Thursday, 7 July 2016

Outlook 2010 - WriteAV Crash

A few details (+ PoC) below...

TL;DR - PoC + a few details
========================================================================
Remotely exploitable if an attacker finds a way to control ECX (it is copied to ESI and then
written through) and gets the victim to click/open the MSG file. In the crash as observed,
ESI is 0 (Parameter[1] = 00000000 below), so the write hits the NULL page; without a
non-NULL, attacker-chosen value in ECX this is just a crash.

Reproduce:

Run WinDbg and attach it to cmd.exe (enable child-process debugging with .childdbg 1 so the
debugger follows into the new process). Run outlook.exe from that command line:
cmd> outlook.exe /f poc1.msg
and you should see the crash.

========================================================================
1:001> ub eip
olmapi32!FGetComponentPath+0x1b3e:
4086ffaa c9              leave
4086ffab c20400          ret     4
4086ffae 55              push    ebp
4086ffaf 8bec            mov     ebp,esp
4086ffb1 51              push    ecx            ; value from ECX
4086ffb2 53              push    ebx
4086ffb3 56              push    esi
4086ffb4 8bf1            mov     esi,ecx        ; ECX goes to ESI

1:001> u eip
olmapi32!FGetComponentPath+0x1b4a:
4086ffb6 ff0e            dec     dword ptr [esi] ; crash
4086ffb8 33db            xor     ebx,ebx
4086ffba 57              push    edi
(...)

1:001> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fdc8 4086ff80 0adceffc 0bcbcfcc 0bcbcfc8 olmapi32!FGetComponentPath+0x1b4a
0013fde4 409dedf7 0adceffc 1704f2b7 00000000 olmapi32!FGetComponentPath+0x1b14
0013fe10 409dee33 0bcbcfc8 0013fe9c 4092eb21 olmapi32!CpidFromCharset+0x14ddd
0013fe1c 4092eb21 00000001 00000000 00000000 olmapi32!CpidFromCharset+0x14e19
0013fe9c 409e063a 0bcbcfc8 4091ac8e 00000000 olmapi32!MAPIOpenFormMgr+0x1bde
0013fee0 408d4e26 30d0c6f0 00000000 00000000 olmapi32!CpidFromCharset+0x16620
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for outlook.exe -
0013ff08 302e4db4 30d083b0 00000000 30120792 olmapi32!HrIsTransportInstalled+0x8883
0013ff30 300077cb 30000000 00000000 0116efbc outlook!DllCanUnloadNow+0xe96e
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0013ffc0 7c817067 f65db180 01d1d83a 7ffd9000 outlook+0x77cb
0013fff0 00000000 30001f08 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49

1:001> dd esi
00000000  ???????? ???????? ???????? ????????
00000010  ???????? ???????? ???????? ????????
00000020  ???????? ???????? ???????? ????????
00000030  ???????? ???????? ???????? ????????
00000040  ???????? ???????? ???????? ????????
00000050  ???????? ???????? ???????? ????????
00000060  ???????? ???????? ???????? ????????
00000070  ???????? ???????? ???????? ????????

1:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
olmapi32!FGetComponentPath+1b4a
4086ffb6 ff0e            dec     dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 4086ffb6 (olmapi32!FGetComponentPath+0x00001b4a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000000
Attempt to write to address 00000000

FAULTING_THREAD:  000007c8

PROCESS_NAME:  outlook.exe

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  4ba8fe34

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00000000

WRITE_ADDRESS:  00000000

FOLLOWUP_IP:
olmapi32!FGetComponentPath+1b4a
4086ffb6 ff0e            dec     dword ptr [esi]

MOD_LIST: <ANALYSIS/>

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_WRITE

DEFAULT_BUCKET_ID:  NULL_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 4086ff80 to 4086ffb6

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fdc8 4086ff80 0adceffc 0bcbcfcc 0bcbcfc8 olmapi32!FGetComponentPath+0x1b4a
0013fde4 409dedf7 0adceffc 1704f2b7 00000000 olmapi32!FGetComponentPath+0x1b14
0013fe10 409dee33 0bcbcfc8 0013fe9c 4092eb21 olmapi32!CpidFromCharset+0x14ddd
0013fe1c 4092eb21 00000001 00000000 00000000 olmapi32!CpidFromCharset+0x14e19
0013fe9c 409e063a 0bcbcfc8 4091ac8e 00000000 olmapi32!MAPIOpenFormMgr+0x1bde
0013fee0 408d4e26 30d0c6f0 00000000 00000000 olmapi32!CpidFromCharset+0x16620
0013ff08 302e4db4 30d083b0 00000000 30120792 olmapi32!HrIsTransportInstalled+0x8883
0013ff30 300077cb 30000000 00000000 0116efbc outlook!DllCanUnloadNow+0xe96e
0013ffc0 7c817067 f65db180 01d1d83a 7ffd9000 outlook+0x77cb
0013fff0 00000000 30001f08 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  olmapi32!FGetComponentPath+1b4a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: olmapi32

IMAGE_NAME:  olmapi32.dll

STACK_COMMAND:  ~1s ; kb

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  NULL_POINTER_WRITE_c0000005_olmapi32.dll!FGetComponentPath

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/outlook_exe/14_0_4760_1000/4ba8fefd/olmapi32_dll/14_0_4760_1000/4ba8fe34/c0000005/0005ffb6.htm?Retriage=1

Followup: MachineOwner
========================================================================
1:001> !load winext\msec.dll
1:001> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:4086ffb6 dec dword ptr [esi]

Basic Block:
    4086ffb6 dec dword ptr [esi]
       Tainted Input operands: 'esi'
    4086ffb8 xor ebx,ebx
    4086ffba push edi
    4086ffbb cmp dword ptr [ebp+8],ebx
    4086ffbe jne olmapi32!hropenabentryusingdefaultcontext+0x235ba (4090700b)

Exception Hash (Major/Minor): 0xfeaa58c2.0xdddb3d78

 Hash Usage : Stack Trace:
Major+Minor : olmapi32!FGetComponentPath+0x1b4a
Major+Minor : olmapi32!FGetComponentPath+0x1b14
Major+Minor : olmapi32!CpidFromCharset+0x14ddd
Major+Minor : olmapi32!CpidFromCharset+0x14e19
Major+Minor : olmapi32!MAPIOpenFormMgr+0x1bde
Minor       : olmapi32!CpidFromCharset+0x16620
Minor       : olmapi32!HrIsTransportInstalled+0x8883
Minor       : outlook!DllCanUnloadNow+0xe96e
Minor       : outlook+0x77cb
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000004086ffb6

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at olmapi32!FGetComponentPath+0x0000000000001b4a (Hash=0xfeaa58c2.0xdddb3d78)

User mode write access violations that are near NULL are unknown.

1:001> .exr -1
ExceptionAddress: 4086ffb6 (olmapi32!FGetComponentPath+0x00001b4a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000000
Attempt to write to address 00000000
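
A small triage script, added here as an example (not Cody's code and not part of the
!exploitable extension): it parses the .exr record and the faulting-instruction line the way
WinDbg prints them, and applies the coarse rule behind the verdict above, i.e. Parameter[0] = 1
means a write, and a write whose target lies in the low 64 KiB is "near NULL" and therefore
UNKNOWN rather than EXPLOITABLE. The 64 KiB limit and the rating table are this example's
assumptions, chosen to reproduce the verdict shown in the session; the sample transcripts are
constructed in the same layout as the output above, and the second one is a what-if variant
with a non-NULL target, not something observed.

```python
"""Triage WinDbg access-violation output (added example, assumptions noted inline)."""
import re

NEAR_NULL_LIMIT = 0x10000          # assumption: low 64 KiB counts as "near NULL"
STATUS_ACCESS_VIOLATION = 0xC0000005

# EXCEPTION_RECORD.ExceptionInformation[0] for an access violation: 0 read, 1 write, 8 DEP
ACCESS_KIND = {0: "Read", 1: "Write", 8: "Exec"}

# Simplified rating table (assumption, modelled on the verdicts !exploitable prints).
RATING = {
    "WriteAV": "EXPLOITABLE",
    "WriteAVNearNull": "UNKNOWN",
    "ReadAV": "UNKNOWN",
    "ReadAVNearNull": "PROBABLY_NOT_EXPLOITABLE",
    "ExecAV": "EXPLOITABLE",
}

EXC_ADDR_RE = re.compile(r"ExceptionAddress:\s*([0-9a-fA-F]+)\s*\(([^)]*)\)")
EXC_CODE_RE = re.compile(r"ExceptionCode:\s*([0-9a-fA-F]+)")
PARAM_RE = re.compile(r"Parameter\[(\d+)\]:\s*([0-9a-fA-F]+)")
# matches "4086ffb6 ff0e            dec     dword ptr [esi] ; crash"
INSN_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+(\w+)\s*([^;\n]*)", re.M)
MEM_OPERAND_RE = re.compile(r"\[([a-z0-9+*-]+)\]")


def parse_exr(text):
    """Pull address, symbol, code and parameters out of a `.exr` dump."""
    addr = EXC_ADDR_RE.search(text)
    code = EXC_CODE_RE.search(text)
    if not addr or not code:
        raise ValueError("no exception record found")
    params = {int(i): int(v, 16) for i, v in PARAM_RE.findall(text)}
    return {"address": int(addr.group(1), 16), "symbol": addr.group(2).strip(),
            "code": int(code.group(1), 16), "params": params}


def faulting_instruction(text, address):
    """Find the disassembly line for `address` and split it into bytes/mnemonic/operands."""
    for m in INSN_RE.finditer(text):
        if int(m.group(1), 16) == address:
            operands = m.group(4).strip()
            mem = MEM_OPERAND_RE.search(operands)
            return {"bytes": m.group(2), "mnemonic": m.group(3), "operands": operands,
                    "mem_base": mem.group(1) if mem else None}
    return None


def classify(exr):
    """Bucket an access violation like !exploitable's short description does."""
    if exr["code"] != STATUS_ACCESS_VIOLATION:
        return "NotAV"
    kind = ACCESS_KIND.get(exr["params"].get(0), "Unknown")
    target = exr["params"].get(1, 0)
    bucket = kind + "AV"
    if kind != "Exec" and target < NEAR_NULL_LIMIT:
        bucket += "NearNull"
    return bucket


def triage(session):
    """One pass over a WinDbg transcript: bucket, rating, target and faulting instruction."""
    exr = parse_exr(session)
    bucket = classify(exr)
    return {"bucket": bucket, "rating": RATING.get(bucket, "UNKNOWN"),
            "target": exr["params"].get(1), "symbol": exr["symbol"],
            "insn": faulting_instruction(session, exr["address"])}


# Constructed excerpt in the layout of the session above.
SAMPLE = """\
1:001> u eip
olmapi32!FGetComponentPath+0x1b4a:
4086ffb6 ff0e            dec     dword ptr [esi] ; crash
4086ffb8 33db            xor     ebx,ebx

1:001> .exr -1
ExceptionAddress: 4086ffb6 (olmapi32!FGetComponentPath+0x00001b4a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000000
Attempt to write to address 00000000
"""

# What-if variant (constructed): ECX, hence ESI, holds a non-NULL, attacker-chosen pointer.
SAMPLE_CONTROLLED = (SAMPLE.replace("Parameter[1]: 00000000", "Parameter[1]: 0adceffc")
                           .replace("address 00000000", "address 0adceffc"))

if __name__ == "__main__":
    for label, text in (("observed", SAMPLE), ("if ECX were controlled", SAMPLE_CONTROLLED)):
        r = triage(text)
        print(f"{label}: {r['bucket']} ({r['rating']}) at {r['symbol']}: "
              f"{r['insn']['mnemonic']} {r['insn']['operands']} via {r['insn']['mem_base']}")
```

The observed transcript buckets as WriteAVNearNull / UNKNOWN, matching the session; the
same record with a non-NULL target buckets as WriteAV / EXPLOITABLE, which is exactly the
difference between this crash and the "attacker controls ECX" case from the TL;DR.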

========================================================================
More: code610.blogspot.com
Or on Twitter: @CodySixteen.
========================================================================
Cheers,
Cody
