Thursday, 17 August 2017

DEP Violation in IBM Notes 9

Found 16.08.2017. Maybe you will find it useful.

Below you will find a DEP violation bug found during a quick fuzzing session.

TL;DR

Crashed in NSFForEachNamObjEntry():
-----------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-653.ntf
(...)
Executable search path is:
ModLoad: 01330000 01513000   notes.exe
(...)
(1454.748): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000006e ebx=00000000 ecx=63725600 edx=6372aa00 esi=00000000 edi=061cc08c
eip=6413b87d esp=001c38c0 ebp=001c39a4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
nnotes!NSFForEachNamObjEntry+0x3aad:
6413b87d 668908          mov     word ptr [eax],cx        ds:0023:0000006e=????

1:001>
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
eax=001c31b8 ebx=00000000 ecx=00000000 edx=00000000 esi=001c31b8 edi=00000000
eip=771f64f4 esp=001c3154 ebp=001c31a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
771f64f4 c3              ret
WARNING: Continuing a non-continuable exception
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
WARNING: Continuing a non-continuable exception
(...)
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
eax=001c31b8 ebx=00000000 ecx=00000000 edx=00000000 esi=001c31b8 edi=00000000
eip=771f64f4 esp=001c3154 ebp=001c31a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
771f64f4 c3              ret

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x6b8f89be.0x39f1bda8

 Hash Usage : Stack Trace:
Excluded    : ntdll!KiFastSystemCallRet+0x0
Major+Minor : ntdll!RtlRemoteCall+0x236
Major+Minor : ntdll!RtlTimeToElapsedTimeFields+0x14877
Major+Minor : ntdll!TpSetTimer+0x25e
Excluded    : ntdll!KiUserExceptionDispatcher+0xf
Excluded    : Unknown
Excluded    : Unknown
Excluded    : Unknown
Excluded    : Unknown
Excluded    : Unknown
Instruction Address: 0x00000000771f64f4

Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at ntdll!KiFastSystemCallRet+0x0000000000000000 called from ntdll!RtlRemoteCall+0x0000000000000236 (Hash=0x6b8f89be.0x39f1bda8)

Corruption of the exception handler chain is considered exploitable


>>
ntdll!KiFastSystemCall+0x2:
771f64f2 0f34            sysenter
ntdll!KiFastSystemCallRet:
771f64f4 c3              ret
771f64f5 8da42400000000  lea     esp,[esp]
771f64fc 8d642400        lea     esp,[esp]
ntdll!KiIntSystemCall:
771f6500 8d542408        lea     edx,[esp+8]
771f6504 cd2e            int     2Eh
771f6506 c3              ret
771f6507 90              nop
ntdll!KiFastSystemCall+0x3:
771f64f3 34c3            xor     al,0C3h
771f64f5 8da42400000000  lea     esp,[esp]
771f64fc 8d642400        lea     esp,[esp]
ntdll!KiIntSystemCall:
771f6500 8d542408        lea     edx,[esp+8]
771f6504 cd2e            int     2Eh
771f6506 c3              ret
771f6507 90              nop
ntdll!RtlRaiseException:
771f6508 55              push    ebp
ntdll!KiFastSystemCallRet:
771f64f4 c3              ret
771f64f5 8da42400000000  lea     esp,[esp]
771f64fc 8d642400        lea     esp,[esp]
ntdll!KiIntSystemCall:
771f6500 8d542408        lea     edx,[esp+8]
771f6504 cd2e            int     2Eh
771f6506 c3              ret
771f6507 90              nop
ntdll!RtlRaiseException:
771f6508 55              push    ebp

(...)
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
+6901952f0016d40c
00000000 ??              ???

EXCEPTION_RECORD:  6716a585 -- (.exr 0x6716a585)
.exr 0x6716a585
Cannot read Exception record @ 6716a585

FAULTING_THREAD:  00000748
PROCESS_NAME:  nlnotes.exe
MODULE_NAME: ntdll
FAULTING_MODULE: 771b0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bdadb
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000008
WRITE_ADDRESS:  00000000

FOLLOWUP_IP:
ntdll!KiFastSystemCallRet+0
771f64f4 c3              ret

FAILED_INSTRUCTION_ADDRESS:
+6901952f0016d40c
00000000 ??              ???

CONTEXT:  255f5600 -- (.cxr 0x255f5600)
.cxr 0x255f5600
Unable to read context, Win32 error 0n30
.cxr

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_FALSE_POSITIVE_SOFTWARE_NX_FAULT_NULL_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL
DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL
LAST_CONTROL_TRANSFER:  from 7726a862 to 771f64f4

STACK_TEXT: 
771f64f4 ntdll!KiFastSystemCallRet+0x0
7726a862 ntdll!RtlRemoteCall+0x236
7723dd0b ntdll!RtlTimeToElapsedTimeFields+0x14877
771d8d24 ntdll!TpSetTimer+0x25e
771f6457 ntdll!KiUserExceptionDispatcher+0xf
1e24229b unknown+0x0
4a250d53 unknown+0x0
255f5600 unknown+0x0
6716a585 unknown+0x0
2574aa00 unknown+0x0

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ntdll!KiFastSystemCallRet+1c31a4
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  ntdll.dll
STACK_COMMAND:  .cxr 255F5600 ; kb ; dds 1c3154 ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL_c0000005_ntdll.dll!KiFastSystemCallRet
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/unknown/0_0_0_0/bbbbbbb4/c0000005/00000000.htm?Retriage=1
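
Triaging a crash like this one means reading the first-chance fault (a word write through eax=0x6e inside nnotes!NSFForEachNamObjEntry) next to the !exploitable verdict, which rates the later ntdll exception as EXPLOITABLE while the bucket says SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL. As an added example that is not part of the post, the Python below parses an excerpt of the WinDbg output above, extracts the first-chance instruction, registers and faulting address, and flags the write as a near-NULL (NULL+offset) access; the line formats it matches are assumed from the log as quoted, and the 64 KiB near-NULL threshold is a triage assumption.

```python
import re
# Excerpt of the WinDbg session quoted in the post, used as the sample input here.
CRASH_LOG = """\
(1454.748): Access violation - code c0000005 (first chance)
eax=0000006e ebx=00000000 ecx=63725600 edx=6372aa00 esi=00000000 edi=061cc08c
eip=6413b87d esp=001c38c0 ebp=001c39a4 iopl=0         nv up ei pl zr na pe nc
nnotes!NSFForEachNamObjEntry+0x3aad:
6413b87d 668908          mov     word ptr [eax],cx        ds:0023:0000006e=????
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
ntdll!KiFastSystemCallRet:
771f64f4 c3              ret
Exploitability Classification: EXPLOITABLE
PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL
"""
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\S+!\S+):$")                               # e.g. "module!symbol+0x3aad:"
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s*(.*)$")  # addr, opcode bytes, mnemonic, rest
MEM_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=")               # WinDbg's memory-operand annotation
NEAR_NULL = 0x10000  # assumption: the lowest 64 KiB of a Windows user-mode address space is never mapped

def parse_first_chance(log):
    """Pull symbol, instruction, registers and faulting memory operand out of the first-chance AV."""
    regs, sym, in_first = {}, None, False
    for line in log.splitlines():
        if "Access violation" in line:
            in_first = "(first chance)" in line  # stop collecting once the second-chance report starts
            continue
        if not in_first:
            continue
        regs.update((n, int(v, 16)) for n, v in REG_RE.findall(line))
        if m := SYM_RE.match(line):
            sym = m.group(1)
        elif (m := INSN_RE.match(line)) and sym:
            mem = MEM_RE.search(m.group(3))
            operands = (m.group(3)[:mem.start()] if mem else m.group(3)).strip()
            # Intel syntax: a memory operand in the destination slot means the fault is a write
            access = "write" if operands.split(",")[0].rstrip().endswith("]") else "read"
            return {"symbol": sym, "mnemonic": m.group(2), "operands": operands, "access": access,
                    "regs": regs, "target": int(mem.group(1), 16) if mem else None}
    return None

def triage(log):
    """Set !exploitable's verdict beside what the first-chance fault actually shows."""
    fc = parse_first_chance(log)
    verdict = re.search(r"Exploitability Classification:\s*(\S+)", log)
    bucket = re.search(r"PRIMARY_PROBLEM_CLASS:\s*(\S+)", log)
    near_null = fc is not None and fc["target"] is not None and fc["target"] < NEAR_NULL
    return {"first_chance": fc, "near_null": near_null, "verdict": verdict.group(1) if verdict else None,
            "bucket": bucket.group(1) if bucket else None}
```

A near-NULL write with a small constant offset (here eax=0x6e) usually means a NULL structure pointer rather than attacker-controlled data, so the EXPLOITABLE rating derived from the ntdll second-chance exception deserves a manual look before filing it as such.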

---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen

Cheers
