Thursday, 17 August 2017

Read/Write Crash in IBM Notes 9

Found 16.08.2017. Maybe you will find it useful.


Below you will find 3 bugs:
- ReadAV - nnotes!Cmovmem+0x1c3
- WriteAVNearNull - nnotes!NSFDbOpenExtended6+0x3d6d
- ReadAV - nnotes!Cmovmem+0x1c3

TL;DR

Below are the details for Cmovmem():

 Hi

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-1490.ntf
(...)
Executable search path is:
ModLoad: 010e0000 012c3000   notes.exe
(...)
(12c4.1450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00c01574 ebx=b9a29d14 ecx=b9a29d18 edx=b9a29d28 esi=00000014 edi=001636e8
eip=63b11be3 esp=00162e5c ebp=00162e68 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
nnotes!Cmovmem+0x1c3:
63b11be3 8b33            mov     esi,dword ptr [ebx]  ds:0023:b9a29d14=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffb9a29d14
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:63b11be3 mov esi,dword ptr [ebx]

Basic Block:
    63b11be3 mov esi,dword ptr [ebx]
       Tainted Input operands: 'ebx'
    63b11be5 mov ebx,ecx
    63b11be7 mov dword ptr [eax],esi
       Tainted Input operands: 'esi'
    63b11be9 lea ecx,[ebx+4]
    63b11bec add eax,4
    63b11bef cmp ecx,edx
    63b11bf1 jbe nnotes!cmovmem+0x1c3 (63b11be3)

Exception Hash (Major/Minor): 0x3ada1574.0x3c31aa8e

 Hash Usage : Stack Trace:
Major+Minor : nnotes!Cmovmem+0x1c3
Major+Minor : nnotes!ODSReadMemory+0x74
Major+Minor : nnotes!DbDumpSuperBlocks+0x21fd
Major+Minor : nnotes!DbSuperBlockRead+0x450
Major+Minor : nnotes!NSFDumpSuperBlock+0x29df
Minor       : nnotes!DbSuperBlockRead+0x6d
Minor       : nnotes!NSFNoteIsSignedOrSealed+0x29ac
Minor       : nnotes!NSFDbOpenExtended6+0x6d84
Minor       : nnotes!NSFDbOpenExtended3+0x47
Minor       : nnotes!NSFDbOpenExtended2+0x36
Minor       : nnotesws!NEMPostStatus+0x14b90
Minor       : nnotesws!DocumentModalEdit+0x44e32
Minor       : nnotesws!DocumentModalEdit+0x9a54
Minor       : nnotesws!NEMGetWindowLong+0x775
Minor       : nnotesws+0x513d
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!IsThreadDesktopComposited+0x2a6
Minor       : USER32!IsThreadDesktopComposited+0x3e5
Minor       : USER32!DispatchMessageW+0xf
Minor       : nnotesws!NEMMainLoop+0x4a4
Minor       : nlnotes+0x1f90
Minor       : nlnotes+0x2fa4
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000063b11be3

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at nnotes!Cmovmem+0x00000000000001c3 (Hash=0x3ada1574.0x3c31aa8e)

> u eip-2
nnotes!Cmovmem+0x1c1:
63b11be1 7710            ja      nnotes!Cmovmem+0x1d3 (63b11bf3)
63b11be3 8b33            mov     esi,dword ptr [ebx]
63b11be5 8bd9            mov     ebx,ecx
63b11be7 8930            mov     dword ptr [eax],esi
63b11be9 8d4b04          lea     ecx,[ebx+4]
63b11bec 83c004          add     eax,4
63b11bef 3bca            cmp     ecx,edx
63b11bf1 76f0            jbe     nnotes!Cmovmem+0x1c3 (63b11be3)
> u eip-1
nnotes!Cmovmem+0x1c2:
63b11be2 108b338bd989    adc     byte ptr [ebx-762674CDh],cl
63b11be8 308d4b0483c0    xor     byte ptr [ebp-3F7CFBB5h],cl
63b11bee 043b            add     al,3Bh
63b11bf0 ca76f0          retf    0F076h
63b11bf3 3bda            cmp     ebx,edx
63b11bf5 0f8333ffffff    jae     nnotes!Cmovmem+0x10e (63b11b2e)
63b11bfb 8bf3            mov     esi,ebx
63b11bfd 8d4900          lea     ecx,[ecx]
> u eip
nnotes!Cmovmem+0x1c3:
63b11be3 8b33            mov     esi,dword ptr [ebx]
63b11be5 8bd9            mov     ebx,ecx
63b11be7 8930            mov     dword ptr [eax],esi
63b11be9 8d4b04          lea     ecx,[ebx+4]
63b11bec 83c004          add     eax,4
63b11bef 3bca            cmp     ecx,edx
63b11bf1 76f0            jbe     nnotes!Cmovmem+0x1c3 (63b11be3)
63b11bf3 3bda            cmp     ebx,edx


