Monday, 7 August 2017

Microsoft Outlook 2010 - Write AV

During the last few days I found another place where Outlook 2010 will crash. Below are a few details...

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office14\outlook.exe" /f C:\sf_0fdd3f7336cf2cdead9127e734b42b0e-3.msg
(...)
Executable search path is:
ModLoad: 30000000 30f2a000   outlook.exe
(...)
ModLoad: 44020000 441b4000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL
(...)
This exception may be expected and handled.
eax=09b71031 ebx=05a17a02 ecx=0000005a edx=0000005a esi=09cb0048 edi=0000017b
eip=440689a7 esp=0012b1cc ebp=0012b1f8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipTransformMatrixPoints+0x1675:
440689a7 8818            mov     byte ptr [eax],bl          ds:0023:09b71031=??

0:000> r
eax=09b71031 ebx=05a17a02 ecx=0000005a edx=0000005a esi=09cb0048 edi=0000017b
eip=440689a7 esp=0012b1cc ebp=0012b1f8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipTransformMatrixPoints+0x1675:
440689a7 8818            mov     byte ptr [eax],bl          ds:0023:09b71031=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x9b71031
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:440689a7 mov byte ptr [eax],bl

Exception Hash (Major/Minor): 0x8dfecad1.0x2546ff73

 Hash Usage : Stack Trace:
Major+Minor : OGL!GdipTransformMatrixPoints+0x1675
Major+Minor : OGL!GdipTransformMatrixPoints+0x1994
Major+Minor : OGL!GdipGetPathWorldBoundsI+0x195
Major+Minor : OGL!GdipTransformMatrixPoints+0x13bc
Major+Minor : OGL!GdipSetStringFormatTrimming+0x185
Minor       : OGL!GdipSetStringFormatTrimming+0x133
Minor       : OGL!GdipCreateBitmapFromHICON+0x9f7
Minor       : OGL!GdipCreateBitmapFromHICON+0x214
Minor       : OGL!GdipCreateBitmapFromHICON+0x164
Minor       : OGL!GdipGetClip+0x6af
Minor       : OGL!GdipSetPixelOffsetMode+0x4f8
Minor       : OGL!GdipGetImageGraphicsContext+0x4ac
Minor       : OGL!GdipGetVisibleClipBoundsI+0x1c6
Minor       : OGL!GdipDrawImageRectRect+0x111
Minor       : gfx+0x147d74
Minor       : gfx+0x4f9f
Minor       : gfx+0x13ec8
Minor       : gfx+0x13ec8
Minor       : gfx+0x13ec8
Minor       : gfx+0x4ecd
Minor       : gfx+0xed1a
Minor       : gfx+0xecef
Minor       : gfx+0xecc3
Minor       : gfx+0xf6fc
Minor       : gfx+0xe84d
Minor       : gfx+0xf4db
Minor       : gfx+0xe84d
Minor       : gfx+0xf685
Minor       : gfx+0xe817
Minor       : gfx+0xebd8
Minor       : oart!Ordinal3680+0xb8
Minor       : oart!Ordinal1491+0x156
Minor       : oart!Ordinal7027+0xaf
Minor       : wwlib!DllGetLCID+0x151727
Minor       : wwlib!DllGetLCID+0x1515c7
Minor       : wwlib!DllGetLCID+0x150f22
Minor       : wwlib!DllGetLCID+0x151227
Minor       : wwlib!DllGetLCID+0x150ff2
Minor       : wwlib!DllGetLCID+0x14f066
Minor       : wwlib!DllGetLCID+0xda107
Minor       : wwlib!DllGetLCID+0x121e75
Minor       : wwlib!DllGetLCID+0x12214e
Minor       : wwlib!DllGetLCID+0x18cef6
Minor       : wwlib!GetAllocCounters+0x737e5
Minor       : wwlib!GetAllocCounters+0x94379
Minor       : outlook!FOutlookIsResuming+0x3ff8
Minor       : outlook!FOutlookIsResuming+0x3796
Minor       : outlook!FOutlookIsResuming+0x3647
Minor       : outlook!FOutlookIsDeepSyncing+0xf2a2
Minor       : outlook!GetCurrentDate+0x27f0d
Minor       : outlook!GetCurrentDate+0x234cb
Minor       : outlook!GetCurrentDate+0x233ce
Minor       : outlook!GetCurrentDate+0x23399
Minor       : outlook!GetCurrentDate+0x231ab
Minor       : outlook!GetCurrentDate+0x230f8
Minor       : outlook!GetCurrentDate+0x22dfb
Minor       : outlook!GetCurrentDate+0x22d14
Minor       : outlook!GetCurrentDate+0x1bab4
Minor       : outlook!GetCurrentDate+0x1b2db
Minor       : outlook!GetCurrentDate+0x95198
Minor       : outlook!UpdateContactTracker+0xa99c3
Minor       : outlook!OutlookSyncEventOccurredEx+0xc291
Minor       : outlook!GetCurrentDate+0x94fea
Minor       : outlook!GetCurrentDate+0x13d53a
Instruction Address: 0x00000000440689a7

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at OGL!GdipTransformMatrixPoints+0x0000000000001675 (Hash=0x8dfecad1.0x2546ff73)

User mode write access violations that are not near NULL are exploitable.
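What the !exploitable output above leaves to the analyst is triage across a whole fuzzing run: the same Major/Minor hash comes back from many input files, and the EXPLOITABLE verdict for a write AV (the printed rule is that user mode write AVs not near NULL are exploitable) is a heuristic priority, not proof that eax and bl are derived from the .msg file. The Python below is an added example, not code from this post: it parses reports in the shape of the one above, buckets them by Major hash, and ranks the buckets by classification. The first sample record repeats the values from the page (with blank lines and the fields the parser does not use left out); the second record, the 64 KiB near-NULL threshold, and the function names are this example's own constructed assumptions.

```python
"""Bucket and rank MSEC !exploitable reports from a fuzzing run.

Added example (not code from the original post): groups crash reports by the
Major exception hash and orders the groups by the tool's classification.
"""
import re
from collections import defaultdict

# Constructed sample: the values from the Outlook 2010 / OGL.DLL crash above,
# trimmed to the lines the parser reads (the regexes are line-anchored, so
# the full !exploitable output parses the same way).
OUTLOOK_OGL_CRASH = """\
Exception Faulting Address: 0x9b71031
Exception Sub-Type: Write Access Violation
Faulting Instruction:440689a7 mov byte ptr [eax],bl
Exception Hash (Major/Minor): 0x8dfecad1.0x2546ff73
 Hash Usage : Stack Trace:
Major+Minor : OGL!GdipTransformMatrixPoints+0x1675
Major+Minor : OGL!GdipTransformMatrixPoints+0x1994
Major+Minor : OGL!GdipGetPathWorldBoundsI+0x195
Major+Minor : OGL!GdipTransformMatrixPoints+0x13bc
Major+Minor : OGL!GdipSetStringFormatTrimming+0x185
Minor       : OGL!GdipSetStringFormatTrimming+0x133
Exploitability Classification: EXPLOITABLE
"""

# Hypothetical second report for the same bucket (another input file hit it).
DUPLICATE_CRASH = OUTLOOK_OGL_CRASH

# Hypothetical near-NULL read, the usual plain NULL dereference; made up here.
NULL_READ_CRASH = """\
Exception Faulting Address: 0x14
Exception Sub-Type: Read Access Violation
Faulting Instruction:10001234 mov eax,dword ptr [ecx+14h]
Exception Hash (Major/Minor): 0x11111111.0x22222222
 Hash Usage : Stack Trace:
Major+Minor : example!Frame1+0x10
Minor       : example!Frame2+0x20
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""

FIELD_RE = re.compile(
    r"^(Exception Faulting Address|Exception Sub-Type|Faulting Instruction|"
    r"Exception Hash \(Major/Minor\)|Exploitability Classification):\s*(.+?)\s*$",
    re.M)
FRAME_RE = re.compile(r"^Major\+Minor : (\S+)", re.M)

# The four verdicts !exploitable emits, best first.
RANK = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1,
        "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}

# Assumption for this example: a fault inside the first 64 KiB counts as
# near NULL. !exploitable applies its own internal threshold.
NEAR_NULL_LIMIT = 0x10000


def parse_report(text):
    """Pull the triage-relevant fields out of one !exploitable report."""
    fields = dict(FIELD_RE.findall(text))
    major, minor = fields["Exception Hash (Major/Minor)"].split(".")
    addr = int(fields["Exception Faulting Address"], 16)
    return {
        "major": major, "minor": minor, "fault_address": addr,
        "near_null": addr < NEAR_NULL_LIMIT,
        "access": fields["Exception Sub-Type"],
        "instruction": fields.get("Faulting Instruction", ""),
        "classification": fields["Exploitability Classification"],
        "major_frames": FRAME_RE.findall(text),   # Minor-only frames excluded
    }


def triage(logs):
    """Parse every report, dedupe by Major hash, rank buckets by verdict."""
    buckets = defaultdict(list)
    for text in logs:
        report = parse_report(text)
        buckets[report["major"]].append(report)
    rows = []
    for major, members in buckets.items():
        # The best-rated member decides the bucket's verdict.
        best = min(members, key=lambda r: RANK.get(r["classification"], 99))
        rows.append({
            "major": major, "count": len(members),
            "minors": sorted({r["minor"] for r in members}),
            "classification": best["classification"],
            "access": best["access"], "near_null": best["near_null"],
            "top_frame": best["major_frames"][0] if best["major_frames"] else "",
        })
    # Most exploitable first; within a verdict, most frequently hit first.
    rows.sort(key=lambda r: (RANK.get(r["classification"], 99), -r["count"]))
    return rows


if __name__ == "__main__":
    for row in triage([OUTLOOK_OGL_CRASH, DUPLICATE_CRASH, NULL_READ_CRASH]):
        print(f'{row["classification"]:<25} x{row["count"]} {row["access"]:<23} '
              f'near_null={row["near_null"]!s:<5} {row["top_frame"]} (Major={row["major"]})')
```

Feed it one report per crashing input and read the top rows first. A bucket that stays EXPLOITABLE is a priority for a root-cause pass, not a conclusion: for the crash above that pass means checking whether the target address in eax and the written byte in bl (the low byte of ebx) actually derive from the .msg file, which the heuristic does not establish.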


In case of any questions/comments - find me @twitter.

Cheers
