Publisher (from MS Office 2010) is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application.
-------------------------------------------------------------------------------------------
Found by : code16@07.05.2016
TL;DR
-------------------------------------------------------------------------------------------
0:007> g
ModLoad: 3a8c0000 3a961000 C:\Program Files\Microsoft Office\Office14\PTXT9.DLL
ModLoad: 6bdc0000 6be7c000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
(...)
ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
(5a8.458): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a0af850 ebx=0b5e3000 ecx=0a0af850 edx=00000081 esi=00000000 edi=0012fa30
eip=3940f8fe esp=0012f7e4 ebp=0012fa80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal4211+0x51a:
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi] es:0023:0012fa30=00000000 ds:0023:00000000=????????
-------------------------------------------------------------------------------------------
More:
0:000> r
eax=0a0af850 ebx=0b5e3000 ecx=0a0af850 edx=00000081 esi=00000000 edi=0012fa30
eip=3940f8fe esp=0012f7e4 ebp=0012fa80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
mso!Ordinal4211+0x51a:
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi] es:0023:0012fa30=00000000 ds:0023:00000000=????????
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:3940f8fe movs dword ptr es:[edi],dword ptr [esi]
Basic Block:
3940f8fe movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f8ff movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f900 movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f901 movs dword ptr es:[edi],dword ptr [esi]
Tainted Input operands: 'esi'
3940f902 jne mso!ordinal6819+0xa12c5 (39707538)
Exception Hash (Major/Minor): 0x7220f779.0x8841e9f2
Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal4211+0x51a
Major+Minor : mso!Ordinal1774+0x594
Major+Minor : mso!Ordinal1774+0x57a
Major+Minor : MSPUB+0x7d277
Major+Minor : MSPUB+0x1d7b7
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!GetWindowLongW+0x127
Minor : USER32!DispatchMessageW+0xf
Minor : mso!Ordinal9774+0x23
Minor : MSPUB+0x347ec
Minor : MSPUB+0x212d
Minor : MSPUB+0x20d0
Minor : MSPUB+0x2083
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000003940f8fe
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mso!Ordinal4211+0x000000000000051a (Hash=0x7220f779.0x8841e9f2)
This is a user mode read access violation near null, and is probably not exploitable.
0:000> ub
mso!Ordinal4211+0x4fd:
3940f8e1 54 push esp
3940f8e2 d8ff fdivr st,st(7)
3940f8e4 f6465808 test byte ptr [esi+58h],8
3940f8e8 0f84a652d8ff je mso!Ordinal1774+0x90f (39194b94)
3940f8ee 83bd40ffffff00 cmp dword ptr [ebp-0C0h],0
3940f8f5 8b45e8 mov eax,dword ptr [ebp-18h]
3940f8f8 8b7010 mov esi,dword ptr [eax+10h]
3940f8fb 8d7db0 lea edi,[ebp-50h]
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fa80 39194819 0b4b2070 0012fb8c 391947ff mso!Ordinal4211+0x51a
0012fa8c 391947ff 0b5e30cc 00003210 0012fbc0 mso!Ordinal1774+0x594
0012fb8c 2e07d277 022762a0 0012fd30 0012fbc0 mso!Ordinal1774+0x57a
0012fbd4 2e01d7b7 00000247 0000017e 0012fd30 MSPUB+0x7d277
0012fd90 7e418734 00840136 00000200 00000000 MSPUB+0x1d7b7
0012fdbc 7e418816 2e01d3a2 00840136 00000200 USER32!GetDC+0x6d
0012fe24 7e4189cd 00000000 2e01d3a2 00840136 USER32!GetDC+0x14f
0012fe84 7e418a10 2e7146d8 00000000 0012fea4 USER32!GetWindowLongW+0x127
0012fe94 3917b55b 2e7146d8 00000000 0012fee4 USER32!DispatchMessageW+0xf
0012fea4 2e0347ec 2e7146d8 2e7c577c 0115effa mso!Ordinal9774+0x23
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x347ec
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
0012ffc0 7c817067 0523d6c4 7c90d950 7ffda000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
0:000> u eip
mso!Ordinal4211+0x51a:
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
3940f915 8d852cffffff lea eax,[ebp-0D4h]
0:000> u eip-1
mso!Ordinal4211+0x519:
3940f8fd b0a5 mov al,0A5h
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
3940f915 8d852cffffff lea eax,[ebp-0D4h]
0:000> u eip-2
mso!Ordinal4211+0x518:
3940f8fc 7db0 jge mso!Ordinal4211+0x4ca (3940f8ae)
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
0:000> u eip-3
mso!Ordinal4211+0x517:
3940f8fb 8d7db0 lea edi,[ebp-50h]
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
0:000> u eip-4
mso!Ordinal4211+0x516:
3940f8fa 108d7db0a5a5 adc byte ptr [ebp-5A5A4F83h],cl
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00 jne mso!Ordinal6819+0xa12ea (3970755d)
3940f915 8d852cffffff lea eax,[ebp-0D4h]
3940f91b 50 push eax
0:000> u eip-5
mso!Ordinal4211+0x515:
3940f8f9 7010 jo mso!Ordinal4211+0x527 (3940f90b)
3940f8fb 8d7db0 lea edi,[ebp-50h]
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
0:000> u eip-6
mso!Ordinal4211+0x514:
3940f8f8 8b7010 mov esi,dword ptr [eax+10h]
3940f8fb 8d7db0 lea edi,[ebp-50h]
3940f8fe a5 movs dword ptr es:[edi],dword ptr [esi]
3940f8ff a5 movs dword ptr es:[edi],dword ptr [esi]
3940f900 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f901 a5 movs dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00 jne mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00 cmp dword ptr [ebp-0BCh],0
0:000> u eax+10
0a0af860 0000 add byte ptr [eax],al
0a0af862 0000 add byte ptr [eax],al
0a0af864 ff ???
0a0af865 ff01 inc dword ptr [ecx]
0a0af867 005053 add byte ptr [eax+53h],dl
0a0af86a 0200 add al,byte ptr [eax]
0a0af86c 1919 sbb dword ptr [ecx],ebx
0a0af86e ff00 inc dword ptr [eax]
0:000> dd esi
00000000 ???????? ???????? ???????? ????????
00000010 ???????? ???????? ???????? ????????
00000020 ???????? ???????? ???????? ????????
00000030 ???????? ???????? ???????? ????????
00000040 ???????? ???????? ???????? ????????
00000050 ???????? ???????? ???????? ????????
00000060 ???????? ???????? ???????? ????????
00000070 ???????? ???????? ???????? ????????
0:000> dd edi
0012fa30 00000000 00000000 00000000 00000000
0012fa40 00000000 00000000 00000000 00000000
0012fa50 00000000 092ba600 00000000 00000000
0012fa60 092f5f00 00000000 0a0af850 00000002
0012fa70 00000000 00000000 00000010 00000000
0012fa80 0012fa8c 39194819 0b4b2070 0012fb8c
0012fa90 391947ff 0b5e30cc 00003210 0012fbc0
0012faa0 0012fd30 022762a0 39422af8 0012fd30
0:000> u edi
0012fa30 0000 add byte ptr [eax],al
0012fa32 0000 add byte ptr [eax],al
0012fa34 0000 add byte ptr [eax],al
0012fa36 0000 add byte ptr [eax],al
0012fa38 0000 add byte ptr [eax],al
0012fa3a 0000 add byte ptr [eax],al
0012fa3c 0000 add byte ptr [eax],al
0012fa3e 0000 add byte ptr [eax],al
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fa80 39194819 0b4b2070 0012fb8c 391947ff mso!Ordinal4211+0x51a
0012fa8c 391947ff 0b5e30cc 00003210 0012fbc0 mso!Ordinal1774+0x594
0012fb8c 2e07d277 022762a0 0012fd30 0012fbc0 mso!Ordinal1774+0x57a
0012fbd4 2e01d7b7 00000247 0000017e 0012fd30 MSPUB+0x7d277
0012fd90 7e418734 00840136 00000200 00000000 MSPUB+0x1d7b7
0012fdbc 7e418816 2e01d3a2 00840136 00000200 USER32!GetDC+0x6d
0012fe24 7e4189cd 00000000 2e01d3a2 00840136 USER32!GetDC+0x14f
0012fe84 7e418a10 2e7146d8 00000000 0012fea4 USER32!GetWindowLongW+0x127
0012fe94 3917b55b 2e7146d8 00000000 0012fee4 USER32!DispatchMessageW+0xf
0012fea4 2e0347ec 2e7146d8 2e7c577c 0115effa mso!Ordinal9774+0x23
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x347ec
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
0012ffc0 7c817067 0523d6c4 7c90d950 7ffda000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
0:000> u mso!Ordinal1774+0x594
mso!Ordinal1774+0x594:
39194819 5d pop ebp
3919481a c20800 ret 8
3919481d 3bf0 cmp esi,eax
3919481f 0f8486f2f0ff je mso!Ordinal2482+0x248 (390a3aab)
39194825 8b08 mov ecx,dword ptr [eax]
39194827 50 push eax
39194828 ff5124 call dword ptr [ecx+24h]
3919482b e97bf2f0ff jmp mso!Ordinal2482+0x248 (390a3aab)
0:000> u ecx+24
0a0af874 2300 and eax,dword ptr [eax]
0a0af876 0000 add byte ptr [eax],al
0a0af878 2300 and eax,dword ptr [eax]
0a0af87a 0000 add byte ptr [eax],al
0a0af87c 0800 or byte ptr [eax],al
0a0af87e 0a00 or al,byte ptr [eax]
0a0af880 c00d0a0a000000 ror byte ptr ds:[0A0Ah],0
0a0af887 002e add byte ptr [esi],ch
0:000> dd ecx+24
0a0af874 00000023 00000023 000a0008 0a0a0dc0
0a0af884 00000000 0000f82e eaf05eaf 092ba600
0a0af894 00000000 00000000 00000001 00000000
0a0af8a4 0a0a9fa4 00002808 eaf01eaf 00000000
0a0af8b4 007f0010 000003bf 007b0003 3929a968
0a0af8c4 00000c0a 00000000 00000000 09469a60
0a0af8d4 0001ffff 0000319c 00000000 00cccccc
0a0af8e4 0000001c 0000001c 000a0008 09489d20
-------------------------------------------------------------------------------------------
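The instruction sequence in the `u eip-6` listing is the whole story of this crash: `mov esi,dword ptr [eax+10h]` loads a pointer field at offset 0x10 of the object in eax, `lea edi,[ebp-50h]` points edi at a 16-byte local on the stack, and the four `movs dword ptr es:[edi],dword ptr [esi]` copy four dwords through that pointer. In this session the field is zero (`u eax+10` shows `0000 0000` at 0a0af860, and the register dump has esi=00000000), so the copy reads from address 0 and faults, which is what `!exploitable` rates as ReadAVNearNull. The C below is an added example written for this post, not code from the post or from Microsoft: it models that sequence with a record whose pointer field sits at offset 0x10 and a 16-byte payload, and places the unchecked copy beside the checked form a fix would take. The names `record_t`, `payload_t`, `copy_payload_*` and the status codes are assumptions made for the illustration; only the offsets and copy size mirror the debugger output.

```c
/*
 * Added example (not from the original post). Models the sequence at
 * mso!Ordinal4211+0x514..0x51a in portable C:
 *
 *   mov  esi, dword ptr [eax+10h]   ; pointer field at offset 0x10 -> esi
 *   lea  edi, [ebp-50h]             ; 16-byte local buffer -> edi
 *   movs dword ptr es:[edi],[esi]   ; x4: copy four dwords (16 bytes)
 *
 * Type and function names are hypothetical; the layout mirrors the dump.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four dwords: the amount moved by the four 'movs dword' instructions. */
typedef struct {
    uint32_t w[4];
} payload_t;

/* Hypothetical record: 0x10 bytes of other fields, then the pointer that
 * the faulting code dereferences (the value loaded from [eax+10h]). */
typedef struct {
    uint8_t    header[0x10];
    payload_t *data;            /* esi is loaded from here */
} record_t;

/* Tie the modelled layout to the offset seen in the disassembly. */
_Static_assert(offsetof(record_t, data) == 0x10, "data must sit at +0x10");

/* Hypothetical status codes for the checked variant. */
enum { COPY_OK = 0, COPY_ERR_NULL_RECORD = 1, COPY_ERR_NULL_DATA = 2 };

/* The pattern as observed: the pointer is used without validation, so a
 * record whose 'data' field is NULL faults on a read from address 0,
 * exactly the esi=00000000 read access violation in the register dump. */
void copy_payload_unchecked(const record_t *rec, payload_t *out)
{
    memcpy(out, rec->data, sizeof *out);   /* faults when rec->data == NULL */
}

/* Defensive form: reject the malformed record before touching the pointer
 * and report the condition to the caller instead of crashing the process. */
int copy_payload_checked(const record_t *rec, payload_t *out)
{
    if (rec == NULL)
        return COPY_ERR_NULL_RECORD;
    if (rec->data == NULL)
        return COPY_ERR_NULL_DATA;
    memcpy(out, rec->data, sizeof *out);
    return COPY_OK;
}

int main(void)
{
    /* Constructed input: a record whose payload pointer was never set,
     * standing in for the object state seen at eax=0a0af850 in the dump. */
    record_t  bad = { {0}, NULL };
    payload_t out = { {0} };

    int rc = copy_payload_checked(&bad, &out);
    printf("checked copy, NULL payload : rc=%d\n", rc);

    payload_t src  = { {1, 2, 3, 4} };
    record_t  good = { {0}, &src };
    rc = copy_payload_checked(&good, &out);
    printf("checked copy, valid payload: rc=%d out.w[3]=%u\n", rc, out.w[3]);

    /* copy_payload_unchecked(&bad, &out) would reproduce the fault. */
    return 0;
}
```

Compile with a C11 compiler (the `_Static_assert` needs it). The unchecked copy shows why the classification comes out as a near-NULL read rather than anything stronger: the fault is a load from an unmapped page at a NULL-derived address, so the process terminates without the copy ever writing attacker-chosen data anywhere.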
cheers