(AFAIK it's already published, but without details.)
Below is a little more detail and the PoC:
TL;DR
A few details below:
Publisher (from MS Office 2010) is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application. The crash is a read through a NULL object pointer (eax=0 at cmp dword ptr [eax+4],ebx), which !exploitable classifies as a read AV near NULL, PROBABLY_NOT_EXPLOITABLE.
-------------------------------------------------------------------------------------------
0:007> g
ModLoad: 3a8c0000 3a961000 C:\Program Files\Microsoft Office\Office14\PTXT9.DLL
ModLoad: 6bdc0000 6be7c000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
(...)
(6a0.194): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0012fd84 edx=0012fd88 esi=00000200 edi=09b65400
eip=2e0a0200 esp=0012faa8 ebp=0012fdbc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
MSPUB+0xa0200:
2e0a0200 395804 cmp dword ptr [eax+4],ebx ds:0023:00000004=????????
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fdbc 2e0a1805 00000002 00000055 0012fdec MSPUB+0xa0200
0012fdf0 2e0a1756 00000055 00000055 00000000 MSPUB+0xa1805
0012fe18 2e0a163d 00000055 00000055 00ffffff MSPUB+0xa1756
0012fe34 2e15686c 00000055 00000000 00000001 MSPUB+0xa163d
0012fea4 2e0351e9 00000055 2e7c577c 0115effa MSPUB+0x15686c
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x351e9
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0012ffc0 7c817067 0482d8b0 00000018 7ffd9000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
0:000> u eip
MSPUB+0xa0200:
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a021c ff7004 push dword ptr [eax+4]
0:000> dd ebx
00000000 ???????? ???????? ???????? ????????
00000010 ???????? ???????? ???????? ????????
00000020 ???????? ???????? ???????? ????????
00000030 ???????? ???????? ???????? ????????
00000040 ???????? ???????? ???????? ????????
00000050 ???????? ???????? ???????? ????????
00000060 ???????? ???????? ???????? ????????
00000070 ???????? ???????? ???????? ????????
0:000> u ebx
00000000 ?? ???
^ Memory access error in 'u ebx'
0:000> dd eax+4
00000004 ???????? ???????? ???????? ????????
00000014 ???????? ???????? ???????? ????????
00000024 ???????? ???????? ???????? ????????
00000034 ???????? ???????? ???????? ????????
00000044 ???????? ???????? ???????? ????????
00000054 ???????? ???????? ???????? ????????
00000064 ???????? ???????? ???????? ????????
00000074 ???????? ???????? ???????? ????????
0:000> u eip-1
MSPUB+0xa01ff:
2e0a01ff c8395804 enter 5839h,4
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a021c ff7004 push dword ptr [eax+4]
0:000> u eip-2
MSPUB+0xa01fe:
2e0a01fe 45 inc ebp
2e0a01ff c8395804 enter 5839h,4
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8 mov eax,dword ptr [ebp-38h]
0:000> u eip-3
MSPUB+0xa01fd:
2e0a01fd 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
2e0a0219 8b45c8 mov eax,dword ptr [ebp-38h]
0:000> u eip-4
MSPUB+0xa01fc:
2e0a01fc 008b45c83958 add byte ptr [ebx+5839C845h],cl
2e0a0202 040f add al,0Fh
2e0a0204 846101 test byte ptr [ecx+1],ah
2e0a0207 0000 add byte ptr [eax],al
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
0:000> u eip-5
MSPUB+0xa01fb:
2e0a01fb 0000 add byte ptr [eax],al
2e0a01fd 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
0:000> u eip-6
MSPUB+0xa01fa:
2e0a01fa 0100 add dword ptr [eax],eax
2e0a01fc 008b45c83958 add byte ptr [ebx+5839C845h],cl
2e0a0202 040f add al,0Fh
2e0a0204 846101 test byte ptr [ecx+1],ah
2e0a0207 0000 add byte ptr [eax],al
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
0:000> u eip-7
MSPUB+0xa01f9:
2e0a01f9 1801 sbb byte ptr [ecx],al
2e0a01fb 0000 add byte ptr [eax],al
2e0a01fd 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
0:000> u eip-8
MSPUB+0xa01f8:
2e0a01f8 90 nop
2e0a01f9 1801 sbb byte ptr [ecx],al
2e0a01fb 0000 add byte ptr [eax],al
2e0a01fd 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
0:000> u eip-9
MSPUB+0xa01f7:
2e0a01f7 ff9018010000 call dword ptr [eax+118h]
2e0a01fd 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
2e0a0209 8b4804 mov ecx,dword ptr [eax+4]
2e0a020c e86f49f6ff call MSPUB+0x4b80 (2e004b80)
2e0a0211 85c0 test eax,eax
2e0a0213 0f8481561100 je MSPUB+0x1b589a (2e1b589a)
0:000> u eip-10
MSPUB+0xa01f0:
2e0a01f0 8b07 mov eax,dword ptr [edi]
2e0a01f2 8d4dc8 lea ecx,[ebp-38h]
2e0a01f5 51 push ecx
2e0a01f6 57 push edi
2e0a01f7 ff9018010000 call dword ptr [eax+118h]
2e0a01fd 8b45c8 mov eax,dword ptr [ebp-38h]
2e0a0200 395804 cmp dword ptr [eax+4],ebx
2e0a0203 0f8461010000 je MSPUB+0xa036a (2e0a036a)
0:000> kvn3
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012fdbc 2e0a1805 00000002 00000055 0012fdec MSPUB+0xa0200
01 0012fdf0 2e0a1756 00000055 00000055 00000000 MSPUB+0xa1805
02 0012fe18 2e0a163d 00000055 00000055 00ffffff MSPUB+0xa1756
0:000> !analyze -v
*******************************************************************************
(...)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ADVAPI32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Sensapi.DLL -
Failed calling InternetOpenUrl, GLE=12007
FAULTING_IP:
MSPUB+a0200
2e0a0200 395804 cmp dword ptr [eax+4],ebx
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 2e0a0200 (MSPUB+0x000a0200)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
FAULTING_THREAD: 00000194
PROCESS_NAME: MSPUB.EXE
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: MSPUB
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4b8bab0b
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000004
READ_ADDRESS: 00000004
FOLLOWUP_IP:
MSPUB+a0200
2e0a0200 395804 cmp dword ptr [eax+4],ebx
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 2e0a1805 to 2e0a0200
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fdbc 2e0a1805 00000002 00000055 0012fdec MSPUB+0xa0200
0012fdf0 2e0a1756 00000055 00000055 00000000 MSPUB+0xa1805
0012fe18 2e0a163d 00000055 00000055 00ffffff MSPUB+0xa1756
0012fe34 2e15686c 00000055 00000000 00000001 MSPUB+0xa163d
0012fea4 2e0351e9 00000055 2e7c577c 0115effa MSPUB+0x15686c
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x351e9
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
0012ffc0 7c817067 0482d8b0 00000018 7ffd9000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: MSPUB+a0200
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_C:_PROGRA_1_MICROS_2_Office14_MSPUB.EXE!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/MSPUB_EXE/14_0_4750_1000/4b8bab0b/MSPUB_EXE/14_0_4750_1000/4b8bab0b/c0000005/000a0200.htm?Retriage=1
Followup: MachineOwner
---------
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:2e0a0200 cmp dword ptr [eax+4],ebx
Basic Block:
2e0a0200 cmp dword ptr [eax+4],ebx
Tainted Input operands: 'eax','ebx'
2e0a0203 je mspub+0xa036a (2e0a036a)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x79c80e54.0x4574cd28
Hash Usage : Stack Trace:
Major+Minor : MSPUB+0xa0200
Major+Minor : MSPUB+0xa1805
Major+Minor : MSPUB+0xa1756
Major+Minor : MSPUB+0xa163d
Major+Minor : MSPUB+0x15686c
Minor : MSPUB+0x351e9
Minor : MSPUB+0x212d
Minor : MSPUB+0x20d0
Minor : MSPUB+0x2083
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000002e0a0200
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at MSPUB+0x00000000000a0200 (Hash=0x79c80e54.0x4574cd28)
This is a user mode read access violation near null, and is probably not exploitable.
0:000> .exr -1
ExceptionAddress: 2e0a0200 (MSPUB+0x000a0200)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
0:000>
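To make the triage above repeatable, here is an added Python helper (not part of the original post) that parses the register dump, the faulting instruction and the .exr record, recomputes the effective address from the register values, checks it against Parameter[1], and reproduces the ReadAVNearNull bucket that !exploitable assigned. The sample input is copied from the WinDbg output above; the 64 KiB NULL-page limit is the usual Windows user-mode convention.

```python
import re

# WinDbg output copied from the crash log above (register dump, faulting
# instruction and .exr record); not constructed.
SAMPLE = """\
eax=00000000 ebx=00000000 ecx=0012fd84 edx=0012fd88 esi=00000200 edi=09b65400
eip=2e0a0200 esp=0012faa8 ebp=0012fdbc iopl=0 nv up ei pl nz na po nc
2e0a0200 395804 cmp dword ptr [eax+4],ebx ds:0023:00000004=????????
ExceptionCode: c0000005 (Access violation)
Parameter[0]: 00000000
Parameter[1]: 00000004
"""

NULL_PAGE_LIMIT = 0x10000            # lowest 64 KiB of user space is never mapped on Windows
STATUS_ACCESS_VIOLATION = 0xC0000005
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}   # meaning of Parameter[0]

def parse_registers(text):
    """Pull the 32-bit registers out of WinDbg's register dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", text)}

def masm_int(tok):
    """MASM numbers: trailing 'h' means hex, otherwise decimal (e.g. 4, 38h, 118h)."""
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)

def effective_address(operand, regs):
    """Resolve a [base+disp] / [base-disp] operand with the captured register values."""
    m = re.fullmatch(r"\[(e\w\w)(?:([+-])([0-9a-fA-F]+h?))?\]", operand)
    addr = regs[m.group(1)]
    if m.group(2):
        addr += masm_int(m.group(3)) * (1 if m.group(2) == "+" else -1)
    return addr & 0xFFFFFFFF

def triage(text):
    regs = parse_registers(text)
    code = int(re.search(r"ExceptionCode:\s*([0-9a-f]{8})", text).group(1), 16)
    params = {int(i): int(v, 16) for i, v in re.findall(r"Parameter\[(\d)\]:\s*([0-9a-f]{8})", text)}
    fault = re.search(r"^([0-9a-f]{8}) [0-9a-f]+ (\w+) (.*?)(?: ds:\S+)?$", text, re.M)
    mem = re.search(r"\[[^\]]+\]", fault.group(3)).group(0)   # the memory operand, e.g. [eax+4]
    ea = effective_address(mem, regs)
    kind = ACCESS_KIND.get(params.get(0), "unknown")
    near_null = params.get(1, ea) < NULL_PAGE_LIMIT
    if code == STATUS_ACCESS_VIOLATION and kind == "read" and near_null:
        cls = "ReadAVNearNull"           # the !exploitable bucket this crash lands in
    elif code == STATUS_ACCESS_VIOLATION:
        cls = kind.capitalize() + "AV"
    else:
        cls = "Other"
    return {"eip_matches": regs["eip"] == int(fault.group(1), 16),
            "memory_operand": mem, "effective_address": ea,
            "recorded_address": params.get(1), "access": kind, "classification": cls}
```

The same resolver explains the register state: ecx=0012fd84 is exactly ebp-38h, the out-parameter slot that the call through [eax+118h] filled with NULL.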
-------------------------------------------------------------------------------------------
AFAIK both were found between 04.05.2016 and 11.05.2016.
-------------------------------------------------------------------------------------------
Cheers
code16