Thursday, 14 July 2016

Irfan View - Crash - TIFF case

TIFF crash found 09.04.2016 during IrfanView fuzzing.

TL;DR

Details below:
----
Irfan View - Crash - TIFF case
Found ........ | 09.07.2016
Version ...... | 4.42 - 32bit
Tested against | Windows XP SP3
----

0:000> r
eax=036be478 ebx=0012beb4 ecx=026d0000 edx=00fee478 esi=00000000 edi=026d0000
eip=7c9102ee esp=0012bbf8 ebp=0012bc20 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
ntdll!RtlAllocateHeap+0x24a:
7c9102ee 813850450000    cmp     dword ptr [eax],4550h ds:0023:036be478=????????

0:000> kv
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bc20 7c814e51 026d0000 00000000 00000001 ntdll!RtlAllocateHeap+0x24a
0012be70 7c801d3e 023a7e88 0012be98 0012beb4 kernel32!GetEnvironmentVariableA+0x2cf
0012bed4 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x249
*** WARNING: Unable to verify checksum for C:\Program Files\IrfanView\Plugins\TOOLS.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\IrfanView\Plugins\TOOLS.DLL -
0012bee8 025a1c45 00575100 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012c038 025a223b 00575100 0012c050 ffffffff TOOLS!CreateTextEffect+0x515
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\IrfanView\i_view32.exe
0012c054 0049260c 00575100 00562f20 00575100 TOOLS!ScanResourceImages+0x1b
0012c058 00575100 00562f20 00575100 00000019 i_view32+0x9260c
0012c05c 00562f20 00575100 00000019 4c4f4f54 i_view32+0x175100
0012c060 00575100 00000019 4c4f4f54 4c442e53 i_view32+0x162f20
0012c064 00000000 4c4f4f54 4c442e53 0000004c i_view32+0x175100


0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000    cmp     dword ptr [eax],4550h

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 7c9102ee (ntdll!RtlAllocateHeap+0x0000024a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 036be478
Attempt to read from address 036be478

FAULTING_THREAD:  0000020c

PROCESS_NAME:  i_view32.exe

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  036be478

READ_ADDRESS:  036be478

FOLLOWUP_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000    cmp     dword ptr [eax],4550h

MOD_LIST: <ANALYSIS/>

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ; Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 7c814e51 to 7c9102ee

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bc20 7c814e51 026d0000 00000000 00000001 ntdll!RtlAllocateHeap+0x24a
0012be70 7c801d3e 023a7e88 0012be98 0012beb4 kernel32!GetEnvironmentVariableA+0x2cf
0012bed4 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x249
0012bee8 025a1c45 00575100 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012c038 025a223b 00575100 0012c050 ffffffff TOOLS!CreateTextEffect+0x515
0012c054 0049260c 00575100 00562f20 00575100 TOOLS!ScanResourceImages+0x1b
0012c058 00575100 00562f20 00575100 00000019 i_view32+0x9260c
0012c05c 00562f20 00575100 00000019 4c4f4f54 i_view32+0x175100
0012c060 00575100 00000019 4c4f4f54 4c442e53 i_view32+0x162f20
0012c064 00000000 4c4f4f54 4c442e53 0000004c i_view32+0x175100


SYMBOL_NAME:  heap_corruption!heap_corruption

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME:  heap_corruption

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption

BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/i_view32_exe/4_4_2_0/56e13a3d/ntdll_dll/5_1_2600_5512/4802a12c/c0000005/000102ee.htm?Retriage=1

Followup: MachineOwner
---------


0:000> !load winext\msec.dll;!exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x36be478
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:7c9102ee cmp dword ptr [eax],4550h

Basic Block:
    7c9102ee cmp dword ptr [eax],4550h
       Tainted Input operands: 'eax'
    7c9102f4 jne ntdll!rtllookupatominatomtable+0x7f6 (7c928c80)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x620d61d0.0xd897f552

 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlAllocateHeap+0x24a
Major+Minor : kernel32!GetEnvironmentVariableA+0x2cf
Major+Minor : kernel32!LoadLibraryExW+0x249
Major+Minor : kernel32!LoadLibraryExA+0x1f
Major+Minor : TOOLS!CreateTextEffect+0x515
Major+Minor : TOOLS!ScanResourceImages+0x1b
Minor       : i_view32+0x9260c
Minor       : i_view32+0x175100
Minor       : i_view32+0x162f20
Minor       : i_view32+0x175100
Instruction Address: 0x000000007c9102ee

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlAllocateHeap+0x000000000000024a called from kernel32!GetEnvironmentVariableA+0x00000000000002cf (Hash=0x620d61d0.0xd897f552)

The data from the faulting address is later used to determine whether or not a branch is taken.


0:000> r
eax=036be478 ebx=0012beb4 ecx=026d0000 edx=00fee478 esi=00000000 edi=026d0000
eip=7c9102ee esp=0012bbf8 ebp=0012bc20 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
ntdll!RtlAllocateHeap+0x24a:
7c9102ee 813850450000    cmp     dword ptr [eax],4550h ds:0023:036be478=????????


0:000> dd eax
036be478  ???????? ???????? ???????? ????????
036be488  ???????? ???????? ???????? ????????
036be498  ???????? ???????? ???????? ????????
036be4a8  ???????? ???????? ???????? ????????
036be4b8  ???????? ???????? ???????? ????????
036be4c8  ???????? ???????? ???????? ????????
036be4d8  ???????? ???????? ???????? ????????
036be4e8  ???????? ???????? ???????? ????????
0:000> .logclose
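When a fuzzing run produces many logs like the session above, the first job is to pull the triage fields out of each one and bucket duplicates. The following Python helper is an added example (not code from the original post or from IrfanView); it parses a constructed sample made of lines copied from the WinDbg session shown here, extracts the exception code, access type, faulting address, `DEFAULT_BUCKET_ID`, the `!exploitable` Major/Minor hash and classification, the stack symbols, and whether the faulting instruction read from an unmapped address (the `????????` WinDbg prints when memory cannot be read). The field names and the bucket-key format are my own choices, not anything WinDbg or `!exploitable` defines.

```python
import re

# Constructed sample: a handful of lines lifted from the WinDbg session in the post
# (IrfanView 4.42, TIFF case), so the parser can be run offline.
SAMPLE_LOG = """\
0:000> r
eax=036be478 ebx=0012beb4 ecx=026d0000 edx=00fee478 esi=00000000 edi=026d0000
eip=7c9102ee esp=0012bbf8 ebp=0012bc20 iopl=0         nv up ei ng nz na pe cy
ntdll!RtlAllocateHeap+0x24a:
7c9102ee 813850450000    cmp     dword ptr [eax],4550h ds:0023:036be478=????????
0:000> !analyze -v
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000000
   Parameter[1]: 036be478
DEFAULT_BUCKET_ID:  HEAP_CORRUPTION
STACK_TEXT:
0012bc20 7c814e51 026d0000 00000000 00000001 ntdll!RtlAllocateHeap+0x24a
0012be70 7c801d3e 023a7e88 0012be98 0012beb4 kernel32!GetEnvironmentVariableA+0x2cf
0012bee8 025a1c45 00575100 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012c038 025a223b 00575100 0012c050 ffffffff TOOLS!CreateTextEffect+0x515
0:000> !load winext\\msec.dll;!exploitable -v
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0x620d61d0.0xd897f552
Exploitability Classification: UNKNOWN
0:000> dd eax
036be478  ???????? ???????? ???????? ????????
"""

# Single-value fields, keyed by the (hypothetical) names used in the summary dict.
FIELD_PATTERNS = {
    "exception_code": re.compile(r"ExceptionCode:\s+([0-9a-f]{8})"),
    "access_type":    re.compile(r"Parameter\[0\]:\s+([0-9a-f]{8})"),
    "fault_address":  re.compile(r"Parameter\[1\]:\s+([0-9a-f]{8})"),
    "bucket":         re.compile(r"DEFAULT_BUCKET_ID:\s+(\S+)"),
    "exception_hash": re.compile(r"Exception Hash \(Major/Minor\):\s+(0x[0-9a-f]+\.0x[0-9a-f]+)"),
    "classification": re.compile(r"Exploitability Classification:\s+(\S+)"),
    "faulting_ip":    re.compile(r"^eip=([0-9a-f]{8})", re.M),
}

# A `kv`/STACK_TEXT frame: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$", re.M)

# WinDbg prints "=????????" after the faulting instruction when the operand
# memory could not be read, i.e. the address is not mapped.
UNMAPPED_RE = re.compile(r"=\?{8}$", re.M)


def parse_crash_log(text):
    """Extract the triage fields from one WinDbg/!exploitable log into a dict."""
    info = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(text)
        info[name] = m.group(1) if m else None
    info["frames"] = FRAME_RE.findall(text)
    info["unmapped_read"] = bool(UNMAPPED_RE.search(text))
    return info


def access_kind(info):
    """Decode Parameter[0] of STATUS_ACCESS_VIOLATION: 0 read, 1 write, 8 execute (DEP)."""
    return {"00000000": "read", "00000001": "write", "00000008": "execute"}.get(
        info["access_type"], "unknown")


def first_frame_outside(frames, system_modules=("ntdll", "kernel32")):
    """First stack frame not in the system modules: the caller that handed
    control into the OS, which is usually where to start reading the code."""
    for symbol in frames:
        module = symbol.split("!")[0].split("+")[0]
        if module.lower() not in system_modules:
            return symbol
    return None


def bucket_key(info):
    """Deduplication key: WinDbg bucket + !exploitable hash + access type."""
    return f"{info['bucket']}:{info['exception_hash']}:{access_kind(info)}"


if __name__ == "__main__":
    summary = parse_crash_log(SAMPLE_LOG)
    print("key       :", bucket_key(summary))
    print("fault ip  :", summary["faulting_ip"], "reading", summary["fault_address"],
          "(unmapped)" if summary["unmapped_read"] else "")
    print("app frame :", first_frame_outside(summary["frames"]))
    print("class     :", summary["classification"])
```

Running this over every `.log` a fuzzing harness writes and grouping by `bucket_key` collapses repeated hits of the same path into one entry; the `first_frame_outside` value (here `TOOLS!CreateTextEffect+0x515`, the last non-system frame in the session above) is the point from which to start reading when reproducing the crash.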




+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.

+---------------------------------------------------------------------------+
Cheers,
Cody
