Publisher (from MS Office 2010) is (again) prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application. As the log below shows, the crash is a read access violation near NULL inside mso.dll (a 16-byte copy whose source pointer, loaded from an object field, is 0), which !exploitable rates PROBABLY_NOT_EXPLOITABLE; the impact is therefore a crash, not code execution.
-------------------------------------------------------------------------------------------
Found by : code16@26.05.2016
TL;DR
-------------------------------------------------------------------------------------------
0:000> r
eax=09a69af0 ebx=0947fdc0 ecx=09a69af0 edx=00000081 esi=00000000 edi=0012fa30
eip=3940f8fe esp=0012f7e4 ebp=0012fa80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
mso!Ordinal4211+0x51a:
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi] es:0023:0012fa30=00000000 ds:0023:00000000=????????
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:3940f8fe movs dword ptr es:[edi],dword ptr [esi]
Basic Block:
3940f8fe movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f8ff movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f900 movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f901 movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f902 jne mso!ordinal6819+0xa12c5 (39707538)
Exception Hash (Major/Minor): 0x7220f779.0x8841e9f2
Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal4211+0x51a
Major+Minor : mso!Ordinal1774+0x594
Major+Minor : mso!Ordinal1774+0x57a
Major+Minor : MSPUB+0x7d277
Major+Minor : MSPUB+0x1d7b7
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!GetWindowLongW+0x127
Minor : USER32!DispatchMessageW+0xf
Minor : mso!Ordinal9774+0x23
Minor : MSPUB+0x347ec
Minor : MSPUB+0x212d
Minor : MSPUB+0x20d0
Minor : MSPUB+0x2083
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000003940f8fe
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mso!Ordinal4211+0x000000000000051a (Hash=0x7220f779.0x8841e9f2)
This is a user mode read access violation near null, and is probably not exploitable.
0:000> r
eax=09a69af0 ebx=0947fdc0 ecx=09a69af0 edx=00000081 esi=00000000 edi=0012fa30
eip=3940f8fe esp=0012f7e4 ebp=0012fa80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
mso!Ordinal4211+0x51a:
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi] es:0023:0012fa30=00000000 ds:0023:00000000=????????
0:000> ub
mso!Ordinal4211+0x4fd:
3940f8e1 54 push esp
3940f8e2 d8ff fdivr st,st(7)
3940f8e4 f6465808 test byte ptr [esi+58h],8
3940f8e8 0f84a652d8ff je mso!Ordinal1774+0x90f (39194b94)
3940f8ee 83bd40ffffff00 cmp dword ptr [ebp-0C0h],0
3940f8f5 8b45e8 mov eax,dword ptr [ebp-18h]
3940f8f8 8b7010 mov esi,dword ptr [eax+10h]
3940f8fb 8d7db0 lea edi,[ebp-50h]
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fa80 39194819 022cabf0 0012fb8c 391947ff mso!Ordinal4211+0x51a
0012fa8c 391947ff 0947fe8c 00003210 0012fbc0 mso!Ordinal1774+0x594
0012fb8c 2e07d277 022762a0 0012fd30 0012fbc0 mso!Ordinal1774+0x57a
0012fbd4 2e01d7b7 0000002c 000000bc 0012fd30 MSPUB+0x7d277
0012fd90 7e418734 001501b2 00000200 00000000 MSPUB+0x1d7b7
0012fdbc 7e418816 2e01d3a2 001501b2 00000200 USER32!GetDC+0x6d
0012fe24 7e4189cd 00000000 2e01d3a2 001501b2 USER32!GetDC+0x14f
0012fe84 7e418a10 2e7146d8 00000000 0012fea4 USER32!GetWindowLongW+0x127
0012fe94 3917b55b 2e7146d8 00000000 0012fee4 USER32!DispatchMessageW+0xf
0012fea4 2e0347ec 2e7146d8 2e7c577c 0115effa mso!Ordinal9774+0x23
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x347ec
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
0012ffc0 7c817067 056bd8b0 00000018 7ffde000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
0:000> u eip
mso!Ordinal4211+0x51a:
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
3940f915 8d852cffffff lea eax,[ebp-0D4h]
0:000> u eip-1
mso!Ordinal4211+0x519:
3940f8fd b0a5 mov al,0A5h
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
3940f915 8d852cffffff lea eax,[ebp-0D4h]
0:000> u eip-2
mso!Ordinal4211+0x518:
3940f8fc 7db0 jge mso!Ordinal4211+0x4ca (3940f8ae)
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
0:000> u eip-3
mso!Ordinal4211+0x517:
3940f8fb 8d7db0 lea edi,[ebp-50h]
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
0:000> kvn1
# ChildEBP RetAddr Args to Child
00 0012fa80 39194819 022cabf0 0012fb8c 391947ff mso!Ordinal4211+0x51a
0:000> .exr -1
ExceptionAddress: 3940f8fe (mso!Ordinal4211+0x0000051a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
0:000> .logclose
-------------------------------------------------------------------------------------------
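Added example (not code16's code and not anything from mso.dll): a C model of the faulting sequence in the log above. The disassembly shows `mov eax,[ebp-18h]` (object pointer, 09a69af0), `mov esi,[eax+10h]` (a pointer field that is 0 here), `lea edi,[ebp-50h]` (a stack destination) and four `movsd`, i.e. a 16-byte struct copy with no check on the source. The struct layout and the names `pub_object_t`, `copy_unchecked`, `copy_checked` and the `demo_*` helpers are assumptions for illustration only; the sample data is constructed.

```c
/* Added example, not code from the original page or from mso.dll.
 * Models the crash in the log:
 *   mov  eax,[ebp-18h]   ; eax = object pointer (09a69af0 in the log)
 *   mov  esi,[eax+10h]   ; esi = pointer field at offset 0x10 -> 00000000
 *   lea  edi,[ebp-50h]   ; edi = 16-byte stack destination
 *   movsd x4             ; 3940f8fe..3940f901: read from esi=0 -> AV
 * Layout, names and data below are assumptions for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four dword moves = 16 bytes copied. */
#define COPY_BYTES 16

/* Hypothetical object: the pointer field sits at offset 0x10 ([eax+10h]). */
typedef struct {
    uint32_t pad[4];       /* offsets 0x00..0x0f, contents irrelevant here */
    const uint8_t *src;    /* offset 0x10: what the faulting code loads into esi */
} pub_object_t;

/* Offset of the pointer field; should be 0x10 like the disassembly. */
size_t src_field_offset(void)
{
    return offsetof(pub_object_t, src);
}

/* Mirrors the original: the pointer from offset 0x10 is used with no check.
 * With obj->src == NULL this reads address 0, exactly the AV in the log. */
void copy_unchecked(const pub_object_t *obj, uint8_t out[COPY_BYTES])
{
    memcpy(out, obj->src, COPY_BYTES);
}

/* Hardened variant: refuse the copy when the source pointer is unset.
 * Returns 0 on success, -1 on a NULL object or NULL source field. */
int copy_checked(const pub_object_t *obj, uint8_t out[COPY_BYTES])
{
    if (obj == NULL || obj->src == NULL)
        return -1;
    memcpy(out, obj->src, COPY_BYTES);
    return 0;
}

/* The address the first movsd would read: esi, i.e. the src field.
 * For the page's case this is 0 ("Attempt to read from address 00000000"). */
uintptr_t faulting_read_address(const pub_object_t *obj)
{
    return (uintptr_t)obj->src;
}

/* Scenario 1 (the page's case): src field is NULL, like esi=00000000.
 * copy_unchecked() would segfault here, as MSPUB.EXE did; the checked
 * copy fails cleanly with -1 instead. */
int demo_null_source(void)
{
    pub_object_t obj = { {0, 0, 0, 0}, NULL };
    uint8_t out[COPY_BYTES];
    return copy_checked(&obj, out);
}

/* Scenario 1, fault address that would appear in the exception record. */
uintptr_t demo_fault_address(void)
{
    pub_object_t obj = { {0, 0, 0, 0}, NULL };
    return faulting_read_address(&obj);
}

/* Scenario 2: a valid 16-byte source (constructed bytes 1..16). Both
 * copies succeed and agree; returns the byte sum (136) or -1 on mismatch. */
int demo_valid_source(void)
{
    uint8_t sample[COPY_BYTES];
    uint8_t out_unchecked[COPY_BYTES], out_checked[COPY_BYTES];
    int i, sum = 0;
    for (i = 0; i < COPY_BYTES; i++)
        sample[i] = (uint8_t)(i + 1);
    pub_object_t obj = { {0, 0, 0, 0}, sample };
    copy_unchecked(&obj, out_unchecked);
    if (copy_checked(&obj, out_checked) != 0)
        return -1;
    if (memcmp(out_unchecked, out_checked, COPY_BYTES) != 0)
        return -1;
    for (i = 0; i < COPY_BYTES; i++)
        sum += out_checked[i];
    return sum;
}

int main(void)
{
    printf("src field offset      : 0x%zx\n", src_field_offset());
    printf("null source, checked  : %d\n", demo_null_source());
    printf("null source, read addr: 0x%lx\n", (unsigned long)demo_fault_address());
    printf("valid source, byte sum: %d\n", demo_valid_source());
    return 0;
}
```

The reason !exploitable calls this PROBABLY_NOT_EXPLOITABLE is visible in the model: the bad read is at a fixed address (0) that the document cannot steer, and the unrolled movsd only copies 16 bytes into a stack local, so without control over the null page the outcome is a crash. A guarded copy like `copy_checked` turns the same input into a clean failure.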
cheers