Friday, 15 July 2016

MS Publisher 2010: another crash

Another crash in Publisher 2010. This time it is a NULL-pointer read inside mso.dll: a 16-byte structure copy (four movsd) whose source pointer, loaded from offset 0x10 of an object, is NULL. !exploitable rates it as a read access violation near NULL, PROBABLY_NOT_EXPLOITABLE. Details below.


TL;DR

A few details about the crash:

+---------------------------------------------------------------------------+
| Title ............. | MS Office 2010 - Publisher                           |
| Found ............. | 24.05.2016                                           |
| Version ........... | MS Office Professional 2010                          |
|                     | (MSPUB.EXE 14.0.4750.1000, mso.dll 14.0.4760.1000,   |
|                     |  per the Watson URL in the !analyze output below)    |
| Tested against .... | Windows XP SP3                                       |
+---------------------------------------------------------------------------+
| Details ................................................................. |



0:007> g
(...)
(604.460): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=09dbe460 ebx=09db6a00 ecx=09dbe460 edx=00000081 esi=00000000 edi=0012fa30
eip=3940f8fe esp=0012f7e4 ebp=0012fa80 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal4211+0x51a:
3940f8fe a5              movs    dword ptr es:[edi],dword ptr [esi] es:0023:0012fa30=00000000 ds:0023:00000000=????????


0:000> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fa80 39194819 023eb2b0 0012fb8c 391947ff mso!Ordinal4211+0x51a
0012fa8c 391947ff 09db6acc 00003210 0012fbc0 mso!Ordinal1774+0x594
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
0012fb8c 2e07d277 023962a0 0012fd30 0012fbc0 mso!Ordinal1774+0x57a
0012fbd4 2e01d7b7 00000017 000000aa 0012fd30 MSPUB+0x7d277
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
0012fd90 7e418734 0014025e 00000200 00000000 MSPUB+0x1d7b7
0012fdbc 7e418816 2e01d3a2 0014025e 00000200 USER32!GetDC+0x6d
0012fe24 7e4189cd 00000000 2e01d3a2 0014025e USER32!GetDC+0x14f
0012fe84 7e418a10 2e7146d8 00000000 0012fea4 USER32!GetWindowLongW+0x127
0012fe94 3917b55b 2e7146d8 00000000 0012fee4 USER32!DispatchMessageW+0xf
0012fea4 2e0347ec 2e7146d8 2e7c577c 0115effa mso!Ordinal9774+0x23
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x347ec
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0012ffc0 7c817067 0240d6c4 7c90d950 7ffda000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49

A note on reading this stack: neither MSPUB.EXE nor mso.dll has public symbols, so every frame is an offset from the nearest exported ordinal, and the USER32 frames are nearest-export guesses as well (GetDC+0x6d and GetWindowLongW+0x127 are not the real callers; this is the DispatchMessageW path back into the window procedure). As a call chain it reads: DispatchMessageW -> MSPUB+0x1d7b7 (apparently the window procedure, invoked with message 0x200 = WM_MOUSEMOVE) -> MSPUB+0x7d277 -> mso!Ordinal1774 -> mso!Ordinal4211, where the copy faults. The WARNING above applies: without unwind information the frame boundaries are heuristic.


0:000> ub eip
mso!Ordinal4211+0x4fd:
3940f8e1 54              push    esp
3940f8e2 d8ff            fdivr   st,st(7)
3940f8e4 f6465808        test    byte ptr [esi+58h],8
3940f8e8 0f84a652d8ff    je      mso!Ordinal1774+0x90f (39194b94)
3940f8ee 83bd40ffffff00  cmp     dword ptr [ebp-0C0h],0
3940f8f5 8b45e8          mov     eax,dword ptr [ebp-18h]
3940f8f8 8b7010          mov     esi,dword ptr [eax+10h]
3940f8fb 8d7db0          lea     edi,[ebp-50h]

The first two lines of the `ub` listing (push esp, fdivr) should not be trusted: `ub` disassembles backwards without symbols and has to guess instruction boundaries, so 54 d8 ff is most likely the tail of an earlier instruction. From 3940f8ee on the code is coherent and explains the fault: eax is loaded from the local at [ebp-18h], esi from the pointer field at offset 0x10 of that object, edi is pointed at a stack buffer at [ebp-50h], and the four movsd that follow copy 16 bytes from *esi to that buffer. Here the field at [eax+10h] is 0, so the first movsd reads address 0 and raises the access violation.


0:000> u eip
mso!Ordinal4211+0x51a:
3940f8fe a5              movs    dword ptr es:[edi],dword ptr [esi]
3940f8ff a5              movs    dword ptr es:[edi],dword ptr [esi]
3940f900 a5              movs    dword ptr es:[edi],dword ptr [esi]
3940f901 a5              movs    dword ptr es:[edi],dword ptr [esi]
3940f902 0f85307c2f00    jne     mso!Ordinal6819+0xa12c5 (39707538)
3940f908 83bd44ffffff00  cmp     dword ptr [ebp-0BCh],0
3940f90f 0f85487c2f00    jne     mso!Ordinal6819+0xa12ea (3970755d)
3940f915 8d852cffffff    lea     eax,[ebp-0D4h]


0:000> r esi
esi=00000000


0:000> dd esi
00000000  ???????? ???????? ???????? ????????
00000010  ???????? ???????? ???????? ????????
00000020  ???????? ???????? ???????? ????????
00000030  ???????? ???????? ???????? ????????
00000040  ???????? ???????? ???????? ????????
00000050  ???????? ???????? ???????? ????????
00000060  ???????? ???????? ???????? ????????
00000070  ???????? ???????? ???????? ????????


0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)

FAULTING_IP:
mso!Ordinal4211+51a
3940f8fe a5              movs    dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 3940f8fe (mso!Ordinal4211+0x0000051a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

FAULTING_THREAD:  00000460

PROCESS_NAME:  MSPUB.EXE

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: mso

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  4ba90130

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000

FOLLOWUP_IP:
mso!Ordinal4211+51a
3940f8fe a5              movs    dword ptr es:[edi],dword ptr [esi]

MOD_LIST: <ANALYSIS/>

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_NULL_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 39194819 to 3940f8fe

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fa80 39194819 023eb2b0 0012fb8c 391947ff mso!Ordinal4211+0x51a
0012fa8c 391947ff 09db6acc 00003210 0012fbc0 mso!Ordinal1774+0x594
0012fb8c 2e07d277 023962a0 0012fd30 0012fbc0 mso!Ordinal1774+0x57a
0012fbd4 2e01d7b7 00000017 000000aa 0012fd30 MSPUB+0x7d277
0012fd90 7e418734 0014025e 00000200 00000000 MSPUB+0x1d7b7
0012fdbc 7e418816 2e01d3a2 0014025e 00000200 USER32!GetDC+0x6d
0012fe24 7e4189cd 00000000 2e01d3a2 0014025e USER32!GetDC+0x14f
0012fe84 7e418a10 2e7146d8 00000000 0012fea4 USER32!GetWindowLongW+0x127
0012fe94 3917b55b 2e7146d8 00000000 0012fee4 USER32!DispatchMessageW+0xf
0012fea4 2e0347ec 2e7146d8 2e7c577c 0115effa mso!Ordinal9774+0x23
0012fee4 2e00212d 00000000 00000000 0012ff30 MSPUB+0x347ec
0012fef4 2e0020d0 2e000000 00000000 00000001 MSPUB+0x212d
0012ff30 2e002083 2e000000 00000000 0115effa MSPUB+0x20d0
0012ffc0 7c817067 0240d6c4 7c90d950 7ffda000 MSPUB+0x2083
0012fff0 00000000 2e001af8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mso!Ordinal4211+51a

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  mso.dll

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  STRING_DEREFERENCE_c0000005_mso.dll!Ordinal4211

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/MSPUB_EXE/14_0_4750_1000/4b8bab0b/mso_dll/14_0_4760_1000/4ba90130/c0000005/0040f8fe.htm?Retriage=1

Followup: MachineOwner
---------


0:000> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:3940f8fe movs dword ptr es:[edi],dword ptr [esi]

Basic Block:
    3940f8fe movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'esi'
    3940f8ff movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'esi'
    3940f900 movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'esi'
    3940f901 movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'esi'
    3940f902 jne mso!ordinal6819+0xa12c5 (39707538)

Exception Hash (Major/Minor): 0x7220f779.0x8841e9f2

 Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal4211+0x51a
Major+Minor : mso!Ordinal1774+0x594
Major+Minor : mso!Ordinal1774+0x57a
Major+Minor : MSPUB+0x7d277
Major+Minor : MSPUB+0x1d7b7
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : mso!Ordinal9774+0x23
Minor       : MSPUB+0x347ec
Minor       : MSPUB+0x212d
Minor       : MSPUB+0x20d0
Minor       : MSPUB+0x2083
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000003940f8fe

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mso!Ordinal4211+0x000000000000051a (Hash=0x7220f779.0x8841e9f2)

This is a user mode read access violation near null, and is probably not exploitable.
0:000> q

Two caveats on the !exploitable verdict. "Tainted Input operands: 'esi'" only records that the tool starts its taint tracking from the operands of the faulting instruction; it does not show that bytes from the document reach esi. And the PROBABLY_NOT_EXPLOITABLE rating rests entirely on the faulting address lying in the low 64 KiB, which a document cannot get mapped in the Publisher process. So this stays a crash unless the same copy can be reached with the field at [eax+10h] holding a non-NULL, attacker-influenced pointer; finding out what the object at [ebp-18h] is and how the document populates that field is the next step before closing the case.
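When a fuzzing run produces many logs like the one above, the fields that matter for a first pass are all in the `!analyze -v` and `!exploitable` output. The script below is an added example, not code from the original post or from any Microsoft tool: it parses those fields, re-derives the near-NULL rule of thumb that produced the verdict here (with writes, instruction fetches and block moves kept for manual review rather than dismissed on address alone) and buckets crashes by the major exception hash. The two sample logs are constructed excerpts; the first carries the values from this session, the second is hypothetical (module name, addresses and hash invented) so that bucketing and the write branch have input.

```python
"""Offline triage for WinDbg crash logs like the session above (added
example, see the lead-in): parses !analyze -v / !exploitable fields and
re-derives the near-NULL rule of thumb so crashes can be bucketed offline."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lowest 64 KiB of a 32-bit user-mode address space is unmapped in a normal
# process; !exploitable calls a fault in that range "near NULL".
NEAR_NULL_LIMIT = 0x10000
# Parameter[0] of a STATUS_ACCESS_VIOLATION record encodes the access type.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}
HASH_RE = r"Exception Hash \(Major/Minor\):\s+0x([0-9a-f]{8})\.0x([0-9a-f]{8})"


@dataclass
class Crash:
    exception_code: Optional[int] = None
    access: Optional[str] = None        # decoded Parameter[0]
    address: Optional[int] = None       # Parameter[1], the faulting address
    instruction: str = ""               # text of the faulting instruction
    symbol: str = ""                    # SYMBOL_NAME from !analyze -v
    hash_major: Optional[int] = None    # top frames, used for bucketing
    hash_minor: Optional[int] = None    # full stack
    tool_rating: str = ""               # !exploitable's own verdict


def _hex(log: str, pattern: str, group: int = 1) -> Optional[int]:
    m = re.search(pattern, log)
    return int(m.group(group), 16) if m else None

def _text(log: str, pattern: str) -> str:
    m = re.search(pattern, log)
    return m.group(1).strip() if m else ""

def parse_crash(log: str) -> Crash:
    """Pull the triage-relevant fields out of one crash log."""
    p0 = _hex(log, r"Parameter\[0\]:\s+([0-9a-f]{8})")
    return Crash(
        exception_code=_hex(log, r"ExceptionCode:\s+([0-9a-f]{8})"),
        access=ACCESS_KIND.get(p0) if p0 is not None else None,
        address=_hex(log, r"Parameter\[1\]:\s+([0-9a-f]{8})"),
        instruction=_text(log, r"Faulting Instruction:\s*[0-9a-f]{8}\s+(.+)"),
        symbol=_text(log, r"SYMBOL_NAME:\s+(\S+)"),
        hash_major=_hex(log, HASH_RE, 1),
        hash_minor=_hex(log, HASH_RE, 2),
        tool_rating=_text(log, r"Exploitability Classification:\s+(\S+)"),
    )

def triage(c: Crash) -> str:
    """A read from the unmapped near-NULL range is a plain NULL dereference
    (the case above); writes, instruction fetches and reads on a block move
    (movs/rep movs) are kept for manual review, not dismissed on address."""
    if c.exception_code != 0xC0000005:
        return "UNKNOWN: not an access violation"
    if c.access in ("write", "execute"):
        return f"NEEDS_REVIEW: {c.access} access violation"
    if c.address is not None and c.address < NEAR_NULL_LIMIT:
        return "PROBABLY_NOT_EXPLOITABLE: read near NULL"
    if c.instruction.startswith(("movs", "rep movs")):
        return "NEEDS_REVIEW: read on block data move"
    return "UNKNOWN: read access violation"

def bucket_by_major_hash(logs: List[str]) -> Dict[str, List[Crash]]:
    """Group crashes by the major hash (top frames), the !exploitable hash
    meant for de-duplicating a fuzzing run."""
    buckets: Dict[str, List[Crash]] = {}
    for log in logs:
        c = parse_crash(log)
        key = f"{c.hash_major:08x}" if c.hash_major is not None else "unhashed"
        buckets.setdefault(key, []).append(c)
    return buckets


# Constructed excerpt carrying the values from the session above.
SAMPLE_LOG_POST = """\
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000000
   Parameter[1]: 00000000
SYMBOL_NAME:  mso!Ordinal4211+51a
Faulting Instruction:3940f8fe movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0x7220f779.0x8841e9f2
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""
# Hypothetical second crash (module, addresses and hash invented) so that
# bucketing and the write-AV branch have something to act on.
SAMPLE_LOG_OTHER = """\
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000001
   Parameter[1]: 41414140
SYMBOL_NAME:  mod!Hypothetical+10
Faulting Instruction:10001234 mov dword ptr [eax],ecx
Exception Hash (Major/Minor): 0x11111111.0x22222222
Exploitability Classification: EXPLOITABLE
"""

if __name__ == "__main__":
    for key, crashes in bucket_by_major_hash([SAMPLE_LOG_POST, SAMPLE_LOG_OTHER]).items():
        for c in crashes:
            addr = f"{c.address:08x}" if c.address is not None else "????????"
            print(f"{key} {c.symbol:<24} {c.access or '?':<5} @ {addr} -> {triage(c)}")
```

Feed it the saved `!analyze -v` plus `!exploitable -v` text of each crash; the major hash collapses repeats of the same bug across many input files, and comparing `tool_rating` with `triage()` flags the near-NULL reads that still deserve a look, namely the ones where the NULL field turns out to be document-controlled.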

+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.

+---------------------------------------------------------------------------+
Cheers,
Cody


