Monday, 24 November 2014

Hopper 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow

Inspired by @j00ru's talk @ SECURE 2014 I decided to do a quick check of Hopper Disassembler (which is a great tool btw, I highly recommend it).

As a sample I simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes. The most interesting one was this:


And file diff showed something like that:

It's pretty straightforward, right? I checked the modules, and a standard SEH exploit should work for us:

I calculated the offsets:

By now I thought it was over, but the first problems started to show when I wanted to substitute my A's and B's with pointers and other non-printable characters (e.g. NOPs or INT 3) - Hopper would not crash at all.
Instead of NOPs I could use \x40\x48, which is inc eax, dec eax.


Regarding the SEH overwrite, I couldn't use a short jump, so I had to find a pointer that would later assemble to an instruction that wouldn't crash. Fortunately libpng had a nice ASCII-printable pointer which I could use for pop pop ret.


Next there was a problem with ASCII-only shellcode. I needed one of the registers to point to it, but in the case of SEH the registers are XOR'ed. I found a solution here. Basically, by using multiple POPAD instructions we can get ESP to point to our buffer and then return to it.

Now we can just generate our shellcode and place it in the controlled area:

When we let it run we get:
Short demo:

The final result can be downloaded here: Hopper run calc

Vulnerable versions:
Hopper 2.8.7 and probably older versions (tested on Windows)
Hopper 3.6.2 and probably older versions (tested on Mac OS X)
Linux version was not tested.

Timeline:
17 Nov 2014 - issue reported to the vendor
18 Nov 2014 - vendor releases a fix for Mac OS X (3.6.3 version)
24 Nov 2014 - publication of this article
Windows version remains unpatched as its development is currently on hold.






Tuesday, 22 July 2014

SyScan360 2014 - Mobile Browsers Security: iOS

Last week, together with Lukasz Pilorz, I was speaking about mobile browser security on iOS @ SyScan360 in Beijing. Visiting China for the first time was a great experience, and the conference itself was just awesome. Cool people, very technical talks and good organization are what make this event exceptional.

Our slides are already available for download from the conference site here.

Sunday, 22 June 2014

Microsoft Internet Explorer 11 (11.0.9600.17107) MSHTML!CStr::_Free Crash

Another crash in IE11, maybe someone will find it interesting. It occurs when calling the Developer Tools (F12). After I finished minimizing the test case it turned out to be just one line:


To reproduce the crash it is required to:
1. enable pageheap
2. open the html file
3. press F12/open Developer Tools

Also, you need the exact build version as in the title (or lower) because this issue was fixed in the last Microsoft Security Bulletin (https://technet.microsoft.com/en-us/library/security/ms14-jun.aspx). I have not really investigated that crash, because I found it the day before Patch Tuesday, and when it got fixed I moved on.

(b5c.5fc): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\MSHTML.dll -
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML+0x4f36a:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> .symfix
0:005> .reload
Reloading current modules
................................................................
...............
0:005> r
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CStr::_Free+0x5:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> k
ChildEBP RetAddr 
048b93a0 6c222df4 MSHTML!CStr::_Free+0x5
048b93bc 6c50fb52 MSHTML!CListenerDispatch::ConstructCode+0x78
048b9494 6c365616 MSHTML!CDoc::DynamicAttachDebugger+0x350
048ba078 6bd42176 MSHTML!CDoc::ExecHelper+0x623721
048ba098 6eeb93dd MSHTML!CDoc::Exec+0x21
048ba0e8 6eeb9097 DiagnosticsTap!DebugThreadController::IOleCommandTargetExec+0xb9
048ba11c 6eeb8ef0 DiagnosticsTap!DebugThreadController::EnableSourceRundown+0x4e
048ba134 6eec4294 DiagnosticsTap!DebugThreadController::Initialize+0x81
048ba154 6b5479f1 DiagnosticsTap!TapObject::CreateDebuggerController+0x9f
048ba1d0 6b5474a2 F12Tools!BHOSite::LaunchOutOfProcHost+0x205
048ba454 6b546bdc F12Tools!BHOSite::InitializeWindowsAndThreads+0x3bc
048ba480 75e07051 F12Tools!BHOSite::SetSite+0xb0
048ba498 66d226e8 shcore!IUnknown_SetSite+0x2c
048ba4cc 66f424ab IEFRAME!CBandSite::_AddBandByID+0xe5
048ba508 66f2a446 IEFRAME!CBandSite::AddBandWithCLSID+0x3b
048ba550 66f296e5 IEFRAME!CShellBrowser2::_GetInfoBandBS+0x177
048ba5a4 66f2e01d IEFRAME!CShellBrowser2::_EnsureAndNavigateBand+0x8e
048ba5c8 66ddf834 IEFRAME!CShellBrowser2::_ShowHideBrowserBar+0x60
048ba5ec 66e6712d IEFRAME!CShellBrowser2::_SetBrowserBarState+0x1b9
048ba878 66f2f2f0 IEFRAME!CShellBrowser2::Exec+0x23a758
048bbb38 66e654e8 IEFRAME!CShellBrowser2::v_OnCommand+0xc72
048bc390 66c3b164 IEFRAME!CBaseBrowser2::v_WndProc+0x228497
048bc484 66c281f5 IEFRAME!CShellBrowser2::v_WndProc+0x1ae
048bc4a8 779d75b3 IEFRAME!CShellBrowser2::s_WndProc+0x58
048bc4d4 779d77b8 user32!_InternalCallWinProc+0x23
048bc554 779d9744 user32!UserCallWinProcCheckWow+0x110
048bc5b0 779d9894 user32!DispatchClientMessage+0xb5
048bc5d8 77b92cde user32!__fnDWORD+0x2c
048bc608 779ed2a1 ntdll!KiUserCallbackDispatcher+0x2e
048bc60c 66d093e6 user32!NtUserTranslateAccelerator+0xa
048bc62c 66d09383 IEFRAME!CShellBrowser2::TranslateAcceleratorSB+0x34
048bc654 66d09214 IEFRAME!CShellBrowser2::_MayTranslateAccelerator_CCommonBrowser+0xb7
048bc680 66cf6d9f IEFRAME!CShellBrowser2::_MayTranslateAccelerator+0x3b
048bf840 66c8358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x587
048bf8f8 71ec1b7c IEFRAME!LCIETab_ThreadProc+0x31c
048bf908 6eb531cc iertutil!_IsoThreadProc_WrapperToReleaseScope+0xe
048bf934 762b17ad IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71
048bf940 77b73af4 KERNEL32!BaseThreadInitThunk+0xe
048bf984 77b73acd ntdll!__RtlUserThreadStart+0x20
048bf994 00000000 ntdll!_RtlUserThreadStart+0x1b

Thursday, 29 May 2014

Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero

Recently I was playing with the WeakMap implementation in IE11. The following code caused the browser to crash:


(1c58.20c0): Integer divide-by-zero - code c0000094 (!!! second chance !!!)
eax=00aee241 ebx=059f8cc0 ecx=059f8cc8 edx=00000000 esi=059f8cc8 edi=05171aa0
eip=668756f0 esp=06a6bcbc ebp=06a6bccc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
jscript9!JsUtil::WeaklyReferencedKeyDictionary,1>::TryGetValueAndRemove+0x1f:
668756f0 f736            div     eax,dword ptr [esi]  ds:002b:059f8cc8=00000000
0:020> k
ChildEBP RetAddr 
06a6bccc 66874949 jscript9!JsUtil::WeaklyReferencedKeyDictionary,1>::TryGetValueAndRemove+0x1f
06a6bcec 668a28ca jscript9!Js::JavascriptWeakMapData::Delete+0x2c
06a6bd10 66537530 jscript9!Js::JavascriptWeakMap::EntryDelete+0xc5
06a6c058 66537028 jscript9!Js::InterpreterStackFrame::Process+0x1e3c
06a6c174 06550fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e8
WARNING: Frame IP not in any known module. Following frames may be wrong.
06a6c180 665319eb 0x6550fe9
06a6c1c0 66532032 jscript9!Js::JavascriptFunction::CallFunction<1>+0x88
06a6c22c 66531f84 jscript9!Js::JavascriptFunction::CallRootFunction+0x93
06a6c274 66531f0b jscript9!ScriptSite::CallRootFunction+0x42
06a6c298 66592bce jscript9!ScriptSite::Execute+0x6c
06a6c320 6660da36 jscript9!ScriptEngine::ExecutePendingScripts+0x1ab
06a6c3a8 6660eeb8 jscript9!ScriptEngine::ParseScriptTextCore+0x29c
06a6c3f8 56866ba5 jscript9!ScriptEngine::ParseScriptText+0x5a
06a6c430 56866ce1 MSHTML!CActiveScriptHolder::ParseScriptText+0x42
06a6c480 565ea155 MSHTML!CJScript9Holder::ParseScriptText+0x6d
06a6c4e8 56867fa3 MSHTML!CScriptCollection::ParseScriptText+0x155
06a6c5d4 56867bf3 MSHTML!CScriptData::CommitCode+0x2d0
06a6c64c 568679db MSHTML!CScriptData::Execute+0x1fe
06a6c660 5655ed1b MSHTML!CHtmScriptParseCtx::Execute+0x8b
06a6c6d8 56518d27 MSHTML!CHtmParseBase::Execute+0x135
06a6c7fc 565efece MSHTML!CHtmPost::Exec+0x474
06a6c814 565efe52 MSHTML!CHtmPost::Run+0x1c
06a6c834 565f11a2 MSHTML!PostManExecute+0x61
06a6c848 565f1103 MSHTML!PostManResume+0x7b
06a6c878 565e152f MSHTML!CHtmPost::OnDwnChanCallback+0x38
06a6c888 56499bb4 MSHTML!CDwnChan::OnMethodCall+0x19
06a6c8cc 56481c3a MSHTML!GlobalWndOnMethodCall+0x12c
06a6c918 74e562fa MSHTML!GlobalWndProc+0x115
06a6c944 74e56d3a user32!InternalCallWinProc+0x23
06a6c9bc 74e577c4 user32!UserCallWinProcCheckWow+0x109
06a6ca1c 74e5788a user32!DispatchMessageWorker+0x3bc
06a6ca2c 574dbe78 user32!DispatchMessageW+0xf
06a6fbec 5753358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x445
06a6fca4 75f01b7c IEFRAME!LCIETab_ThreadProc+0x31c
06a6fcb4 695431cc iertutil!CIsoScope::_InitManagerEntanglementLock+0x53
06a6fce0 75cb338a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71
06a6fcec 773e9f72 kernel32!BaseThreadInitThunk+0xe
06a6fd2c 773e9f45 ntdll!__RtlUserThreadStart+0x70
06a6fd44 00000000 ntdll!_RtlUserThreadStart+0x1b


It is caused by a division by zero, so the bug is not exploitable, only a simple DoS.

Monday, 19 May 2014

CVE-2014-3788 and MS14-028

Zero Day Initiative (ZDI) has published another advisory for a heap buffer overflow vulnerability in Cogent DataHub webserver that I found. The bug occurred when passing a negative value in the Content-Length header. The original advisory can be read here: ZDI-14-135.
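The post names a negative Content-Length as the trigger. As an added illustration (not code from this blog or from Cogent DataHub, whose source is not shown here), this is the general signed-length pitfall beside a strict parser a server can use instead. `MAX_BODY` and all function names are hypothetical, and the header value is assumed to be already trimmed of surrounding whitespace.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical cap on request bodies; pick one that fits the service. */
#define MAX_BODY ((size_t)1 << 20)

/* Weak pattern: atoi() accepts a sign, so "-1" yields -1, and the later
 * conversion to size_t turns it into a huge unsigned length. */
static size_t naive_content_length(const char *value)
{
    int n = atoi(value);
    return (size_t)n;                   /* -1 becomes SIZE_MAX */
}

/* Strict parser: digits only, no sign, no trailing bytes, bounded by
 * MAX_BODY. Returns 0 and stores the length, or -1 to reject. */
static int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || out == NULL || *value == '\0')
        return -1;
    for (const char *p = value; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;                  /* rejects '-', '+', spaces, hex */
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > MAX_BODY)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Allocate the body buffer only after validation; the +1 for a terminator
 * cannot wrap because *len <= MAX_BODY. */
static char *alloc_body(const char *header_value, size_t *len)
{
    if (parse_content_length(header_value, len) != 0)
        return NULL;                    /* caller answers 400 Bad Request */
    return calloc(*len + 1, 1);
}
```

Every later read into the buffer should be bounded by the validated length, not by the raw header value.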

Recently I have also been acknowledged by Microsoft for responsible disclosure (through SSD) of two denial of service vulnerabilities affecting the iSCSI Target (CVE-2014-0255 and CVE-2014-0256). The MS Bulletin can be found here: MS14-028.

Monday, 10 March 2014

Browser Shredders

The blog for a project that I'm a part of has finally been published - http://browser-shredders.blogspot.com. The research started some time ago, and we have already had some nice findings. Currently there is not much content, but this will change after the Hack in The Box talk, which will be presented by my two colleagues: http://haxpo.nl/hitb2014ams-pilorz-zmyslowski/.

Monday, 25 November 2013

ZDI-13-252 - Cogent DataHub Heap Overflow Remote Code Execution Vulnerability

Zero Day Initiative (ZDI) has published an advisory for a heap overflow vulnerability in Cogent DataHub which I found a few months ago. The full advisory can be read here: ZDI-13-252.

Earlier this year I also found some null pointer dereference bugs leading to a denial of service in DataHub. I will post some PoCs soon.