Saturday, 10 April 2021

FuzzLabs vs Acme CAD Converter

Hi ;) Since last week I have been preparing another article for the upcoming 'Notes Magazine' (#07), this time related to fuzzing. My goal was to prepare a sample fuzzer and grab a few new bugs. Below you'll find a few of the "very first results". Here we go...

Today we'll start here:


I decided that this software would be a good example to use with the code I created during the last week*. The version I tried was 8.9.8.1480. I prepared the sample ("seed") file the same way I did before. When it was ready, I used it as the input for my (super lame ;)) "fuzzer".

After a few hours I saw some results:


For example:

#01 - crashed in gsio!CDrawing::operator=:

---<cut>---

Opened log file 'c:\tests\fuzzed2check\app_0c18_2021-04-09_03-23-29-847.log'
(...)
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ef64 10946c73 00000200 01889db4 01889d98 gsio!CDrawing::operator=+0x169b6
0012ef80 10947573 0187d338 01889db4 00000100 gsio!CDwgExport::lineStyle+0xc1d3
00000000 00000000 00000000 00000000 00000000 gsio!CDwgExport::lineStyle+0xcad3
eax=00000200 ebx=0187d3cc ecx=0189fec8 edx=0189fec8 esi=01889db4 edi=00000200
eip=106c8166 esp=0012ef64 ebp=00000100 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213
gsio!CDrawing::operator=+0x169b6:
106c8166 c6041000        mov     byte ptr [eax+edx],0       ds:0023:018a00c8=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x18a00c8
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:106c8166 mov byte ptr [eax+edx],0

Exception Hash (Major/Minor): 0xd3ec65e4.0x8a22cb43

 Hash Usage : Stack Trace:
Major+Minor : gsio!CDrawing::operator=+0x169b6
Major+Minor : gsio!CDwgExport::lineStyle+0xc1d3
Major+Minor : gsio!CDwgExport::lineStyle+0xcad3
Instruction Address: 0x00000000106c8166

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at gsio!CDrawing::operator=+0x00000000000169b6 (Hash=0xd3ec65e4.0x8a22cb43)

User mode write access violations that are not near NULL are exploitable.
Closing open log file c:\tests\fuzzed2check\app_0c18_2021-04-09_03-23-29-847.log

---</cut>---


Another one is presented below:

#02 - crashed in gsio!CDwgExport::NeedRasterOutline:

---<cut>---

Opened log file 'c:\tests\fuzzed2check\app_08d4_2021-04-09_16-37-37-112.log'
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 gsio!CDwgExport::NeedRasterOutline+0x9010
eax=0012ee80 ebx=016bdd68 ecx=00000000 edx=00000000 esi=016a00c0 edi=00000000
eip=106fcc80 esp=0012edf0 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
gsio!CDwgExport::NeedRasterOutline+0x9010:
106fcc80 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:106fcc80 mov edx,dword ptr [ecx]

Basic Block:
    106fcc80 mov edx,dword ptr [ecx]
       Tainted Input operands: 'ecx'
    106fcc82 mov edx,dword ptr [edx+138h]
       Tainted Input operands: 'edx'
    106fcc88 push 0
    106fcc8a push eax
    106fcc8b lea eax,[esp+34h]
    106fcc8f push eax
    106fcc90 call edx
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0xf8d00f22.0xb52647ad

 Hash Usage : Stack Trace:
Major+Minor : gsio!CDwgExport::NeedRasterOutline+0x9010
Instruction Address: 0x00000000106fcc80

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gsio!CDwgExport::NeedRasterOutline+0x0000000000009010 (Hash=0xf8d00f22.0xb52647ad)

The data from the faulting address is later used as the target for a branch.
gsio!CDwgExport::NeedRasterOutline+0x900f:
106fcc7f 188b118b9238    sbb     byte ptr [ebx+38928B11h],cl
106fcc85 0100            add     dword ptr [eax],eax
106fcc87 006a00          add     byte ptr [edx],ch
106fcc8a 50              push    eax
106fcc8b 8d442434        lea     eax,[esp+34h]
106fcc8f 50              push    eax
106fcc90 ffd2            call    edx
106fcc92 8b00            mov     eax,dword ptr [eax]
gsio!CDwgExport::NeedRasterOutline+0x9010:
106fcc80 8b11            mov     edx,dword ptr [ecx]
106fcc82 8b9238010000    mov     edx,dword ptr [edx+138h]
106fcc88 6a00            push    0
106fcc8a 50              push    eax
106fcc8b 8d442434        lea     eax,[esp+34h]
106fcc8f 50              push    eax
106fcc90 ffd2            call    edx
106fcc92 8b00            mov     eax,dword ptr [eax]
Closing open log file c:\tests\fuzzed2check\app_08d4_2021-04-09_16-37-37-112.log

---</cut>---
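As an added example (not the author's fuzzer and not code from the original post), a small Python triage helper for the kind of !exploitable output shown in the two reports above: it parses the fields that matter for review, de-duplicates crashes by Exception Hash, and orders the unique ones by classification so a write AV at a non-NULL address is looked at before a NULL-page read. The sample logs are constructed from the two reports above, trimmed to the lines the parser reads; the third log is a hypothetical re-hit of the first crash.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the two !exploitable logs above (trimmed to the fields the triage needs).
LOG_A = r"""Opened log file 'c:\tests\fuzzed2check\app_0c18_2021-04-09_03-23-29-847.log'
Exception Faulting Address: 0x18a00c8
Exception Hash (Major/Minor): 0xd3ec65e4.0x8a22cb43
Major+Minor : gsio!CDrawing::operator=+0x169b6
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
"""
LOG_B = r"""Opened log file 'c:\tests\fuzzed2check\app_08d4_2021-04-09_16-37-37-112.log'
Exception Faulting Address: 0x0
Exception Hash (Major/Minor): 0xf8d00f22.0xb52647ad
Major+Minor : gsio!CDwgExport::NeedRasterOutline+0x9010
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
"""
# A constructed (hypothetical) re-hit of the first crash from another fuzz case: same hash, different log file.
LOG_A2 = LOG_A.replace("app_0c18", "app_1f3e")
FIELDS = {
    "log": re.compile(r"^Opened log file '([^']+)'", re.M),
    "fault_addr": re.compile(r"^Exception Faulting Address: (0x[0-9a-f]+)", re.M | re.I),
    "hash": re.compile(r"^Exception Hash \(Major/Minor\): (\S+)", re.M),
    "top_frame": re.compile(r"^Major\+Minor : (\S+)", re.M),  # first frame used for the stack hash
    "short": re.compile(r"^Short Description: (\S+)", re.M),
    "classification": re.compile(r"^Exploitability Classification: (\S+)", re.M),
}
# Review order: !exploitable's own classes, most severe first.
SEVERITY = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}

def parse_exploitable(text):
    """Pull the triage-relevant fields out of one !exploitable log (None when a line is missing)."""
    rec = {k: (m.group(1) if (m := p.search(text)) else None) for k, p in FIELDS.items()}
    addr = int(rec["fault_addr"], 16) if rec["fault_addr"] else 0
    rec["near_null"] = addr < 0x10000  # NULL-page faults usually rank lower for review
    return rec

def bucket_crashes(logs):
    """One bucket per unique exception hash, so repeated hits of one bug do not pile up."""
    buckets = defaultdict(list)
    for text in logs:
        rec = parse_exploitable(text)
        buckets[rec["hash"]].append(rec)
    return dict(buckets)

def triage_order(buckets):
    """Unique crashes sorted for review: severity first, then non-NULL faults before NULL-page ones."""
    return sorted(buckets.values(),
                  key=lambda recs: (SEVERITY.get(recs[0]["classification"], 9), recs[0]["near_null"]))
```

Each bucket keeps every log that produced the same hash, so the number of hits per unique crash is available for prioritising which fuzz cases to minimise first.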

You'll find more about it soon in the new Notes Magazine. Stay tuned...


In the meantime I'll also try to prepare a small video for you. ;)

In case of any questions - you know how to find me.

Cheers
