We will start here:
Quick description from Vendor's page:
First, a few cases described as 'unknown'; here we go:
; Exploitability: UNKNOWN
Case #01:
; ---
; Found : 26.09.2019 @ 00:15
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at mfc90u+0x0000000000053464 (Hash=0x9cd3fa35.0x4ba4804b)
; > r
eax=fffffff0 ebx=0cca0a78 ecx=00000000 edx=0cc9f20d esi=0cca0a78 edi=00000002
eip=6cfc3464 esp=01fae668 ebp=01faf27c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mfc90u+0x53464:
6cfc3464 8b38 mov edi,dword ptr [eax] ds:0023:fffffff0=????????
; ---
Case #02:
; ---
; Found : 22.09.2019 @ 10:17
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x00000000005383b1 (Hash=0x16087300.0x1a347021)
; > r
eax=0000000a ebx=0cc2f1b0 ecx=0c9ca588 edx=00000000 esi=01faf27c edi=0ca8759c
eip=009ac1a1 esp=01fae5f8 ebp=0ca8c000 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
PM_V3!CTagInfoThreadBase::GetNICInfo+0x5383b1:
009ac1a1 807d0000 cmp byte ptr [ebp],0 ss:0023:0ca8c000=??
; ---
Case #03:
; ---
; Found : 21.09.2019 @ 23:34
; Recommended Bug Title: Read Access Violation starting at mfc90u+0x00000000000ad3d2 (Hash=0x244f9a35.0xf7787ed2)
; > r
eax=62800000 ebx=03190525 ecx=62800000 edx=03f3c401 esi=03f0f9e0 edi=0456019b
eip=6c50d3d2 esp=01faf8cc ebp=01faf8f0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mfc90u+0xad3d2:
6c50d3d2 8b01 mov eax,dword ptr [ecx] ds:0023:62800000=????????
; ---
Case #04:
; ---
; Found : 22.09.2019 @ 06:40
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlFreeHeap+0x000000000000003f called from MSVCR90!free+0x00000000000000cd (Hash=0x89e30c63.0xa99dfc11)
; > r
eax=200073f8 ebx=20007400 ecx=6d9538da edx=00000222 esi=003e0000 edi=00000000
eip=77da1f70 esp=01fade5c ebp=01fade6c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlFreeHeap+0x3f:
77da1f70 80780705 cmp byte ptr [eax+7],5 ds:0023:200073ff=??
; ---
Now let's switch to the 'probably exploitable' case:
Case #05:
; ---
; Found : 22.09.2019 @ 02:00
; Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918 (Hash=0x5832774c.0xd1af3a01)
; > r
eax=00000000 ebx=0c9f59e0 ecx=37fc5dab edx=0c9ed6a2 esi=01faf27c edi=00000000
eip=00986708 esp=01fae7e0 ebp=00005efd iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
PM_V3!CTagInfoThreadBase::GetNICInfo+0x512918:
00986708 8b07 mov eax,dword ptr [edi] ds:0023:00000000=????????
; ---
Finally, two more bugs, this time described as 'exploitable':
Case #06:
; ---
; Found : 22.09.2019 @ 04:14
; Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0xa7c9953f.0x94a31325)
; > r
eax=00000000 ebx=00000004 ecx=00000001 edx=00000000 esi=0cd8a1be edi=0ce4b26c
eip=6d92ac1c esp=01fae550 ebp=01fae558 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
MSVCR90!memcpy+0x15c:
6d92ac1c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:0023:0ce4b26c=????????
; ---
Case #07:
; ---
; Found : 23.09.2019 @ 09:27
; Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4 (Hash=0x0500da3d.0x09b8429a)
; > r
eax=00000000 ebx=00000000 ecx=00000000 edx=775c660d esi=00000000 edi=00000000
eip=00000000 esp=01fae314 ebp=01fae334 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
00000000 ?? ???
; ---
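The seven records above all come out of the same crash-triage tool format (the "Recommended Bug Title" / "Hash=major.minor" lines are the !exploitable style), and the first thing a triager does with a batch like this is turn them into rows: which bucket the verdict put the crash in, what the faulting instruction was, whether the fault address is in or just below the null page (Case #01 faults on [eax] with eax=fffffff0), whether eip itself is already gone (Case #07), and which records are the same bug under a different case number. The script below is an added example, not part of the original post or of any tool the post uses. It parses Cases #01, #06 and #07 copied from above (trimmed to the lines the parser needs) plus a constructed Case #99 that duplicates #01's hash; the access-type heuristic (memory operand as destination of mov/add/... means a write) and the 0x10000 / 0xFFFF0000 null-page bounds are my own assumptions, not anything the post states.

```python
"""Triage helper for !exploitable-style crash records in the format shown above: parse each
case, bucket it by verdict, extract the faulting instruction/address, flag near-null and
hijacked-eip crashes, and drop duplicate (major.minor) hashes. Added example, not the post's code."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Cases #01, #06 and #07 copied from the post, trimmed to the lines the parser uses;
# Case #99 is a CONSTRUCTED duplicate of #01 (same hash, later find time) for the dedup step.
CASE01 = """\
Case #01:
; Found : 26.09.2019 @ 00:15
; Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at mfc90u+0x0000000000053464 (Hash=0x9cd3fa35.0x4ba4804b)
; > r
eip=6cfc3464 esp=01fae668 ebp=01faf27c iopl=0 nv up ei pl zr na pe nc
6cfc3464 8b38 mov edi,dword ptr [eax] ds:0023:fffffff0=????????
"""
SAMPLE = CASE01 + """\
Case #06:
; Found : 22.09.2019 @ 04:14
; Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0xa7c9953f.0x94a31325)
; > r
eip=6d92ac1c esp=01fae550 ebp=01fae558 iopl=0 nv up ei ng nz ac pe cy
6d92ac1c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:0023:0ce4b26c=????????
Case #07:
; Found : 23.09.2019 @ 09:27
; Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4 (Hash=0x0500da3d.0x09b8429a)
; > r
eip=00000000 esp=01fae314 ebp=01fae334 iopl=0 nv up ei pl zr na pe nc
00000000 ?? ???
""" + CASE01.replace("Case #01", "Case #99").replace("26.09.2019 @ 00:15", "27.09.2019 @ 01:00")

FOUND_RE = re.compile(r"^; Found : (\d\d\.\d\d\.\d{4}) @ (\d\d:\d\d)", re.M)
TITLE_RE = re.compile(r"^; Recommended Bug Title: (.*) \(Hash=(0x[0-9a-f]+)\.(0x[0-9a-f]+)\)", re.M)
EIP_RE = re.compile(r"^eip=([0-9a-f]{8}) ", re.M)
# Disassembly line: address, opcode bytes, "mnemonic operands", optional "seg:sel:addr=value" resolution.
INSN_RE = re.compile(r"^([0-9a-f]{8}) (\S+) (.+?)(?: (?:ds|ss):[0-9a-f]{4}:([0-9a-f]{8})=\S+)?$", re.M)
WRITE_MNEMONICS = {"mov", "add", "sub", "inc", "dec", "and", "or", "xor", "stos", "stosd", "movs", "movsd"}
BUCKET_RANK = {"exploitable": 0, "probably_exploitable": 1, "unknown": 2}


@dataclass
class Crash:
    case: int
    found: datetime
    title: str
    major_hash: str
    minor_hash: str
    eip: int
    instruction: Optional[str]  # None when the faulting pc could not be disassembled ("?? ???")
    fault_addr: Optional[int]   # memory-operand address the dump resolved, if any

    @property
    def bucket(self) -> str:
        if self.title.startswith("Probably Exploitable"):
            return "probably_exploitable"
        return "exploitable" if self.title.startswith("Exploitable") else "unknown"

    @property
    def access(self) -> str:  # read / write / unknown; the verdict title wins when it says "Write AV"
        if "Write AV" in self.title:
            return "write"
        if self.instruction is None:
            return "unknown"
        mnemonic, _, operands = self.instruction.partition(" ")
        if mnemonic in WRITE_MNEMONICS and "[" in operands.split(",")[0]:
            return "write"  # memory operand is the destination (heuristic, assumption)
        return "read" if "[" in operands else "unknown"

    @property
    def near_null(self) -> bool:  # null page, or a small negative offset from NULL (e.g. [eax] with eax=fffffff0)
        return self.fault_addr is not None and (self.fault_addr < 0x10000 or self.fault_addr >= 0xFFFF0000)

    @property
    def eip_hijacked(self) -> bool:  # pc on a page with no code: control flow was lost before the fault
        return self.eip == 0 or self.instruction is None


def parse_records(text: str) -> List[Crash]:
    crashes = []
    for chunk in re.split(r"(?m)^(?=Case #\d+:)", text):
        if not chunk.strip():
            continue
        case = int(re.match(r"Case #(\d+):", chunk).group(1))
        day, clock = FOUND_RE.search(chunk).groups()
        title, major, minor = TITLE_RE.search(chunk).groups()
        eip = int(EIP_RE.search(chunk).group(1), 16)
        instruction, fault_addr = None, None
        for line in chunk.splitlines():
            m = INSN_RE.match(line)
            if m and int(m.group(1), 16) == eip:  # the line disassembled at the faulting pc
                instruction = None if m.group(2) == "??" else m.group(3)
                fault_addr = int(m.group(4), 16) if m.group(4) else None
                break
        crashes.append(Crash(case, datetime.strptime(f"{day} {clock}", "%d.%m.%Y %H:%M"),
                             title, major, minor, eip, instruction, fault_addr))
    return crashes


def dedupe_by_hash(crashes: List[Crash]) -> List[Crash]:
    """Keep the earliest record per (major, minor) hash: same stack hash, same bug."""
    kept = {}
    for c in sorted(crashes, key=lambda c: c.found):
        kept.setdefault((c.major_hash, c.minor_hash), c)
    return list(kept.values())


def triage_order(crashes: List[Crash]) -> List[Crash]:
    """Most urgent first: verdict bucket, then lost control flow, then writes before reads."""
    return sorted(crashes, key=lambda c: (BUCKET_RANK[c.bucket], not c.eip_hijacked, c.access != "write", c.case))


if __name__ == "__main__":
    for c in triage_order(dedupe_by_hash(parse_records(SAMPLE))):
        fault = "-" if c.fault_addr is None else f"{c.fault_addr:08x}"
        print(f"#{c.case:02d} {c.bucket:<20} {c.access:<7} eip={c.eip:08x} fault={fault} "
              f"near_null={c.near_null} hijacked={c.eip_hijacked} hash={c.major_hash}.{c.minor_hash}")
```

Run as-is it prints three rows: #07 first (exploitable, eip already 0), then #06 (exploitable, write), then #01 (unknown, read, fault just below NULL); #99 is folded into #01 because the hash pair matches. Keying the dedup on the full hash pair rather than the major hash alone is deliberate: the major hash groups crashes by the top of the stack, so two distinct bugs reached through the same library frame would otherwise collapse into one.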
In case of any questions about the publication, a quick-and-dirty timeline, FYI:
- 21-26.09.2019 - bugs described on the blog found
- 22.09.2019 - contact with ZDI
- 25.09.2019 - ticket closed by ZDI
- 26.09.2019 - full disclosure + sending the details to CVE Team
- 27.09.2019 - CVE-2019-16899, CVE-2019-16900, CVE-2019-16901
See you next time.
Cheers