Sunday, 29 October 2017

Microsoft Outlook 2016 - RW/RA Crash

Below I present two bugs from my last fuzzing session with Microsoft Outlook 2016. The vendor was notified about both of them. Just like before (1, 2, 3, 4), you will find some details here...

1) Read Access Violation

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office16\outlook.exe" /f C:\sf_62990940d77974c6fa501074a66af6a2-302099.msg
(...)
Executable search path is:
ModLoad: 00007ff6`9def0000 00007ff6`a0051000   outlook.exe
ModLo(...)
(1b70.27a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!RtlImageNtHeaderEx+0x56:
00007ffb`4b2f9506 66443902        cmp     word ptr [rdx],r8w ds:00000255`40020000=????


0:000> r;!exploitable -v;!analyze -v;kb;u eip-2; u eip-1; u eip ;q
rax=0000000000000000 rbx=0000000000000000 rcx=000002554001ff00
rdx=0000025540020000 rsi=0000025540020000 rdi=0000025540020002
rip=00007ffb4b2f9506 rsp=00000094f9f3ee50 rbp=00000094f9f3f050
 r8=0000000000005a4d  r9=00000094f9f3eed8 r10=0000000000000000
r11=0000000000000001 r12=0000000000000002 r13=0000000000000002
r14=ffffffffffffffff r15=00007ff69f5ccf30
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
ntdll!RtlImageNtHeaderEx+0x56:
00007ffb`4b2f9506 66443902        cmp     word ptr [rdx],r8w ds:00000255`40020000=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00007ffb`4b2f9506 cmp word ptr [rdx],r8w

Basic Block:
    00007ffb`4b2f9506 cmp word ptr [rdx],r8w
       Tainted Input operands: 'rdx'
    00007ffb`4b2f950a jne ntdll!rtlimagentheaderex+0xa3 (00007ffb`4b2f9553)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x1931d26b.0x95a66733

 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlImageNtHeaderEx+0x56
Major+Minor : ntdll!RtlImageNtHeader+0x1e
Major+Minor : KERNELBASE!FreeLibrary+0x4a
Major+Minor : mso30win32client!Ordinal1394+0x15
Major+Minor : mso99Lwin32client!Ordinal624+0x83c47
Minor       : mso99Lwin32client!Ordinal1716+0x305
Minor       : mso99Lwin32client!Ordinal1716+0x1c9
Minor       : mso99Lwin32client!Ordinal652+0x332
Minor       : mso99Lwin32client!Ordinal88+0x25
Minor       : mso!Ordinal4303+0x3ab
Minor       : mso!Ordinal3689+0x31
Minor       : outlook+0x216dc
Minor       : outlook+0x1e78f
Minor       : outlook+0x1e481
Minor       : outlook+0x1dbc0
Minor       : outlook+0x1d1eb
Minor       : outlook!UpdateSharingAccounts+0x1fa91
Minor       : KERNEL32!BaseThreadInitThunk+0x14
Minor       : ntdll!RtlUserThreadStart+0x21
Instruction Address: 0x00007ffb4b2f9506

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlImageNtHeaderEx+0x0000000000000056 (Hash=0x1931d26b.0x95a66733)

The data from the faulting address is later used to determine whether or not a branch is taken.
(...)

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
ntdll!RtlImageNtHeaderEx+56
00007ffb`4b2f9506 66443902        cmp     word ptr [rdx],r8w

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 00007ffb4b2f9506 (ntdll!RtlImageNtHeaderEx+0x0000000000000056)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000025540020000
Attempt to read from address 0000025540020000

FAULTING_THREAD:  00000000000027a4
PROCESS_NAME:  outlook.exe
FAULTING_MODULE: 00007ffb4b2b0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  59c154f7
EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  0000025540020000
READ_ADDRESS:  0000025540020000

FOLLOWUP_IP:
mso30win32client!Ordinal1394+15
00007ffb`2a12efc5 4883250bbe3b0000 and     qword ptr [mso30win32client!Ordinal75+0x1fa150 (00007ffb`2a4eadd8)],0

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
LAST_CONTROL_TRANSFER:  from 00007ffb4b2f683e to 00007ffb4b2f9506

STACK_TEXT: 
00000094`f9f3ee50 00007ffb`4b2f683e : 00000000`00000001 00000000`00000000 00007ffb`2a4ea310 00000094`f9f3eed8 : ntdll!RtlImageNtHeaderEx+0x56
00000094`f9f3eea0 00007ffb`484402fa : 00000255`40020002 00000000`00000000 00000000`00050063 00000000`00000002 : ntdll!RtlImageNtHeader+0x1e
00000094`f9f3eed0 00007ffb`2a12efc5 : 00000000`00000000 00000000`00000000 00000255`3e255638 00000255`40020000 : KERNELBASE!FreeLibrary+0x4a
00000094`f9f3ef00 00007ffb`1eb2df37 : 00000000`00000000 00000000`00000000 00000000`0000012d 00000255`3e2a7565 : mso30win32client!Ordinal1394+0x15
00000094`f9f3ef30 00007ffb`1ea41fbd : 00000000`0000032c 00000000`00000000 00000000`00000000 00000000`00000000 : mso99Lwin32client!Ordinal624+0x83c47
00000094`f9f3f590 00007ffb`1ea41e81 : 00000000`00000002 00007ffb`1f106e20 00000000`00000004 00000094`f9f3f6ac : mso99Lwin32client!Ordinal1716+0x305
00000094`f9f3f670 00007ffb`1e9b4c96 : 00000255`3e26e7b0 00000000`0000000a 00000255`3e270bb0 00000255`3e279ba0 : mso99Lwin32client!Ordinal1716+0x1c9
00000094`f9f3f730 00007ffb`1ea46729 : 00000000`00000001 00000000`00000001 00007ff6`9f5ccf30 00000094`f9f3f7d0 : mso99Lwin32client!Ordinal652+0x332
00000094`f9f3f780 00007ffb`17cd348b : 00000000`00000006 00000000`ffffffff 00000000`00000000 00007ff6`9fc7dce0 : mso99Lwin32client!Ordinal88+0x25
00000094`f9f3f7b0 00007ffb`17c4e181 : 00007ff6`9f5ccf30 00000000`00000001 00000000`00000000 00000000`00000000 : mso!Ordinal4303+0x3ab
00000094`f9f3f830 00007ff6`9df116dc : 00000000`00000002 00007ff6`9f5ccf30 00000094`f9f3f890 00000000`00000000 : mso!Ordinal3689+0x31
00000094`f9f3f860 00007ff6`9df0e78f : 00007ff6`9fc7ece8 00000000`0000000a 00000255`3e2422f8 00007ff6`9fc8e5e0 : outlook+0x216dc
00000094`f9f3f8b0 00007ff6`9df0e481 : 00000000`00000000 00000094`f9f3f939 00000000`00000000 00007ffb`4a730678 : outlook+0x1e78f
00000094`f9f3f8e0 00007ff6`9df0dbc0 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000255`3e2422f8 : outlook+0x1e481
00000094`f9f3f9a0 00007ff6`9df0d1eb : 00000000`00000001 00000000`0000000a 00000255`3e2433d9 00007ff6`9fc8e5e0 : outlook+0x1dbc0
00000094`f9f3f9e0 00007ff6`9e143065 : 00000000`0000000a 00000000`00000000 00000000`00000000 01d34925`c512ca14 : outlook+0x1d1eb
00000094`f9f3fa20 00007ffb`4a408364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : outlook!UpdateSharingAccounts+0x1fa91
00000094`f9f3fa60 00007ffb`4b317091 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000094`f9f3fa90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  mso30win32client!Ordinal1394+15
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: mso30win32client
IMAGE_NAME:  mso30win32client.dll
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_mso30win32client.dll!Ordinal1394
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/outlook_exe/16_0_4600_1000/59b873e2/ntdll_dll/10_0_14393_1715/59b0d03e/c0000005/00049506.htm?Retriage=1
Followup: MachineOwner

---------
RetAddr           : Args to Child                                                           : Call Site
00007ffb`4b2f683e : 00000000`00000001 00000000`00000000 00007ffb`2a4ea310 00000094`f9f3eed8 : ntdll!RtlImageNtHeaderEx+0x56
00007ffb`484402fa : 00000255`40020002 00000000`00000000 00000000`00050063 00000000`00000002 : ntdll!RtlImageNtHeader+0x1e
00007ffb`2a12efc5 : 00000000`00000000 00000000`00000000 00000255`3e255638 00000255`40020000 : KERNELBASE!FreeLibrary+0x4a
00007ffb`1eb2df37 : 00000000`00000000 00000000`00000000 00000000`0000012d 00000255`3e2a7565 : mso30win32client!Ordinal1394+0x15
00007ffb`1ea41fbd : 00000000`0000032c 00000000`00000000 00000000`00000000 00000000`00000000 : mso99Lwin32client!Ordinal624+0x83c47
00007ffb`1ea41e81 : 00000000`00000002 00007ffb`1f106e20 00000000`00000004 00000094`f9f3f6ac : mso99Lwin32client!Ordinal1716+0x305
00007ffb`1e9b4c96 : 00000255`3e26e7b0 00000000`0000000a 00000255`3e270bb0 00000255`3e279ba0 : mso99Lwin32client!Ordinal1716+0x1c9
00007ffb`1ea46729 : 00000000`00000001 00000000`00000001 00007ff6`9f5ccf30 00000094`f9f3f7d0 : mso99Lwin32client!Ordinal652+0x332
00007ffb`17cd348b : 00000000`00000006 00000000`ffffffff 00000000`00000000 00007ff6`9fc7dce0 : mso99Lwin32client!Ordinal88+0x25
00007ffb`17c4e181 : 00007ff6`9f5ccf30 00000000`00000001 00000000`00000000 00000000`00000000 : mso!Ordinal4303+0x3ab
00007ff6`9df116dc : 00000000`00000002 00007ff6`9f5ccf30 00000094`f9f3f890 00000000`00000000 : mso!Ordinal3689+0x31
00007ff6`9df0e78f : 00007ff6`9fc7ece8 00000000`0000000a 00000255`3e2422f8 00007ff6`9fc8e5e0 : outlook+0x216dc
00007ff6`9df0e481 : 00000000`00000000 00000094`f9f3f939 00000000`00000000 00007ffb`4a730678 : outlook+0x1e78f
00007ff6`9df0dbc0 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000255`3e2422f8 : outlook+0x1e481
00007ff6`9df0d1eb : 00000000`00000001 00000000`0000000a 00000255`3e2433d9 00007ff6`9fc8e5e0 : outlook+0x1dbc0
00007ff6`9e143065 : 00000000`0000000a 00000000`00000000 00000000`00000000 01d34925`c512ca14 : outlook+0x1d1eb
00007ffb`4a408364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : outlook!UpdateSharingAccounts+0x1fa91
00007ffb`4b317091 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

ntdll!RtlImageNtHeaderEx+0x54:
00007ffb`4b2f9504 0000            add     byte ptr [rax],al
00007ffb`4b2f9506 66443902        cmp     word ptr [rdx],r8w
00007ffb`4b2f950a 7547            jne     ntdll!RtlImageNtHeaderEx+0xa3 (00007ffb`4b2f9553)
00007ffb`4b2f950c 448b423c        mov     r8d,dword ptr [rdx+3Ch]
00007ffb`4b2f9510 84c9            test    cl,cl
00007ffb`4b2f9512 7526            jne     ntdll!RtlImageNtHeaderEx+0x8a (00007ffb`4b2f953a)
00007ffb`4b2f9514 4181f800000010  cmp     r8d,10000000h
00007ffb`4b2f951b 734d            jae     ntdll!RtlImageNtHeaderEx+0xba (00007ffb`4b2f956a)

ntdll!RtlImageNtHeaderEx+0x55:
00007ffb`4b2f9505 006644          add     byte ptr [rsi+44h],ah
00007ffb`4b2f9508 3902            cmp     dword ptr [rdx],eax
00007ffb`4b2f950a 7547            jne     ntdll!RtlImageNtHeaderEx+0xa3 (00007ffb`4b2f9553)
00007ffb`4b2f950c 448b423c        mov     r8d,dword ptr [rdx+3Ch]
00007ffb`4b2f9510 84c9            test    cl,cl
00007ffb`4b2f9512 7526            jne     ntdll!RtlImageNtHeaderEx+0x8a (00007ffb`4b2f953a)
00007ffb`4b2f9514 4181f800000010  cmp     r8d,10000000h
00007ffb`4b2f951b 734d            jae     ntdll!RtlImageNtHeaderEx+0xba (00007ffb`4b2f956a)

ntdll!RtlImageNtHeaderEx+0x56:
00007ffb`4b2f9506 66443902        cmp     word ptr [rdx],r8w
00007ffb`4b2f950a 7547            jne     ntdll!RtlImageNtHeaderEx+0xa3 (00007ffb`4b2f9553)
00007ffb`4b2f950c 448b423c        mov     r8d,dword ptr [rdx+3Ch]
00007ffb`4b2f9510 84c9            test    cl,cl
00007ffb`4b2f9512 7526            jne     ntdll!RtlImageNtHeaderEx+0x8a (00007ffb`4b2f953a)
00007ffb`4b2f9514 4181f800000010  cmp     r8d,10000000h
00007ffb`4b2f951b 734d            jae     ntdll!RtlImageNtHeaderEx+0xba (00007ffb`4b2f956a)
00007ffb`4b2f951d 4e8d1402        lea     r10,[rdx+r8]



2) Write Access Violation

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office16\outlook.exe" /f C:\sf_62990940d77974c6fa501074a66af6a2-235790.msg
(...)
Executable search path is:
ModLoad: 00007ff6`f6850000 00007ff6`f89b1000   outlook.exe
(...)
ModLoad: 00007ffc`2cbe0000 00007ffc`2d6da000   C:\Program Files\Microsoft Office\Office16\chart.dll
(112c.158c): C++ EH exception - code e06d7363 (first chance)
(112c.158c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office16\olmapi32.dll -
olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c97:
00007ffc`36f8ef6f ff09            dec     dword ptr [rcx] ds:00000000`00000000=????????


0:000> r;!exploitable -v;!analyze -v;kb;u eip-2; u eip-1; u eip ;q
rax=00000093b030f948 rbx=000001db7fd01060 rcx=0000000000000000
rdx=000001db7fd01060 rsi=0000000000000000 rdi=0000000000000000
rip=00007ffc36f8ef6f rsp=00000093b030f910 rbp=000001db7fd01060
 r8=00000093b030f928  r9=00000093b030fb80 r10=0000000000000000
r11=0000000000000246 r12=00000000ffffffff r13=0000000000000000
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c97:
00007ffc`36f8ef6f ff09            dec     dword ptr [rcx] ds:00000000`00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00007ffc`36f8ef6f dec dword ptr [rcx]

Basic Block:
    00007ffc`36f8ef6f dec dword ptr [rcx]
       Tainted Input operands: 'rcx'
    00007ffc`36f8ef71 test rdx,rdx
    00007ffc`36f8ef74 jne olmapi32!dllcanunloadnow+0x3af32 (00007ffc`3706052e)

Exception Hash (Major/Minor): 0x862f1b3a.0x47867ed4

 Hash Usage : Stack Trace:
Major+Minor : olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c97
Major+Minor : olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1ba1
Major+Minor : olmapi32!HrRTFFromTextStream+0x190e1
Major+Minor : olmapi32!DllCanUnloadNow+0x4b0df
Major+Minor : olmapi32!HrRTFFromTextStream+0x1a9fe
Minor       : olmapi32!DllCanUnloadNow+0x7f3d1
Minor       : olmapi32!HrValidateIPMSubtree+0x350a
Minor       : olmapi32!MAPIUninitialize+0x9
Minor       : mso99Lwin32client!Ordinal1139+0x2339
Minor       : mso99Lwin32client!Ordinal1139+0x1273
Minor       : mso99Lwin32client!Ordinal1139+0xfba
Minor       : mso99Lwin32client!Ordinal979+0xa3d
Minor       : mso!Ordinal2954+0x33
Minor       : outlook!HrProcessConvActionForSentItem+0x7aab6
Minor       : outlook!HrGetCacheSetupProgressObject+0x14a5
Minor       : outlook!HrGetCacheSetupProgressObject+0x1b95
Minor       : outlook+0x1d209
Minor       : outlook!UpdateSharingAccounts+0x1fa91
Minor       : KERNEL32!BaseThreadInitThunk+0x14
Minor       : ntdll!RtlUserThreadStart+0x21
Instruction Address: 0x00007ffc36f8ef6f

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at olmapi32!HrConvertMAPIFormPropsToFDMProps+0x0000000000001c97 (Hash=0x862f1b3a.0x47867ed4)

User mode write access violations that are near NULL are unknown.
*******************************************************************************

Those bugs were not considered a 'security problem' by the MSRC team. Big thanks go to Microsoft for the very fast and detailed responses.

You will find the attachments on my GitHub.
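The two !exploitable reports above are the kind of output a fuzzing campaign produces by the hundred, and the useful next step is mechanical: pull out the exception sub-type, the major/minor hash, the stack frames that feed each hash and the verdict, then bucket crashes by major hash so that many test cases hitting one root cause collapse into a single entry. The Python below is an added example written for this page, not code from the post's author or from Microsoft. The two embedded reports are constructed excerpts trimmed from the dumps above, and the triage ordering (verdict first, then near-NULL faults ranked below wild ones, then writes before reads) is a heuristic chosen for this example, not something !exploitable itself defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpts modelled on the two !exploitable -v reports above;
# only the fields the parser needs were kept.
REPORT_READ_AV = """\
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00007ffb`4b2f9506 cmp word ptr [rdx],r8w

Exception Hash (Major/Minor): 0x1931d26b.0x95a66733

 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlImageNtHeaderEx+0x56
Major+Minor : ntdll!RtlImageNtHeader+0x1e
Major+Minor : KERNELBASE!FreeLibrary+0x4a
Minor       : outlook+0x216dc

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
"""

REPORT_WRITE_AV = """\
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00007ffc`36f8ef6f dec dword ptr [rcx]

Exception Hash (Major/Minor): 0x862f1b3a.0x47867ed4

 Hash Usage : Stack Trace:
Major+Minor : olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1c97
Major+Minor : olmapi32!HrConvertMAPIFormPropsToFDMProps+0x1ba1
Minor       : outlook+0x1d209

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
"""

# Rank of the verdicts !exploitable can emit; lower sorts first.
CLASSIFICATION_RANK = {
    "EXPLOITABLE": 0,
    "PROBABLY_EXPLOITABLE": 1,
    "UNKNOWN": 2,
    "PROBABLY_NOT_EXPLOITABLE": 3,
}


@dataclass
class CrashReport:
    sub_type: str
    instruction: str
    major_hash: str
    minor_hash: str
    short_description: str
    classification: str
    faulting_address: Optional[int]          # None when the report omits it
    major_frames: List[str] = field(default_factory=list)
    minor_frames: List[str] = field(default_factory=list)

    def near_null(self, limit: int = 0x10000) -> bool:
        """True when a reported faulting address lies in the first 64 KiB."""
        return self.faulting_address is not None and self.faulting_address < limit


def _field(text: str, label: str) -> str:
    """Return the value of a 'Label: value' line, or raise if it is missing."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("missing field: " + label)
    return m.group(1)


def parse_exploitable(text: str) -> CrashReport:
    """Extract the triage-relevant fields from one !exploitable -v report."""
    major, minor = _field(text, "Exception Hash (Major/Minor)").split(".")
    addr = re.search(r"^Exception Faulting Address:\s*(0x[0-9a-fA-F]+)", text, re.MULTILINE)
    report = CrashReport(
        sub_type=_field(text, "Exception Sub-Type"),
        instruction=_field(text, "Faulting Instruction"),
        major_hash=major,
        minor_hash=minor,
        short_description=_field(text, "Short Description"),
        classification=_field(text, "Exploitability Classification"),
        faulting_address=int(addr.group(1), 16) if addr else None,
    )
    # Each stack line is tagged with the hash it contributes to.
    for usage, frame in re.findall(r"^(Major\+Minor|Minor)\s*:\s*(\S+)\s*$", text, re.MULTILINE):
        if usage == "Major+Minor":
            report.major_frames.append(frame)
        else:
            report.minor_frames.append(frame)
    return report


def bucket_by_major_hash(reports: List[CrashReport]) -> Dict[str, List[CrashReport]]:
    """Group crashes sharing the major hash: same top frames, probably one root cause."""
    buckets: Dict[str, List[CrashReport]] = defaultdict(list)
    for r in reports:
        buckets[r.major_hash].append(r)
    return dict(buckets)


def triage_order(reports: List[CrashReport]) -> List[CrashReport]:
    """Most interesting first: verdict, then wild faults before near-NULL, then writes before reads."""
    return sorted(reports, key=lambda r: (
        CLASSIFICATION_RANK.get(r.classification, len(CLASSIFICATION_RANK)),
        1 if r.near_null() else 0,
        0 if r.sub_type.startswith("Write") else 1,
    ))


if __name__ == "__main__":
    crashes = [parse_exploitable(REPORT_READ_AV), parse_exploitable(REPORT_WRITE_AV)]
    for c in triage_order(crashes):
        print(c.major_hash, c.classification, c.short_description, c.instruction)
    print("distinct buckets:", len(bucket_by_major_hash(crashes)))
```

Run over a directory of saved WinDbg logs, the bucket count is the number of distinct crashes worth a closer look, and the major-hash key is what you compare against previously reported issues before spending time on a new test case.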



; more at:
; code610.blogspot.com
; twitter.com/CodySixteen
; thanks
;       o/
