Monday, 14 June 2021

Crashing Aspire 9.5

Hi :) This time I decided to publish a few details from one of the fuzzing runs I did for a while, about 2 weeks ago. Below you'll find 3 bugs I found in the Aspire 9.5 software. Here we go...

This time we'll start here:

TL;DR - let's get directly to the first case. :)

#01 - "Data Execution Protection (DEP) Violation":

---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Aspire 9.5\x64\Aspire.exe" C:\sf_eafca65dede7570c5aee5abd178236d3-0.crv3d
(...)
Executable search path is:
ModLoad: 00007ff7`ebfd0000 00007ff7`ef5b7000   Vectric.exe
(...)
(ac0.b60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
0000008b`9e06e3b0 f07a08          lock jp 0000008b`9e06e3bb              [br=0]

0:000> g;g;g;r;!exploitable -v;kb;q
(ac0.b60): Access violation - code c0000005 (!!! second chance !!!)
(ac0.b60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(ac0.b60): Access violation - code c0000005 (!!! second chance !!!)
rax=0000008b9e087af0 rbx=0000008b9e06e3b0 rcx=0000008b9e06e3b0
rdx=0000000000000001 rsi=0000008b9b07b470 rdi=0000008b9e06e3b0
rip=0000008b9e06e3b0 rsp=0000008b9b079348 rbp=0000008b9b07df60
 r8=0000000000000100  r9=0000000019930520 r10=00007ff7ee25e6c0
r11=0000008b9b079910 r12=0000008b9b079420 r13=0000000000000000
r14=0000008b9b07a6e8 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
0000008b`9e06e3b0 f07a08          lock jp 0000008b`9e06e3bb              [br=0]

(...)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x8b9e06e3b0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x295428de.0xfefbc4f2

 Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Vectric!zip_source_win32handle_create+0x1bb593
Major+Minor : Vectric!zip_error_code_zip+0x295330
Major+Minor : Vectric!zip_error_code_zip+0x293020
Major+Minor : ntdll!RtlCaptureContext+0x3c3
Instruction Address: 0x0000008b9e06e3b0

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000008b9e06e3b0 called from Vectric!zip_source_win32handle_create+0x00000000001bb593 (Hash=0x295428de.0xfefbc4f2)

User mode DEP access violations are exploitable.
(...)
RetAddr           : Args to Child                                                           : Call Site
00007ff7`ee017da3 : 0000008b`9b07a0d0 00007ff7`edde91c9 0000008b`9b079420 0000008b`9b07b470 : 0x8b`9e06e3b0
00007ff7`edde9460 : 00007ff7`ee017d72 0000008b`9b07df60 0000008b`9b07df60 00000000`00000000 : Vectric!zip_source_win32handle_create+0x1bb593
00007ff7`edde7150 : 00007ff7`ee017d72 0000008b`9b07a6e8 00000000`00000100 00000000`00000000 : Vectric!zip_error_code_zip+0x295330
00007fff`22529e23 : 00000000`00000000 0000008b`9b07b470 00000000`00000000 00000000`00000000 : Vectric!zip_error_code_zip+0x293020
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlCaptureContext+0x3c3
---</windbg>---




Next bug:

#02 - "Stack Buffer Overrun (/GS Exception)":

---<windbg>---
CommandLine: "C:\Program Files\Aspire 9.5\x64\Aspire.exe" C:\sf_0760280c4fa3b2ea3b55f254f52c8883-744.crv3d
(...)
Executable search path is:
ModLoad: 00007ff7`ebfd0000 00007ff7`ef5b7000   Vectric.exe
(...)
(574.794): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Vectric.exe -
Vectric+0xb8b936:
00007ff7`ecb5b936 f77528          div     eax,dword ptr [rbp+28h] ss:0000005e`af6be4e8=00000000
(...)
0:000> g;g;g;r;!exploitable -v;kb;q
(574.794): Stack buffer overflow - code c0000409 (!!! second chance !!!)
WARNING: Continuing a non-continuable exception
(574.794): Stack buffer overflow - code c0000409 (!!! second chance !!!)
WARNING: Continuing a non-continuable exception
(574.794): Stack buffer overflow - code c0000409 (!!! second chance !!!)
rax=0000000000000001 rbx=00007ff7eeb0cad4 rcx=0000000000000002
rdx=8afc963800010000 rsi=0000005eaf6bde10 rdi=0000005eaf6bcff0
rip=00007ff7edc44dc0 rsp=0000005eaf6bced0 rbp=0000005eaf6bdb30
 r8=00007ff7eeb0cad8  r9=8afc9666af6ade10 r10=0000005eaf6bde10
r11=0000000000000080 r12=0000000000000000 r13=0000000000000000
r14=0000005eaf6bd640 r15=0000005eaf6bd640
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Vectric!zip_error_code_zip+0xf0c90:
00007ff7`edc44dc0 cd29            int     29h
(...)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7ff7edc44dc0
Second Chance Exception Type: STATUS_STACK_BUFFER_OVERRUN (0xC0000409)

Exception Hash (Major/Minor): 0x850dbfd8.0x5979137e

 Hash Usage : Stack Trace:
Major+Minor : Vectric!zip_error_code_zip+0xf0c90
Major+Minor : Vectric!zip_error_code_zip+0xf0be8
Major+Minor : ntdll!_chkstk+0x9d
Excluded    : ntdll!RtlRaiseException+0x483
Excluded    : ntdll!KiUserExceptionDispatcher+0x2e
Major+Minor : Vectric+0xb8b936
Major+Minor : Vectric+0x65864d
Minor       : Vectric+0xa0cb7e
Minor       : Unknown
(...)
Minor       : Unknown
Instruction Address: 0x00007ff7edc44dc0

Description: Stack Buffer Overrun (/GS Exception)
Short Description: GSViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at Vectric!zip_error_code_zip+0x00000000000f0c90 (Hash=0x850dbfd8.0x5979137e)

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.
(...)
RetAddr           : Args to Child                                                           : Call Site
00007ff7`edc44d18 : 8afc9666`af6ade10 00007fff`224d4f5f 0000005e`af6bd500 0000005e`af6bde10 : Vectric!zip_error_code_zip+0xf0c90
00007fff`2252a77d : 00000000`00000000 0000005e`af6bd070 0000005e`af6bdb30 00000000`00000000 : Vectric!zip_error_code_zip+0xf0be8
00007fff`224d29fb : 00000000`00000001 00007ff7`ebfd0000 00000000`00000000 00007ff7`ef2abc30 : ntdll!_chkstk+0x9d
(...)
28ec5f23`a79e70e1 : 2a7e8a98`95d185cb 06c019f7`7527f291 90d5afd8`fd984d98 3691f5f8`5325c40f : 0x248f39be`a792160c
---</windbg>---


The 3rd bug is presented below:

#03 - "Write Access Violation":

---<windbg>---
CommandLine: "C:\Program Files\Aspire 9.5\x64\Aspire.exe" C:\sf_0760280c4fa3b2ea3b55f254f52c8883-2222.crv3d
(...)
Executable search path is:
ModLoad: 00007ff7`ebfd0000 00007ff7`ef5b7000   Vectric.exe
(...)
(78c.3b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Vectric+0xa16286:
00007ff7`ec9e6286 c6812803000000  mov     byte ptr [rcx+328h],0 ds:00000000`00000328=??
(...)

0:000> g;g;g;r;!exploitable -v;kb;q
(78c.3b4): Access violation - code c0000005 (!!! second chance !!!)
(78c.3b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(78c.3b4): Access violation - code c0000005 (!!! second chance !!!)
rax=0000000000000002 rbx=0000005e82ecf280 rcx=0000000000000000
rdx=0000005e0098df38 rsi=0000005e82efecb0 rdi=0000005e82ecf5b0
rip=00007ff7ec9e6286 rsp=0000005e0098dee0 rbp=0000000000000000
 r8=0000005e82efe550  r9=0000000000000000 r10=00007fff22490000
r11=0000005e0098de20 r12=0000005e0098eea0 r13=0000005e0098e220
r14=0000005e82f2f800 r15=0000005e0098dfb4
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
Vectric+0xa16286:
00007ff7`ec9e6286 c6812803000000  mov     byte ptr [rcx+328h],0 ds:00000000`00000328=??
(...)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x328
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00007ff7`ec9e6286 mov byte ptr [rcx+328h],0

Basic Block:
    00007ff7`ec9e6286 mov byte ptr [rcx+328h],0
       Tainted Input operands: 'rcx'
    00007ff7`ec9e628d mov rbx,rdx
    00007ff7`ec9e6290 add rcx,318h
    00007ff7`ec9e6297 call vectric+0x5f6010 (00007ff7`ec5c6010)

Exception Hash (Major/Minor): 0xba38b796.0x50b9cba0

 Hash Usage : Stack Trace:
Major+Minor : Vectric+0xa16286
Major+Minor : Vectric+0x5bac2d
Major+Minor : Vectric+0x2fe78e
Major+Minor : Vectric+0x2f9b18
Major+Minor : Vectric+0x2f88ce
Minor       : Vectric+0x2f2c4e
Minor       : Vectric+0x2e9108
Minor       : Vectric+0xb9a346
Minor       : Vectric+0xbdedd5
Minor       : Vectric+0x2aaec3
Minor       : Vectric+0xb987ea
Minor       : Vectric+0x2a8b03
Minor       : Vectric!zip_source_win32handle_create+0x47f
Minor       : Vectric!zip_error_code_zip+0xf06f3
Minor       : KERNEL32!BaseThreadInitThunk+0xd
Minor       : ntdll!RtlUserThreadStart+0x1d
Instruction Address: 0x00007ff7ec9e6286

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at Vectric+0x0000000000a16286 (Hash=0xba38b796.0x50b9cba0)

User mode write access violations that are near NULL are unknown.
(...)

RetAddr           : Args to Child                                                           : Call Site
00007ff7`ec58ac2d : 0000005e`82ecf220 0000005e`82ecf280 00000000`00000000 0000005e`82efecb0 : Vectric+0xa16286
00007ff7`ec2ce78e : 0000005e`00000000 0000005e`0098e110 0000005e`0098eea0 7fefffff`00000001 : Vectric+0x5bac2d
00007ff7`ec2c9b18 : 0000005e`0098e110 0000005e`0098e428 0000005e`0098e428 00000000`00000000 : Vectric+0x2fe78e
(...)
---</windbg>---*
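When a fuzzing run produces many WinDbg logs like the three above, the first job is triage: group the crashes that share a root cause and look at the worst class first. The script below is an added example (it is not the author's tooling and not part of Aspire or !exploitable); it parses the fields that the `!exploitable -v` output shown on this page contains, buckets records by the Major hash (which the tool derives from the stack frames marked `Major+Minor`/`Major`), ranks buckets by the reported classification, and adds two checks a practitioner wants before root-causing: whether the faulting address falls inside any `ModLoad` range at all (it does not for the DEP case, where `rip` points at `0x8b9e06e3b0`, outside `Vectric.exe`), and whether the top frames are only `module+offset` or `Unknown`, meaning symbols are still needed. The `SAMPLE_LOG` is a constructed excerpt stitched together from the values printed in the three sessions above; `CLASS_RANK` is my own ordering of the classifications, not something the tool emits.

```python
import re
from collections import defaultdict

# Constructed excerpt: the relevant lines from the three sessions on this page,
# concatenated the way a fuzzing harness would dump them into one log file.
SAMPLE_LOG = r"""
CommandLine: "C:\Program Files\Aspire 9.5\x64\Aspire.exe" C:\sf_eafca65dede7570c5aee5abd178236d3-0.crv3d
ModLoad: 00007ff7`ebfd0000 00007ff7`ef5b7000   Vectric.exe
!exploitable 1.6.0.0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exception Hash (Major/Minor): 0x295428de.0xfefbc4f2
Major+Minor : Unknown
Major+Minor : Vectric!zip_source_win32handle_create+0x1bb593
Instruction Address: 0x0000008b9e06e3b0
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
CommandLine: "C:\Program Files\Aspire 9.5\x64\Aspire.exe" C:\sf_0760280c4fa3b2ea3b55f254f52c8883-744.crv3d
ModLoad: 00007ff7`ebfd0000 00007ff7`ef5b7000   Vectric.exe
!exploitable 1.6.0.0
Second Chance Exception Type: STATUS_STACK_BUFFER_OVERRUN (0xC0000409)
Exception Hash (Major/Minor): 0x850dbfd8.0x5979137e
Major+Minor : Vectric!zip_error_code_zip+0xf0c90
Major+Minor : Vectric!zip_error_code_zip+0xf0be8
Excluded    : ntdll!RtlRaiseException+0x483
Instruction Address: 0x00007ff7edc44dc0
Short Description: GSViolation
Exploitability Classification: EXPLOITABLE
CommandLine: "C:\Program Files\Aspire 9.5\x64\Aspire.exe" C:\sf_0760280c4fa3b2ea3b55f254f52c8883-2222.crv3d
ModLoad: 00007ff7`ebfd0000 00007ff7`ef5b7000   Vectric.exe
!exploitable 1.6.0.0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0xba38b796.0x50b9cba0
Major+Minor : Vectric+0xa16286
Minor       : Vectric!zip_source_win32handle_create+0x47f
Instruction Address: 0x00007ff7ec9e6286
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
"""

# Assumed ordering: worst first. Not emitted by the tool; chosen for triage.
CLASS_RANK = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1,
              "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}

CMDLINE_RE = re.compile(r"^CommandLine:.*\s(\S+\.crv3d)\s*$")
MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)", re.I)
HASH_RE = re.compile(r"^Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.(0x[0-9a-f]+)", re.I)
FRAME_RE = re.compile(r"^(Major\+Minor|Major|Minor|Excluded)\s*:\s*(.+?)\s*$")
FIELD_RES = {
    "exception": re.compile(r"^Second Chance Exception Type:\s*(\S+)"),
    "subtype": re.compile(r"^Exception Sub-Type:\s*(.+?)\s*$"),
    "short": re.compile(r"^Short Description:\s*(\S+)"),
    "classification": re.compile(r"^Exploitability Classification:\s*(\S+)"),
    "address": re.compile(r"^Instruction Address:\s*(0x[0-9a-f]+)", re.I),
}

def _hex(s):
    """WinDbg prints 64-bit values with a backtick in the middle; strip it."""
    return int(s.replace("`", ""), 16)

def parse_windbg_log(text):
    """One record per 'CommandLine:' block; records without a hash are dropped."""
    records, rec = [], None
    for line in text.splitlines():
        m = CMDLINE_RE.match(line)
        if m:
            rec = {"input": m.group(1), "modules": [], "frames": []}
            records.append(rec)
            continue
        if rec is None:
            continue
        if (m := MODLOAD_RE.match(line)):
            rec["modules"].append((m.group(3), _hex(m.group(1)), _hex(m.group(2))))
        elif (m := HASH_RE.match(line)):
            rec["major"], rec["minor"] = m.group(1).lower(), m.group(2).lower()
        elif (m := FRAME_RE.match(line)):
            rec["frames"].append((m.group(1), m.group(2)))
        else:
            for key, rx in FIELD_RES.items():
                if (m := rx.match(line)):
                    rec[key] = m.group(1)
                    break
    return [r for r in records if "major" in r]

def faulting_module(rec):
    """Module whose ModLoad range holds the faulting address, else None
    (None is what you expect for a DEP violation: rip is not in any image)."""
    addr = int(rec["address"], 16)
    return next((name for name, lo, hi in rec["modules"] if lo <= addr < hi), None)

def top_frame(rec):
    """First frame the tool hashes (Major+Minor or Major)."""
    return next((f for role, f in rec["frames"] if role in ("Major+Minor", "Major")), None)

def unsymbolized_frames(rec):
    """Frames shown as module+offset or 'Unknown': no '!symbol' part resolved."""
    return [f for _, f in rec["frames"] if "!" not in f]

def triage(text):
    """Bucket by Major hash, keep the worst classification per bucket, sort worst-first."""
    buckets = defaultdict(list)
    for rec in parse_windbg_log(text):
        buckets[rec["major"]].append(rec)
    out = []
    for major, recs in buckets.items():
        best = min(recs, key=lambda r: CLASS_RANK.get(r.get("classification"), 99))
        out.append({"major": major, "count": len(recs), "inputs": [r["input"] for r in recs],
                    "classification": best["classification"], "short": best["short"],
                    "subtype": best.get("subtype"), "top_frame": top_frame(best),
                    "module": faulting_module(best),
                    "needs_symbols": bool(unsymbolized_frames(best))})
    out.sort(key=lambda b: CLASS_RANK.get(b["classification"], 99))
    return out

if __name__ == "__main__":
    for b in triage(SAMPLE_LOG):
        print(f'{b["classification"]:<12} {b["short"]:<16} x{b["count"]} '
              f'top={b["top_frame"]} module={b["module"]} needs_symbols={b["needs_symbols"]}')
```

Run against a directory of real logs by concatenating them into `text`; the bucket count tells you how many distinct crashes a campaign really produced, and `module=None` next to a DEP classification is the quick confirmation that execution left every loaded image, which is why that first case deserves attention before the null-write one.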


Maybe you'll find it useful.

See you next time! ;)


Cheers

o/





*(Sample files available 'on request' _for_researchers_only_.)



