Google Chrome Bug Report - Project Srishti

Google Chrome is vulnerable to an out-of-bounds heap write (an invalid pointer write) in the PDF plugin when a malformed PDF file is processed: a value that is not validated correctly feeds the pointer arithmetic of a write loop in chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage, which then stores past the end of a heap allocation. The crashing function is the accessibility export of the PDF plugin, which the reproduction below forces on with --force-renderer-accessibility.

The exploitability of the bug has not been determined for lack of time. Given its nature, I believe it could be used to gain Remote Code Execution. Two caveats that follow from the data below: the crash is in the PDF plugin process (content::PpapiPluginMain is on the stack), which this reproduction runs with --no-sandbox but which is sandboxed in a default installation, so code execution there would still have to escape the sandbox; and the !exploitable rating is a heuristic that keys only on the write being far from NULL, so it says nothing about how controllable the stored value and the write distance are.

Test Bed

Edition: Windows 10 Pro x86
Version: 1607
OS Build 14393.447
Product: Google Chrome for Desktop x86 v54.0.2840.99
Product URL: https://www.google.com/chrome/browser/desktop/index.html

Steps to reproduce

  1. Enable Application Verifier for chrome.exe with the Heaps check and its Full (page heap) option turned on. The !gflag output below (vrf and hpa) confirms this state.
  2. Launch chrome.exe with the command line below under a debugger (WinDbg). Run .childdbg 1; g so that every chrome.exe child process is debugged too: the crash is in the PDF plugin process, not in the browser process the debugger starts.
     chrome.exe --no-sandbox --disable-seccomp-filter-sandbox --disable-seccomp-sandbox --disable-popup-blocking --disable-default-apps --disable-extensions --no-first-run --disable-session-crashed-bubble --allow-file-access-from-files --noerrdialogs --disable-hang-monitor --js-flags="--expose-gc" --disable-prompt-on-repost --force-renderer-accessibility --disable-infobars --disable-plugins --disable-plugins-discovery --disable-translate file:///C:/Users/Srishti/Desktop/crash_57b76df0d1b74dbb86d0bbb592b59a37eb9da399.pdf

Crash Point

The faulting instruction is an SSE2 scalar-double store (movsd from xmm0 to memory, not the string instruction). With ecx = 0ddeeff0, the start of the allocation shown under Heap Operations, and eax = 4, the operand [ecx+eax*8-8] resolves to 0ddeeff0 + 0x18 = 0ddef008, which is 8 bytes beyond the end of the 0x10-byte block and on the page-heap guard page (!address below reports that page as MEM_RESERVE).

eax=00000004 ebx=00000000 ecx=0ddeeff0 edx=00000001 esi=00000001 edi=0b3b0d70
eip=555fb233 esp=00b3f3ac ebp=00b3f460 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1e4:
555fb233 f20f1144c1f8    movsd   mmword ptr [ecx+eax*8-8],xmm0 ds:0023:0ddef008=????????????????

GFlag Value

5:061> !gflag
Current NtGlobalFlag contents: 0x02000100
    vrf - Enable application verifier
    hpa - Place heap allocations at ends of pages

Address

5:061> !address 0ddef008

Usage:                  PageHeap
Allocation Base:        0dd90000
Base Address:           0ddef000
End Address:            0ddf4000
Region Size:            00005000
Type:                   00020000    MEM_PRIVATE
State:                  00002000    MEM_RESERVE
Protect:                00000000    
More info:              !heap -p 0xb60000
More info:              !heap -p -a 0xddef008

Memory Dump

5:061> dc 0ddef008-20
0ddeefe8  010f7bdc dcbabbbb 00000020 00000000  .{...... .......
0ddeeff8  00000000 00000000 ???????? ????????  ........????????
0ddef008  ???????? ???????? ???????? ????????  ????????????????
0ddef018  ???????? ???????? ???????? ????????  ????????????????
0ddef028  ???????? ???????? ???????? ????????  ????????????????
0ddef038  ???????? ???????? ???????? ????????  ????????????????
0ddef048  ???????? ???????? ???????? ????????  ????????????????
0ddef058  ???????? ???????? ???????? ????????  ????????????????

Heap Operations

The allocation that the faulting store overruns: UserAddr 0ddeeff0, UserSize 0x10, so the write at 0ddef008 lands 0x18 bytes into a 16-byte block. The std::vector<PP_PictureBuffer_Dev> and TransformFeedbackVaryingInfo frame names in the allocation stack are most likely identical-code-folding artefacts of this PGO build (vector instantiations with the same element size share one body), so they do not name the real element type. What the stack does establish is that the buffer is a std::vector allocated from SendNextAccessibilityPage+0x88, shortly before the crash at +0x1e4.

5:061> !heap -p -a 0xddef008
    address 0ddef008 found in
    _DPH_HEAP_ROOT @ b61000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 dc92888:          ddeeff0               10 -          ddee000             2000
    5cee9c2c verifier!AVrfDebugPageHeapAllocate+0x0000023c
    77a4fff0 ntdll!RtlDebugAllocateHeap+0x0000003c
    77999032 ntdll!RtlpAllocateHeap+0x00001642
    7799673f ntdll!RtlpAllocateHeapInternal+0x0000042f
    779962da ntdll!RtlAllocateHeap+0x0000002a
    692ea792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    5cdd0196 vfbasics!AVrfpRtlAllocateHeap+0x000000e2
    5462eae0 chrome_child!malloc+0x00000030
    54d84021 chrome_child!operator new+0x0000002c
    546cb217 chrome_child!std::_Allocate+0x00000028
    559d9d38 chrome_child!std::vector<PP_PictureBuffer_Dev,std::allocator<PP_PictureBuffer_Dev> >::_Buy+0x00000038
    562ba8e5 chrome_child!std::vector<gpu::gles2::TransformFeedbackVaryingInfo,std::allocator<gpu::gles2::TransformFeedbackVaryingInfo> >::vector<gpu::gles2::TransformFeedbackVaryingInfo,std::allocator<gpu::gles2::TransformFeedbackVaryingInfo> >+0x0000001a
    555fb0d7 chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x00000088
    555fb462 +0x00000027
    559cb765 chrome_child!ppapi::CallWhileUnlocked<void,PP_CompletionCallback *,int,PP_CompletionCallback *,int>+0x00000017
    559cba59 chrome_child!ppapi::proxy::`anonymous namespace'::CallbackWrapper+0x00000070
    559cbbdd chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl*)(PP_CompletionCallback,int),PP_CompletionCallback,int>,void __cdecl(void)>::Run+0x00000019
    559b9ed4 chrome_child!ppapi::internal::RunWhileLockedHelper<void __cdecl(void)>::CallWhileLocked+0x0000001d
    55f84063 +0x00000029
    548122c6 chrome_child!base::Callback<void __cdecl(void),1>::Run+0x00000005
    54811f6a chrome_child!base::MessageLoop::RunTask+0x00000078
    54811e2d chrome_child!base::MessageLoop::DoDelayedWork+0x000001ff
    548117fc chrome_child!base::MessagePumpDefault::Run+0x00000036
    549f08a4 chrome_child!base::MessageLoop::RunHandler+0x00000034
    549f085c chrome_child!base::RunLoop::Run+0x0000002c
    54b6ff9e chrome_child!content::PpapiPluginMain+0x00000194
    5495373c chrome_child!content::RunNamedProcessTypeMain+0x0000004d
    549536b9 chrome_child!content::ContentMainRunnerImpl::Run+0x00000098
    5495307f chrome_child!content::ContentMain+0x00000054
    00f2529a chrome!MainDllLoader::Launch+0x000002a1
    00f21d59 chrome!wWinMain+0x00000179
    00f85d6e chrome!__scrt_common_main_seh+0x000000fd

Disassembly Around Crash

5:061> ub @eip
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1c7 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 682]:
555fb216 8bbd7cffffff    mov     edi,dword ptr [ebp-84h]
555fb21c 3bd0            cmp     edx,eax
555fb21e 729f            jb      chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x170 (555fb1bf)
555fb220 f30f1045f0      movss   xmm0,dword ptr [ebp-10h]
555fb225 8d0419          lea     eax,[ecx+ebx]
555fb228 8b8d58ffffff    mov     ecx,dword ptr [ebp-0A8h]
555fb22e 03c0            add     eax,eax
555fb230 0f5ac0          cvtps2pd xmm0,xmm0
5:061> u @eip
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]:
555fb233 f20f1144c1f8    movsd   mmword ptr [ecx+eax*8-8],xmm0
555fb239 035d84          add     ebx,dword ptr [ebp-7Ch]
555fb23c 3b9d70ffffff    cmp     ebx,dword ptr [ebp-90h]
555fb242 0f8cf0feffff    jl      chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0xe9 (555fb138)
555fb248 8b8568ffffff    mov     eax,dword ptr [ebp-98h]
555fb24e 8bb564ffffff    mov     esi,dword ptr [ebp-9Ch]
555fb254 2bc6            sub     eax,esi
555fb256 6a28            push    28h

Analyze -v

5:061> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/chrome_exe/54_0_2840_99/58220960/chrome_child_dll/54_0_2840_99/58223287/c0000005/010cb233.htm?Retriage=1

FAULTING_IP: 
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]
555fb233 f20f1144c1f8    movsd   mmword ptr [ecx+eax*8-8],xmm0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 555fb233 (chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x000001e4)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 0ddef008
Attempt to write to address 0ddef008

FAULTING_THREAD:  00003004

PROCESS_NAME:  chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  0ddef008

WRITE_ADDRESS:  0ddef008 

FOLLOWUP_IP: 
chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]
555fb233 f20f1144c1f8    movsd   mmword ptr [ecx+eax*8-8],xmm0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  2000100

APPLICATION_VERIFIER_FLAGS:  80000041

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 555fb462 to 555fb233

STACK_TEXT:  
00b3f460 555fb462 00000001 00b3f4a8 00b3f484 chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x1e4 [c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc @ 684]
00b3f470 559cb765 09a28ff8 00000001 570246b3 chrome_child!pp::CompletionCallbackFactory<chrome_pdf::OutOfProcessInstance,pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<chrome_pdf::OutOfProcessInstance,pp::ThreadSafeThreadTraits>::Dispatcher0<void (__thiscall chrome_pdf::OutOfProcessInstance::*)(int)> >::Thunk+0x27 [c:\b\build\slave\win-pgo\build\src\ppapi\utility\completion_callback_factory.h @ 586]
00b3f484 559cba59 00b3f4c4 09b88ffc 00000000 chrome_child!ppapi::CallWhileUnlocked<void,PP_CompletionCallback *,int,PP_CompletionCallback *,int>+0x17 [c:\b\build\slave\win-pgo\build\src\ppapi\shared_impl\proxy_lock.h @ 135]
00b3f4b0 559cbbdd 555fb43b 09a28ff8 00000000 chrome_child!ppapi::proxy::`anonymous namespace'::CallbackWrapper+0x70 [c:\b\build\slave\win-pgo\build\src\ppapi\proxy\ppb_core_proxy.cc @ 52]
00b3f4d0 559b9ed4 09b88fe0 09d1cff8 00b3f4f0 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl*)(PP_CompletionCallback,int),PP_CompletionCallback,int>,void __cdecl(void)>::Run+0x19 [c:\b\build\slave\win-pgo\build\src\base\bind_internal.h @ 324]
00b3f4e0 55f84063 09c70ff8 00000000 00b3f548 chrome_child!ppapi::internal::RunWhileLockedHelper<void __cdecl(void)>::CallWhileLocked+0x1d [c:\b\build\slave\win-pgo\build\src\ppapi\shared_impl\proxy_lock.h @ 199]
00b3f4f0 548122c6 09dbcfe8 5481227c 00b3f5f0 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl*)(std::unique_ptr<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1>,std::default_delete<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1> > >),base::internal::PassedWrapper<std::unique_ptr<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1>,std::default_delete<base::Callback<void __cdecl(scoped_refptr<media::VideoFrame> const &,base::TimeTicks),1> > > > >,void __cdecl(void)>::Run+0x29 [c:\b\build\slave\win-pgo\build\src\base\bind_internal.h @ 324]
00b3f4f8 5481227c 00b3f5f0 00b3f728 00b3f7c0 chrome_child!base::Callback<void __cdecl(void),1>::Run+0x5 [c:\b\build\slave\win-pgo\build\src\base\callback.h @ 388]
00b3f548 54811f6a 5654f514 00b3f5f0 00b3f600 chrome_child!base::debug::TaskAnnotator::RunTask+0x6a [c:\b\build\slave\win-pgo\build\src\base\debug\task_annotator.cc @ 56]
00b3f5a4 54811e2d 00b3f5f0 08916ff8 08916fe8 chrome_child!base::MessageLoop::RunTask+0x78 [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc @ 489]
00b3f664 548117fc 08916ff8 00000000 00b3f728 chrome_child!base::MessageLoop::DoDelayedWork+0x1ff [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc @ 660]
00b3f6a4 549f08a4 00b3f728 565bf270 00b3f808 chrome_child!base::MessagePumpDefault::Run+0x36 [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_pump_default.cc @ 39]
00b3f6f0 549f085c 0751afe0 0a353a05 00000000 chrome_child!base::MessageLoop::RunHandler+0x34 [c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc @ 452]
00b3f710 54b6ff9e 00b3f8d8 00000000 00b3f8e4 chrome_child!base::RunLoop::Run+0x2c [c:\b\build\slave\win-pgo\build\src\base\run_loop.cc @ 36]
00b3f894 5495373c 00b3f8d8 07510fd0 088d2fe0 chrome_child!content::PpapiPluginMain+0x194 [c:\b\build\slave\win-pgo\build\src\content\ppapi_plugin\ppapi_plugin_main.cc @ 146]
00b3f8b4 549536b9 00b3f920 07510fd0 ffffffff chrome_child!content::RunNamedProcessTypeMain+0x4d [c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc @ 418]
00b3f904 5495307f 06c28fe0 06e28fd8 54cd43fa chrome_child!content::ContentMainRunnerImpl::Run+0x98 [c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc @ 786]
00b3f910 54cd43fa 06e28fd8 06e28fe0 565dbb68 chrome_child!content::ContentMain+0x54 [c:\b\build\slave\win-pgo\build\src\content\app\content_main.cc @ 20]
00b3f950 00f2529a 00f20000 00b3f970 06e28ffc chrome_child!ChromeMain+0x6d [c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_main.cc @ 91]
00b3fa0c 00f21d59 00f20000 00000000 00fd8984 chrome!MainDllLoader::Launch+0x2a1 [c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc @ 182]
00b3fb44 00f85d6e 00f20000 00000000 00b77d88 chrome!wWinMain+0x179 [c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc @ 253]
00b3fb90 77718e94 009c3000 77718e70 8c76e4f6 chrome!__scrt_common_main_seh+0xfd [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 255]
00b3fba4 779be9f2 009c3000 8caeef8d 00000000 KERNEL32!BaseThreadInitThunk+0x24
00b3fbec 779be9c1 ffffffff 77a05d00 00000000 ntdll!__RtlUserThreadStart+0x2b
00b3fbfc 00000000 00f85de7 009c3000 00000000 ntdll!_RtlUserThreadStart+0x1b


FAULTING_SOURCE_CODE:  
No source found for 'c:\b\build\slave\win-pgo\build\src\pdf\out_of_process_instance.cc'


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: chrome_child

IMAGE_NAME:  chrome_child.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  58223287

STACK_COMMAND:  ~61s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_chrome_child.dll!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+1e4

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome_exe/54_0_2840_99/58220960/chrome_child_dll/54_0_2840_99/58223287/c0000005/010cb233.htm?Retriage=1

Followup: MachineOwner
---------

Exploitable

5:061> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at chrome_child!chrome_pdf::OutOfProcessInstance::SendNextAccessibilityPage+0x00000000000001e4 (Hash=0xdefb8f78.0x98b06d2a)

User mode write access violations that are not near NULL are exploitable.

Modules Version

5:061> lmvm chrome
start    end        module name
00f20000 01005000   chrome     (private pdb symbols)  c:\symbols\chrome.exe.pdb\78490D163650454D9120581B9BD785DC1\chrome.exe.pdb
    Loaded symbol image file: C:\Program Files\Google\Chrome\Application\chrome.exe
    Image path: chrome.exe
    Image name: chrome.exe
    Timestamp:        Tue Nov 08 22:50:32 2016 (58220960)
    CheckSum:         000E3297
    ImageSize:        000E5000
    File version:     54.0.2840.99
    Product version:  54.0.2840.99
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_exe
    OriginalFilename: chrome.exe
    ProductVersion:   54.0.2840.99
    FileVersion:      54.0.2840.99
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2016 Google Inc. All rights reserved.
5:061> lmvm chrome_child
start    end        module name
54530000 571c4000   chrome_child   (private pdb symbols)  c:\symbols\chrome_child.dll.pdb\38F4760F84D14E2FBAE3F72ECAEB3FD72\chrome_child.dll.pdb
    Loaded symbol image file: C:\Program Files\Google\Chrome\Application\54.0.2840.99\chrome_child.dll
    Image path: C:\Program Files\Google\Chrome\Application\54.0.2840.99\chrome_child.dll
    Image name: chrome_child.dll
    Timestamp:        Wed Nov 09 01:46:07 2016 (58223287)
    CheckSum:         02B1C93C
    ImageSize:        02C94000
    File version:     54.0.2840.99
    Product version:  54.0.2840.99
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   54.0.2840.99
    FileVersion:      54.0.2840.99
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2016 Google Inc. All rights reserved.

Hypothesis

The disassembly shows a nested loop in SendNextAccessibilityPage. The inner loop (cmp edx,eax / jb at 555fb21c) walks one text run; the faulting movsd then stores one double (a float from the stack widened by cvtps2pd) into a 16-byte element (eax is doubled before the *8 scaling) whose index is derived from the running position in ebx plus a per-run value; only after that store is the position advanced by a length kept on the stack (add ebx,[ebp-7Ch]) and compared against the element count (cmp ebx,[ebp-90h] / jl). Neither the per-run length nor the resulting index is checked against the size of the vector before the store, so a malformed PDF whose reported run length exceeds the number of characters remaining drives the store past the end of the allocation. In this crash the vector held a single 16-byte element and the store landed 8 bytes past it, on the page-heap guard page. Without page heap the same store would silently overwrite whatever follows the allocation on the heap, so the access violation is only the first visible symptom of the out-of-bounds write.
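As an added example that is not part of this report and not Chromium's code, the C program below models the write pattern described above and the bounds check that prevents it. The record layout (16 bytes with a double at offset 8), the run-walk structure and every name in it (char_info, text_run, first_oob_store_offset, walk_text_runs_checked) are assumptions reconstructed from the disassembly and from the page-heap data (UserSize 0x10, 8-byte store at +0x18); the sample runs are constructed. The unchecked walk does not perform the out-of-bounds store; it reports the byte offset at which the store would fall outside the buffer, which for the crash input is 0x18, the same distance as 0ddef008 - 0ddeeff0.

```c
/*
 * Added example (not Chromium's code). Models the write loop at the crash site
 * and a hardened version. Layout, loop structure and names are assumptions
 * reconstructed from the disassembly and the page-heap data in the report.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-character record. sizeof == 16 on x86 and x86-64. */
struct char_info {
    uint32_t unicode_character;
    double   width;            /* offset 8: the field the faulting movsd writes */
};

/* Hypothetical text run as the PDF engine reports it; len is document-derived. */
struct text_run {
    uint32_t len;
};

#define NO_OOB (-1L)

/*
 * Unchecked walk, mirroring the loop in the disassembly: for each run the inner
 * loop writes chars[char_index + i] for i in [0, len - 1), a final store writes
 * chars[char_index + len - 1], and only then is char_index advanced and
 * compared against char_count. Instead of performing an out-of-bounds store,
 * this returns the byte offset from the start of the allocation of the first
 * store that would fall outside a buffer of char_count records, or NO_OOB.
 */
long first_oob_store_offset(uint32_t char_count,
                            const struct text_run *runs, size_t nruns)
{
    uint32_t char_index = 0;
    for (size_t r = 0; r < nruns && char_index < char_count; r++) {
        uint32_t len = runs[r].len;
        for (uint32_t i = 0; i + 1 < len; i++) {            /* cmp edx,eax / jb */
            uint32_t idx = char_index + i;
            if (idx >= char_count)
                return (long)idx * (long)sizeof(struct char_info)
                     + (long)offsetof(struct char_info, width);
        }
        if (len > 0) {
            uint32_t last = char_index + len - 1;            /* the faulting store */
            if (last >= char_count)
                return (long)last * (long)sizeof(struct char_info)
                     + (long)offsetof(struct char_info, width);
        }
        char_index += len;                                   /* add ebx,[ebp-7Ch] */
    }                                                        /* cmp ebx,[ebp-90h] / jl */
    return NO_OOB;
}

/*
 * Hardened walk: validates each run before any write. A run must be non-empty
 * (a zero-length run would never advance char_index) and must fit within the
 * characters that remain. Returns 0 on success, -1 on a malformed run, leaving
 * chars untouched from that run onwards. widths is a constructed stand-in for
 * the per-character width the engine would report.
 */
int walk_text_runs_checked(struct char_info *chars, uint32_t char_count,
                           const struct text_run *runs, size_t nruns,
                           const double *widths)
{
    uint32_t char_index = 0;
    for (size_t r = 0; r < nruns && char_index < char_count; r++) {
        uint32_t len = runs[r].len;
        if (len == 0 || len > char_count - char_index)
            return -1;      /* reject inconsistent data; do not clamp silently */
        for (uint32_t i = 0; i < len; i++)
            chars[char_index + i].width = widths[char_index + i];
        char_index += len;
    }
    return 0;
}

int main(void)
{
    /* Constructed input matching the crash: one character, one run of length 2. */
    struct text_run bad[1] = { { 2 } };
    long off = first_oob_store_offset(1, bad, 1);
    printf("unchecked walk: first OOB store at +0x%lx (crash: 0x%x)\n",
           off, 0x0ddef008 - 0x0ddeeff0);

    struct char_info chars[1] = { { 'A', 0.0 } };
    double widths[1] = { 5.5 };
    printf("checked walk rejects the run: %d\n",
           walk_text_runs_checked(chars, 1, bad, 1, widths));

    /* Constructed well-formed input: three characters in runs of 1 and 2. */
    struct text_run good[2] = { { 1 }, { 2 } };
    struct char_info chars3[3] = { { 'A', 0.0 }, { 'B', 0.0 }, { 'C', 0.0 } };
    double widths3[3] = { 1.0, 2.0, 3.0 };
    printf("well-formed runs: %d, widths %.1f %.1f %.1f\n",
           walk_text_runs_checked(chars3, 3, good, 2, widths3),
           chars3[0].width, chars3[1].width, chars3[2].width);
    return 0;
}
```

The hardened walk rejects rather than clamps: a run length that disagrees with the character count means the engine's view of the page is inconsistent, and truncating it silently would keep producing accessibility data for a document whose structure cannot be trusted.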

Credits

Ashfaq Ansari - Project Srishti