wtorek, 22 października 2019

Random bytes in VLC 3.0.8

Last time we had some fun with previous versions of VLC. This time I decided to run VLC 3.0.8 on Windows 7 (32bit) and prepare a fuzzer to help. Below you will find some results. Here we go...
This time we will start here:


Crashing poc was tested only on Windows7 (32bit) but as you can see (icons above) there are few more 'platforms' where we can check/fuzz it. Example results you'll find below (tl;dr: file is located here because I wasn't able to upload it on my Github) :


---<windbg>---
; found: 20.10.2019 @ 13:42
; more: code610 blogspot com
;

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_4469a9da55bc87f10535b5a4e7831aed-15184.ogg
(...)
Executable search path is:
ModLoad: 01380000 01472000   vlc.exe
(...)
main libvlc debug: VLC media player - 3.0.8 Vetinari
main libvlc debug: Copyright © 1996-2019 the VideoLAN team
main libvlc debug: revision 3.0.8-0-gf350b6b5a7
main libvlc debug: configured with ../extras/package/win32/../../../configure  '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
(...)
lua generic debug: Script c:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac has the following capability flags: 0x5
main generic debug: using extension module "lua"
QApplication::regClass: Registering window class 'QTrayIconMessageWindowClass' failed. (Not enough storage is available to process this command.)
The platform plugin failed to create a message window.
QApplication::regClass: Registering window class 'Qt5QWindowIcon' failed. (Not enough storage is available to process this command.)
create: CreateWindowEx failed (Cannot find window class.)
Failed to create platform window for QWidgetWindow(0x4bc6e38, name="MainInterfaceClassWindow") with flags QFlags<Qt::WindowType>(Window|WindowTitleHint|WindowSystemMenuHint|WindowMinMaxButtonsHint|WindowCloseButtonHint|WindowFullscreenButtonHint)
(13bd8.1334c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=040ff564 ecx=04bc6e38 edx=003400ae esi=017d2318 edi=04bc6e38
eip=6604ebaa esp=040ff524 ebp=017ea748 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll -
libqt_plugin!vlc_entry_license__3_0_0f+0x3b9aba:
6604ebaa 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????

0:011> g;r;g;g;r;!exploitable -v;kb;r;q
(13bd8.1334c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=040ff564 ecx=04bc6e38 edx=003400ae esi=017d2318 edi=04bc6e38
eip=6604ebaa esp=040ff524 ebp=017ea748 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
libqt_plugin!vlc_entry_license__3_0_0f+0x3b9aba:
6604ebaa 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????

(13bd8.1334c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(13bd8.1334c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=040ff564 ecx=04bc6e38 edx=003400ae esi=017d2318 edi=04bc6e38
eip=6604ebaa esp=040ff524 ebp=017ea748 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
libqt_plugin!vlc_entry_license__3_0_0f+0x3b9aba:
6604ebaa 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6604ebaa mov edx,dword ptr [eax]

Basic Block:
    6604ebaa mov edx,dword ptr [eax]
       Tainted Input operands: 'eax'
    6604ebac mov ecx,eax
       Tainted Input operands: 'eax'
    6604ebae mov dword ptr [esp],1
    6604ebb5 call dword ptr [edx+84h]
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0xf4f38c46.0x5be850d7

 Hash Usage : Stack Trace:
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x3b9aba
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x3e7b03
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x3b8ceb
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0xa0e10e
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0xa0e164
Minor       : libqt_plugin!vlc_entry_license__3_0_0f+0x16d9e7
Minor       : libqt_plugin+0x26d6
Minor       : libvlccore!vlc_rand_bytes+0xa9d
Minor       : msvcrt!endthreadex+0x6c
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000006604ebaa

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at libqt_plugin!vlc_entry_license__3_0_0f+0x00000000003b9aba (Hash=0xf4f38c46.0x5be850d7)

The data from the faulting address is later used as the target for a branch.
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
040ff52c 6607cbf3 040ff5d3 0180c701 01838588 libqt_plugin!vlc_entry_license__3_0_0f+0x3b9aba
040ff59c 6604dddb 00000000 00000001 00000001 libqt_plugin!vlc_entry_license__3_0_0f+0x3e7b03
040ff5ac 666a31fe 040ff6c0 7770f176 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x3b8ceb
040ff5cc 666a3254 00000029 040ff6c0 04bbf070 libqt_plugin!vlc_entry_license__3_0_0f+0xa0e10e
040ff84c 65e02ad7 0180c0f8 040ff9bc 006fbe78 libqt_plugin!vlc_entry_license__3_0_0f+0xa0e164
040ff8cc 65c926d6 0180c0f8 668e2227 00000020 libqt_plugin!vlc_entry_license__3_0_0f+0x16d9e7
040ffa6c 69dd555d 0180c0f8 01826c40 75c0a53a libqt_plugin+0x26d6
040ffac4 75c11328 040ffad8 77711174 0183b840 libvlccore!vlc_rand_bytes+0xa9d
040ffacc 77711174 0183b840 040ffb18 777fb3f5 msvcrt!endthreadex+0x6c
040ffad8 777fb3f5 0183b840 502e216c 00000000 kernel32!BaseThreadInitThunk+0x12
040ffb18 777fb3c8 75c112e5 0183b840 00000000 ntdll!RtlInitializeExceptionChain+0x63
040ffb30 00000000 75c112e5 0183b840 00000000 ntdll!RtlInitializeExceptionChain+0x36
eax=00000000 ebx=040ff564 ecx=04bc6e38 edx=003400ae esi=017d2318 edi=04bc6e38
eip=6604ebaa esp=040ff524 ebp=017ea748 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
libqt_plugin!vlc_entry_license__3_0_0f+0x3b9aba:
6604ebaa 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
---</windbg>---

Maybe you'll find it useful.

In case of any questions - you know how to find me. ;)

Cheers


* Updated: 19.12.2019 @00:29 *

I had a pleasure to talk with 'the vendor' and we were not able to reproduce the bug.
We decided to inform the Mitre Team about it and delete the CVE ID assigned to the bug described above.

Anyhow: investigation in progress... ;)

Case we'll be updated ASAP.

 





1 komentarz: