I was a little bit confused when I was planning how to separate one result from the other, but finally I decided to describe below, case by case, some bugs I found during (let's say) the "last week or two" (of fuzzing multiple file extensions). I created 4 groups (based on the classification WinDbg proposes):
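The four group names above are the classifications WinDbg's !exploitable extension prints for a crash. When a fuzzer produces dozens of crashing files, sorting them by hand is tedious, so below is a small triage helper that parses the last lines of an !exploitable run for each crashing input, puts each crash into one of the four groups, and collapses inputs that crash at the same place (same stack hash) into one entry. This is an added example written for this post, not code from the original post or from any tool it mentions; the debugger output embedded in it is constructed sample text, and the module and function names in it (apart from ntdll!wtol, which the post itself names) are made up.

```python
import re
from collections import OrderedDict

# The four !exploitable classifications, ordered from most to least urgent.
CLASS_ORDER = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

# The two summary lines !exploitable prints at the end of its output.
CLASS_RE = re.compile(r"^Exploitability Classification:\s*(\S+)", re.M)
TITLE_RE = re.compile(
    r"^Recommended Bug Title:\s*(.+?)\s+starting at\s+(\S+)\s+"
    r"\(Hash=(0x[0-9a-fA-F]+\.0x[0-9a-fA-F]+)\)",
    re.M,
)

# Constructed sample output: one !exploitable run per fuzzed input file.
# Symbols other than ntdll!wtol are invented for this example.
SAMPLE_RUNS = {
    "case_0001.m3u": """
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Probably Not Exploitable - Read Access Violation near NULL starting at ntdll!wtol+0x0000000000000027 (Hash=0x1a2b3c4d.0x5e6f7a8b)
""",
    "case_0002.flac": """
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Branch Selection starting at parser!CopyChunk+0x00000000000000a0 (Hash=0x99aa88bb.0x77cc66dd)
""",
    # Same stack hash as the FLAC case: a different input hitting the same bug.
    "case_0003.ogg": """
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Branch Selection starting at parser!CopyChunk+0x00000000000000a0 (Hash=0x99aa88bb.0x77cc66dd)
""",
    "case_0004.wav": """
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpCoalesceFreeBlocks+0x00000000000001d8 (Hash=0x43306e12.0x4b5f4e7b)
""",
    "case_0005.aiff": """
Exploitability Classification: UNKNOWN
Recommended Bug Title: Unknown - Read Access Violation starting at parser!OpenFile+0x0000000000000042 (Hash=0x0a0b0c0d.0x01020304)
""",
    # Run where the extension produced no summary (e.g. the target did not crash).
    "case_0006.mid": "0:000> g\nntdll!wtol+0x27:\n",
}


def parse_exploitable(text):
    """Extract classification, description, faulting symbol and stack hash from one run."""
    m_class = CLASS_RE.search(text)
    m_title = TITLE_RE.search(text)
    if not m_class or not m_title:
        return None  # incomplete output: nothing to triage
    return {
        "classification": m_class.group(1),
        "description": m_title.group(1),
        "symbol": m_title.group(2),
        "hash": m_title.group(3),
    }


def triage(runs):
    """Group crashes by classification and merge inputs sharing a stack hash.

    Returns an OrderedDict {classification: {hash: {"symbol", "description", "files"}}}
    with the groups in CLASS_ORDER so the most urgent bucket comes first.
    """
    buckets = OrderedDict((c, {}) for c in CLASS_ORDER)
    for filename, output in sorted(runs.items()):
        rec = parse_exploitable(output)
        if rec is None:
            continue
        group = buckets.setdefault(rec["classification"], {})
        entry = group.setdefault(rec["hash"], {
            "symbol": rec["symbol"],
            "description": rec["description"],
            "files": [],
        })
        entry["files"].append(filename)
    return buckets


def report(buckets):
    """Render the triage result as lines of text, one unique crash per line."""
    lines = []
    for classification, crashes in buckets.items():
        lines.append("%s: %d unique crash(es)" % (classification, len(crashes)))
        for h, entry in crashes.items():
            lines.append("  %s at %s  [%d file(s): %s]" % (
                h, entry["symbol"], len(entry["files"]), ", ".join(entry["files"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_RUNS))))
```

The stack hash is what makes the "crashes in the same place again" observation mechanical: two inputs with the same Hash value are one bug for triage purposes, whichever file extension produced them.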
PROBABLY_NOT_EXPLOITABLE:
I chose this "group" as the first one to describe because (in my opinion) it is the easiest to 'find out' and/or 'understand' whether the bug we've found is really 'exploitable'* or not (where for *exploitable you will put #with-your-current-skills-right-now ;)). So again, 'in my opinion' this is a DoS or something "else" (I don't understand yet...). So.
The first case was related to M3U files. A quick review from WinDbg:
We can see a crash in ntdll!wtol. (Information about the purpose of the function you will find here or here.) Some details below:
And results from the 2nd link:
Let's check more details about the crash, a review of the few steps before the crash:
For me it looks like a heap crash. Another case is related to AIFF file parsing:
Very similar stack trace (kb) and unassembled EIP (u eip; u eip-1, u eip-n...). Results below:
The next section is related to PROBABLY_EXPLOITABLE bugs. Case 1 is related to FLAC files:
REP MOVS is described here. Let's see the stack trace:
Let's check u eip(-1) for a better understanding of what's going on here:
The next format I decided to add to the fuzzer was OGG. It seems that Winamp crashes in the same place again (as we saw before):
Another crash was related to parsing MIDI files:
I think you can already see that for the last few crashes we observe the same (crash) results. For the Microsoft Wave Sound Format (WAV) we have some results too:
Checking the stack trace:
Let's analyze the function again (u eip, and so on...):
As you can see, the crash is very similar to the MIDI and OGG ones described before. Again the stc instruction and again rep movs.
The 3rd section is related to EXPLOITABLE bugs. Let's check a few of them. The first one is for a MIDI file:
Looks like we spotted the heap. :) Let's go deeper. Checking the stack trace:
Let's find some details about the next crash, this time for the AIFF format again:
As you can see, wtol is here again, as well as realloc and calloc. The next example crash occurred for the WAV format again. Below you will find some details and the stack trace:
Good. Heap allocations. ;] I also found that we can trigger some re/allocations with a simple M3U file. Check this out:
More details below:
The last group was described by WinDbg as UNKNOWN. Below some results for an M3U file:
More information about the InitializeCriticalSection function you will find here.
And below you will find the stack trace:
See the stack trace for another example (described by the debugger as "UNKNOWN"). This time it is related to AIFF:
Crash occurred here:
The last bug I decided to publish here was found for the OGG format. Check the stack trace below:
It’s crashing here:
Update: the version I used for those tests:
Maybe you will find it useful.
Cheers!