Wednesday, 25 October 2017

Night fuzzing session - Kaspersky10 on Windows 10 - part 2

In the meantime, just like before, I was playing a little bit with Kaspersky Endpoint Security 10 for Windows 10. You will find the new results from the 'night fuzzing session' below...

We will go through the log as in the previous part (TL;DR).

https://www.kaspersky.com/


Ok. Let's go:

I started from the command line (cmd.exe), with WinDbg attached to it and .childdbg set to '1'; we will use the scan command (from the command-line AV). We should be somewhere here:


So now:


(...)
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe" scan C:\sf_fc2a98f8a8428a9a6d5579c79a94fbd8-26676.ico
(...)
Executable search path is:
ModLoad: 00000000`01130000 00000000`0125a000   avp.exe
(...)
(14d4.2498): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for avp.exe
avp+0x94802:
011c4802 8b4a08          mov     ecx,dword ptr [edx+8] ds:002b:dfbcd86b=????????

0:000:x86> r;!exploitable -v;!analyze -v;kb;u eip-2; u eip-1; u eip ;q
eax=00d5d3d8 ebx=00000000 ecx=00000000 edx=dfbcd863 esi=011f9838 edi=034021a0
eip=011c4802 esp=00d5d018 ebp=00d5d5b0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
avp+0x94802:
011c4802 8b4a08          mov     ecx,dword ptr [edx+8] ds:002b:dfbcd86b=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xdfbcd86b
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:011c4802 mov ecx,dword ptr [edx+8]

Basic Block:
    011c4802 mov ecx,dword ptr [edx+8]
       Tainted Input operands: 'edx'
    011c4805 lea eax,[ebp-1d8h]
    011c480b push eax
    011c480c push offset avp+0xdcd90 (0120cd90)
    011c4811 push edi
    011c4812 call ecx
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0x75b1e34f.0xb5f0e36f

 Hash Usage : Stack Trace:
Major+Minor : avp+0x94802
Major+Minor : avp+0x9b61d
Major+Minor : avp+0x6b21a
Major+Minor : avp+0x9d7bb
Major+Minor : avp+0x7168d
Minor       : avp+0x82c5c
Minor       : avp+0x79605
Minor       : avp+0x7e0f0
Minor       : avp+0x7ed84
Minor       : avp+0x9fe35
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_77a40000!RtlSubscribeWnfStateChangeNotification+0x439
Minor       : ntdll_77a40000!RtlSubscribeWnfStateChangeNotification+0x404
Instruction Address: 0x00000000011c4802

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at avp+0x0000000000094802 (Hash=0x75b1e34f.0xb5f0e36f)

The data from the faulting address is later used as the target for a branch.
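A small triage helper for reports like the one above, added here as an example (not the author's code): it parses the !exploitable fields that matter when sorting a night's worth of crashes (classification, Major/Minor hash, the Major+Minor frames) and groups crash files by major hash so that repeated hits of the same bug are counted once. The sample text is constructed from the report above; `parse_exploitable` and `bucket_crashes` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: the lines of the !exploitable report above that matter for triage.
SAMPLE_REPORT = """\
Exception Faulting Address: 0xdfbcd86b
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0x75b1e34f.0xb5f0e36f
 Hash Usage : Stack Trace:
Major+Minor : avp+0x94802
Major+Minor : avp+0x9b61d
Minor       : avp+0x82c5c
Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

FIELD_RE = re.compile(r"^(Exception Faulting Address|First Chance Exception Type|Exception Sub-Type"
                      r"|Short Description|Exploitability Classification): (.+)$", re.M)
HASH_RE = re.compile(r"^Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)$", re.M)
FRAME_RE = re.compile(r"^(Major\+Minor|Minor)\s*: (\S+)$", re.M)

def parse_exploitable(report: str) -> dict:
    """Pull the triage fields out of one !exploitable report."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(report)}
    m = HASH_RE.search(report)
    if not m:
        raise ValueError("no Exception Hash line: not a complete !exploitable report")
    frames = FRAME_RE.findall(report)
    return {
        "fault_address": fields.get("Exception Faulting Address"),
        "exception": fields.get("First Chance Exception Type"),
        "sub_type": fields.get("Exception Sub-Type"),
        "short_description": fields.get("Short Description"),
        "classification": fields.get("Exploitability Classification"),
        "major_hash": m.group(1),
        "minor_hash": m.group(2),
        # Only the frames tagged Major+Minor feed the major hash, i.e. the crash bucket.
        "major_frames": [f for kind, f in frames if kind == "Major+Minor"],
    }

def bucket_crashes(reports: list) -> dict:
    """Group (file, report) pairs by major hash so repeats of one bug count once."""
    buckets = defaultdict(list)
    for path, text in reports:
        info = parse_exploitable(text)
        buckets[info["major_hash"]].append((path, info["classification"]))
    return dict(buckets)
```

Feed it the saved debugger output of each crashing input and the bucket count, not the raw crash count, tells you how many distinct issues the session found.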

More:
-- https://code610.blogspot.com
-- https://twitter.com/CodySixteen

Cheers



