Thursday, 26 May 2016

MS Office 2010 - DoS in Publisher - #2

(AFAIK it's already published but without details.)

Below, again, a little more detail and the PoC:

TL;DR

A few details below:

Publisher (from MS Office 2010; MSPUB.EXE 14.0.4750.1000 in the session below) is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the affected application. In the WinDbg session below the crash is a read access violation at address 0x4 (a NULL-class pointer dereference, eax = 0 at `cmp dword ptr [eax+4],ebx`), which !exploitable classifies as PROBABLY_NOT_EXPLOITABLE.

-------------------------------------------------------------------------------------------

0:007> g
ModLoad: 3a8c0000 3a961000   C:\Program Files\Microsoft Office\Office14\PTXT9.DLL
ModLoad: 6bdc0000 6be7c000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
(...)
(6a0.194): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0012fd84 edx=0012fd88 esi=00000200 edi=09b65400
eip=2e0a0200 esp=0012faa8 ebp=0012fdbc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
MSPUB+0xa0200:
2e0a0200 395804          cmp     dword ptr [eax+4],ebx ds:0023:00000004=????????
0:000> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fdbc 2e0a1805 00000002 00000055 0012fdec MSPUB+0xa0200
0012fdf0 2e0a1756 00000055 00000055 00000000 MSPUB+0xa1805
0012fe18 2e0a163d 00000055 00000055 00ffffff MSPUB+0xa1756
0012fe34 2e15686c 00000055 00000000 00000001 MSPUB+0xa163d
0012fea4 2e0351e9 00000055 2e7c577c 0115effa MSPUB+0x15686c
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x351e9
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0012ffc0 7c817067 0482d8b0 00000018 7ffd9000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
0:000> u eip
MSPUB+0xa0200:
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a021c ff7004          push    dword ptr [eax+4]
0:000> dd ebx
00000000  ???????? ???????? ???????? ????????
00000010  ???????? ???????? ???????? ????????
00000020  ???????? ???????? ???????? ????????
00000030  ???????? ???????? ???????? ????????
00000040  ???????? ???????? ???????? ????????
00000050  ???????? ???????? ???????? ????????
00000060  ???????? ???????? ???????? ????????
00000070  ???????? ???????? ???????? ????????
0:000> u ebx
00000000 ??              ???
           ^ Memory access error in 'u ebx'
0:000> dd eax+4
00000004  ???????? ???????? ???????? ????????
00000014  ???????? ???????? ???????? ????????
00000024  ???????? ???????? ???????? ????????
00000034  ???????? ???????? ???????? ????????
00000044  ???????? ???????? ???????? ????????
00000054  ???????? ???????? ???????? ????????
00000064  ???????? ???????? ???????? ????????
00000074  ???????? ???????? ???????? ????????
0:000> u eip-1
MSPUB+0xa01ff:
2e0a01ff c8395804        enter   5839h,4
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a021c ff7004          push    dword ptr [eax+4]
0:000> u eip-2
MSPUB+0xa01fe:
2e0a01fe 45              inc     ebp
2e0a01ff c8395804        enter   5839h,4
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8          mov     eax,dword ptr [ebp-38h]
0:000> u eip-3
MSPUB+0xa01fd:
2e0a01fd 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8          mov     eax,dword ptr [ebp-38h]
0:000> u eip-4
MSPUB+0xa01fc:
2e0a01fc 008b45c83958    add     byte ptr [ebx+5839C845h],cl
2e0a0202 040f            add     al,0Fh
2e0a0204 846101          test    byte ptr [ecx+1],ah
2e0a0207 0000            add     byte ptr [eax],al
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)

0:000> u eip-5
MSPUB+0xa01fb:
2e0a01fb 0000            add     byte ptr [eax],al
2e0a01fd 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)

0:000> u eip-6
MSPUB+0xa01fa:
2e0a01fa 0100            add     dword ptr [eax],eax
2e0a01fc 008b45c83958    add     byte ptr [ebx+5839C845h],cl
2e0a0202 040f            add     al,0Fh
2e0a0204 846101          test    byte ptr [ecx+1],ah
2e0a0207 0000            add     byte ptr [eax],al
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax

0:000> u eip-7
MSPUB+0xa01f9:
2e0a01f9 1801            sbb     byte ptr [ecx],al
2e0a01fb 0000            add     byte ptr [eax],al
2e0a01fd 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax

0:000> u eip-8
MSPUB+0xa01f8:
2e0a01f8 90              nop
2e0a01f9 1801            sbb     byte ptr [ecx],al
2e0a01fb 0000            add     byte ptr [eax],al
2e0a01fd 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)

0:000> u eip-9
MSPUB+0xa01f7:
2e0a01f7 ff9018010000    call    dword ptr [eax+118h]
2e0a01fd 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804          mov     ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff      call    MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0            test    eax,eax
2e0a0213 0f8481561100    je      MSPUB+0x1b589a (2e1b589a)

0:000> u eip-10
MSPUB+0xa01f0:
2e0a01f0 8b07            mov     eax,dword ptr [edi]
2e0a01f2 8d4dc8          lea     ecx,[ebp-38h]
2e0a01f5 51              push    ecx
2e0a01f6 57              push    edi
2e0a01f7 ff9018010000    call    dword ptr [eax+118h]
2e0a01fd 8b45c8          mov     eax,dword ptr [ebp-38h]
2e0a0200 395804          cmp     dword ptr [eax+4],ebx
2e0a0203 0f8461010000    je      MSPUB+0xa036a (2e0a036a)
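
Reading the `u eip-10` listing from its properly aligned start (the earlier `u eip-1` .. `u eip-9` attempts land mid-instruction, which is why they decode to garbage like `enter 5839h,4`): `mov eax,[edi]` loads what looks like a vtable pointer, `lea ecx,[ebp-38h]; push ecx; push edi` pass a stack out-parameter and the object pointer, `call dword ptr [eax+118h]` is an indirect (virtual) call, and then `mov eax,[ebp-38h]; cmp dword ptr [eax+4],ebx` reads the out-pointer back and dereferences it at +4, with ebx holding 0. Nothing between the call and the dereference checks the callee's return value or the pointer itself, so when the callee leaves the out-parameter as NULL the process faults reading address 4, exactly what `.exr -1` reports. The C program below is an added illustration of that pattern beside a hardened version; it is not code from this post or from Publisher, and every name in it (Item, Container, lookup_item, flags_set_unchecked, flags_set_checked) is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post). Models the pattern in the
 * u eip-10 disassembly: a call fills an out-parameter, the caller reads it
 * back and dereferences it at offset +4 without checking for NULL.
 * All type and function names here are hypothetical. */

typedef struct Item {
    unsigned int kind;   /* offset 0 */
    unsigned int flags;  /* offset 4: the field compared against ebx (0) */
} Item;

typedef struct Container {
    size_t count;
    Item *items[8];
} Container;

/* Stand-in for `call dword ptr [eax+118h]`: writes the result into *out and
 * returns 0 on success, -1 on failure. On failure *out is left as NULL. */
static int lookup_item(const Container *c, size_t idx, Item **out) {
    if (out == NULL) return -1;
    *out = NULL;
    if (c == NULL || idx >= c->count) return -1;
    *out = c->items[idx];
    return 0;
}

/* Vulnerable caller, mirroring the crashing code: the status is ignored and
 * the out-pointer is dereferenced at +4. With an out-of-range idx this reads
 * address 4, the same fault as `cmp dword ptr [eax+4],ebx` with eax == 0. */
int flags_set_unchecked(const Container *c, size_t idx) {
    Item *it;
    lookup_item(c, idx, &it);          /* return value not checked */
    return it->flags != 0;             /* NULL + 4 read on failure */
}

/* Hardened caller: checks both the status and the pointer before use and
 * propagates the failure instead of faulting. */
int flags_set_checked(const Container *c, size_t idx, int *flags_set) {
    Item *it = NULL;
    if (lookup_item(c, idx, &it) != 0 || it == NULL) {
        return -1;
    }
    *flags_set = (it->flags != 0);
    return 0;
}

/* Builds a constructed container with n items over caller-provided storage;
 * odd-indexed items get flags = 1, even-indexed items flags = 0. */
Container make_container(size_t n, Item *backing) {
    Container c;
    memset(&c, 0, sizeof c);
    for (size_t i = 0; i < n && i < 8; i++) {
        backing[i].kind = (unsigned)i;
        backing[i].flags = (i % 2) ? 1u : 0u;
        c.items[i] = &backing[i];
        c.count++;
    }
    return c;
}

int main(void) {
    Item backing[8];
    Container c = make_container(3, backing);
    int set = 0;
    printf("idx 1: rc=%d flags_set=%d\n", flags_set_checked(&c, 1, &set), set);
    printf("idx 7: rc=%d (failure reported, no dereference)\n",
           flags_set_checked(&c, 7, &set));
    /* flags_set_unchecked(&c, 7) would fault reading address 4, as MSPUB does. */
    return 0;
}
```

The unchecked variant is kept only to show the faulting shape; calling it with an index past `count` reproduces a ReadAVNearNull of the same kind !exploitable reports below, so it is deliberately not invoked in main.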

0:000> kvn3
 # ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012fdbc 2e0a1805 00000002 00000055 0012fdec MSPUB+0xa0200
01 0012fdf0 2e0a1756 00000055 00000055 00000000 MSPUB+0xa1805
02 0012fe18 2e0a163d 00000055 00000055 00ffffff MSPUB+0xa1756

0:000> !analyze -v
*******************************************************************************
(...)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ADVAPI32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Sensapi.DLL -
Failed calling InternetOpenUrl, GLE=12007

FAULTING_IP:
MSPUB+a0200
2e0a0200 395804          cmp     dword ptr [eax+4],ebx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 2e0a0200 (MSPUB+0x000a0200)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004

FAULTING_THREAD:  00000194

PROCESS_NAME:  MSPUB.EXE

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: MSPUB

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  4b8bab0b

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000004

READ_ADDRESS:  00000004

FOLLOWUP_IP:
MSPUB+a0200
2e0a0200 395804          cmp     dword ptr [eax+4],ebx

MOD_LIST: <ANALYSIS/>

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 2e0a1805 to 2e0a0200

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fdbc 2e0a1805 00000002 00000055 0012fdec MSPUB+0xa0200
0012fdf0 2e0a1756 00000055 00000055 00000000 MSPUB+0xa1805
0012fe18 2e0a163d 00000055 00000055 00ffffff MSPUB+0xa1756
0012fe34 2e15686c 00000055 00000000 00000001 MSPUB+0xa163d
0012fea4 2e0351e9 00000055 2e7c577c 0115effa MSPUB+0x15686c
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x351e9
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
0012ffc0 7c817067 0482d8b0 00000018 7ffd9000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  MSPUB+a0200

FOLLOWUP_NAME:  MachineOwner

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_C:_PROGRA_1_MICROS_2_Office14_MSPUB.EXE!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/MSPUB_EXE/14_0_4750_1000/4b8bab0b/MSPUB_EXE/14_0_4750_1000/4b8bab0b/c0000005/000a0200.htm?Retriage=1

Followup: MachineOwner
---------

0:000> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:2e0a0200 cmp dword ptr [eax+4],ebx

Basic Block:
    2e0a0200 cmp dword ptr [eax+4],ebx
       Tainted Input operands: 'eax','ebx'
    2e0a0203 je mspub+0xa036a (2e0a036a)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x79c80e54.0x4574cd28

 Hash Usage : Stack Trace:
Major+Minor : MSPUB+0xa0200
Major+Minor : MSPUB+0xa1805
Major+Minor : MSPUB+0xa1756
Major+Minor : MSPUB+0xa163d
Major+Minor : MSPUB+0x15686c
Minor       : MSPUB+0x351e9
Minor       : MSPUB+0x212d
Minor       : MSPUB+0x20d0
Minor       : MSPUB+0x2083
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000002e0a0200

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at MSPUB+0x00000000000a0200 (Hash=0x79c80e54.0x4574cd28)

This is a user mode read access violation near null, and is probably not exploitable.

0:000> .exr -1
ExceptionAddress: 2e0a0200 (MSPUB+0x000a0200)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004
0:000>

-------------------------------------------------------------------------------------------
AFAIK both were found between 04-11.05.2016.
-------------------------------------------------------------------------------------------
Cheers
code16
