Tuesday, 28 August 2018

Crashing FreePlane

Below you will find a few crashes for the latest FreePlane (1.6.15, 32-bit). They were found a few weeks ago (~10.08.2018) during one fuzzing session. Enjoy...

I found the app here:

https://sourceforge.net/projects/freeplane/

but you should also check the Wiki for some news and updates.

Below are a few results. All three are first-chance exceptions raised inside jvm.dll. HotSpot itself relies on deliberate access violations (implicit null checks that fault on near-NULL addresses, and safepoint polling via a `test` against a page it makes unreadable on purpose) and catches them in its own exception filter, so a first-chance AV in the JVM is not by itself an application crash. Before treating one of these as a real crash, let the exception pass to the second chance (sxd av, then g) and check whether FreePlane actually terminates or writes an hs_err_pid*.log.

Case #01:

---<windbg>---
1:016>
eax=00100000 ebx=37d62f20 ecx=00000000 edx=70500001 esi=3750981d edi=03e2e3d4
eip=014a0677 esp=03e2e35c ebp=03e2e384 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
014a0677 3b01            cmp     eax,dword ptr [ecx]  ds:0023:00000000=????????


(...)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:014a0677 cmp eax,dword ptr [ecx]

Basic Block:
    014a0677 cmp eax,dword ptr [ecx]
       Tainted Input operands: 'eax','ecx'
    014a0679 lea esi,[esp+4]
    014a067d mov dword ptr [ebp-8],esi
    014a0680 jmp dword ptr [ebx+44h]

Exception Hash (Major/Minor): 0x226007ee.0x6fccfb32

 Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : jvm!JVM_Clone+0x41e62
Major+Minor : jvm!JVM_Clone+0x4259a
Major+Minor : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x4261d
Minor       : jvm+0xa6436
Minor       : jvm+0xa6e3e
Minor       : jvm+0xa7294
Minor       : jvm+0xa75a8
Minor       : jvm+0x6fc3c
Minor       : jvm+0x70ee2
Minor       : jvm+0x6d069
Minor       : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_Clone+0x4259a
Minor       : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x4261d
Minor       : jvm+0xa6436
Minor       : jvm+0xa6e3e
Minor       : jvm+0xa7294
Minor       : jvm+0xa75a8
Minor       : jvm+0x6fc3c
Minor       : jvm+0x70ee2
Minor       : jvm+0x6d069
Minor       : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_Clone+0x4259a
Minor       : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x4261d
Minor       : jvm+0xa6436
Minor       : jvm+0xa6e3e
Minor       : jvm+0xa7294
Minor       : jvm+0xa75a8
Minor       : jvm+0x70f7e
Minor       : jvm+0x717e6
Minor       : jvm+0x71aa7
Minor       : jvm+0x6dc30
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_Clone+0x4259a
Minor       : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x42765
Minor       : jvm!JVM_Clone+0x427c7
Minor       : jvm!jio_printf+0xaf
Minor       : jvm!JVM_Clone+0x637dc
Minor       : jvm!JVM_Clone+0x64217
Minor       : jvm!JVM_FindSignal+0x4c49
Minor       : msvcr100!endthreadex+0x3a
Minor       : msvcr100!endthreadex+0xe4
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000014a0677

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at Unknown Symbol @ 0x00000000014a0677 called from jvm!JVM_Clone+0x0000000000041e62 (Hash=0x226007ee.0x6fccfb32)

This is a user mode read access violation near null, and is probably not exploitable.
---</windbg>---


Case #02:

---<windbg>---
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x100100
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:01705529 test dword ptr ds:[100100h],eax

Basic Block:
    01705529 test dword ptr ds:[100100h],eax
       Tainted Input operands: 'eax'
    0170552f ret

       Tainted Input operands: 'eax'

Exception Hash (Major/Minor): 0x83f3e768.0x2ae6309c

 Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_Clone+0x4259a
Minor       : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x42765
Minor       : jvm!JVM_Clone+0x427c7
Minor       : jvm!jio_printf+0xaf
Minor       : jvm!JVM_Clone+0x637dc
Minor       : jvm!JVM_Clone+0x64217
Minor       : jvm!JVM_FindSignal+0x4c49
Minor       : msvcr100!endthreadex+0x3a
Minor       : msvcr100!endthreadex+0xe4
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000001705529

Description: Data from Faulting Address may be used as a return value
Short Description: TaintedDataReturnedFromFunction
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at Unknown Symbol @ 0x0000000001705529 called from jvm!JVM_Clone+0x0000000000041e62 (Hash=0x83f3e768.0x2ae6309c)
---</windbg>---


Case #03:

---<windbg>---
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x190100
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:01a2f823 test dword ptr ds:[190100h],eax

Basic Block:
    01a2f823 test dword ptr ds:[190100h],eax
       Tainted Input operands: 'eax'
    01a2f829 ret

       Tainted Input operands: 'eax'

Exception Hash (Major/Minor): 0xb6fdbb4a.0x914e6706

 Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_Clone+0x4259a
Minor       : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x4261d
Minor       : jvm!JVM_DoPrivileged+0x2ea
Minor       : java!Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedAction_2+0x15
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_Clone+0x4259a
Minor       : jvm!JVM_FindSignal+0x62d3e
Minor       : jvm!JVM_Clone+0x42765
Minor       : jvm!JVM_Clone+0x427c7
Minor       : jvm!jio_printf+0xaf
Minor       : jvm!JVM_Clone+0x637dc
Minor       : jvm!JVM_Clone+0x64217
Minor       : jvm!JVM_FindSignal+0x4c49
Minor       : msvcr100!endthreadex+0x3a
Minor       : msvcr100!endthreadex+0xe4
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000001a2f823

Description: Data from Faulting Address may be used as a return value
Short Description: TaintedDataReturnedFromFunction
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at Unknown Symbol @ 0x0000000001a2f823 called from jvm!JVM_Clone+0x0000000000041e62 (Hash=0xb6fdbb4a.0x914e6706)

The data from the faulting address may later be used as a return value from this function.
---</windbg>---
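A small triage helper for output like the three cases above, as an added example (it is not part of the original post, of FreePlane, or of the !exploitable tool): it parses the text WinDbg's !exploitable prints, buckets reports by the major exception hash (same faulting site, possibly reached through different paths) and flags reports whose faulting instruction matches HotSpot's own deliberate access violations. The safepoint-poll pattern (`test dword ptr ds:[page],eax`) and the near-NULL-read-in-unsymbolized-code heuristic are my assumptions about HotSpot on 32-bit x86, not something the post states; the sample input is constructed from abridged copies of the cases above.

```python
"""Triage !exploitable (MSEC) reports from a JVM fuzzing session.
Added example; not from the original post or the FreePlane project."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three abridged reports in the shape WinDbg prints them.
SAMPLE = r"""
!exploitable 1.6.0.0
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Faulting Instruction:014a0677 cmp eax,dword ptr [ecx]
Exception Hash (Major/Minor): 0x226007ee.0x6fccfb32
 Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : jvm!JVM_Clone+0x41e62
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
!exploitable 1.6.0.0
Exception Faulting Address: 0x100100
Faulting Instruction:01705529 test dword ptr ds:[100100h],eax
Exception Hash (Major/Minor): 0x83f3e768.0x2ae6309c
Major+Minor : Unknown
Minor       : jvm!JVM_Clone+0x41e62
Short Description: TaintedDataReturnedFromFunction
Exploitability Classification: UNKNOWN
!exploitable 1.6.0.0
Exception Faulting Address: 0x190100
Faulting Instruction:01a2f823 test dword ptr ds:[190100h],eax
Exception Hash (Major/Minor): 0xb6fdbb4a.0x914e6706
Major+Minor : jvm!JVM_Clone+0x41e62
Minor       : jvm!JVM_DoPrivileged+0x2ea
Short Description: TaintedDataReturnedFromFunction
Exploitability Classification: UNKNOWN
"""

FIELD_RE = {
    "fault_addr": re.compile(r"^Exception Faulting Address:\s*0x([0-9a-fA-F]+)", re.M),
    "instruction": re.compile(r"^Faulting Instruction:\s*[0-9a-fA-F]+\s+(.+)$", re.M),
    "hash": re.compile(r"^Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)", re.M),
    "short_desc": re.compile(r"^Short Description:\s*(\S+)", re.M),
    "classification": re.compile(r"^Exploitability Classification:\s*(\S+)", re.M),
}
# Only frames that feed the hash; 'Excluded' frames are ignored.
FRAME_RE = re.compile(r"^(?:Major\+Minor|Minor)\s*:\s*(\S+)", re.M)
# Assumption: HotSpot's 32-bit x86 safepoint poll reads a page it deliberately unmaps.
SAFEPOINT_POLL_RE = re.compile(r"^test dword ptr ds:\[[0-9a-fA-F]+h\],eax$")


@dataclass
class Report:
    fault_addr: int
    instruction: str
    hash_major: str
    hash_minor: str
    short_desc: str
    classification: str
    frames: list = field(default_factory=list)  # top frame first

    def likely_jvm_internal(self) -> bool:
        """Heuristic: is this an AV the JVM raises on purpose and handles itself?"""
        if SAFEPOINT_POLL_RE.match(self.instruction):
            return True
        # JIT-compiled Java has no symbols ('Unknown'); a near-NULL read there is
        # consistent with an implicit null check that becomes a NullPointerException.
        return self.fault_addr < 0x10000 and bool(self.frames) and self.frames[0] == "Unknown"


def parse_reports(text: str) -> list:
    """Split concatenated !exploitable output on its banner and parse each report."""
    reports = []
    for chunk in re.split(r"(?m)^!exploitable\s+\S+\s*$", text)[1:]:
        found = {k: rx.search(chunk) for k, rx in FIELD_RE.items()}
        if not all(found.values()):
            continue  # truncated report: skip rather than guess at fields
        reports.append(Report(int(found["fault_addr"].group(1), 16),
                              found["instruction"].group(1).strip(),
                              found["hash"].group(1), found["hash"].group(2),
                              found["short_desc"].group(1),
                              found["classification"].group(1),
                              FRAME_RE.findall(chunk)))
    return reports


def group_by_site(reports) -> dict:
    """Bucket by major hash: same faulting site, different call paths collapse."""
    groups = defaultdict(list)
    for r in reports:
        groups[r.hash_major].append(r)
    return dict(groups)


def triage(text: str) -> list:
    """One summary line per unique site, worst classification first."""
    rank = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}
    rows = []
    for major, rs in group_by_site(parse_reports(text)).items():
        r = rs[0]
        tag = "JVM-internal?" if r.likely_jvm_internal() else "investigate"
        rows.append((rank.get(r.classification, 2), major, r.short_desc, r.classification, len(rs), tag))
    rows.sort()
    return [f"{m} {sd} {cl} x{n} {tag}" for _, m, sd, cl, n, tag in rows]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Feed it the concatenated output of a WinDbg session run with `sxe -c "!exploitable; gc" av` over your test cases; anything tagged "investigate" deserves a second-chance re-run, while "JVM-internal?" entries should first be confirmed to actually terminate the process before they count as crashes.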

All the cases described above (and those not yet described) can be found here.

In case of any questions, you'll know how to find me.

Cheers


