Thursday, 14 July 2016

Irfan View - Crash - ANI poc

ANI crash found 09.04.2016 during IrfanView fuzzing...



TL;DR

Details below:

0:001> g
===========================================================
VERIFIER STOP 00000004: pid 0x6EC: extreme size request

    00150000 : Heap handle
    C600022C : Size requested
    00000000 :
    00000000 :
===========================================================

(6ec.244): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=c600022c ecx=7c91eab5 edx=0012bf60 esi=00000004 edi=00150000
eip=7c90120e esp=0012c194 ebp=0012c1a8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc              int     3

0:000> g (again)
===========================================================
VERIFIER STOP 00000004: pid 0x6EC: extreme size request

    00150000 : Heap handle
    CA2A3054 : Size requested
    00000000 :
    00000000 :
===========================================================

(6ec.244): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=ca2a3054 ecx=7c91eab5 edx=0012bf60 esi=00000004 edi=00150000
eip=7c90120e esp=0012c194 ebp=0012c1a8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc              int     3

0:000> g (...and again...)
(6ec.244): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=d0d0d0d0 ebx=0245cfe0 ecx=0012c7b4 edx=7c90e4f4 esi=02112ff8 edi=00000044
eip=00402e31 esp=0012c758 ebp=00000001 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\IrfanView\i_view32.exe
i_view32+0x2e31:
00402e31 8b4608          mov     eax,dword ptr [esi+8] ds:0023:02113000=????????


0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
i_view32+2e31
00402e31 8b4608          mov     eax,dword ptr [esi+8]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 00402e31 (i_view32+0x00002e31)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 02113000
Attempt to read from address 02113000

FAULTING_THREAD:  00000244

PROCESS_NAME:  i_view32.exe

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  56e13a3d

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  02113000

READ_ADDRESS:  02113000

FOLLOWUP_IP:
i_view32+2e31
00402e31 8b4608          mov     eax,dword ptr [esi+8]

MOD_LIST: <ANALYSIS/>

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0

LAST_CONTROL_TRANSFER:  from 0040145c to 00402e31

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c75c 0040145c 0012c7b4 7c80fcbf 7c80ff12 i_view32+0x2e31
0012c7a4 7c810902 000367d8 00000020 d0d0d0d0 i_view32+0x145c
0012c7c4 7c90d9bc 02112ff8 02428ed8 02429ed8 kernel32!CreateFileW+0x112
00000000 00000000 00000000 00000000 00000000 ntdll!NtReadFile+0xc


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  i_view32+2e31

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: i_view32

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\Program Files\IrfanView\i_view32.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0_c0000005_C:_Program_Files_IrfanView_i_view32.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/i_view32_exe/4_4_2_0/56e13a3d/i_view32_exe/4_4_2_0/56e13a3d/c0000005/00002e31.htm?Retriage=1

Followup: MachineOwner
---------

0:000> g
(6ec.244): Access violation - code c0000005 (!!! second chance !!!)
eax=d0d0d0d0 ebx=0245cfe0 ecx=0012c7b4 edx=7c90e4f4 esi=02112ff8 edi=00000044
eip=00402e31 esp=0012c758 ebp=00000001 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
i_view32+0x2e31:
00402e31 8b4608          mov     eax,dword ptr [esi+8] ds:0023:02113000=????????


0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2113000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00402e31 mov eax,dword ptr [esi+8]

Basic Block:
    00402e31 mov eax,dword ptr [esi+8]
       Tainted Input operands: 'esi'
    00402e34 cdq

    00402e35 sub eax,edx
       Tainted Input operands: 'eax'
    00402e37 xor edx,edx
    00402e39 sar eax,1
    00402e3b mov dword ptr [ecx+4],eax
       Tainted Input operands: 'eax'
    00402e3e mov dx,word ptr [esi+0eh]
       Tainted Input operands: 'esi'
    00402e42 mov dword ptr [ecx+8],edx
    00402e45 mov dword ptr [esi+20h],0
       Tainted Input operands: 'esi'
    00402e4c mov eax,dword ptr [ecx+18h]
    00402e4f cmp word ptr [eax+0eh],1
    00402e54 jne i_view32+0x2e5d (00402e5d)

Exception Hash (Major/Minor): 0xfdd7d7e0.0x2f99cfbe

 Hash Usage : Stack Trace:
Major+Minor : i_view32+0x2e31
Major+Minor : i_view32+0x145c
Major+Minor : kernel32!CreateFileW+0x112
Major+Minor : ntdll!NtReadFile+0xc
Instruction Address: 0x0000000000402e31

Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at i_view32+0x0000000000002e31 (Hash=0xfdd7d7e0.0x2f99cfbe)

The data from the faulting address is later used as the target for a later write.


0:000> u i_view32+0x2e31
i_view32+0x2e31:
00402e31 8b4608          mov     eax,dword ptr [esi+8]
00402e34 99              cdq
00402e35 2bc2            sub     eax,edx
00402e37 33d2            xor     edx,edx
00402e39 d1f8            sar     eax,1
00402e3b 894104          mov     dword ptr [ecx+4],eax
00402e3e 668b560e        mov     dx,word ptr [esi+0Eh]
00402e42 895108          mov     dword ptr [ecx+8],edx

0:000> dd esi+8
02113000  ???????? ???????? ???????? ????????
02113010  ???????? ???????? ???????? ????????
02113020  ???????? ???????? ???????? ????????
02113030  ???????? ???????? ???????? ????????
02113040  ???????? ???????? ???????? ????????
02113050  ???????? ???????? ???????? ????????
02113060  ???????? ???????? ???????? ????????
02113070  ???????? ???????? ???????? ????????

0:000> dd eax
d0d0d0d0  ???????? ???????? ???????? ????????
d0d0d0e0  ???????? ???????? ???????? ????????
d0d0d0f0  ???????? ???????? ???????? ????????
d0d0d100  ???????? ???????? ???????? ????????
d0d0d110  ???????? ???????? ???????? ????????
d0d0d120  ???????? ???????? ???????? ????????
d0d0d130  ???????? ???????? ???????? ????????
d0d0d140  ???????? ???????? ???????? ????????

0:000> u eip-1
i_view32+0x2e30:
00402e30 018b4608992b    add     dword ptr [ebx+2B990846h],ecx
00402e36 c233d2          ret     0D233h
00402e39 d1f8            sar     eax,1
00402e3b 894104          mov     dword ptr [ecx+4],eax
00402e3e 668b560e        mov     dx,word ptr [esi+0Eh]
00402e42 895108          mov     dword ptr [ecx+8],edx
00402e45 c7462000000000  mov     dword ptr [esi+20h],0
00402e4c 8b4118          mov     eax,dword ptr [ecx+18h]

0:000> u eip-2
i_view32+0x2e2f:
00402e2f 8901            mov     dword ptr [ecx],eax
00402e31 8b4608          mov     eax,dword ptr [esi+8]
00402e34 99              cdq
00402e35 2bc2            sub     eax,edx
00402e37 33d2            xor     edx,edx
00402e39 d1f8            sar     eax,1
00402e3b 894104          mov     dword ptr [ecx+4],eax
00402e3e 668b560e        mov     dx,word ptr [esi+0Eh]
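The two verifier stops above show the heap being asked for 0xC600022C and 0xCA2A3054 bytes, which is consistent with a size field from the fuzzed file being trusted, and the final fault reads a structure member at [esi+8] just past the end of a heap buffer. As an added example (not code from this post or from IrfanView), here is a RIFF/ACON chunk walker in Python that checks every size field against the bytes actually present before using it; the names build_ani, parse_ani, is_safe and the sample inputs are constructed for the example.

```python
import struct

# Constructed sample inputs (not from the original post): a minimal RIFF/ACON
# file with one 'anih' chunk, and the same file whose 'anih' size field is
# replaced by 0xC600022C, the value Application Verifier reported above.
ANIH_FIELDS = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
ANIH_NAMES = ("cbSize", "nFrames", "nSteps", "iWidth", "iHeight",
              "iBitCount", "nPlanes", "iDispRate", "bfAttributes")

def build_ani(anih_size: int) -> bytes:
    chunk = b"anih" + struct.pack("<I", anih_size) + ANIH_FIELDS
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD_ANI = build_ani(len(ANIH_FIELDS))
BAD_ANI = build_ani(0xC600022C)

class AniFormatError(ValueError):
    pass

def parse_ani(data: bytes) -> dict:
    """Walk the RIFF chunks, validating each size field before it is used."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise AniFormatError("not a RIFF/ACON file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size > len(data) - 8:           # RIFF size excludes its 8-byte header
        raise AniFormatError("RIFF size %#x exceeds file length" % riff_size)
    chunks, off, end = {}, 12, 8 + riff_size
    while off + 8 <= end:
        cid = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        # The check the crashing code lacks: a chunk may not claim more bytes
        # than remain, so it can neither drive an oversized allocation nor a
        # read of a header field past the end of the buffer.
        if size > end - (off + 8):
            raise AniFormatError("chunk %r size %#x exceeds %d remaining bytes"
                                 % (cid, size, end - (off + 8)))
        payload = data[off + 8:off + 8 + size]
        if cid == b"anih":
            if size < 36:                   # every field must be present
                raise AniFormatError("anih chunk too short")
            chunks["anih"] = dict(zip(ANIH_NAMES, struct.unpack_from("<9I", payload)))
        else:
            chunks[cid.decode("ascii", "replace")] = len(payload)
        off += 8 + size + (size & 1)        # RIFF pads odd-sized chunks
    return chunks

def is_safe(data: bytes) -> bool:
    try:
        parse_ani(data)
        return True
    except AniFormatError:
        return False
```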

+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.

+---------------------------------------------------------------------------+
Cheers,
Cody
