c55 014d08          add     dword ptr [ebp+8],ecx
714c6c58 ebe6            jmp     prloader!PragueLoad+0x16ca0 (714c6c40)
714c6c5a b801000000      mov     eax,1

(...)
windbg > u eip -1
prloader!PragueLoad+0x16ca7:
714c6c47 088a128b750c    or      byte ptr [edx+0C758B12h],cl
714c6c4d 8816            mov     byte ptr [esi],dl
714c6c4f 294d10          sub     dword ptr [ebp+10h],ecx
714c6c52 014d0c          add     dword ptr [ebp+0Ch],ecx
714c6c55 014d08          add     dword ptr [ebp+8],ecx
714c6c58 ebe6            jmp     prloader!PragueLoad+0x16ca0 (714c6c40)
714c6c5a b801000000      mov     eax,1
714c6c5f c3              ret

(...)
windbg > u eip
prloader!PragueLoad+0x16ca8:
714c6c48 8a12            mov     dl,byte ptr [edx]
714c6c4a 8b750c          mov     esi,dword ptr [ebp+0Ch]
714c6c4d 8816            mov     byte ptr [esi],dl
714c6c4f 294d10          sub     dword ptr [ebp+10h],ecx
714c6c52 014d0c          add     dword ptr [ebp+0Ch],ecx
714c6c55 014d08          add     dword ptr [ebp+8],ecx
714c6c58 ebe6            jmp     prloader!PragueLoad+0x16ca0 (714c6c40)
714c6c5a b801000000      mov     eax,1
---</cut>---
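The debugger one-liner in the log (`r;!exploitable -v;!analyze -v;kb;u eip-2; u eip-1; u eip ;q`) is what a fuzzing harness runs on every crash, so the output piles up quickly. Below is an added example (mine, not code from the original post or from Kaspersky) of a small Python triage script that parses the fields !exploitable and !analyze print in such logs, buckets them by Exception Hash so repeated hits of one bug collapse, and flags read-AVs where the tainted byte is immediately stored to memory, as in the basic block above. SAMPLE_A is abridged from the log above; SAMPLE_B and SAMPLE_C are constructed stand-ins (the second hash and frame name are invented), and the priority ordering is my own heuristic, not !exploitable's.

```python
"""Crash triage for WinDbg + !exploitable logs from a fuzzing session (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Crash:
    name: str
    exception: str = ""
    access: str = ""
    faulting_ip: str = ""
    instruction: str = ""
    major: str = ""
    minor: str = ""
    classification: str = ""
    bucket_id: str = ""
    frames: list = field(default_factory=list)
    tainted_write: bool = False  # a tainted register is stored to memory in the faulting block


# Line formats as printed by "!exploitable -v" and "!analyze -v".
_RE_INSN = re.compile(r"Faulting Instruction:\s*([0-9a-fA-F]+)\s+(.+)")
_RE_HASH = re.compile(r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)")
_RE_FRAME = re.compile(r"^(?:Major\+Minor|Minor)\s*:\s*(\S+)")
_RE_MEMWRITE = re.compile(r"^[0-9a-fA-F]+\s+mov\s+(?:byte|word|dword) ptr \[[^\]]+\],")
_SIMPLE = [(re.compile(r"First Chance Exception Type:\s*(\S+)"), "exception"),
           (re.compile(r"Exception Sub-Type:\s*(.+)"), "access"),
           (re.compile(r"Exploitability Classification:\s*(\S+)"), "classification"),
           (re.compile(r"FAILURE_BUCKET_ID:\s*(\S+)"), "bucket_id")]


def parse_log(name, text):
    c = Crash(name)
    in_block, prev = False, ""
    for raw in text.splitlines():
        line = raw.strip()
        for rx, attr in _SIMPLE:
            m = rx.search(line)
            if m:
                setattr(c, attr, m.group(1).strip())
        m = _RE_INSN.search(line)
        if m:
            c.faulting_ip, c.instruction = m.group(1), m.group(2).strip()
        m = _RE_HASH.search(line)
        if m:
            c.major, c.minor = m.group(1).lower(), m.group(2).lower()
        m = _RE_FRAME.match(line)
        if m:
            c.frames.append(m.group(1))
        # In "Basic Block:", a "Tainted Input operands" line annotates the instruction
        # just above it; flag the case where that instruction is a store to memory
        # (e.g. "mov byte ptr [esi],dl" right after "mov dl,byte ptr [edx]").
        if line.startswith("Basic Block:"):
            in_block, prev = True, ""
        elif in_block:
            if not line:
                in_block = False            # blank line ends the basic block
            elif line.startswith("Tainted Input operands"):
                if _RE_MEMWRITE.match(prev):
                    c.tainted_write = True
            else:
                prev = line
    return c


def bucket_crashes(logs):
    """Group {log_name: log_text} by Exception Hash (major.minor)."""
    buckets = defaultdict(list)
    for name, text in logs.items():
        c = parse_log(name, text)
        key = f"{c.major}.{c.minor}" if c.major else f"nohash:{c.faulting_ip or name}"
        buckets[key].append(c)
    return dict(buckets)


def priority(c):
    """Lower is more urgent (own heuristic): !exploitable's verdict first, then
    read-AVs whose tainted byte reaches a store, then UNKNOWN, then the rest."""
    if c.classification in ("EXPLOITABLE", "PROBABLY_EXPLOITABLE"):
        return 0
    if c.tainted_write:
        return 1
    return 2 if c.classification == "UNKNOWN" else 3


def report(buckets):
    rows = []
    for key, crashes in buckets.items():
        c = crashes[0]
        rows.append((priority(c), key, len(crashes), c.classification, c.access,
                     c.frames[0] if c.frames else "?", c.bucket_id))
    return sorted(rows)


SAMPLE_A = """First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:714c6c48 mov dl,byte ptr [edx]

Basic Block:
    714c6c48 mov dl,byte ptr [edx]
       Tainted Input operands: 'edx'
    714c6c4a mov esi,dword ptr [ebp+0ch]
    714c6c4d mov byte ptr [esi],dl
       Tainted Input operands: 'dl'
    714c6c58 jmp prloader!pragueload+0x16ca0 (714c6c40)

Exception Hash (Major/Minor): 0xad316372.0xf56b5a7d
 Hash Usage : Stack Trace:
Major+Minor : prloader!PragueLoad+0x16ca8
Major+Minor : prloader+0x1b06a
Minor       : RPCRT4!I_RpcGetBuffer+0xd90
Exploitability Classification: UNKNOWN
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_prloader.dll!PragueLoad
"""
SAMPLE_B = SAMPLE_A  # constructed: the same bug hit again on a later run
SAMPLE_C = """First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:00401000 cmp dword ptr [eax],0
Basic Block:
    00401000 cmp dword ptr [eax],0
       Tainted Input operands: 'eax'

Exception Hash (Major/Minor): 0x01020304.0x05060708
Major+Minor : hypothetical!Frame+0x10
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""  # constructed stand-in, invented hash and frame
SAMPLE_LOGS = {"run-001.log": SAMPLE_A, "run-002.log": SAMPLE_B, "run-003.log": SAMPLE_C}

if __name__ == "__main__":
    for row in report(bucket_crashes(SAMPLE_LOGS)):
        print(row)
```

Running it prints two rows: the prloader bucket (seen twice, UNKNOWN but with the tainted byte stored, so ranked first) and the constructed one. Point real harness output at `bucket_crashes` by reading one log per crash into the dict.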

To be continued... (for now: "PoC on request").

More:
-- https://code610.blogspot.com
-- https://twitter.com/CodySixteen

Cheers

