Thursday, 7 November 2019

Crashing EximiousSoft Logo Designer

Last time I tried to crash HoneyView and Better JPEG. This time I decided to check Logo Designer 3.82. Below you will find the details. Here we go...

We will start here:


TL;DR - a few cases found after 22k iterations:

Case #01:

---<windbg>---

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-10908.eld
(...)
Executable search path is:
ModLoad: 00eb0000 01159000   LogoDesigner.exe
(...)
ModLoad: 6e490000 6e5f1000   C:\Program Files\Logo Designer\Office2010.dll
(8a8.900): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=007e0003 ebx=00000000 ecx=0000001e edx=00000078 esi=00000168 edi=00000003
eip=6ea77657 esp=0018eca8 ebp=0018ed00 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
ExiVectorRender!StrokeText_Blend+0x3a7:
6ea77657 8808            mov     byte ptr [eax],cl          ds:0023:007e0003=78

0:000> r;!exploitable -v;q
eax=007e0003 ebx=00000000 ecx=0000001e edx=00000078 esi=00000168 edi=00000003
eip=6ea77657 esp=0018eca8 ebp=0018ed00 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
ExiVectorRender!StrokeText_Blend+0x3a7:
6ea77657 8808            mov     byte ptr [eax],cl          ds:0023:007e0003=78

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7e0003
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:6ea77657 mov byte ptr [eax],cl

Exception Hash (Major/Minor): 0x8cc0ef3c.0xd6479f0d

 Hash Usage : Stack Trace:
Major+Minor : ExiVectorRender!StrokeText_Blend+0x3a7
Major+Minor : ExiVectorRender!BlurShadowDIB+0x132
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CBaseShapeObj::CreateDropShadowDIB+0x296
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CBaseShapeObj::CreateEffectsDIBs+0x2b
Major+Minor : LogoDesigner+0x7eea
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x114f
Minor       : mfc100u+0x1f0ef6
Minor       : mfc100u+0x1f081f
Minor       : mfc100u+0x1f064c
Minor       : mfc100u+0x1a7de2
Minor       : LogoDesigner+0x9eaa
Minor       : mfc100u+0x24e3d0
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0xef
Excluded    : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x000000006ea77657

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ExiVectorRender!StrokeText_Blend+0x00000000000003a7 (Hash=0x8cc0ef3c.0xd6479f0d)

User mode write access violations that are not near NULL are exploitable.

---</windbg>---


Case #02:
---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-7224.eld
(...)
Executable search path is:
ModLoad: 01080000 01329000   LogoDesigner.exe
(...)
ModLoad: 6d200000 6d361000   C:\Program Files\Logo Designer\Office2010.dll
Critical error detected c0000374
(3e8.d58): Break instruction exception - code 80000003 (first chance)
(3e8.d58): Unknown exception - code c0000374 (first chance)
(3e8.d58): Unknown exception - code c0000374 (!!! second chance !!!)
eax=0027ed18 ebx=00000000 ecx=76ea1787 edx=0027eab5 esi=00940000 edi=00aacce0
eip=76f437b7 esp=0027ed08 ebp=0027ed80 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)

0:000> r;!exploitable -v;q
eax=0027ed18 ebx=00000000 ecx=76ea1787 edx=0027eab5 esi=00940000 edi=00aacce0
eip=76f437b7 esp=0027ed08 ebp=0027ed80 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x76f437b7
Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)

Exception Hash (Major/Minor): 0x10da63ce.0x2d04843a

 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a78
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x29a8
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2a88
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2cf1
Major+Minor : ntdll!EtwSetMark+0xde9c
Minor       : ntdll!wcsnicmp+0x98b
Minor       : ntdll!wcsnicmp+0xcaa
Excluded    : kernel32!HeapFree+0x14
Minor       : MSVCR100!free+0x1c
Minor       : ExiVectorRender!ExiVecLib::CExiCurve4::vertex+0xa6
Minor       : LogoDesigner+0x7ecc
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x114f
Minor       : mfc100u+0x1f0ef6
Minor       : mfc100u+0x1f081f
Minor       : mfc100u+0x1f064c
Minor       : mfc100u+0x1a7de2
Minor       : LogoDesigner+0x9eaa
Minor       : mfc100u+0x24e3d0
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0xef
Excluded    : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x0000000076f437b7

Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a78 (Hash=0x10da63ce.0x2d04843a)

Heap Corruption has been detected. This is considered exploitable, and must be fixed.


---</windbg>---


Case #03:
---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-appmvq.eld
(...)
Executable search path is:
ModLoad: 00be0000 00e89000   LogoDesigner.exe
(...)
ModLoad: 6d1f0000 6d351000   C:\Program Files\Logo Designer\Office2010.dll
(c84.77c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0001536d ebx=03263a10 ecx=0025ebc8 edx=0000317c esi=fff6ead4 edi=030eacbc
eip=6dccb733 esp=0025eb30 ebp=0025eb6c iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53:
6dccb733 893493          mov     dword ptr [ebx+edx*4],esi ds:0023:03270000=????????

0:000> r;!exploitable -v;q
eax=0001536d ebx=03263a10 ecx=0025ebc8 edx=0000317c esi=fff6ead4 edi=030eacbc
eip=6dccb733 esp=0025eb30 ebp=0025eb6c iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53:
6dccb733 893493          mov     dword ptr [ebx+edx*4],esi ds:0023:03270000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x3270000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:6dccb733 mov dword ptr [ebx+edx*4],esi

Exception Hash (Major/Minor): 0x51cfe2c2.0x3a8122ef

 Hash Usage : Stack Trace:
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CRenderVectorShapeDef::RenderGradient+0x8d7
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CRenderVectorShapeDef::RenderPath+0xa5
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CCustomPathObj::DrawEx+0x3e6
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CWorkspaceView::UpdateMainRenderBitmap+0x339
Minor       : ExiCustomPathLib!ExiCustomPathLib::CWorkspaceView::OnUpdate+0x4e
Minor       : mfc100u+0x1ea4d2
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x1251
Minor       : mfc100u+0x1f0ef6
Minor       : mfc100u+0x1f081f
Minor       : mfc100u+0x1f064c
Minor       : mfc100u+0x1a7de2
Minor       : LogoDesigner+0x9eaa
Minor       : mfc100u+0x24e3d0
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0xef
Excluded    : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x000000006dccb733

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x0000000000000053 (Hash=0x51cfe2c2.0x3a8122ef)

User mode write access violations that are not near NULL are exploitable.
---</windbg>---



Case #04:
---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-5431.eld
(...)
Executable search path is:
ModLoad: 01190000 01439000   LogoDesigner.exe
(...)
ModLoad: 6d200000 6d361000   C:\Program Files\Logo Designer\Office2010.dll
Critical error detected c0000374
(4ac.a08): Break instruction exception - code 80000003 (first chance)
(4ac.a08): Unknown exception - code c0000374 (first chance)
(4ac.a08): Unknown exception - code c0000374 (!!! second chance !!!)
eax=0015efa0 ebx=00000000 ecx=76ea1787 edx=0015ed3d esi=00930000 edi=030ea408
eip=76f437b7 esp=0015ef90 ebp=0015f008 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)

0:000> r;!exploitable -v;q
eax=0015efa0 ebx=00000000 ecx=76ea1787 edx=0015ed3d esi=00930000 edi=030ea408
eip=76f437b7 esp=0015ef90 ebp=0015f008 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x76f437b7
Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)

Exception Hash (Major/Minor): 0x2877cde1.0xb97d6983

 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a78
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x29a8
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2a88
Major+Minor : ntdll!EtwSetMark+0xeac4
Major+Minor : ntdll!wcsnicmp+0x1e4
Minor       : MSVCR100!malloc+0x36
Minor       : mfc100u+0xb5da2
Minor       : LogoDesigner+0x7a94
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x114f
Minor       : mfc100u+0x1f0ef6
Minor       : mfc100u+0x1f081f
Minor       : mfc100u+0x1f064c
Minor       : mfc100u+0x1a7de2
Minor       : LogoDesigner+0x9eaa
Minor       : mfc100u+0x24e3d0
Minor       : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0xef
Excluded    : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x0000000076f437b7

Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a78 (Hash=0x2877cde1.0xb97d6983)

Heap Corruption has been detected. This is considered exploitable, and must be fixed.


---</windbg>---
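All four reports come from the same recipe: run LogoDesigner.exe on a mutated .eld file under the debugger, then `r;!exploitable -v;q` at the crash. What the verdict lines hide is that `!exploitable` marks every write AV that is not near NULL and every heap-corruption report as EXPLOITABLE; that is a triage heuristic, not a proof. Cases #02 and #04 surface inside ntdll's heap code under `free()` and `malloc()`, so the corrupting write happened earlier and the interesting frame is the first one outside ntdll/CRT/MFC. Case #03 can be checked directly from the registers: `mov dword ptr [ebx+edx*4],esi` with ebx=0x03263a10 and edx=0x317c writes to 0x03263a10 + 0x317c*4 = 0x03270000, the first unmapped byte after the table's region. The script below is an added example, not code from the original post: it parses `!exploitable -v` output, buckets crashes by the Major hash and by the first application frame, and flags the reports that deserve a PageHeap re-run. The sample input is a trimmed copy of the four reports above; the `SYSTEM_MODULES` list, the 64 KiB "near NULL" threshold and the `cdb` invocation in `cdb_command` are assumptions, not something the post shows.

```python
# Added example (not from the original post): triage of '!exploitable -v' dumps.
import re
from collections import defaultdict

# Frames from these modules say nothing about where the app went wrong
# (assumed list; extend for your target). HeapCorruption is raised inside
# ntdll/free()/malloc() long after the actual bad write.
SYSTEM_MODULES = {"ntdll", "kernel32", "kernelbase", "msvcr100", "mfc100u"}

FRAME_RE = re.compile(r"^\s*(Major\+Minor|Minor|Excluded)\s*:\s*(\S+)", re.M)
HASH_RE = re.compile(r"Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)")
ADDR_RE = re.compile(r"Exception Faulting Address: (0x[0-9a-f]+)")
SHORT_RE = re.compile(r"Short Description: (\S+)")
CLASS_RE = re.compile(r"Exploitability Classification: (\S+)")

# Constructed sample input: trimmed excerpts of the four reports in this post.
SAMPLE_REPORTS = {
    "case01": """
        Exception Faulting Address: 0x7e0003
        Exception Hash (Major/Minor): 0x8cc0ef3c.0xd6479f0d
        Major+Minor : ExiVectorRender!StrokeText_Blend+0x3a7
        Major+Minor : ExiVectorRender!BlurShadowDIB+0x132
        Short Description: WriteAV
        Exploitability Classification: EXPLOITABLE""",
    "case02": """
        Exception Faulting Address: 0x76f437b7
        Exception Hash (Major/Minor): 0x10da63ce.0x2d04843a
        Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a78
        Minor       : ntdll!wcsnicmp+0x98b
        Excluded    : kernel32!HeapFree+0x14
        Minor       : MSVCR100!free+0x1c
        Minor       : ExiVectorRender!ExiVecLib::CExiCurve4::vertex+0xa6
        Short Description: HeapCorruption
        Exploitability Classification: EXPLOITABLE""",
    "case03": """
        Exception Faulting Address: 0x3270000
        Exception Hash (Major/Minor): 0x51cfe2c2.0x3a8122ef
        Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53
        Short Description: WriteAV
        Exploitability Classification: EXPLOITABLE""",
    "case04": """
        Exception Faulting Address: 0x76f437b7
        Exception Hash (Major/Minor): 0x2877cde1.0xb97d6983
        Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a78
        Minor       : MSVCR100!malloc+0x36
        Minor       : mfc100u+0xb5da2
        Minor       : LogoDesigner+0x7a94
        Short Description: HeapCorruption
        Exploitability Classification: EXPLOITABLE""",
}

def cdb_command(exe, sample):
    """One way to reproduce a run non-interactively (assumed cdb invocation:
    -g/-G skip the initial/final breakpoints, -c runs the commands;
    msec.dll must be on the extension path for !exploitable to load)."""
    return ["cdb.exe", "-g", "-G", "-c", ".load msec.dll;g;r;!exploitable -v;q", exe, sample]

def parse_report(text):
    """Pull the fields triage needs out of one '!exploitable -v' dump."""
    m = HASH_RE.search(text)
    if m is None:
        raise ValueError("no 'Exception Hash' line: not an !exploitable report")
    return {
        "major": m.group(1),
        "minor": m.group(2),
        "fault_addr": int(ADDR_RE.search(text).group(1), 16),
        "short": SHORT_RE.search(text).group(1),
        "classification": CLASS_RE.search(text).group(1),
        # Excluded frames are left out of !exploitable's hash; skip them too.
        "frames": [f for kind, f in FRAME_RE.findall(text) if kind != "Excluded"],
    }

def module_of(frame):
    """'ntdll!Foo+0x1a' -> 'ntdll'; 'mfc100u+0xb5da2' (no symbols) -> 'mfc100u'."""
    return frame.split("!", 1)[0].split("+", 1)[0].lower()

def first_app_frame(frames):
    """First frame outside the OS/CRT/MFC: the place to start reversing."""
    for f in frames:
        if module_of(f) not in SYSTEM_MODULES:
            return f
    return frames[0] if frames else "<no stack>"

def near_null(addr, limit=0x10000):
    """Assumed 'near NULL' threshold: the bottom 64 KiB is never mapped on Windows."""
    return addr < limit

def triage(reports):
    """Bucket reports by Major hash and by first application frame; annotate each."""
    by_major, by_app_frame, notes = defaultdict(list), defaultdict(list), {}
    for name, text in reports.items():
        r = parse_report(text)
        frame = first_app_frame(r["frames"])
        by_major[r["major"]].append(name)
        by_app_frame[frame].append(name)
        note = f"{r['classification']} {r['short']} @ {frame}"
        if r["short"] == "HeapCorruption":
            note += " (reported late by the heap manager; rerun under PageHeap)"
        elif r["short"] == "WriteAV" and near_null(r["fault_addr"]):
            note += " (write near NULL: probably a NULL-base deref, not controlled)"
        notes[name] = note
    return {"by_major": dict(by_major), "by_app_frame": dict(by_app_frame), "notes": notes}

if __name__ == "__main__":
    for name, note in triage(SAMPLE_REPORTS)["notes"].items():
        print(name, note)
```

Bucketing by Major hash keeps #02 and #04 apart (their top five frames differ), and bucketing by first application frame does too, which is right: one dies freeing under `CExiCurve4::vertex`, the other allocating under `LogoDesigner+0x7a94`. For the two heap cases, enabling full PageHeap for the image (`gflags /p /enable LogoDesigner.exe /full`) before re-running the same .eld files usually moves the fault from ntdll to the out-of-bounds write itself, which is the frame you actually need for a root cause.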

Maybe you will find it useful.

See you next time!

Cheers
