Found on 16.08.2017. Maybe you will find it useful.
Below is a ReadAV (read access violation) bug found during a quick fuzzing session.
TL;DR: NULL-pointer read in nnotesws.dll when notes.exe opens a fuzzed .ntf template; !exploitable rates it PROBABLY_NOT_EXPLOITABLE (ReadAVNearNull). Note that the faulting basic block goes on to load a function pointer with mov eax,dword ptr [ebx+80h] and call eax, so that verdict rests on ecx being exactly NULL here rather than attacker-controlled.
A few details below:
------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-7916.ntf
(...)
Executable search path is:
ModLoad: 000d0000 002b3000 notes.exe
(...)
(284.220): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06f75b7c ebx=06f75f80 ecx=00000000 edx=00000070 esi=072de018 edi=06f75f80
eip=606f50ec esp=00144748 ebp=0014478c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19 mov ebx,dword ptr [ecx] ds:0023:00000000=????????
1:001>
(284.220): Access violation - code c0000005 (!!! second chance !!!)
eax=06f75b7c ebx=06f75f80 ecx=00000000 edx=00000070 esi=072de018 edi=06f75f80
eip=606f50ec esp=00144748 ebp=0014478c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19 mov ebx,dword ptr [ecx] ds:0023:00000000=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:606f50ec mov ebx,dword ptr [ecx]
Basic Block:
606f50ec mov ebx,dword ptr [ecx]
Tainted Input operands: 'ecx'
606f50ee jne nnotesws!nemkillcommontimer+0x30bf3 (606f50f3)
Exception Hash (Major/Minor): 0x5f1d1c7f.0x43181378
Hash Usage : Stack Trace:
Major+Minor : nnotesws!NEMKillCommonTimer+0x30bec
Major+Minor : nnotesws!NEMDisableWaitCursor+0x1323
Major+Minor : nnotesws!DeskLocateOrAddEntry+0x143b2
Major+Minor : nnotesws!DeskGetWorkspaceObject+0x7b3f
Major+Minor : nnotesws!EditNewSubprogram+0x30ab
Minor : nnotesws!EditNewSubprogram+0x354b
Minor : nnotesws!ICEDestroyURLDescriptor+0x47fcd
Minor : nnotesws!EditNewSubprogram+0x16a6
Minor : nnotesws!EditNewSubprogram+0x4f0
Minor : nnotesws!DeskFindFile+0xef2c
Minor : nnotesws!EditNewSubprogram+0x16a
Minor : nnotesws!DocumentModalEdit+0x14152c
Minor : nnotesws!DocumentModalEdit+0x1421cd
Minor : nnotesws!DocumentModalEdit+0x1426f8
Minor : nnotesws!DocumentModalEdit+0x9aa4
Minor : nnotesws!NEMGetWindowLong+0x775
Minor : nnotesws+0x513d
Minor : USER32!IsThreadDesktopComposited+0x11f
Minor : USER32!IsThreadDesktopComposited+0x2a6
Minor : USER32!IsThreadDesktopComposited+0x3e5
Minor : USER32!DispatchMessageW+0xf
Minor : nnotesws!NEMMainLoop+0x4a4
Minor : nlnotes+0x1f90
Minor : nlnotes+0x2fa4
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000606f50ec
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at nnotesws!NEMKillCommonTimer+0x0000000000030bec (Hash=0x5f1d1c7f.0x43181378)
This is a user mode read access violation near null, and is probably not exploitable.
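A small triage helper for crashes like this one, added here as an example; it is not code from the original post, from IBM Notes or from the !exploitable extension. It parses a WinDbg + !exploitable transcript (a trimmed copy of the one above is embedded as a constructed sample), cross-checks the NearNull verdict against the register dump by confirming that the base register of the faulting memory operand (ecx) really is the tainted operand and really holds a near-NULL value, and groups reports by major hash plus verdict so duplicates from a fuzzing run collapse into one bucket. The 64 KiB "near NULL" threshold is an assumption of this example, not !exploitable's exact rule.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the WinDbg / !exploitable transcript in this post.
SAMPLE_REPORT = """\
(284.220): Access violation - code c0000005 (!!! second chance !!!)
eax=06f75b7c ebx=06f75f80 ecx=00000000 edx=00000070 esi=072de018 edi=06f75f80
eip=606f50ec esp=00144748 ebp=0014478c iopl=0 nv up ei pl zr na pe nc
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19 mov ebx,dword ptr [ecx] ds:0023:00000000=????????
!exploitable 1.6.0.0
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:606f50ec mov ebx,dword ptr [ecx]
Tainted Input operands: 'ecx'
Exception Hash (Major/Minor): 0x5f1d1c7f.0x43181378
Hash Usage : Stack Trace:
Major+Minor : nnotesws!NEMKillCommonTimer+0x30bec
Major+Minor : nnotesws!NEMDisableWaitCursor+0x1323
Minor : nnotesws!EditNewSubprogram+0x354b
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""

# Assumption: addresses below 64 KiB count as "near NULL" (approximates, not reproduces, !exploitable's rule).
NEAR_NULL_LIMIT = 0x10000


@dataclass
class CrashReport:
    exception_type: str = ""
    exception_code: int = 0
    sub_type: str = ""
    faulting_address: int = 0
    faulting_ip: int = 0
    faulting_instruction: str = ""
    tainted: List[str] = field(default_factory=list)
    hash_major: int = 0
    hash_minor: int = 0
    classification: str = ""
    stack: List[Tuple[str, str]] = field(default_factory=list)  # (hash usage, frame)
    registers: Dict[str, int] = field(default_factory=dict)


def parse_report(text: str) -> CrashReport:
    """Extract the triage-relevant fields from a raw WinDbg + !exploitable transcript."""
    r = CrashReport()
    if m := re.search(r"Exception Type:\s*(\w+)\s*\(0x([0-9A-Fa-f]+)\)", text):
        r.exception_type, r.exception_code = m.group(1), int(m.group(2), 16)
    if m := re.search(r"Exception Sub-Type:\s*(.+)", text):
        r.sub_type = m.group(1).strip()
    if m := re.search(r"Exception Faulting Address:\s*0x([0-9A-Fa-f]+)", text):
        r.faulting_address = int(m.group(1), 16)
    if m := re.search(r"Faulting Instruction:\s*([0-9A-Fa-f]+)\s+(.+)", text):
        r.faulting_ip, r.faulting_instruction = int(m.group(1), 16), m.group(2).strip()
    if m := re.search(r"Tainted Input operands:\s*(.+)", text):
        r.tainted = re.findall(r"'(\w+)'", m.group(1))
    if m := re.search(r"Exception Hash \(Major/Minor\):\s*0x([0-9A-Fa-f]+)\.0x([0-9A-Fa-f]+)", text):
        r.hash_major, r.hash_minor = int(m.group(1), 16), int(m.group(2), 16)
    if m := re.search(r"Exploitability Classification:\s*(\S+)", text):
        r.classification = m.group(1)
    # Stack frames tagged with how !exploitable used them when computing the hash.
    r.stack = re.findall(r"^(Major\+Minor|Minor|Excluded)\s*:\s*(\S+)[ \t]*$", text, re.M)
    # Register dump ("eax=... ebx=...") from the context printed at the exception.
    r.registers = {name: int(val, 16) for name, val in
                   re.findall(r"\b(e[abcd]x|esi|edi|ebp|esp|eip)=([0-9A-Fa-f]{8})", text)}
    return r


def base_register(instruction: str) -> Optional[str]:
    """Base register of the memory operand: 'ecx' for 'mov ebx,dword ptr [ecx]'."""
    m = re.search(r"\[\s*(e[abcd]x|esi|edi|ebp|esp)", instruction)
    return m.group(1) if m else None


def confirm_null_deref(r: CrashReport) -> bool:
    """Cross-check the NearNull verdict against the register dump instead of trusting the tool:
    the memory operand's base register must be the tainted operand and hold a near-NULL value."""
    base = base_register(r.faulting_instruction)
    if base is None or base not in r.registers:
        return False
    return base in r.tainted and r.registers[base] < NEAR_NULL_LIMIT


def bucket_key(r: CrashReport) -> str:
    """Dedup key for a fuzzing run: major hash (top frames only) plus the !exploitable verdict."""
    return f"0x{r.hash_major:08x}:{r.classification}"


def dedupe(reports: List[CrashReport]) -> Dict[str, List[CrashReport]]:
    """Group many crash transcripts into buckets; each bucket needs a look only once."""
    buckets: Dict[str, List[CrashReport]] = defaultdict(list)
    for r in reports:
        buckets[bucket_key(r)].append(r)
    return dict(buckets)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(bucket_key(rep), rep.sub_type, "null deref confirmed:", confirm_null_deref(rep))
```

Bucketing on the major hash alone (the top frames) is deliberate: the minor hash includes the deep USER32/message-loop frames, which vary with how the file was opened and would split one bug into several buckets.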
> u eip-2
nnotesws!NEMKillCommonTimer+0x30bea:
606f50ea 50 push eax
606f50eb 42 inc edx
606f50ec 8b19 mov ebx,dword ptr [ecx]
606f50ee 7503 jne nnotesws!NEMKillCommonTimer+0x30bf3 (606f50f3)
606f50f0 03503a add edx,dword ptr [eax+3Ah]
606f50f3 8b8380000000 mov eax,dword ptr [ebx+80h]
606f50f9 ffd0 call eax
606f50fb f6473402 test byte ptr [edi+34h],2
> u eip-1
nnotesws!NEMKillCommonTimer+0x30beb:
606f50eb 42 inc edx
606f50ec 8b19 mov ebx,dword ptr [ecx]
606f50ee 7503 jne nnotesws!NEMKillCommonTimer+0x30bf3 (606f50f3)
606f50f0 03503a add edx,dword ptr [eax+3Ah]
606f50f3 8b8380000000 mov eax,dword ptr [ebx+80h]
606f50f9 ffd0 call eax
606f50fb f6473402 test byte ptr [edi+34h],2
606f50ff 0f853a010000 jne nnotesws!NEMKillCommonTimer+0x30d3f (606f523f)
> u eip
nnotesws!NEMKillCommonTimer+0x30bec:
606f50ec 8b19 mov ebx,dword ptr [ecx]
606f50ee 7503 jne nnotesws!NEMKillCommonTimer+0x30bf3 (606f50f3)
606f50f0 03503a add edx,dword ptr [eax+3Ah]
606f50f3 8b8380000000 mov eax,dword ptr [ebx+80h]
606f50f9 ffd0 call eax
606f50fb f6473402 test byte ptr [edi+34h],2
606f50ff 0f853a010000 jne nnotesws!NEMKillCommonTimer+0x30d3f (606f523f)
606f5105 8b4f24 mov ecx,dword ptr [edi+24h]
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(...)
FAULTING_IP:
nnotesws!NEMKillCommonTimer+30bec
606f50ec 8b19 mov ebx,dword ptr [ecx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 606f50ec (nnotesws!NEMKillCommonTimer+0x00030bec)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
FAULTING_THREAD: 00000220
PROCESS_NAME: nlnotes.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 77570000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 525ce2e1
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
nnotesws!NEMKillCommonTimer+30bec
606f50ec 8b19 mov ebx,dword ptr [ecx]
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: NULL_POINTER_READ
DEFAULT_BUCKET_ID: NULL_POINTER_READ
LAST_CONTROL_TRANSFER: from 605cfb63 to 606f50ec
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0014478c 605cfb63 00000000 072de018 00000000 nnotesws!NEMKillCommonTimer+0x30bec
001447a8 6068e162 00000001 00000000 072de018 nnotesws!NEMDisableWaitCursor+0x1323
00144c0c 606ac8cf 00000000 00000000 00000040 nnotesws!DeskLocateOrAddEntry+0x143b2
001458ec 6062c26b 00000000 00800000 072de018 nnotesws!DeskGetWorkspaceObject+0x7b3f
00145a50 6062c70b 00000000 00000000 072de018 nnotesws!EditNewSubprogram+0x30ab
00145cbc 60f6a7cd 00146852 00146b16 00146fbc nnotesws!EditNewSubprogram+0x354b
001467c0 6062a866 00010001 00b40460 00000000 nnotesws!ICEDestroyURLDescriptor+0x47fcd
00146b34 606296b0 00000000 00000001 00146fbc nnotesws!EditNewSubprogram+0x16a6
00146c80 6060837c 072dcc18 00146f1c 00146fbc nnotesws!EditNewSubprogram+0x4f0
00146e00 6062932a 00000001 00146f1c 00000000 nnotesws!DeskFindFile+0xef2c
00146f7c 60cbaeac 00000000 00000000 00000000 nnotesws!EditNewSubprogram+0x16a
001470fc 60cbbb4d 06ad70a0 00000023 00000000 nnotesws!DocumentModalEdit+0x14152c
001474d8 60cbc078 06ad70a0 0000203c 00020000 nnotesws!DocumentModalEdit+0x1421cd
001474f8 60b83424 06ad70a0 0000203c 00000001 nnotesws!DocumentModalEdit+0x1426f8
00147638 605c5be5 01908618 00f504cc 0014908c nnotesws!DocumentModalEdit+0x9aa4
00148c2c 605c513d 01908618 00000113 000003ef nnotesws!NEMGetWindowLong+0x775
00149090 772c86ef 00f504cc 00000113 000003ef nnotesws+0x513d
001490bc 772c8876 605c2f50 00f504cc 00000113 USER32!IsThreadDesktopComposited+0x11f
00149134 772c89b5 00000000 605c2f50 00f504cc USER32!IsThreadDesktopComposited+0x2a6
00149194 772c8e9c 605c2f50 00000000 001491e0 USER32!IsThreadDesktopComposited+0x3e5
001491a4 60660574 001491bc 605c0000 772c7756 USER32!DispatchMessageW+0xf
001491e0 001d1f90 001d13b0 001d7c50 004821bd nnotesws!NEMMainLoop+0x4a4
0014f954 001d2fa4 001d0000 00000000 00000001 nlnotes+0x1f90
0014f9e8 76a21174 7ffde000 0014fa34 775cb3f5 nlnotes+0x2fa4
0014f9f4 775cb3f5 7ffde000 773f196e 00000000 kernel32!BaseThreadInitThunk+0x12
0014fa34 775cb3c8 001d30e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0014fa4c 00000000 001d30e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nnotesws!NEMKillCommonTimer+30bec
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nnotesws
IMAGE_NAME: nnotesws.dll
STACK_COMMAND: ~1s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_nnotesws.dll!NEMKillCommonTimer
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/nnotesws_dll/9_0_10_13287/525ce2e1/c0000005/001350ec.htm?Retriage=1
---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen
Cheers