ANI crash found 09.04.2016 during IrfanView fuzzing...
TL;DR
Details below:
0:001> g
===========================================================
VERIFIER STOP 00000004: pid 0x6EC: extreme size request
00150000 : Heap handle
C600022C : Size requested
00000000 :
00000000 :
===========================================================
(6ec.244): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=c600022c ecx=7c91eab5 edx=0012bf60 esi=00000004 edi=00150000
eip=7c90120e esp=0012c194 ebp=0012c1a8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> g (again)
===========================================================
VERIFIER STOP 00000004: pid 0x6EC: extreme size request
00150000 : Heap handle
CA2A3054 : Size requested
00000000 :
00000000 :
===========================================================
(6ec.244): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=ca2a3054 ecx=7c91eab5 edx=0012bf60 esi=00000004 edi=00150000
eip=7c90120e esp=0012c194 ebp=0012c1a8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> g (...and again...)
(6ec.244): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=d0d0d0d0 ebx=0245cfe0 ecx=0012c7b4 edx=7c90e4f4 esi=02112ff8 edi=00000044
eip=00402e31 esp=0012c758 ebp=00000001 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\IrfanView\i_view32.exe
i_view32+0x2e31:
00402e31 8b4608 mov eax,dword ptr [esi+8] ds:0023:02113000=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(...)
FAULTING_IP:
i_view32+2e31
00402e31 8b4608 mov eax,dword ptr [esi+8]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 00402e31 (i_view32+0x00002e31)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 02113000
Attempt to read from address 02113000
FAULTING_THREAD: 00000244
PROCESS_NAME: i_view32.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 56e13a3d
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 02113000
READ_ADDRESS: 02113000
FOLLOWUP_IP:
i_view32+2e31
00402e31 8b4608 mov eax,dword ptr [esi+8]
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0
LAST_CONTROL_TRANSFER: from 0040145c to 00402e31
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c75c 0040145c 0012c7b4 7c80fcbf 7c80ff12 i_view32+0x2e31
0012c7a4 7c810902 000367d8 00000020 d0d0d0d0 i_view32+0x145c
0012c7c4 7c90d9bc 02112ff8 02428ed8 02429ed8 kernel32!CreateFileW+0x112
00000000 00000000 00000000 00000000 00000000 ntdll!NtReadFile+0xc
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: i_view32+2e31
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: i_view32
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\Program Files\IrfanView\i_view32.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_PROBABLYEXPLOITABLE_FILL_PATTERN_d0d0d0d0_c0000005_C:_Program_Files_IrfanView_i_view32.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/i_view32_exe/4_4_2_0/56e13a3d/i_view32_exe/4_4_2_0/56e13a3d/c0000005/00002e31.htm?Retriage=1
Followup: MachineOwner
---------
0:000> g
(6ec.244): Access violation - code c0000005 (!!! second chance !!!)
eax=d0d0d0d0 ebx=0245cfe0 ecx=0012c7b4 edx=7c90e4f4 esi=02112ff8 edi=00000044
eip=00402e31 esp=0012c758 ebp=00000001 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
i_view32+0x2e31:
00402e31 8b4608 mov eax,dword ptr [esi+8] ds:0023:02113000=????????
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2113000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:00402e31 mov eax,dword ptr [esi+8]
Basic Block:
00402e31 mov eax,dword ptr [esi+8]
Tainted Input operands: 'esi'
00402e34 cdq
00402e35 sub eax,edx
Tainted Input operands: 'eax'
00402e37 xor edx,edx
00402e39 sar eax,1
00402e3b mov dword ptr [ecx+4],eax
Tainted Input operands: 'eax'
00402e3e mov dx,word ptr [esi+0eh]
Tainted Input operands: 'esi'
00402e42 mov dword ptr [ecx+8],edx
00402e45 mov dword ptr [esi+20h],0
Tainted Input operands: 'esi'
00402e4c mov eax,dword ptr [ecx+18h]
00402e4f cmp word ptr [eax+0eh],1
00402e54 jne i_view32+0x2e5d (00402e5d)
Exception Hash (Major/Minor): 0xfdd7d7e0.0x2f99cfbe
Hash Usage : Stack Trace:
Major+Minor : i_view32+0x2e31
Major+Minor : i_view32+0x145c
Major+Minor : kernel32!CreateFileW+0x112
Major+Minor : ntdll!NtReadFile+0xc
Instruction Address: 0x0000000000402e31
Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at i_view32+0x0000000000002e31 (Hash=0xfdd7d7e0.0x2f99cfbe)
The data from the faulting address is later used as the target for a later write.
0:000> u i_view32+0x2e31
i_view32+0x2e31:
00402e31 8b4608 mov eax,dword ptr [esi+8]
00402e34 99 cdq
00402e35 2bc2 sub eax,edx
00402e37 33d2 xor edx,edx
00402e39 d1f8 sar eax,1
00402e3b 894104 mov dword ptr [ecx+4],eax
00402e3e 668b560e mov dx,word ptr [esi+0Eh]
00402e42 895108 mov dword ptr [ecx+8],edx
0:000> dd esi+8
02113000 ???????? ???????? ???????? ????????
02113010 ???????? ???????? ???????? ????????
02113020 ???????? ???????? ???????? ????????
02113030 ???????? ???????? ???????? ????????
02113040 ???????? ???????? ???????? ????????
02113050 ???????? ???????? ???????? ????????
02113060 ???????? ???????? ???????? ????????
02113070 ???????? ???????? ???????? ????????
0:000> dd eax
d0d0d0d0 ???????? ???????? ???????? ????????
d0d0d0e0 ???????? ???????? ???????? ????????
d0d0d0f0 ???????? ???????? ???????? ????????
d0d0d100 ???????? ???????? ???????? ????????
d0d0d110 ???????? ???????? ???????? ????????
d0d0d120 ???????? ???????? ???????? ????????
d0d0d130 ???????? ???????? ???????? ????????
d0d0d140 ???????? ???????? ???????? ????????
0:000> u eip-1
i_view32+0x2e30:
00402e30 018b4608992b add dword ptr [ebx+2B990846h],ecx
00402e36 c233d2 ret 0D233h
00402e39 d1f8 sar eax,1
00402e3b 894104 mov dword ptr [ecx+4],eax
00402e3e 668b560e mov dx,word ptr [esi+0Eh]
00402e42 895108 mov dword ptr [ecx+8],edx
00402e45 c7462000000000 mov dword ptr [esi+20h],0
00402e4c 8b4118 mov eax,dword ptr [ecx+18h]
0:000> u eip-2
i_view32+0x2e2f:
00402e2f 8901 mov dword ptr [ecx],eax
00402e31 8b4608 mov eax,dword ptr [esi+8]
00402e34 99 cdq
00402e35 2bc2 sub eax,edx
00402e37 33d2 xor edx,edx
00402e39 d1f8 sar eax,1
00402e3b 894104 mov dword ptr [ecx+4],eax
00402e3e 668b560e mov dx,word ptr [esi+0Eh]
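What the log above shows, read top to bottom: Application Verifier stopped the process twice because the heap was asked for 0xC600022C and then 0xCA2A3054 bytes (values that look like file content, not sizes a parser computes on its own), and the final crash is a read of [esi+8] with esi=02112ff8, i.e. at 02113000, a page boundary the debugger cannot read (the "????????" in dd esi+8). That is the shape of a length field taken from the file and used without being checked against what is actually in the buffer. The C program below is an added example written for this post, not IrfanView's code and not a reconstruction of its ANI parser; it walks RIFF/ANI chunks in the trusting form beside a bounds-checked form, over a constructed sample file. The chunk layout (RIFF/ACON header, "anih" chunk, 36-byte ANIHEADER) follows the public ANI format; that the IrfanView bug is exactly this pattern is an assumption.

```c
/* Added example (not IrfanView code): a minimal RIFF/ANI chunk walker, first in the
 * trusting form that produces "extreme size request" allocations and reads past the
 * end of the buffer, then in a bounds-checked form. Sample input is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANI_OK        0
#define ANI_ERR_MAGIC 1   /* not RIFF....ACON */
#define ANI_ERR_SIZE  2   /* a length field exceeds what the buffer holds */
#define ANI_ERR_TRUNC 3   /* a chunk header or ANIHEADER body is cut short */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The bug class: the 32-bit size of the first sub-chunk is taken from the file and
 * would be passed straight to the allocator, never compared with len. Returns the
 * size such code would request (the allocation itself is deliberately not done). */
size_t unchecked_request_size(const uint8_t *buf, size_t len) {
    if (len < 20) return 0;           /* only the header read is guarded */
    return (size_t)rd32(buf + 16);    /* size field of the first chunk after RIFF/ACON */
}

/* Hardened walker: the RIFF length is clamped to the buffer, every chunk header and
 * body must fit in the remaining bytes (compared by subtraction, so no overflow), and
 * an "anih" chunk must hold a full 36-byte ANIHEADER before anyone reads its fields.
 * Returns ANI_OK and the chunk count via *nchunks, else an ANI_ERR_* code. */
int ani_walk_checked(const uint8_t *buf, size_t len, size_t *nchunks) {
    size_t off = 12, count = 0, end;
    uint32_t riff_len;
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4))
        return ANI_ERR_MAGIC;
    riff_len = rd32(buf + 4);              /* bytes after the 8-byte RIFF header */
    if (riff_len < 4 || (size_t)riff_len > len - 8) return ANI_ERR_SIZE;
    end = 8 + (size_t)riff_len;
    while (off < end) {
        uint32_t csize;
        if (end - off < 8) return ANI_ERR_TRUNC;           /* no room for id+size */
        csize = rd32(buf + off + 4);
        if (csize > end - off - 8) return ANI_ERR_SIZE;     /* body runs off the end */
        if (!memcmp(buf + off, "anih", 4) && csize < 36) return ANI_ERR_TRUNC;
        /* buf[off+8 .. off+8+csize) is now safe to read or copy */
        off += 8 + (size_t)csize + (csize & 1);             /* RIFF pads odd sizes */
        count++;
    }
    if (nchunks) *nchunks = count;
    return ANI_OK;
}

/* Constructed sample: RIFF/ACON holding one "anih" chunk with a 36-byte ANIHEADER.
 * size_field is written into the chunk's length field as-is (so it can lie); extra
 * zero bytes are appended after the chunk. Returns bytes written, 0 if cap is small. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t size_field, size_t extra) {
    size_t total = 12 + 8 + 36 + extra;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4);
    wr32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    wr32(out + 16, size_field);
    wr32(out + 20, 36);                    /* ANIHEADER.cbSize */
    wr32(out + 24, 1);                     /* ANIHEADER.cFrames */
    return total;
}

/* Runs the cases: well-formed file, lying size field (the 0xC600022C seen in the
 * verifier stop), trailing bytes too short for a chunk header, and a cut-short file. */
int run_checks(void) {
    uint8_t f[128];
    size_t n, c = 0;
    n = build_sample(f, sizeof f, 36, 0);
    if (n != 56 || ani_walk_checked(f, n, &c) != ANI_OK || c != 1) return 0;
    n = build_sample(f, sizeof f, 0xC600022Cu, 0);
    if (unchecked_request_size(f, n) != 0xC600022Cu) return 0;   /* would be malloc'd */
    if (ani_walk_checked(f, n, &c) != ANI_ERR_SIZE) return 0;
    n = build_sample(f, sizeof f, 36, 4);
    if (ani_walk_checked(f, n, &c) != ANI_ERR_TRUNC) return 0;
    if (ani_walk_checked(f, 20, &c) != ANI_ERR_SIZE) return 0;   /* file cut short */
    return 1;
}

int main(void) {
    printf("%s\n", run_checks() ? "all cases behaved as expected" : "mismatch");
    return 0;
}
```

The point of the checked walker is that every comparison is "size field against bytes remaining", done by subtraction from a bound that was itself clamped to the real buffer length, so neither a huge value like 0xC600022C nor a value that overruns by a handful of bytes (the [esi+8] read at the end of the buffer above) ever reaches an allocator or a memory read. Under Application Verifier with page heap the unchecked variant is exactly what turns into a VERIFIER STOP 4 followed by an access violation at a page boundary.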
+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.
+---------------------------------------------------------------------------+
Cheers,
Cody