Wednesday, 25 September 2019

Crashing WebAccess/HMI Designer 2.1.9.31

During the last week, one of my tasks was to run a fuzzer against some new software to find new bugs. This time I decided to check WebAccess/HMI Designer (version 2.1.9.31). Below you will find the details...

We will start here:

Quick description from the vendor's page:


The version I tried:


First, a few cases described as 'unknown'; here we go:

; Exploitability: UNKNOWN  

Case #01:

; --- 
; Found : 26.09.2019 @ 00:15
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at mfc90u+0x0000000000053464 (Hash=0x9cd3fa35.0x4ba4804b) 
; > r
eax=fffffff0 ebx=0cca0a78 ecx=00000000 edx=0cc9f20d esi=0cca0a78 edi=00000002
eip=6cfc3464 esp=01fae668 ebp=01faf27c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mfc90u+0x53464:
6cfc3464 8b38            mov     edi,dword ptr [eax]  ds:0023:fffffff0=????????

; ---



Case #02:
; --- 
; Found : 22.09.2019 @ 10:17
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x00000000005383b1 (Hash=0x16087300.0x1a347021)
; > r
eax=0000000a ebx=0cc2f1b0 ecx=0c9ca588 edx=00000000 esi=01faf27c edi=0ca8759c
eip=009ac1a1 esp=01fae5f8 ebp=0ca8c000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
PM_V3!CTagInfoThreadBase::GetNICInfo+0x5383b1:
009ac1a1 807d0000        cmp     byte ptr [ebp],0           ss:0023:0ca8c000=??

; ---



Case #03:
; --- 
; Found : 21.09.2019 @ 23:34
; Recommended Bug Title: Read Access Violation starting at mfc90u+0x00000000000ad3d2 (Hash=0x244f9a35.0xf7787ed2)
; > r
eax=62800000 ebx=03190525 ecx=62800000 edx=03f3c401 esi=03f0f9e0 edi=0456019b
eip=6c50d3d2 esp=01faf8cc ebp=01faf8f0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mfc90u+0xad3d2:
6c50d3d2 8b01            mov     eax,dword ptr [ecx]  ds:0023:62800000=????????

; ---


Case #04:

; --- 
; Found : 22.09.2019 @ 06:40
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlFreeHeap+0x000000000000003f called from MSVCR90!free+0x00000000000000cd (Hash=0x89e30c63.0xa99dfc11)
; > r
eax=200073f8 ebx=20007400 ecx=6d9538da edx=00000222 esi=003e0000 edi=00000000
eip=77da1f70 esp=01fade5c ebp=01fade6c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlFreeHeap+0x3f:
77da1f70 80780705        cmp     byte ptr [eax+7],5         ds:0023:200073ff=??

; ---

Now let's switch to the 'probably exploitable' case:

Case #05:

; --- 
; Found : 22.09.2019 @ 02:00
; Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918 (Hash=0x5832774c.0xd1af3a01)
; > r
eax=00000000 ebx=0c9f59e0 ecx=37fc5dab edx=0c9ed6a2 esi=01faf27c edi=00000000
eip=00986708 esp=01fae7e0 ebp=00005efd iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
PM_V3!CTagInfoThreadBase::GetNICInfo+0x512918:
00986708 8b07            mov     eax,dword ptr [edi]  ds:0023:00000000=????????

; ---

Finally, two more bugs, this time described as 'exploitable':

Case #06:
; --- 
; Found : 22.09.2019 @ 04:14
; Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0xa7c9953f.0x94a31325)
; > r
eax=00000000 ebx=00000004 ecx=00000001 edx=00000000 esi=0cd8a1be edi=0ce4b26c
eip=6d92ac1c esp=01fae550 ebp=01fae558 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
MSVCR90!memcpy+0x15c:
6d92ac1c 89448ffc        mov     dword ptr [edi+ecx*4-4],eax ds:0023:0ce4b26c=????????

; ---

Case #07:
; --- 
; Found : 23.09.2019 @ 09:27
; Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4 (Hash=0x0500da3d.0x09b8429a)
; > r
eax=00000000 ebx=00000000 ecx=00000000 edx=775c660d esi=00000000 edi=00000000
eip=00000000 esp=01fae314 ebp=01fae334 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00000000 ??              ???

; ---
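All seven stanzas above share one layout: a `; Found` line, a `; Recommended Bug Title` line carrying the !exploitable-style rating and crash hash, the register dump and the faulting instruction. A small triage script can parse them, drop duplicate crashes by hash and order the rest by rating. This is an added example, not code from the original post; the sample input is constructed from Case #03 and Case #06 with the register dump trimmed to the eip line, and a title without an `Exploitable`/`Probably Exploitable` prefix is assumed to be 'Unknown', matching the grouping used in the post.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of the cases above (register dump trimmed to the eip line);
# the third stanza repeats the memcpy crash with a new timestamp to show hash-based deduplication.
SAMPLE = """\
; ---
; Found : 21.09.2019 @ 23:34
; Recommended Bug Title: Read Access Violation starting at mfc90u+0x00000000000ad3d2 (Hash=0x244f9a35.0xf7787ed2)
eip=6c50d3d2 esp=01faf8cc ebp=01faf8f0 iopl=0         nv up ei pl nz na pe nc
6c50d3d2 8b01            mov     eax,dword ptr [ecx]  ds:0023:62800000=????????
; ---
; Found : 22.09.2019 @ 04:14
; Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0xa7c9953f.0x94a31325)
eip=6d92ac1c esp=01fae550 ebp=01fae558 iopl=0         nv up ei ng nz ac pe cy
6d92ac1c 89448ffc        mov     dword ptr [edi+ecx*4-4],eax ds:0023:0ce4b26c=????????
; ---
; Found : 23.09.2019 @ 09:27
; Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0xa7c9953f.0x94a31325)
eip=6d92ac1c esp=01fae550 ebp=01fae558 iopl=0         nv up ei ng nz ac pe cy
6d92ac1c 89448ffc        mov     dword ptr [edi+ecx*4-4],eax ds:0023:0ce4b26c=????????
; ---
"""

TITLE_RE = re.compile(r"^; Recommended Bug Title: (?:(Exploitable|Probably Exploitable) - )?(.+?) starting at (\S+).*\(Hash=(0x[0-9a-f]+\.0x[0-9a-f]+)\)", re.M)
FOUND_RE = re.compile(r"^; Found : (.+)$", re.M)
EIP_RE = re.compile(r"^eip=([0-9a-f]{8})", re.M)
UNMAPPED_RE = re.compile(r"=\?+$", re.M)  # '=????????' means the accessed address is unmapped
Crash = namedtuple("Crash", "found rating description location hash eip unmapped")

def parse_crashes(text):
    """Split the report on '; ---' separators and parse every stanza that has a title line."""
    crashes = []
    for stanza in text.split("; ---"):
        title = TITLE_RE.search(stanza)
        if not title:
            continue
        rating, desc, loc, h = title.groups()
        eip = EIP_RE.search(stanza)
        crashes.append(Crash(FOUND_RE.search(stanza).group(1).strip(), rating or "Unknown", desc,
                             loc, h, eip.group(1) if eip else "", bool(UNMAPPED_RE.search(stanza))))
    return crashes

def triage(crashes):
    """Deduplicate by crash hash (first sighting wins) and order by rating for manual review."""
    order = {"Exploitable": 0, "Probably Exploitable": 1, "Unknown": 2}
    unique = {}
    for c in crashes:
        unique.setdefault(c.hash, c)
    return sorted(unique.values(), key=lambda c: (order[c.rating], c.location))
```

On the sample, `triage(parse_crashes(SAMPLE))` returns two entries: the memcpy write AV (first seen 22.09.2019 @ 04:14) ahead of the 'Unknown' mfc90u read.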



In case of any questions about the publication, a quick & dirty timeline, FYI:

- 21-26.09.2019 - found the bugs described on this blog
- 22.09.2019 - contact with ZDI
- 25.09.2019 - ticket closed by ZDI
- 26.09.2019 - full disclosure + sending the details to CVE Team
- 27.09.2019 - CVE-2019-16899, CVE-2019-16900, CVE-2019-16901

See you next time.

Cheers
