Tuesday, 19 July 2016

Crash in PhotosApp for Windows 8.1

Found during fuzzing; a few details below.

Found: 15.07.2016

TL;DR

Details:

0:000> .childdbg 1
Processes created by the current process will be debugged

0:000> g
Executable search path is:
ModLoad: 01040000 01099000   PhotosApp.exe
(...)

1:001>
ModLoad: 6ba50000 6baa5000   C:\Windows\System32\Windows.UI.dll
(10b4.1278): C++ EH exception - code e06d7363 (first chance)
ModLoad: 74b50000 74b5e000   C:\Windows\System32\profapi.dll
(10b4.1278): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=020139f8 ecx=6b0ecaaf edx=65272318 esi=00000000 edi=0248f6f8
eip=6b0eca58 esp=0248f688 ebp=0248f698 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\Windows.UI.Xaml.dll -
Windows_UI_Xaml!DllGetActivationFactory+0x26bf81:
6b0eca58 8b481c          mov     ecx,dword ptr [eax+1Ch] ds:0023:0000001c=????????


1:002> ub eip
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\FileManager\FileManagerApp.dll -
Windows_UI_Xaml!DllGetActivationFactory+0x26bf68:
6b0eca3f 50              push    eax
6b0eca40 e832000000      call    Windows_UI_Xaml!DllGetActivationFactory+0x26bfa0 (6b0eca77)
6b0eca45 8bf0            mov     esi,eax
6b0eca47 85f6            test    esi,esi
6b0eca49 0f88a3722600    js      Windows_UI_Xaml!DllGetActivationFactory+0x4d321b (6b353cf2)
6b0eca4f 8b45fc          mov     eax,dword ptr [ebp-4]
6b0eca52 ff7510          push    dword ptr [ebp+10h]
6b0eca55 ff750c          push    dword ptr [ebp+0Ch]


1:002> u eip
Windows_UI_Xaml!DllGetActivationFactory+0x26bf81:
6b0eca58 8b481c          mov     ecx,dword ptr [eax+1Ch]
6b0eca5b 8b01            mov     eax,dword ptr [ecx]
6b0eca5d ff10            call    dword ptr [eax]
6b0eca5f 8bf0            mov     esi,eax
6b0eca61 85f6            test    esi,esi
6b0eca63 0f8895722600    js      Windows_UI_Xaml!DllGetActivationFactory+0x4d3227 (6b353cfe)
6b0eca69 8bc6            mov     eax,esi
6b0eca6b 5e              pop     esi


1:002> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0248f698 64ed222a 020110bc 020139f8 0248f6f8 Windows_UI_Xaml!DllGetActivationFactory+0x26bf81
0248f6d4 64ea3527 020110b8 0248f6f8 020139f8 FileManagerApp+0x5222a
0248f718 65146bf1 b4ada604 01ff4080 02010fd0 FileManagerApp+0x23527
0248f738 64eaa57e 0119ab80 b4ada654 00000000 FileManagerApp!VSDesignerDllMain+0x25b241
*** ERROR: Module load completed but symbols could not be loaded for PhotosApp.exe
0248f768 01042377 0119ab80 0248f780 ecb749d4 FileManagerApp+0x2a57e
0248f794 01041e2b 01ff31ec 02010f18 ecb74988 PhotosApp+0x2377
0248f7c8 6b0c5eaf 01ff31d8 02010f18 badc0d82 PhotosApp+0x1e2b
0248f7f8 6b4e9c27 badc022a 00000000 00000000 Windows_UI_Xaml!DllGetActivationFactory+0x2453d8
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNEL32.DLL -
0248f850 758116e8 00000000 0248f8a0 7714c206 Windows_UI_Xaml!GetStringRawBuffer+0x12b0
0248f85c 7714c206 00000000 9aad759b 00000000 KERNEL32!BaseThreadInitThunk+0x12
0248f8a0 7714c1df ffffffff 77170cf3 00000000 ntdll!RtlCreateMemoryZone+0xc2
0248f8b0 00000000 6b4e9bd2 00000000 00000000 ntdll!RtlCreateMemoryZone+0x9b


1:002> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

(...)

FAULTING_IP:
Windows_UI_Xaml!DllGetActivationFactory+26bf81
6b0eca58 8b481c          mov     ecx,dword ptr [eax+1Ch]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6b0eca58 (Windows_UI_Xaml!DllGetActivationFactory+0x0026bf81)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000001c
Attempt to read from address 0000001c

FAULTING_THREAD:  00001278

PROCESS_NAME:  PhotosApp.exe

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 770f0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  5215860f

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000001c

READ_ADDRESS:  0000001c

FOLLOWUP_IP:
Windows_UI_Xaml!DllGetActivationFactory+26bf81
6b0eca58 8b481c          mov     ecx,dword ptr [eax+1Ch]

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 64ed222a to 6b0eca58

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0248f698 64ed222a 020110bc 020139f8 0248f6f8 Windows_UI_Xaml!DllGetActivationFactory+0x26bf81
0248f6d4 64ea3527 020110b8 0248f6f8 020139f8 FileManagerApp+0x5222a
0248f718 65146bf1 b4ada604 01ff4080 02010fd0 FileManagerApp+0x23527
0248f738 64eaa57e 0119ab80 b4ada654 00000000 FileManagerApp!VSDesignerDllMain+0x25b241
0248f768 01042377 0119ab80 0248f780 ecb749d4 FileManagerApp+0x2a57e
0248f794 01041e2b 01ff31ec 02010f18 ecb74988 PhotosApp+0x2377
0248f7c8 6b0c5eaf 01ff31d8 02010f18 badc0d82 PhotosApp+0x1e2b
0248f7f8 6b4e9c27 badc022a 00000000 00000000 Windows_UI_Xaml!DllGetActivationFactory+0x2453d8
0248f850 758116e8 00000000 0248f8a0 7714c206 Windows_UI_Xaml!GetStringRawBuffer+0x12b0
0248f85c 7714c206 00000000 9aad759b 00000000 KERNEL32!BaseThreadInitThunk+0x12
0248f8a0 7714c1df ffffffff 77170cf3 00000000 ntdll!RtlCreateMemoryZone+0xc2
0248f8b0 00000000 6b4e9bd2 00000000 00000000 ntdll!RtlCreateMemoryZone+0x9b


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Windows_UI_Xaml!DllGetActivationFactory+26bf81

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Windows_UI_Xaml

IMAGE_NAME:  Windows.UI.Xaml.dll

STACK_COMMAND:  ~2s ; kb

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_Windows.UI.Xaml.dll!DllGetActivationFactory

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/PhotosApp_exe/6_3_9600_16384/521577fc/Windows_UI_Xaml_dll/6_3_9600_16384/5215860f/c0000005/003eca58.htm?Retriage=1

Followup: MachineOwner
---------


1:002> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1c
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6b0eca58 mov ecx,dword ptr [eax+1ch]

Basic Block:
    6b0eca58 mov ecx,dword ptr [eax+1ch]
       Tainted Input operands: 'eax'
    6b0eca5b mov eax,dword ptr [ecx]
       Tainted Input operands: 'ecx'
    6b0eca5d call dword ptr [eax]
       Tainted Input operands: 'eax','ecx'

Exception Hash (Major/Minor): 0x8fbb1cc3.0x7d261817

 Hash Usage : Stack Trace:
Major+Minor : Windows_UI_Xaml!DllGetActivationFactory+0x26bf81
Major+Minor : FileManagerApp+0x5222a
Major+Minor : FileManagerApp+0x23527
Major+Minor : FileManagerApp!VSDesignerDllMain+0x25b241
Major+Minor : FileManagerApp+0x2a57e
Minor       : PhotosApp+0x2377
Minor       : PhotosApp+0x1e2b
Minor       : Windows_UI_Xaml!DllGetActivationFactory+0x2453d8
Minor       : Windows_UI_Xaml!GetStringRawBuffer+0x12b0
Minor       : KERNEL32!BaseThreadInitThunk+0x12
Minor       : ntdll!RtlCreateMemoryZone+0xc2
Minor       : ntdll!RtlCreateMemoryZone+0x9b
Instruction Address: 0x000000006b0eca58

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at Windows_UI_Xaml!DllGetActivationFactory+0x000000000026bf81 (Hash=0x8fbb1cc3.0x7d261817)

The data from the faulting address is later used as the target for a branch.


1:002> .logclose
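As an added example (not part of the original post), a small Python triage helper that parses the `!exploitable -v` block above and records why this crash was bucketed as PROBABLY_EXPLOITABLE: the read at [eax+1Ch] is near NULL, but the tainted value is then dereferenced and used as an indirect call target. The field names are the ones printed above; the priority rule is an assumption of mine, not part of the tool.

```python
import re

# Sample input: lines copied from the !exploitable -v output in the log above.
SAMPLE = """Exception Faulting Address: 0x1c
Basic Block:
    6b0eca58 mov ecx,dword ptr [eax+1ch]
       Tainted Input operands: 'eax'
    6b0eca5b mov eax,dword ptr [ecx]
       Tainted Input operands: 'ecx'
    6b0eca5d call dword ptr [eax]
       Tainted Input operands: 'eax','ecx'
Exception Hash (Major/Minor): 0x8fbb1cc3.0x7d261817
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

INSN_RE = re.compile(r"^\s+([0-9a-f]{8})\s+(\w+)\s+(.*)$")  # indented disassembly line
TAINT_RE = re.compile(r"Tainted Input operands: (.*)$")
FIELDS = {  # "Key: value" lines worth keeping, mapped to record keys
    "Exploitability Classification": "classification",
    "Exception Hash (Major/Minor)": "hash",
    "Exception Faulting Address": "fault_addr",
}

def parse_exploitable(text):
    """Turn !exploitable text into a dict with the basic block and its taint info."""
    rec = {"basic_block": []}
    cur = None
    for line in text.splitlines():
        key, _, val = line.partition(": ")
        if key in FIELDS:
            rec[FIELDS[key]] = val.strip()
            continue
        m = INSN_RE.match(line)
        if m:  # new instruction; taint line (if any) follows and attaches to it
            cur = {"addr": m.group(1), "mnemonic": m.group(2), "operands": m.group(3), "tainted": []}
            rec["basic_block"].append(cur)
            continue
        m = TAINT_RE.search(line)
        if m and cur is not None:
            cur["tainted"] = re.findall(r"'(\w+)'", m.group(1))
    return rec

def triage(rec):
    """Rank the crash (assumed rule): tainted data reaching call/jmp outranks a plain NULL read."""
    fault = int(rec.get("fault_addr", "0xffffffff"), 16)
    near_null = fault < 0x10000  # access relative to a NULL object pointer
    tainted_branch = any(i["mnemonic"] in ("call", "jmp") and i["tainted"] for i in rec["basic_block"])
    return {"bucket": rec.get("hash"), "near_null": near_null, "tainted_branch": tainted_branch,
            "priority": "high" if tainted_branch else ("low" if near_null else "medium")}
```

Dedupe fuzzer crashes on `bucket` (the Major.Minor hash) and sort by `priority`; a NULL read that never reaches a branch can be parked as a denial-of-service bug.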



+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.

+---------------------------------------------------------------------------+
Cheers,
Cody


