Thursday, 17 August 2017

ReadAV Crash in IBM Notes9

Found 16.08.2017. Maybe you will find it useful.

Below you will find a readAV (read access violation) bug found during a quick fuzzing session.

TL;DR

A few details below:
------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-7916.ntf
(...)
Executable search path is:
ModLoad: 000d0000 002b3000   notes.exe
(...)
(284.220): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06f75b7c ebx=06f75f80 ecx=00000000 edx=00000070 esi=072de018 edi=06f75f80
eip=606f50ec esp=00144748 ebp=0014478c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19            mov     ebx,dword ptr [ecx]  ds:0023:00000000=????????

1:001>
eax=06f75b7c ebx=06f75f80 ecx=00000000 edx=00000070 esi=072de018 edi=06f75f80
eip=606f50ec esp=00144748 ebp=0014478c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19            mov     ebx,dword ptr [ecx]  ds:0023:00000000=????????

(284.220): Access violation - code c0000005 (!!! second chance !!!)
(...)
(284.220): Access violation - code c0000005 (!!! second chance !!!)
(...)
This exception may be expected and handled.
(284.220): Access violation - code c0000005 (!!! second chance !!!)
eax=06f75b7c ebx=06f75f80 ecx=00000000 edx=00000070 esi=072de018 edi=06f75f80
eip=606f50ec esp=00144748 ebp=0014478c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19            mov     ebx,dword ptr [ecx]  ds:0023:00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:606f50ec mov ebx,dword ptr [ecx]

Basic Block:
    606f50ec mov ebx,dword ptr [ecx]
       Tainted Input operands: 'ecx'
    606f50ee jne nnotesws!nemkillcommontimer+0x30bf3 (606f50f3)

Exception Hash (Major/Minor): 0x5f1d1c7f.0x43181378

 Hash Usage : Stack Trace:
Major+Minor : nnotesws!NEMKillCommonTimer+0x30bec
Major+Minor : nnotesws!NEMDisableWaitCursor+0x1323
Major+Minor : nnotesws!DeskLocateOrAddEntry+0x143b2
Major+Minor : nnotesws!DeskGetWorkspaceObject+0x7b3f
Major+Minor : nnotesws!EditNewSubprogram+0x30ab
Minor       : nnotesws!EditNewSubprogram+0x354b
Minor       : nnotesws!ICEDestroyURLDescriptor+0x47fcd
Minor       : nnotesws!EditNewSubprogram+0x16a6
Minor       : nnotesws!EditNewSubprogram+0x4f0
Minor       : nnotesws!DeskFindFile+0xef2c
Minor       : nnotesws!EditNewSubprogram+0x16a
Minor       : nnotesws!DocumentModalEdit+0x14152c
Minor       : nnotesws!DocumentModalEdit+0x1421cd
Minor       : nnotesws!DocumentModalEdit+0x1426f8
Minor       : nnotesws!DocumentModalEdit+0x9aa4
Minor       : nnotesws!NEMGetWindowLong+0x775
Minor       : nnotesws+0x513d
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!IsThreadDesktopComposited+0x2a6
Minor       : USER32!IsThreadDesktopComposited+0x3e5
Minor       : USER32!DispatchMessageW+0xf
Minor       : nnotesws!NEMMainLoop+0x4a4
Minor       : nlnotes+0x1f90
Minor       : nlnotes+0x2fa4
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000606f50ec

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at nnotesws!NEMKillCommonTimer+0x0000000000030bec (Hash=0x5f1d1c7f.0x43181378)

This is a user mode read access violation near null, and is probably not exploitable.

> u eip-2
nnotesws!NEMKillCommonTimer+0x30bea:
606f50ea 50              push    eax
606f50eb 42              inc     edx
606f50ec 8b19            mov     ebx,dword ptr [ecx]
606f50ee 7503            jne     nnotesws!NEMKillCommonTimer+0x30bf3 (606f50f3)
606f50f0 03503a          add     edx,dword ptr [eax+3Ah]
606f50f3 8b8380000000    mov     eax,dword ptr [ebx+80h]
606f50f9 ffd0            call    eax
606f50fb f6473402        test    byte ptr [edi+34h],2

> u eip-1
nnotesws!NEMKillCommonTimer+0x30beb:
606f50eb 42              inc     edx
606f50ec 8b19            mov     ebx,dword ptr [ecx]
606f50ee 7503            jne     nnotesws!NEMKillCommonTimer+0x30bf3 (606f50f3)
606f50f0 03503a          add     edx,dword ptr [eax+3Ah]
606f50f3 8b8380000000    mov     eax,dword ptr [ebx+80h]
606f50f9 ffd0            call    eax
606f50fb f6473402        test    byte ptr [edi+34h],2
606f50ff 0f853a010000    jne     nnotesws!NEMKillCommonTimer+0x30d3f (606f523f)

