Sunday, 28 March 2021

FuzzLabs: OpenAPC 5.5-1

Hi ;) From time to time you're asking me about 'pentesting SCADA'. This weekend I decided to check the topic and mix it a bit with my 'FuzzLabs'. Below you'll find a few details about it. Here we go...

Today we'll start here:


My first idea was to:
- find a software I can 'easily' fuzz
- prepare a valid sample file for the fuzzer
- wait 24h for the 'first results'.

Simple as usual ;) Let's move forward. 

After the first few hours I found multiple crashes. Two of them are presented below:

Crash#01 - libio_hmi_plot2d!oapc_set_num_value:
---<cut>---

CommandLine: "c:\Program Files\OpenAPC\OpenEditor.exe" C:\sf_c8a5a0b83d9203aefa1ac7336f85f4e6-z9_qiq.apcp
(...)
(3c4.fac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6d6c01d0 ebx=6f4af2df ecx=018499c8 edx=005ad480 esi=00000002 edi=6f4af34d
eip=39e8c833 esp=0012eacc ebp=0012eb14 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
39e8c833 ??              ???
0:000> g;g;r;!exploitable -v;kb; u eip-1;u eip;q
(3c4.fac): Access violation - code c0000005 (!!! second chance !!!)
(3c4.fac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6d6c01d0 ebx=6f4af2df ecx=018499c8 edx=005ad480 esi=00000002 edi=6f4af34d
eip=39e8c833 esp=0012eacc ebp=0012eb14 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
39e8c833 ??              ???

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x39e8c833
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Exception Hash (Major/Minor): 0x3c000d6f.0x84cae8bc

 Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : libio_hmi_plot2d!oapc_set_num_value+0x41e1
Major+Minor : libio_hmi_plot2d!oapc_set_num_value+0x3212
Major+Minor : libio_hmi_plot2d!oapc_paint+0x3b
Major+Minor : image002b0000+0x9431d
Minor       : wxbase30u_vc_custom!wxAppConsoleBase::HandleEvent+0xf
(...)
Minor       : wxmsw30u_core_vc_custom!wxMessageBox+0x84
Minor       : image002b0000+0x88415
Minor       : image002b0000+0x56fc4
Minor       : wxbase30u_vc_custom!wxEntryCleanup+0xb2
Minor       : wxbase30u_vc_custom!wxEntry+0x53
Minor       : wxmsw30u_core_vc_custom!wxEntry+0x7b
Minor       : image002b0000+0x56ba4
Minor       : image002b0000+0xa6132
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000039e8c833

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000039e8c833 called from libio_hmi_plot2d!oapc_set_num_value+0x00000000000041e1 (Hash=0x3c000d6f.0x84cae8bc)

Access violations at the instruction pointer are exploitable if not near NULL.
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012eac8 6a1b70c1 00000001 005ad320 005ad320 0x39e8c833
0012eb14 6a1b60f2 0056cdb0 00000014 00539e68 libio_hmi_plot2d!oapc_set_num_value+0x41e1
0012eb34 6a1b2a2b 00000001 00539e68 0056cdb0 libio_hmi_plot2d!oapc_set_num_value+0x3212
0012ebd8 0034431d 017fa8a8 0012ebf4 0056cdb0 libio_hmi_plot2d!oapc_paint+0x3b
0012ec38 6d5d6f2f 0012ed28 0012ec64 6d5d5bf7 image002b0000+0x9431d
0012ec44 6d5d5bf7 0056cdb0 00344280 00000000 wxbase30u_vc_custom!wxAppConsoleBase::HandleEvent+0xf
0012ec64 6d60aba2 0056cdb0 018937a8 0012ed28 wxbase30u_vc_custom!wxAppConsoleBase::CallEventHandler+0x27
0012ec7c 6d60af84 0055e300 0056cdb0 0012ed28 wxbase30u_vc_custom!wxEvtHandler::ProcessEventIfMatchesId+0x52
0012eca0 6d60b093 0012ed28 0012ed28 0056cdb0 wxbase30u_vc_custom!wxEvtHandler::SearchDynamicEventTable+0x44
0012ecb4 6d60abde 0012ed28 0012ed28 00000000 wxbase30u_vc_custom!wxEvtHandler::TryHereOnly+0x23
0012ecc8 6d60ab1d 0012ed28 0056cdb0 c2040c58 wxbase30u_vc_custom!wxEvtHandler::ProcessEventLocally+0x1e
0012ece0 6d60aeba 0012ed28 4e4f0462 0056cdb0 wxbase30u_vc_custom!wxEvtHandler::ProcessEvent+0x7d
0012ed0c 6c33ff11 0012ed28 4e4f0bba 0056cdb0 wxbase30u_vc_custom!wxEvtHandler::SafelyProcessEvent+0x3a
0012ed94 6c341941 4e4f08ce 00b008c0 0056cdb0 wxmsw30u_core_vc_custom!wxWindow::HandlePaint+0xb1
0012eee0 6c3436b0 0012eefc 0000000f 00000000 wxmsw30u_core_vc_custom!wxWindow::MSWHandleMessage+0x1d1
0012ef00 6c3455df 0000000f 00000000 00000000 wxmsw30u_core_vc_custom!wxWindow::MSWWindowProc+0x20
0012ef1c 76e186ef 00b008c0 0000000f 00000000 wxmsw30u_core_vc_custom!wxWndProc+0x7f
0012ef48 76e179cc 6c345560 00b008c0 0000000f USER32!IsThreadDesktopComposited+0x11f
0012efc0 76e170f4 00000000 6c345560 00b008c0 USER32!MapWindowPoints+0xb7
0012f01c 76e1738f 008238a8 0000000f 00000000 USER32!InflateRect+0x74
39e8c832 ??              ???
                                       ^ Memory access error in 'g;g;r;!exploitable -v;kb; u eip-1;u eip;q'

---</cut>---

Another bug is presented below:


Crash#02 - MSVCR110!free:


---<cut>---

CommandLine: "c:\Program Files\OpenAPC\OpenEditor.exe" C:\sf_d371e17a019c6d1d5c532856b2901a2a-orr5rb.apcp
(...)
(81c.d98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=74eb2900 ebx=00388380 ecx=00310000 edx=00388380 esi=7a33973b edi=00388378
eip=77471ffe esp=0029eaf0 ebp=0029eb24 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ntdll!RtlFreeHeap+0xcd:
77471ffe 8b4604          mov     eax,dword ptr [esi+4] ds:0023:7a33973f=????????

0:000> !exploitable -v;kb; u eip-1;u eip;q

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7a33973f
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:77471ffe mov eax,dword ptr [esi+4]

Basic Block:
    77471ffe mov eax,dword ptr [esi+4]
       Tainted Input operands: 'esi'
    77472001 mov dword ptr [ebp-0ch],eax
       Tainted Input operands: 'eax'
    77472004 mov byte ptr [edi+7],80h
    77472008 mov byte ptr [edi+6],0
    7747200c mov ebx,dword ptr [esi+8]
       Tainted Input operands: 'esi'
    7747200f mov ecx,dword ptr [esi+0ch]
       Tainted Input operands: 'esi'
    77472012 mov dword ptr [ebp-20h],ebx
       Tainted Input operands: 'ebx'
    77472015 add ebx,1
       Tainted Input operands: 'ebx'
    77472018 mov dword ptr [ebp-1ch],ecx
       Tainted Input operands: 'ecx'
    7747201b adc ecx,1
       Tainted Input operands: 'ecx','CarryFlag'
    7747201e and ebx,7fffh
       Tainted Input operands: 'ebx'
    77472024 cmp bx,word ptr [esi+14h]
       Tainted Input operands: 'bx','esi'
    77472028 je ntdll!rtlacquiresrwlockexclusive+0x18d (77475789)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x5b762bc3.0x0abb63b3

 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlFreeHeap+0xcd
Excluded    : ntdll!RtlFreeHeap+0x7e
Excluded    : kernel32!HeapFree+0x14
Major+Minor : MSVCR110!free+0x1a
Major+Minor : image01340000+0x67cd8
Major+Minor : image01340000+0x79fdb
Major+Minor : image01340000+0x7fc36
Major+Minor : image01340000+0x5e794
Minor       : image01340000+0x61b53
Minor       : image01340000+0x42734
Minor       : image01340000+0x5c992
Minor       : image01340000+0x56f9c
Minor       : wxbase30u_vc_custom!wxEntryCleanup+0xb2
Minor       : wxbase30u_vc_custom!wxEntry+0x53
Minor       : wxmsw30u_core_vc_custom!wxEntry+0x7b
Minor       : image01340000+0x56ba4
Minor       : image01340000+0xa6132
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000077471ffe

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlFreeHeap+0x00000000000000cd called from MSVCR110!free+0x000000000000001a (Hash=0x5b762bc3.0x0abb63b3)

The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0029eb24 77471faf 00388380 00000012 000014c8 ntdll!RtlFreeHeap+0xcd
0029eb3c 7611f1ac 00310000 00000000 00388380 ntdll!RtlFreeHeap+0x7e
0029eb50 6d23dcc2 00310000 00000000 00388380 kernel32!HeapFree+0x14
0029eb64 013a7cd8 00388380 00388380 0029ebb4 MSVCR110!free+0x1a
0029eb74 013b9fdb 00000001 0029ec30 00396ff0 image01340000+0x67cd8
(...)

---</cut>---
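To keep a fuzzing run like this manageable, here is an added triage helper (my example, not code from the post, FuzzLabs or OpenAPC) that parses the fields of the '!exploitable -v' reports shown above and buckets crashes by their Major hash, so one root cause reached through several paths ends up in one bucket. The sample reports and the severity ranking are constructed assumptions.

```python
import re
from collections import defaultdict

# Regexes for the fields of a WinDbg '!exploitable -v' report (as printed in the post).
HASH_RE = re.compile(r"Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)")
CLASS_RE = re.compile(r"Exploitability Classification: (\w+)")
SHORT_RE = re.compile(r"Short Description: (\w+)")
FRAME_RE = re.compile(r"^Major\+Minor : (?!Unknown)(\S+)", re.MULTILINE)  # first symbolised frame

# Ordering used to keep a bucket's worst classification (assumed ranking, not !exploitable's).
RANK = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2, "UNKNOWN": 1, "PROBABLY_NOT_EXPLOITABLE": 0}

def parse_report(text):
    """Return hash, classification, short description and first symbolised Major+Minor frame."""
    h, c, s, f = (r.search(text) for r in (HASH_RE, CLASS_RE, SHORT_RE, FRAME_RE))
    if not (h and c and s):
        raise ValueError("not an '!exploitable -v' report")
    return {"major": h.group(1), "minor": h.group(2), "classification": c.group(1),
            "short": s.group(1), "frame": f.group(1) if f else "unknown"}

def bucket_reports(reports):
    """Group reports by Major hash: same root cause via different paths collapses into one bucket."""
    buckets = defaultdict(lambda: {"count": 0, "minors": set(), "frame": None,
                                   "worst": "PROBABLY_NOT_EXPLOITABLE"})
    for r in map(parse_report, reports):
        b = buckets[r["major"]]
        b["count"] += 1
        b["minors"].add(r["minor"])
        b["frame"] = b["frame"] or r["frame"]
        if RANK.get(r["classification"], 0) > RANK.get(b["worst"], 0):
            b["worst"] = r["classification"]
    return dict(buckets)

# Constructed sample reports, trimmed to the fields the parser needs; the first and third
# reuse the hashes and frames from the post, the second is a made-up sibling of the first.
SAMPLE_REPORTS = [
    "Exception Hash (Major/Minor): 0x3c000d6f.0x84cae8bc\nMajor+Minor : Unknown\n"
    "Major+Minor : libio_hmi_plot2d!oapc_set_num_value+0x41e1\n"
    "Short Description: ReadAVonIP\nExploitability Classification: EXPLOITABLE\n",
    "Exception Hash (Major/Minor): 0x3c000d6f.0x11111111\n"
    "Major+Minor : libio_hmi_plot2d!oapc_set_num_value+0x41e1\n"
    "Short Description: ReadAVonIP\nExploitability Classification: PROBABLY_EXPLOITABLE\n",
    "Exception Hash (Major/Minor): 0x5b762bc3.0x0abb63b3\nExcluded    : ntdll!RtlFreeHeap+0xcd\n"
    "Major+Minor : MSVCR110!free+0x1a\nShort Description: TaintedDataControlsBranchSelection\n"
    "Exploitability Classification: UNKNOWN\n",
]

if __name__ == "__main__":
    for major, b in bucket_reports(SAMPLE_REPORTS).items():
        print(f"{major}: {b['count']} crash(es), worst={b['worst']}, top frame={b['frame']}")
```

Feed it the saved output of each crash run and the two reports from the post land in two separate buckets; a third run hitting the same Major hash would only raise the count.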

Nice and cool, but I was wondering what the reason was for an error message box I found when I was checking a few of the files generated by the fuzzer.

And that's how we'll land here:


I hope you'll find it useful during your legal pentests. ;)

In case of any comments/questions - you know how to find me.

See you next time!

Cheers