*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
nnotes!Cmovmem+1c3
63b11be3 8b33            mov     esi,dword ptr [ebx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 63b11be3 (nnotes!Cmovmem+0x000001c3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: b9a29d14
Attempt to read from address b9a29d14

FAULTING_THREAD:  00001450
PROCESS_NAME:  nlnotes.exe

MODULE_NAME: nnotes
FAULTING_MODULE: 773b0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  525ce30c
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  b9a29d14
READ_ADDRESS:  b9a29d14

FOLLOWUP_IP:
nnotes!Cmovmem+1c3
63b11be3 8b33            mov     esi,dword ptr [ebx]

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
LAST_CONTROL_TRANSFER:  from 63b14b34 to 63b11be3

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
00162e68 63b14b34 b9a29d54 00c01574 00000014 nnotes!Cmovmem+0x1c3
00162e84 64507cad 001636e8 0000002f 00c01574 nnotes!ODSReadMemory+0x74
00162ec0 63bf1a60 068467b0 001636f4 001633b0 nnotes!DbDumpSuperBlocks+0x21fd
0016304c 6450cebf 00166b30 001636f4 001633b0 nnotes!DbSuperBlockRead+0x450
00163868 63bf167d 00166b30 00000000 00000000 nnotes!NSFDumpSuperBlock+0x29df
00163888 63bf749c 00166b30 00000000 00000000 nnotes!DbSuperBlockRead+0x6d
00163a6c 64652c64 00166b30 05855524 00166e4c nnotes!NSFNoteIsSignedOrSealed+0x29ac
00166bc8 63b4db77 05855524 00006002 00000000 nnotes!NSFDbOpenExtended6+0x6d84
00166cb4 63bc4366 05855524 00006002 00000000 nnotes!NSFDbOpenExtended3+0x47
00166cec 616c87d0 05855524 00006002 00000000 nnotes!NSFDbOpenExtended2+0x36
00166e44 61c5e7b2 00000000 0016744c 00000000 nnotesws!NEMPostStatus+0x14b90
0016730c 61c233d4 0585006a 0000006e 0016744c nnotesws!DocumentModalEdit+0x44e32
00167450 61665be5 009a8618 00e7095a 00168ea4 nnotesws!DocumentModalEdit+0x9a54
00168a44 6166513d 009a8618 00000113 000003ef nnotesws!NEMGetWindowLong+0x775
00168ea8 76be86ef 00e7095a 00000113 000003ef nnotesws+0x513d
00168ed4 76be8876 61662f50 00e7095a 00000113 USER32!IsThreadDesktopComposited+0x11f
00168f4c 76be89b5 00000000 61662f50 00e7095a USER32!IsThreadDesktopComposited+0x2a6
00168fac 76be8e9c 61662f50 00000000 00168ff8 USER32!IsThreadDesktopComposited+0x3e5
00168fbc 61700574 00168fd4 61660000 76be7756 USER32!DispatchMessageW+0xf
00168ff8 01091f90 010913b0 01097c50 003321bd nnotesws!NEMMainLoop+0x4a4
0016f76c 01092fa4 01090000 00000000 00000001 nlnotes+0x1f90
0016f800 76d21174 7ffde000 0016f84c 7740b3f5 nlnotes+0x2fa4
0016f80c 7740b3f5 7ffde000 77021f65 00000000 kernel32!BaseThreadInitThunk+0x12
0016f84c 7740b3c8 010930e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0016f864 00000000 010930e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  nnotes!Cmovmem+1c3
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  nnotes.dll
STACK_COMMAND:  ~1s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nnotes.dll!Cmovmem
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/nnotes_dll/9_0_10_13287/525ce30c/c0000005/00001be3.htm?Retriage=1

Followup: MachineOwner

---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen

Cheers
