WMA crash found 09.04.2016 during IrfanView fuzzing... Details below:
TL;DR
...and some details:
0:001> g
(...)
(7d8.268): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=023a0cc8 ebx=00000000 ecx=0000c0da edx=7c90e4f4 esi=023a0cc8 edi=023a0cc8
eip=75a7dda6 esp=0012bec8 ebp=0012c03c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\MSVFW32.dll -
MSVFW32!GetSaveFileNamePreviewA+0x10b8:
75a7dda6 8b4718 mov eax,dword ptr [edi+18h] ds:0023:023a0ce0=????????
0:000> u MSVFW32!GetSaveFileNamePreviewA+0x10b8
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
MSVFW32!GetSaveFileNamePreviewA+0x10b8:
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
75a7dda9 bb00010000 mov ebx,100h
75a7ddae 85c3 test ebx,eax
75a7ddb0 7508 jne MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb2 a802 test al,2
75a7ddb4 7404 je MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb6 a840 test al,40h
75a7ddb8 747a je MSVFW32!GetSaveFileNamePreviewA+0x1146 (75a7de34)
0:000> u eip-1
MSVFW32!GetSaveFileNamePreviewA+0x10b7:
75a7dda5 f8 clc
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
75a7dda9 bb00010000 mov ebx,100h
75a7ddae 85c3 test ebx,eax
75a7ddb0 7508 jne MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb2 a802 test al,2
75a7ddb4 7404 je MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb6 a840 test al,40h
0:000> u eip-2
MSVFW32!GetSaveFileNamePreviewA+0x10b6:
75a7dda4 8bf8 mov edi,eax
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
75a7dda9 bb00010000 mov ebx,100h
75a7ddae 85c3 test ebx,eax
75a7ddb0 7508 jne MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb2 a802 test al,2
75a7ddb4 7404 je MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb6 a840 test al,40h
0:000> u eip-3
MSVFW32!GetSaveFileNamePreviewA+0x10b5:
75a7dda3 57 push edi
75a7dda4 8bf8 mov edi,eax
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
75a7dda9 bb00010000 mov ebx,100h
75a7ddae 85c3 test ebx,eax
75a7ddb0 7508 jne MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb2 a802 test al,2
75a7ddb4 7404 je MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
0:000> u eip-4
MSVFW32!GetSaveFileNamePreviewA+0x10b4:
75a7dda2 56 push esi
75a7dda3 57 push edi
75a7dda4 8bf8 mov edi,eax
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
75a7dda9 bb00010000 mov ebx,100h
75a7ddae 85c3 test ebx,eax
75a7ddb0 7508 jne MSVFW32!GetSaveFileNamePreviewA+0x10cc (75a7ddba)
75a7ddb2 a802 test al,2
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c03c 7e418734 0034021c 00000806 00000000 MSVFW32!GetSaveFileNamePreviewA+0x10b8
0012c068 7e418816 75a80455 0034021c 00000806 USER32!GetDC+0x6d
0012c0d0 7e42927b 00000000 75a80455 0034021c USER32!GetDC+0x14f
0012c10c 7e42f40b 00a74100 01a74098 00000000 USER32!GetParent+0x16c
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\IrfanView\i_view32.exe
0012c12c 004a3ff7 0034021c 00000806 00000000 USER32!SendMessageA+0x49
0012c130 0034021c 00000806 00000000 00000000 i_view32+0xa3ff7
0012c134 00000000 00000000 00000000 00000000 0x34021c
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(...)
FAULTING_IP:
MSVFW32!GetSaveFileNamePreviewA+10b8
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 75a7dda6 (MSVFW32!GetSaveFileNamePreviewA+0x000010b8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 023a0ce0
Attempt to read from address 023a0ce0
FAULTING_THREAD: 00000268
PROCESS_NAME: i_view32.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: MSVFW32
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4802a189
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 023a0ce0
READ_ADDRESS: 023a0ce0
FOLLOWUP_IP:
MSVFW32!GetSaveFileNamePreviewA+10b8
75a7dda6 8b4718 mov eax,dword ptr [edi+18h]
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 7e418734 to 75a7dda6
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c03c 7e418734 0034021c 00000806 00000000 MSVFW32!GetSaveFileNamePreviewA+0x10b8
0012c068 7e418816 75a80455 0034021c 00000806 USER32!GetDC+0x6d
0012c0d0 7e42927b 00000000 75a80455 0034021c USER32!GetDC+0x14f
0012c10c 7e42f40b 00a74100 01a74098 00000000 USER32!GetParent+0x16c
0012c12c 004a3ff7 0034021c 00000806 00000000 USER32!SendMessageA+0x49
0012c130 0034021c 00000806 00000000 00000000 i_view32+0xa3ff7
0012c134 00000000 00000000 00000000 00000000 0x34021c
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvfw32!GetSaveFileNamePreviewA+10b8
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: MSVFW32.dll
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_MSVFW32.dll!GetSaveFileNamePreviewA
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/i_view32_exe/4_4_2_0/56e13a3d/MSVFW32_dll/5_1_2600_5512/4802a189/c0000005/0000dda6.htm?Retriage=1
Followup: MachineOwner
---------
0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x23a0ce0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:75a7dda6 mov eax,dword ptr [edi+18h]
Basic Block:
75a7dda6 mov eax,dword ptr [edi+18h]
Tainted Input operands: 'edi'
75a7dda9 mov ebx,100h
75a7ddae test ebx,eax
Tainted Input operands: 'eax'
75a7ddb0 jne msvfw32!getsavefilenamepreviewa+0x10cc (75a7ddba)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0xebaad6bc.0x14230a6e
Hash Usage : Stack Trace:
Major+Minor : MSVFW32!GetSaveFileNamePreviewA+0x10b8
Major+Minor : USER32!GetDC+0x6d
Major+Minor : USER32!GetDC+0x14f
Major+Minor : USER32!GetParent+0x16c
Major+Minor : USER32!SendMessageA+0x49
Minor : i_view32+0xa3ff7
Minor : Unknown
Instruction Address: 0x0000000075a7dda6
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at MSVFW32!GetSaveFileNamePreviewA+0x00000000000010b8 (Hash=0xebaad6bc.0x14230a6e)
The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> .logclose
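A small triage script for a crash log like the one above, added here as an example (it is not the author's code and was not part of the original post). It parses the WinDbg register dump, the annotated faulting instruction, the `Attempt to read from address` line and the `!exploitable` summary, then cross-checks that the reported read address really is `edi+18h`, notes that the target page was unmapped (`=????????`), flags whether the pointer register is one `!exploitable` marked as tainted, and builds a dedup key from the major exception hash plus the `!analyze` failure bucket so repeated fuzzer hits of the same crash can be folded together. The sample log embedded in the script is a constructed, condensed copy of the session quoted above; the near-null threshold (0x10000) is an assumed heuristic, not something the log itself states.

```python
import re

# Constructed sample: a condensed copy of the WinDbg / !exploitable session
# quoted in the post. Only the lines the parser keys on are kept.
SAMPLE_LOG = """\
(7d8.268): Access violation - code c0000005 (first chance)
eax=023a0cc8 ebx=00000000 ecx=0000c0da edx=7c90e4f4 esi=023a0cc8 edi=023a0cc8
eip=75a7dda6 esp=0012bec8 ebp=0012c03c iopl=0 nv up ei pl zr na pe nc
MSVFW32!GetSaveFileNamePreviewA+0x10b8:
75a7dda6 8b4718 mov eax,dword ptr [edi+18h] ds:0023:023a0ce0=????????
Attempt to read from address 023a0ce0
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_MSVFW32.dll!GetSaveFileNamePreviewA
Basic Block:
75a7dda6 mov eax,dword ptr [edi+18h]
Tainted Input operands: 'edi'
75a7ddae test ebx,eax
Tainted Input operands: 'eax'
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0xebaad6bc.0x14230a6e
Major+Minor : MSVFW32!GetSaveFileNamePreviewA+0x10b8
Major+Minor : USER32!GetDC+0x6d
Minor : i_view32+0xa3ff7
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
"""

AV_RE = re.compile(r"^\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): (?P<kind>.+?) - code (?P<code>[0-9a-f]{8})")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
# Disassembly line at eip, annotated by WinDbg with the effective address and the value read
INSN_RE = re.compile(r"^(?P<addr>[0-9a-f]{8}) [0-9a-f]+ (?P<mnem>\w+) (?P<ops>.+?)"
                     r"(?: ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=(?P<value>\S+))?$")
MEMOP_RE = re.compile(r"\[(?P<base>e[a-z]{2})(?:(?P<sign>[+-])(?P<disp>[0-9a-f]+)h?)?\]")
HASH_RE = re.compile(r"^Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)")
NEAR_NULL_LIMIT = 0x10000  # assumed heuristic: pointers below this are treated as NULL+offset


def parse_windbg_log(text):
    """Extract the fields a triager needs from a WinDbg + !exploitable transcript."""
    report = {"registers": {}, "tainted": [], "frames": [], "insn": None}
    lines = text.splitlines()
    for line in lines:
        if m := AV_RE.match(line):
            report.update(pid=int(m["pid"], 16), tid=int(m["tid"], 16),
                          exception_code=int(m["code"], 16))
        for reg, val in REG_RE.findall(line):
            report["registers"][reg] = int(val, 16)
        if m := re.match(r"^Attempt to (read from|write to) address ([0-9a-f]{8})", line):
            report["access"] = "read" if m[1] == "read from" else "write"
            report["reported_address"] = int(m[2], 16)
        if m := re.match(r"^FAILURE_BUCKET_ID: (\S+)", line):
            report["bucket"] = m[1]
        if m := re.match(r"^Tainted Input operands: '([^']+)'", line):
            report["tainted"].append(m[1])
        if m := re.match(r"^(?:Major\+Minor|Minor) : (\S+)", line):
            report["frames"].append(m[1])
        if m := HASH_RE.match(line):
            report["hash"] = (m[1], m[2])
        if m := re.match(r"^Short Description: (\S+)", line):
            report["short_description"] = m[1]
        if m := re.match(r"^Exploitability Classification: (\S+)", line):
            report["classification"] = m[1]
    # The faulting instruction is the disassembly line at eip that carries the
    # ds:seg:addr=value annotation; plain listing lines (no annotation) are skipped.
    eip = report["registers"].get("eip")
    for line in lines:
        m = INSN_RE.match(line)
        if m and eip is not None and int(m["addr"], 16) == eip and m["target"]:
            report["insn"] = {"mnem": m["mnem"], "ops": m["ops"],
                              "target": int(m["target"], 16), "value": m["value"]}
            break
    return report


def triage(report):
    """Recompute the dereferenced address from the register dump and summarise the fault."""
    insn, regs = report["insn"], report["registers"]
    mem = MEMOP_RE.search(insn["ops"])
    base = mem["base"]
    disp = int(mem["disp"], 16) if mem["disp"] else 0
    if mem["sign"] == "-":
        disp = -disp
    derived = (regs[base] + disp) & 0xFFFFFFFF
    return {
        "bucket": report.get("bucket"),
        "hash": report.get("hash"),
        "classification": report.get("classification"),
        "pointer_register": base,
        "pointer_value": regs[base],
        "derived_address": derived,
        # Sanity check: the address WinDbg reported must equal base+disp from the dump
        "matches_reported_address": derived == report.get("reported_address"),
        # '????????' means the debugger could not read the target page at all
        "unmapped": insn["value"].startswith("?"),
        "pointer_tainted": base in report["tainted"],
        "near_null": regs[base] < NEAR_NULL_LIMIT,
    }


def crash_key(report):
    """Dedup key: !exploitable's major hash plus the !analyze failure bucket."""
    return (report.get("hash", ("", ""))[0], report.get("bucket"))


if __name__ == "__main__":
    rep = parse_windbg_log(SAMPLE_LOG)
    for k, v in triage(rep).items():
        print(f"{k:26} {v:#010x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:26} {v}")
    print("crash key:", crash_key(rep))
```

For this log the script confirms that `edi` (0x023a0cc8, itself the same value as `eax` and `esi`) plus 0x18 is exactly the unreadable address 0x023a0ce0, that the pointer is not a near-NULL value, and that `!exploitable` considers `edi` tainted, which is why the read access violation is bucketed as an invalid pointer read rather than dismissed outright; the dedup key lets a fuzzing run collapse every further hit with major hash 0xebaad6bc into this one case.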
+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.
+---------------------------------------------------------------------------+
Cheers,
Cody