Tuesday, 25 July 2017

Read/Write Access Violation - Acunetix

During my last fuzzing session I found that Acunetix can be crashed by a malformed PRE file. Below you will find a few details about it...
Case #01 - Write AV

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\Acunetix\Web Vulnerability Scanner 8\Reporter.exe" /v C:\sf_b9ce485013b97b81215891d417e8d7a7-1602.pre
(...)
Executable search path is:
ModLoad: 00400000 00bbc000   reporter.exe
(...)
(c80.d48): Break instruction exception - code 80000003 (first chance)
(...)
(c80.d48): Unknown exception - code 0eedfade (first chance)
(...)
(c80.d48): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c9f0000 ebx=0c922e00 ecx=00004338 edx=0c9effd8 esi=00010000 edi=0000f000
eip=0070d37d esp=0012f8b0 ebp=0012f8f0 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210282
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for reporter.exe -
reporter!madTraceProcess+0x2b9f35:
0070d37d 8808            mov     byte ptr [eax],cl          ds:0023:0c9f0000=??

0:000>
eax=0c9f0000 ebx=0c922e00 ecx=00004338 edx=0c9effd8 esi=00010000 edi=0000f000
eip=0070d37d esp=0012f8b0 ebp=0012f8f0 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210282
reporter!madTraceProcess+0x2b9f35:
0070d37d 8808            mov     byte ptr [eax],cl          ds:0023:0c9f0000=??


!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc9f0000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:0070d37d mov byte ptr [eax],cl

Exception Hash (Major/Minor): 0xef36b19d.0x2cae2493

 Hash Usage : Stack Trace:
Major+Minor : reporter!madTraceProcess+0x2b9f35
Major+Minor : reporter!madTraceProcess+0x2b8f40
Major+Minor : reporter!madTraceProcess+0x369563
Major+Minor : reporter!madTraceProcess+0x48bcaa
Major+Minor : reporter!madTraceProcess+0x48cba8
Minor       : reporter!madTraceProcess+0x48a8a1
Minor       : reporter!madTraceProcess+0x48a161
Minor       : reporter!madTraceProcess+0x8e50b
Minor       : reporter!madTraceProcess+0x9156c
Minor       : reporter!madTraceProcess+0x8e2db
Minor       : reporter!madTraceProcess+0x910c0
Minor       : reporter!madTraceProcess+0x9112b
Minor       : reporter!madTraceProcess+0x9156c
Minor       : reporter!madTraceProcess+0x8e2db
Minor       : reporter!madTraceProcess+0x8cfb8
Minor       : reporter!madTraceProcess+0x49497f
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000000070d37d

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at reporter!madTraceProcess+0x00000000002b9f35 (Hash=0xef36b19d.0x2cae2493)

User mode write access violations that are not near NULL are exploitable.


Case #02 - Read AV

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\Acunetix\Web Vulnerability Scanner 8\Reporter.exe" /v C:\sf_b9ce485013b97b81215891d417e8d7a7-115.pre
(...)
Executable search path is:
ModLoad: 00400000 00bbc000   reporter.exe
(...)
(2dc.a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c9e8b79 ebx=0c922e00 ecx=0c922400 edx=0c9f0000 esi=00704804 edi=00000004
eip=0070d37b esp=0012f900 ebp=0012f940 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210287
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for reporter.exe -
reporter!madTraceProcess+0x2b9f33:
0070d37b 8a0a            mov     cl,byte ptr [edx]          ds:0023:0c9f0000=??


0:000>
eax=0c9e8b79 ebx=0c922e00 ecx=0c922400 edx=0c9f0000 esi=00704804 edi=00000004
eip=0070d37b esp=0012f900 ebp=0012f940 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210287
reporter!madTraceProcess+0x2b9f33:
0070d37b 8a0a            mov     cl,byte ptr [edx]          ds:0023:0c9f0000=??


!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc9f0000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:0070d37b mov cl,byte ptr [edx]

Basic Block:
    0070d37b mov cl,byte ptr [edx]
       Tainted Input operands: 'edx'
    0070d37d mov byte ptr [eax],cl
       Tainted Input operands: 'cl'
    0070d37f inc dword ptr [ebp-40h]
    0070d382 inc dword ptr [ebp-28h]
    0070d385 dec dword ptr [ebp-38h]
    0070d388 jne reporter!madtraceprocess+0x2b9f2d (0070d375)

Exception Hash (Major/Minor): 0xef36b19d.0xdc1bcd44

 Hash Usage : Stack Trace:
Major+Minor : reporter!madTraceProcess+0x2b9f33
Major+Minor : reporter!madTraceProcess+0x2b8f40
Major+Minor : reporter!madTraceProcess+0x48bcaa
Major+Minor : reporter!madTraceProcess+0x48cba8
Major+Minor : reporter!madTraceProcess+0x48a8a1
Minor       : reporter!madTraceProcess+0x48a161
Minor       : reporter!madTraceProcess+0x8e50b
Minor       : reporter!madTraceProcess+0x9156c
Minor       : reporter!madTraceProcess+0x8e2db
Minor       : reporter!madTraceProcess+0x910c0
Minor       : reporter!madTraceProcess+0x9112b
Minor       : reporter!madTraceProcess+0x9156c
Minor       : reporter!madTraceProcess+0x8e2db
Minor       : reporter!madTraceProcess+0x8cfb8
Minor       : reporter!madTraceProcess+0x49497f
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000000070d37b

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at reporter!madTraceProcess+0x00000000002b9f33 (Hash=0xef36b19d.0xdc1bcd44)

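As an added triage example (my code, not part of the original post), the script below parses the two !exploitable summaries quoted above and buckets them by major hash: both crashes share major hash 0xef36b19d and fault at the same page-aligned address, so they are one root cause seen from the read and the write side of the same copy loop. The 64 KiB "near NULL" threshold and the page-boundary heuristic are my assumptions, not !exploitable's own logic.

```python
import re
from collections import defaultdict
# Trimmed excerpts of the two !exploitable summaries quoted in the post above.
REPORTS = [
    """Exception Faulting Address: 0xc9f0000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:0070d37d mov byte ptr [eax],cl
Exception Hash (Major/Minor): 0xef36b19d.0x2cae2493
Exploitability Classification: EXPLOITABLE""",
    """Exception Faulting Address: 0xc9f0000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:0070d37b mov cl,byte ptr [edx]
Exception Hash (Major/Minor): 0xef36b19d.0xdc1bcd44
Exploitability Classification: UNKNOWN""",
]
NEAR_NULL_LIMIT = 0x10000  # assumption: faults in the first 64 KiB count as "near NULL"
PAGE_MASK = 0xFFF          # 4 KiB pages on x86
RANK = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2, "UNKNOWN": 1,
        "PROBABLY_NOT_EXPLOITABLE": 0}

def _field(text, label):
    m = re.search(r"^" + re.escape(label) + r":\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def parse_report(text):
    """Pull the triage-relevant fields out of one !exploitable summary."""
    addr = int(_field(text, "Exception Faulting Address"), 16)
    major, minor = _field(text, "Exception Hash (Major/Minor)").split(".")
    return {
        "address": addr, "major": major, "minor": minor,
        "subtype": _field(text, "Exception Sub-Type"),
        "instruction": _field(text, "Faulting Instruction"),
        "classification": _field(text, "Exploitability Classification"),
        "near_null": addr < NEAR_NULL_LIMIT,
        # A page-boundary fault is typical of a copy loop running off the end of a mapped allocation.
        "page_boundary": (addr & PAGE_MASK) == 0,
    }

def triage(texts):
    """One bucket per major hash (root cause), keeping the worst classification seen."""
    buckets = defaultdict(list)
    for r in map(parse_report, texts):
        buckets[r["major"]].append(r)
    return {major: {"count": len(rs), "subtypes": sorted({r["subtype"] for r in rs}),
                    "worst": max((r["classification"] for r in rs),
                                 key=lambda c: RANK.get(c, -1))}
            for major, rs in buckets.items()}
```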

I did not check whether the bug can be triggered by the PoC in other version(s).
If you would like to try it, drop me an email and I will send you a sample.

The bug was described as CVE-2017-11674.


Cheers
