Tuesday, 11 April 2017

Multiple Crashes in MS Publisher 2010/16

Below you will find a few details about them...

06.02.2017:
======================================================

Case #01:

(...)
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-2192.pub
(...)
Executable search path is:
ModLoad: 2d760000 2e131000   mspub.exe
ModLoad: 77490000 775cc000   ntdll.dll
ModLoad: 6d200000 6d260000   C:\Windows\system32\verifier.dll
(...)
(e90.de0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=001dfc48 edx=001dfc4c esi=00000200 edi=0f340e30
eip=2d800200 esp=001df96c ebp=001dfc80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for mspub.exe
mspub+0xa0200:
2d800200 395804          cmp     dword ptr [eax+4],ebx ds:0023:00000004=????????


0:000> r
eax=00000000 ebx=00000000 ecx=001dfc48 edx=001dfc4c esi=00000200 edi=0f340e30
eip=2d800200 esp=001df96c ebp=001dfc80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
mspub+0xa0200:
2d800200 395804          cmp     dword ptr [eax+4],ebx ds:0023:00000004=????????


0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:2d800200 cmp dword ptr [eax+4],ebx

Basic Block:
    2d800200 cmp dword ptr [eax+4],ebx
       Tainted Input operands: 'eax','ebx'
    2d800203 je mspub+0xa036a (2d80036a)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x3c4a0b35.0xa9404962

 Hash Usage : Stack Trace:
Major+Minor : mspub+0xa0200
Major+Minor : mspub+0xa1805
Major+Minor : mspub+0xa1756
Major+Minor : mspub+0xa163d
Major+Minor : mspub+0x15686c
Minor       : mspub+0x351e9
Minor       : mspub+0x212d
Minor       : mspub+0x20d0
Minor       : mspub+0x2083
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000002d800200

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mspub+0x00000000000a0200 (Hash=0x3c4a0b35.0xa9404962)


======================================================
Case #02:

(...)

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-81.pub

(...)
ModLoad: 2df30000 2e901000   mspub.exe
(...)
(a1c.438): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10552f98 ebx=00ffffff ecx=0d1c4e30 edx=10552f98 esi=0c91eff4 edi=00000001
eip=6bbcb827 esp=001fb130 ebp=001fb130 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal7862+0x14c:
6bbcb827 8b4258          mov     eax,dword ptr [edx+58h] ds:0023:10552ff0=????????


0:000> r
eax=10552f98 ebx=00ffffff ecx=0d1c4e30 edx=10552f98 esi=0c91eff4 edi=00000001
eip=6bbcb827 esp=001fb130 ebp=001fb130 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
mso!Ordinal7862+0x14c:
6bbcb827 8b4258          mov     eax,dword ptr [edx+58h] ds:0023:10552ff0=????????

0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
*** ERROR: Module load completed but symbols could not be loaded for mspub.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
Exception Faulting Address: 0x10552ff0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6bbcb827 mov eax,dword ptr [edx+58h]

Basic Block:
    6bbcb827 mov eax,dword ptr [edx+58h]
       Tainted Input operands: 'edx'
    6bbcb82a mov ecx,40000h
    6bbcb82f test ecx,eax
       Tainted Input operands: 'eax'
    6bbcb831 jne mso!ordinal7862+0x15d (6bbcb838)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x302d39fa.0xc81d45f3

 Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal7862+0x14c
Major+Minor : mspub+0x11577a
Major+Minor : mspub+0x115a15
Major+Minor : mspub+0x115c67
Major+Minor : mspub+0x74b66
Minor       : mspub+0x76237
Minor       : mspub+0x1e3466
Minor       : mspub+0xa72e8
Minor       : mspub+0x2d9af9
Minor       : mspub+0x17f557
Minor       : mspub+0x2a90
Minor       : mspub+0x2117
Minor       : mspub+0x20d0
Minor       : mspub+0x2083
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000006bbcb827

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at mso!Ordinal7862+0x000000000000014c (Hash=0x302d39fa.0xc81d45f3)



======================================================
Case #03:

(...)

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-71.pub
(...)
ModLoad: 2d6c0000 2e091000   mspub.exe

(...)
(f8c.dfc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=ffffffff esi=000008f0 edi=002e9d04
eip=6cf17d6e esp=002e99c4 ebp=002e99e4 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\PTXT9.DLL -
PTXT9!QSManager_GetInstance+0x5914:
6cf17d6e 813b01000080    cmp     dword ptr [ebx],80000001h ds:0023:00000000=????????


0:000> r
eax=00000000 ebx=00000000 ecx=00000000 edx=ffffffff esi=000008f0 edi=002e9d04
eip=6cf17d6e esp=002e99c4 ebp=002e99e4 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
PTXT9!QSManager_GetInstance+0x5914:
6cf17d6e 813b01000080    cmp     dword ptr [ebx],80000001h ds:0023:00000000=????????


0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6cf17d6e cmp dword ptr [ebx],80000001h

Basic Block:
    6cf17d6e cmp dword ptr [ebx],80000001h
       Tainted Input operands: 'ebx'
    6cf17d74 je ptxt9!qstextbox_createinstance+0x32d65 (6cf595d5)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x086477ff.0xa2d00ef6

 Hash Usage : Stack Trace:
Major+Minor : PTXT9!QSManager_GetInstance+0x5914
Major+Minor : PTXT9!QSManager_GetInstance+0x3993
Major+Minor : ole32!OleQueryLinkFromData+0x407a
Major+Minor : ole32!OleQueryLinkFromData+0x4089
Major+Minor : PTXT9!QSManager_GetInstance+0x121bb
Minor       : mspub+0x56068
Minor       : mspub+0x562de
Minor       : PTXT9!QSManager_GetInstance+0xa9dd
Minor       : Unknown
(...)
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Instruction Address: 0x000000006cf17d6e

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at PTXT9!QSManager_GetInstance+0x0000000000005914 (Hash=0x086477ff.0xa2d00ef6)

======================================================
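The three reports above are what a fuzzing run produces by the hundred, and the useful next step is to bucket them by crash site rather than read each one. The script below is an added example (not the author's tooling and not part of the original post): it parses the summary lines of concatenated `!exploitable -v` output, buckets the reports by the major exception hash, and orders the buckets by the classification !exploitable assigned. The sample input is constructed from the three cases quoted above, with Case #01 deliberately repeated once to show how duplicate hits collapse into a single bucket; the assumption that the reports sit one after another in a single WinDbg log is the script's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the summary lines of the three !exploitable reports
# quoted in this post, joined as they would land in one WinDbg log, plus a
# deliberately repeated copy of Case #01 to show duplicate crashes collapsing.
SAMPLE_LOG = """\
Faulting Instruction:2d800200 cmp dword ptr [eax+4],ebx
Exception Hash (Major/Minor): 0x3c4a0b35.0xa9404962
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mspub+0x00000000000a0200 (Hash=0x3c4a0b35.0xa9404962)

Faulting Instruction:6bbcb827 mov eax,dword ptr [edx+58h]
Exception Hash (Major/Minor): 0x302d39fa.0xc81d45f3
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at mso!Ordinal7862+0x000000000000014c (Hash=0x302d39fa.0xc81d45f3)

Faulting Instruction:6cf17d6e cmp dword ptr [ebx],80000001h
Exception Hash (Major/Minor): 0x086477ff.0xa2d00ef6
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at PTXT9!QSManager_GetInstance+0x0000000000005914 (Hash=0x086477ff.0xa2d00ef6)

Faulting Instruction:2d800200 cmp dword ptr [eax+4],ebx
Exception Hash (Major/Minor): 0x3c4a0b35.0xa9404962
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mspub+0x00000000000a0200 (Hash=0x3c4a0b35.0xa9404962)
"""

# The classifications !exploitable emits, most urgent first.
SEVERITY = {
    "EXPLOITABLE": 0,
    "PROBABLY_EXPLOITABLE": 1,
    "UNKNOWN": 2,
    "PROBABLY_NOT_EXPLOITABLE": 3,
}

HASH_RE = re.compile(r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.(0x[0-9a-f]+)", re.I)
TITLE_RE = re.compile(r"starting at (\S+?)\+0x[0-9a-f]+", re.I)


def parse_exploitable_reports(text):
    """Turn concatenated !exploitable output into one dict per report.

    A report is complete once its 'Recommended Bug Title' line is seen; lines
    that belong to no report (register dumps, ModLoad noise) are ignored.
    """
    reports, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m:
            current["major"], current["minor"] = m.group(1).lower(), m.group(2).lower()
        elif line.startswith("Faulting Instruction:"):
            current["instruction"] = line.split(":", 1)[1].strip()
        elif line.startswith("Short Description:"):
            current["short"] = line.split(":", 1)[1].strip()
        elif line.startswith("Exploitability Classification:"):
            current["classification"] = line.split(":", 1)[1].strip()
        elif line.startswith("Recommended Bug Title:"):
            t = TITLE_RE.search(line)
            symbol = t.group(1) if t else "unknown"
            current["module"] = symbol.split("!", 1)[0]  # mso!Ordinal7862 -> mso
            if "major" in current and "classification" in current:
                reports.append(current)
            current = {}
    return reports


def triage(reports):
    """Bucket reports by major hash (crash site), most urgent classification first.

    Returns a list of (major_hash, summary) pairs; 'count' tells how many fuzz
    cases hit the same site and 'minors' collects the distinct stack variants.
    """
    buckets = OrderedDict()
    for r in reports:
        b = buckets.setdefault(r["major"], {
            "module": r["module"], "short": r["short"],
            "classification": r["classification"], "count": 0, "minors": set(),
        })
        b["count"] += 1
        b["minors"].add(r["minor"])
    return sorted(buckets.items(),
                  key=lambda kv: (SEVERITY.get(kv[1]["classification"], 99), kv[0]))


if __name__ == "__main__":
    for major, b in triage(parse_exploitable_reports(SAMPLE_LOG)):
        print(f"{b['classification']:<26} {major} {b['module']:<8} "
              f"{b['short']:<40} x{b['count']}")
```

Run against the sample, the UNKNOWN crash in mso.dll (Case #02) sorts to the top, the two ReadAVNearNull cases stay separate buckets because their major hashes differ even though their descriptions are identical, and the repeated Case #01 shows up as a count of 2 rather than a fourth line. Bucketing on the major hash only, and keeping the minor hashes as a set, is deliberate: the major hash identifies the crash site, while the minor hash changes with the deeper call stack, so splitting on both would make one bug look like several.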

Example files for all of those cases (and soon for a few more) you will find on GitHub.

Use it only for legal purposes.

Thanks.

Cheers.

