Chrome Browser is vulnerable to an Out of Bound Write/Invalid Pointer Write
vulnerability due to improper pointer arithmetic while parsing a malformed PDF file, caused by incorrect validation.
The exploitability of the bug has not been determined due to scarcity of time. Seeing the nature of the bug, I believe this bug could be used to gain Remote Code Execution.
Edition: Windows 10 Pro x86
Version: 1607
OS Build 14393.447
Product: Google Chrome for Desktop x86 v54.0.2840.99
Product URL: https://www.google.com/chrome/browser/desktop/index.html
(childdbg 1;g; for each chrome.exe process)
eax=00000004 ebx=00000000 ecx=0ddeeff0 edx=00000001 esi=00000001 edi=0b3b0d70
eip=555fb233 esp=00b3f3ac ebp=00b3f460 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1e4:
555fb233 f20f1144c1f8 movsd mmword ptr [ecx+eax*8-8],xmm0 ds:0023:0ddef008=????????????????
5:061> !gflag
Current NtGlobalFlag contents: 0x02000100
vrf - Enable application verifier
hpa - Place heap allocations at ends of pages
5:061> !address 0ddef008
Usage: PageHeap
Allocation Base: 0dd90000
Base Address: 0ddef000
End Address: 0ddf4000
Region Size: 00005000
Type: 00020000 MEM_PRIVATE
State: 00002000 MEM_RESERVE
Protect: 00000000
More info: !heap -p 0xb60000
More info: !heap -p -a 0xddef008
5:061> dc 0ddef008-20
0ddeefe8 010f7bdc dcbabbbb 00000020 00000000 .{...... .......
0ddeeff8 00000000 00000000 ???????? ???????? ........????????
0ddef008 ???????? ???????? ???????? ???????? ????????????????
0ddef018 ???????? ???????? ???????? ???????? ????????????????
0ddef028 ???????? ???????? ???????? ???????? ????????????????
0ddef038 ???????? ???????? ???????? ???????? ????????????????
0ddef048 ???????? ???????? ???????? ???????? ????????????????
0ddef058 ???????? ???????? ???????? ???????? ????????????????
5:061> !heap -p -a 0xddef008
address 0ddef008 found in
_DPH_HEAP_ROOT @ b61000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
dc92888: ddeeff0 10 - ddee000 2000
5cee9c2c verifier!AVrfDebugPageHeapAllocate+0x0000023c
77a4fff0 ntdll!RtlDebugAllocateHeap+0x0000003c
77999032 ntdll!RtlpAllocateHeap+0x00001642
7799673f ntdll!RtlpAllocateHeapInternal+0x0000042f
779962da ntdll!RtlAllocateHeap+0x0000002a
692ea792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
5cdd0196 vfbasics!AVrfpRtlAllocateHeap+0x000000e2
5462eae0 chrome_child!malloc+0x00000030
54d84021 chrome_child!operator new+0x0000002c
546cb217 chrome_child!std::_Allocate+0x00000028
559d9d38 chrome_child!std::vector<PP_PictureBuffer_Dev,std::allocator<PP_PictureBuffer_Dev> >::_Buy+0x00000038
562ba8e5 chrome_child!std::vector<gpu::gles2::TransformFeedbackVaryingInfo,std::allocator<gpu::gles2::TransformFeedbackVaryingInfo> >::vector<gpu::gles2::TransformFeedbackVaryingInfo,std::allocator<gpu::gles2::TransformFeedbackVaryingInfo> >+0x0000001a
555fb0d7 chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x00000088
555fb462 +0x00000027
559cb765 chrome_child!ppapi::CallWhileUnlocked<void,PP_CompletionCallback *,int,PP_CompletionCallback *,int>+0x00000017
559cba59 chrome_child!ppapi::proxy::`anonymous namespace'::CallbackWrapper+0x00000070
559cbbdd chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl*)(PP_CompletionCallback,int),PP_CompletionCallback,int>,void __cdecl(void)>::Run+0x00000019
559b9ed4 chrome_child!ppapi::internal::RunWhileLockedHelper<void __cdecl(void)>::CallWhileLocked+0x0000001d
55f84063 +0x00000029
548122c6 chrome_child!base::Callback<void __cdecl(void),1>::Run+0x00000005
54811f6a chrome_child!base::MessageLoop::RunTask+0x00000078
54811e2d chrome_child!base::MessageLoop::DoDelayedWork+0x000001ff
548117fc chrome_child!base::MessagePumpDefault::Run+0x00000036
549f08a4 chrome_child!base::MessageLoop::RunHandler+0x00000034
549f085c chrome_child!base::RunLoop::Run+0x0000002c
54b6ff9e chrome_child!content::PpapiPluginMain+0x00000194
5495373c chrome_child!content::RunNamedProcessTypeMain+0x0000004d
549536b9 chrome_child!content::ContentMainRunnerImpl::Run+0x00000098
5495307f chrome_child!content::ContentMain+0x00000054
00f2529a chrome!MainDllLoader::Launch+0x000002a1
00f21d59 chrome!wWinMain+0x00000179
00f85d6e chrome!__scrt_common_main_seh+0x000000fd
5:061> ub @eip
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1c7 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 682]:
555fb216 8bbd7cffffff mov edi,dword ptr [ebp-84h]
555fb21c 3bd0 cmp edx,eax
555fb21e 729f jb chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x170 (555fb1bf)
555fb220 f30f1045f0 movss xmm0,dword ptr [ebp-10h]
555fb225 8d0419 lea eax,[ecx+ebx]
555fb228 8b8d58ffffff mov ecx,dword ptr [ebp-0A8h]
555fb22e 03c0 add eax,eax
555fb230 0f5ac0 cvtps2pd xmm0,xmm0
5:061> u @eip
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]:
555fb233 f20f1144c1f8 movsd mmword ptr [ecx+eax*8-8],xmm0
555fb239 035d84 add ebx,dword ptr [ebp-7Ch]
555fb23c 3b9d70ffffff cmp ebx,dword ptr [ebp-90h]
555fb242 0f8cf0feffff jl chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0xe9 (555fb138)
555fb248 8b8568ffffff mov eax,dword ptr [ebp-98h]
555fb24e 8bb564ffffff mov esi,dword ptr [ebp-9Ch]
555fb254 2bc6 sub eax,esi
555fb256 6a28 push 28h
5:061> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/chrome_exe/54_0_2840_99/58220960/chrome_child_dll/54_0_2840_99/58223287/c0000005/010cb233.htm?Retriage=1
FAULTING_IP:
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]
555fb233 f20f1144c1f8 movsd mmword ptr [ecx+eax*8-8],xmm0
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 555fb233 (chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x000001e4)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0ddef008
Attempt to write to address 0ddef008
FAULTING_THREAD: 00003004
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 0ddef008
WRITE_ADDRESS: 0ddef008
FOLLOWUP_IP:
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]
555fb233 f20f1144c1f8 movsd mmword ptr [ecx+eax*8-8],xmm0
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 2000100
APPLICATION_VERIFIER_FLAGS: 80000041
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE_EXPLOITABLE
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE
LAST_CONTROL_TRANSFER: from 555fb462 to 555fb233
STACK_TEXT:
00b3f460 555fb462 00000001 00b3f4a8 00b3f484 chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]
00b3f470 559cb765 09a28ff8 00000001 570246b3 chrome_child!pp::CompletionCallbackFactory<chrome_pdf::OutOfProcessInstance,pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<chrome_pdf::OutOfProcessInstance,pp::ThreadSafeThreadTraits>::Dispatcher0<void (__thiscall chrome_pdf::OutOfProcessInstance::*)(int)> >::Thunk+0x27 [c:\b\build\slave\win-pgo\build\src\ppapi\utility\completion_callback_factory.h @ 586]
00b3f484 559cba59 00b3f4c4 09b88ffc 00000000 chrome_child!ppapi::CallWhileUnlocked<void,PP_CompletionCallback *,int,PP_CompletionCallback *,int>+0x17 [c:\b\build\slave\win-pgo\build\src\ppapi\shared_impl\proxy_lock.h @ 135]
00b3f4b0 559cbbdd 555fb43b 09a28ff8 00000000 chrome_child!ppapi::proxy::`anonymous namespace'::CallbackWrapper+0x70 [c:\b\build\slave\win-pgo\build\src\ppapi\proxy\ppb_core_proxy.cc @ 52]
00b3f4d0 559b9ed4 09b88fe0 09d1cff8 00b3f4f0 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl*)(PP_CompletionCallback,int),PP_CompletionCallback,int>,void __cdecl(void)>::Run+0x19 [c:\b\build\slave\win-pgo\build\src\base\bind_internal.h @ 324]
00b3f4e0 55f84063 09c70ff8 00000000 00b3f548 chrome_child!ppapi::internal::RunWhileLockedHelper<void __cdecl(void)>::CallWhileLocked+0x1d [c:\b\build\slave\win-pgo\build\src\ppapi\shared_impl\proxy_lock.h @ 199]
00b3f4f0 548122c6 09dbcfe8 5481227c 00b3f5f0 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl*)(std::unique_ptr<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1>,std::default_delete<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1> > >),base::internal::PassedWrapper<std::unique_ptr<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1>,std::default_delete<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1> > > > >,void __cdecl(void)>::Run+0x29 [c:\b\build\slave\win-pgo\build\src\base\bind_internal.h @ 324]
00b3f4f8 5481227c 00b3f5f0 00b3f728 00b3f7c0 chrome_child!base::Callback<void __cdecl(void),1>::Run+0x5 [c:\b\build\slave\win-pgo\build\src\base\callback.h @ 388]
00b3f548 54811f6a 5654f514 00b3f5f0 00b3f600 chrome_child!base::debug::TaskAnnotator::RunTask+0x6a [c:\b\build\slave\win-pgo\build\src\base\debug\task_annotator.cc @ 56]
00b3f5a4 54811e2d 00b3f5f0 08916ff8 08916fe8 chrome_child!base::MessageLoop::RunTask+0x78 [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc @ 489]
00b3f664 548117fc 08916ff8 00000000 00b3f728 chrome_child!base::MessageLoop::DoDelayedWork+0x1ff [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc @ 660]
00b3f6a4 549f08a4 00b3f728 565bf270 00b3f808 chrome_child!base::MessagePumpDefault::Run+0x36 [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_pump_default.cc @ 39]
00b3f6f0 549f085c 0751afe0 0a353a05 00000000 chrome_child!base::MessageLoop::RunHandler+0x34 [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc @ 452]
00b3f710 54b6ff9e 00b3f8d8 00000000 00b3f8e4 chrome_child!base::RunLoop::Run+0x2c [c:\b\build\slave\win-pgo\build\src\base\run_loop.cc @ 36]
00b3f894 5495373c 00b3f8d8 07510fd0 088d2fe0 chrome_child!content::PpapiPluginMain+0x194 [c:\b\build\slave\win-pgo\build\src\content\ppapi_plugin\ppapi_plugin_main.cc @ 146]
00b3f8b4 549536b9 00b3f920 07510fd0 ffffffff chrome_child!content::RunNamedProcessTypeMain+0x4d [c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc @ 418]
00b3f904 5495307f 06c28fe0 06e28fd8 54cd43fa chrome_child!content::ContentMainRunnerImpl::Run+0x98 [c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc @ 786]
00b3f910 54cd43fa 06e28fd8 06e28fe0 565dbb68 chrome_child!content::ContentMain+0x54 [c:\b\build\slave\win-pgo\build\src\content\app\content_main.cc @ 20]
00b3f950 00f2529a 00f20000 00b3f970 06e28ffc chrome_child!ChromeMain+0x6d [c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_main.cc @ 91]
00b3fa0c 00f21d59 00f20000 00000000 00fd8984 chrome!MainDllLoader::Launch+0x2a1 [c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc @ 182]
00b3fb44 00f85d6e 00f20000 00000000 00b77d88 chrome!wWinMain+0x179 [c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc @ 253]
00b3fb90 77718e94 009c3000 77718e70 8c76e4f6 chrome!__scrt_common_main_seh+0xfd [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 255]
00b3fba4 779be9f2 009c3000 8caeef8d 00000000 KERNEL32!BaseThreadInitThunk+0x24
00b3fbec 779be9c1 ffffffff 77a05d00 00000000 ntdll!__RtlUserThreadStart+0x2b
00b3fbfc 00000000 00f85de7 009c3000 00000000 ntdll!_RtlUserThreadStart+0x1b
FAULTING_SOURCE_CODE:
No source found for 'c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc'
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: chrome_child
IMAGE_NAME: chrome_child.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 58223287
STACK_COMMAND: ~61s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_chrome_child.dll!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome_exe/54_0_2840_99/58220960/chrome_child_dll/54_0_2840_99/58223287/c0000005/010cb233.htm?Retriage=1
Followup: MachineOwner
---------
5:061> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x00000000000001e4 (Hash=0xdefb8f78.0x98b06d2a)
User mode write access violations that are not near NULL are exploitable.
5:061> lmvm chrome
start end module name
00f20000 01005000 chrome (private pdb symbols) c:\symbols\chrome.exe.pdb\78490D163650454D9120581B9BD785DC1\chrome.exe.pdb
Loaded symbol image file: C:\Program Files\Google\Chrome\Application\chrome.exe
Image path: chrome.exe
Image name: chrome.exe
Timestamp: Tue Nov 08 22:50:32 2016 (58220960)
CheckSum: 000E3297
ImageSize: 000E5000
File version: 54.0.2840.99
Product version: 54.0.2840.99
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_exe
OriginalFilename: chrome.exe
ProductVersion: 54.0.2840.99
FileVersion: 54.0.2840.99
FileDescription: Google Chrome
LegalCopyright: Copyright 2016 Google Inc. All rights reserved.
5:061> lmvm chrome_child
start end module name
54530000 571c4000 chrome_child (private pdb symbols) c:\symbols\chrome_child.dll.pdb\38F4760F84D14E2FBAE3F72ECAEB3FD72\chrome_child.dll.pdb
Loaded symbol image file: C:\Program Files\Google\Chrome\Application\54.0.2840.99\chrome_child.dll
Image path: C:\Program Files\Google\Chrome\Application\54.0.2840.99\chrome_child.dll
Image name: chrome_child.dll
Timestamp: Wed Nov 09 01:46:07 2016 (58223287)
CheckSum: 02B1C93C
ImageSize: 02C94000
File version: 54.0.2840.99
Product version: 54.0.2840.99
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_dll
OriginalFilename: chrome.dll
ProductVersion: 54.0.2840.99
FileVersion: 54.0.2840.99
FileDescription: Google Chrome
LegalCopyright: Copyright 2016 Google Inc. All rights reserved.
While parsing a malformed PDF file, an Out of Bound Write/Invalid Pointer Write occurs due to an incorrect bounds check and missing validation of the pointer arithmetic.
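In the `u @eip` disassembly above, the loop indexes a heap array in 16-byte steps (`add eax,eax`, then `[ecx+eax*8-8]`) and, under page heap, the faulting write at 0ddef008 lands 8 bytes past the end of the 0x10-byte allocation at 0ddeeff0. The following is an added, hypothetical reconstruction of that bug pattern beside the bounds check that prevents it; it is not Chromium's source, and the struct, field and function names are assumed:

```cpp
// Hypothetical reconstruction (not Chromium's code) of the crash pattern:
// a per-character array is sized from one count taken from the document,
// while the text-run lengths used to index it come from another. If the two
// disagree, the inner loop writes past the end of the heap buffer.
#include <cstddef>
#include <cstdint>
#include <vector>

struct CharInfo {          // assumed layout, 16 bytes: matches the 16-byte
  uint32_t unicode_char;   // element stride visible in the disassembly
  double char_width;       // the 8-byte value written by the movsd
};

struct TextRun {           // assumed: one run of characters sharing a style
  uint32_t len;            // untrusted: comes from the parsed document
  double width;            // constructed sample width for every char in the run
};

// Hardened check: true only if every run fits inside char_count characters.
// Overflow-safe: it never computes char_index + len, which could wrap.
bool TextRunsFit(const std::vector<TextRun>& runs, size_t char_count) {
  size_t char_index = 0;
  for (const TextRun& run : runs) {
    if (run.len > char_count - char_index)   // run would spill past the array
      return false;
    char_index += run.len;
  }
  return true;
}

// Vulnerable shape: the inner loop trusts run.len, so nothing stops
// char_index + i from reaching chars->size(); that is the out-of-bounds
// write the page-heap crash caught. Hardened shape: validate first and
// reject the page before any write happens.
bool FillCharWidths(const std::vector<TextRun>& runs, size_t char_count,
                    std::vector<CharInfo>* chars) {
  if (!TextRunsFit(runs, char_count))
    return false;                               // hardened: bail out early
  chars->assign(char_count, CharInfo{0, 0.0});
  size_t char_index = 0;
  for (const TextRun& run : runs) {
    for (uint32_t i = 0; i < run.len; ++i)
      (*chars)[char_index + i].char_width = run.width;  // the faulting store
    char_index += run.len;
  }
  return true;
}
```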
Ashfaq Ansari - Project Srishti