poniedziałek, 7 sierpnia 2017

Microsoft Outlook 2016 - WriteAV

During last few days I found a place where Microsoft Outlook 2016 (16.0.6014.1000) will crash. Below you will find few details about it...


Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office16\outlook.exe" /f C:\sf_62990940d77974c6fa501074a66af6a2-14767.msg
(...)
Executable search path is:
ModLoad: 00007ff6`241b0000 00007ff6`26318000   outlook.exe
(...)
(ebc.240c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c93:
00007ffd`9611f4b7 ff09            dec     dword ptr [rcx] ds:00000000`00000000=????????

0:000> r;!exploitable -v
rax=0000007feceff918 rbx=000002153bf10bf0 rcx=0000000000000000
rdx=000002153bf10bf0 rsi=0000000000000000 rdi=0000000000000000
rip=00007ffd9611f4b7 rsp=0000007feceff8e0 rbp=000002153bf10bf0
 r8=0000007feceff8f8  r9=0000007feceffb50 r10=0000000000000000
r11=0000000000000246 r12=00000000ffffffff r13=0000000000000000
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c93:
00007ffd`9611f4b7 ff09            dec     dword ptr [rcx] ds:00000000`00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00007ffd`9611f4b7 dec dword ptr [rcx]

Basic Block:
    00007ffd`9611f4b7 dec dword ptr [rcx]
       Tainted Input operands: 'rcx'
    00007ffd`9611f4b9 test rdx,rdx
    00007ffd`9611f4bc jne olmapi32!setvisiblewindows+0x38723 (00007ffd`961f4ad3)

Exception Hash (Major/Minor): 0x3d5a1376.0x318771a5

 Hash Usage : Stack Trace:
Major+Minor : olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c93
Major+Minor : olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1b9d
Major+Minor : olmapi32!HrRTFFromTextStream+0x190c9
Major+Minor : olmapi32!SetVisibleWindows+0x48959
Major+Minor : olmapi32!HrRTFFromTextStream+0x1cb9a
Minor       : olmapi32!SetVisibleWindows+0x7d1ff
Minor       : olmapi32!HrValidateIPMSubtree+0x365e
Minor       : olmapi32!MAPIUninitialize+0x9
Minor       : mso99Lwin32client!Ordinal1139+0x233d
Minor       : mso99Lwin32client!Ordinal1139+0x126f
Minor       : mso99Lwin32client!Ordinal1139+0xfb6
Minor       : mso99Lwin32client!Ordinal1402+0xb41
Minor       : mso!Ordinal2954+0x33
Minor       : outlook!GetFBPublishingInterval+0xb9bce
Minor       : outlook!HrGetCacheSetupProgressObject+0x14c1
Minor       : outlook!HrGetCacheSetupProgressObject+0x1ba1
Minor       : outlook+0x1d209
Minor       : outlook!UpdateSharingAccounts+0x1f215
Minor       : KERNEL32!BaseThreadInitThunk+0x14
Minor       : ntdll!RtlUserThreadStart+0x21
Instruction Address: 0x00007ffd9611f4b7

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at olmapi32!HrConvertMAPIFormPropsToFDMProps+0x0000000000001c93 (Hash=0x3d5a1376.0x318771a5)

User mode write access violations that are near NULL are unknown.

In case of any questions - you can drop me an email or find me @twitter

Cheers



Brak komentarzy:

Prześlij komentarz