> u eip
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19            mov     ebx,dword ptr [ecx]
606f50ee 7503            jne     nnotesws!NEMKillCommonTimer+0x30bf3 (606f50f3)
606f50f0 03503a          add     edx,dword ptr [eax+3Ah]
606f50f3 8b8380000000    mov     eax,dword ptr [ebx+80h]
606f50f9 ffd0            call    eax
606f50fb f6473402        test    byte ptr [edi+34h],2
606f50ff 0f853a010000    jne     nnotesws!NEMKillCommonTimer+0x30d3f (606f523f)
606f5105 8b4f24          mov     ecx,dword ptr [edi+24h]


*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
nnotesws!NEMKillCommonTimer+30bec
606f50ec 8b19            mov     ebx,dword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 606f50ec (nnotesws!NEMKillCommonTimer+0x00030bec)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

FAULTING_THREAD:  00000220

PROCESS_NAME:  nlnotes.exe

ADDITIONAL_DEBUG_TEXT: 

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 77570000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  525ce2e1
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
READ_ADDRESS:  00000000
FOLLOWUP_IP:
nnotesws!NEMKillCommonTimer+30bec
606f50ec 8b19            mov     ebx,dword ptr [ecx]

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ
DEFAULT_BUCKET_ID:  NULL_POINTER_READ
LAST_CONTROL_TRANSFER:  from 605cfb63 to 606f50ec

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0014478c 605cfb63 00000000 072de018 00000000 nnotesws!NEMKillCommonTimer+0x30bec
001447a8 6068e162 00000001 00000000 072de018 nnotesws!NEMDisableWaitCursor+0x1323
00144c0c 606ac8cf 00000000 00000000 00000040 nnotesws!DeskLocateOrAddEntry+0x143b2
001458ec 6062c26b 00000000 00800000 072de018 nnotesws!DeskGetWorkspaceObject+0x7b3f
00145a50 6062c70b 00000000 00000000 072de018 nnotesws!EditNewSubprogram+0x30ab
00145cbc 60f6a7cd 00146852 00146b16 00146fbc nnotesws!EditNewSubprogram+0x354b
001467c0 6062a866 00010001 00b40460 00000000 nnotesws!ICEDestroyURLDescriptor+0x47fcd
00146b34 606296b0 00000000 00000001 00146fbc nnotesws!EditNewSubprogram+0x16a6
00146c80 6060837c 072dcc18 00146f1c 00146fbc nnotesws!EditNewSubprogram+0x4f0
00146e00 6062932a 00000001 00146f1c 00000000 nnotesws!DeskFindFile+0xef2c
00146f7c 60cbaeac 00000000 00000000 00000000 nnotesws!EditNewSubprogram+0x16a
001470fc 60cbbb4d 06ad70a0 00000023 00000000 nnotesws!DocumentModalEdit+0x14152c
001474d8 60cbc078 06ad70a0 0000203c 00020000 nnotesws!DocumentModalEdit+0x1421cd
001474f8 60b83424 06ad70a0 0000203c 00000001 nnotesws!DocumentModalEdit+0x1426f8
00147638 605c5be5 01908618 00f504cc 0014908c nnotesws!DocumentModalEdit+0x9aa4
00148c2c 605c513d 01908618 00000113 000003ef nnotesws!NEMGetWindowLong+0x775
00149090 772c86ef 00f504cc 00000113 000003ef nnotesws+0x513d
001490bc 772c8876 605c2f50 00f504cc 00000113 USER32!IsThreadDesktopComposited+0x11f
00149134 772c89b5 00000000 605c2f50 00f504cc USER32!IsThreadDesktopComposited+0x2a6
00149194 772c8e9c 605c2f50 00000000 001491e0 USER32!IsThreadDesktopComposited+0x3e5
001491a4 60660574 001491bc 605c0000 772c7756 USER32!DispatchMessageW+0xf
001491e0 001d1f90 001d13b0 001d7c50 004821bd nnotesws!NEMMainLoop+0x4a4
0014f954 001d2fa4 001d0000 00000000 00000001 nlnotes+0x1f90
0014f9e8 76a21174 7ffde000 0014fa34 775cb3f5 nlnotes+0x2fa4
0014f9f4 775cb3f5 7ffde000 773f196e 00000000 kernel32!BaseThreadInitThunk+0x12
0014fa34 775cb3c8 001d30e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0014fa4c 00000000 001d30e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36


SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  nnotesws!NEMKillCommonTimer+30bec
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: nnotesws
IMAGE_NAME:  nnotesws.dll
STACK_COMMAND:  ~1s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_nnotesws.dll!NEMKillCommonTimer
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/nnotesws_dll/9_0_10_13287/525ce2e1/c0000005/001350ec.htm?Retriage=1

---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen

Cheers

