Issue metadata
Security: Chrome Memory Corruption Vulnerability due to Out-of-bounds Write
Reported by kushal89...@gmail.com, Jan 10 2017
Issue description

VULNERABILITY DETAILS

Note: The attached testcase crashes the latest chrome asan-coverage-win32-release and asan-coverage build # 441524, due to Out-Of-Bounds Write. The crash info in windbg is as shown below:

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
Executable search path is:
ModLoad: 010c0000 018d5000   C:\Users\kshah\Desktop\win32-release%2Fasan-win32-release-441524\asan-win32-release-441524\chrome.exe
(1388.18f0): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll_77080000!memcpy+0xbc36:
770adf76 53              push    ebx
0:000:x86> g
(1388.18f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77080000!memcpy+0xbc36:
770adf76 53              push    ebx
0:000:x86> g
(1388.18f0): Access violation - code c0000005 (!!! second chance !!!)
ntdll_77080000!memcpy+0xbc36:
770adf76 53              push    ebx
0:000:x86> r
eax=000000ac ebx=00000000 ecx=46a90000 edx=0023e008 esi=00000000 edi=0024110c
eip=770adf76 esp=00240f8c ebp=00241048 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
ntdll_77080000!memcpy+0xbc36:
770adf76 53              push    ebx
0:000:x86> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00241048 011e4455 00000002 00000000 00000000 ntdll_77080000!memcpy+0xbc36
0024106c 0121a0bc 00000000 76eebca6 00000000 chrome!IsSandboxedProcess+0x16d0f
00241090 77128613 00ffe710 000007b8 ffffffff chrome!IsSandboxedProcess+0x4c976
00241134 771287dd 002412d8 00241328 00000002 ntdll_77080000!RtlAcquireReleaseSRWLockExclusive+0x138
0024118c 77120e69 002412d8 00241328 00000002 ntdll_77080000!RtlReportException+0x86
002411a4 77101125 002411d8 0033f750 770f5ac4 ntdll_77080000!LdrVerifyImageMatchesChecksum+0xeb4
0033f770 770b9889 0033f794 77080000 00000000 ntdll_77080000!RtlUlonglongByteSwap+0x4375
0033f780 00000000 0033f794 77080000 00000000 ntdll_77080000!LdrInitializeThunk+0x10
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
***** OS symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\verifier.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\wow64cpu.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\wow64win.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\wow64.dll -

FAULTING_IP:
ntdll_77080000!memcpy+bc36
770adf76 53              push    ebx

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000770adf76 (ntdll_77080000!memcpy+0x000000000000bc36)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000240f88
Attempt to write to address 0000000000240f88

FAULTING_THREAD:  00000000000018f0
PROCESS_NAME:  chrome.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 0000000076ea0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  57fd02d3
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  0000000000000001
EXCEPTION_PARAMETER2:  0000000000240f88
WRITE_ADDRESS:  0000000000240f88
FOLLOWUP_IP:
ntdll_77080000!memcpy+bc36
770adf76 53              push    ebx
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  INVALID_STACK_ACCESS
DEFAULT_BUCKET_ID:  INVALID_STACK_ACCESS
LAST_CONTROL_TRANSFER:  from 00000000011e4455 to 00000000770adf76

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00241048 011e4455 00000002 00000000 00000000 ntdll_77080000!memcpy+0xbc36
0024106c 0121a0bc 00000000 76eebca6 00000000 chrome!IsSandboxedProcess+0x16d0f
00241090 77128613 00ffe710 000007b8 ffffffff chrome!IsSandboxedProcess+0x4c976
00241134 771287dd 002412d8 00241328 00000002 ntdll_77080000!RtlAcquireReleaseSRWLockExclusive+0x138
0024118c 77120e69 002412d8 00241328 00000002 ntdll_77080000!RtlReportException+0x86
002411a4 77101125 002411d8 0033f750 770f5ac4 ntdll_77080000!LdrVerifyImageMatchesChecksum+0xeb4
0033f770 770b9889 0033f794 77080000 00000000 ntdll_77080000!RtlUlonglongByteSwap+0x4375
0033f780 00000000 0033f794 77080000 00000000 ntdll_77080000!LdrInitializeThunk+0x10

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ntdll!memcpy+bc36
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ntdll_77080000
IMAGE_NAME:  ntdll.dll
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_STACK_ACCESS_c0000005_ntdll.dll!memcpy
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome_exe/57_0_2972_0/586ddfdf/ntdll_dll/6_1_7601_23572/57fd02d3/c0000005/0002df76.htm?Retriage=1
Followup: MachineOwner
---------

0:000:x86> .load msec.dll
0:000:x86> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x240f88
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:770adf76 push ebx
Exception Hash (Major/Minor): 0xb40b402c.0xf36bdfaa
Hash Usage : Stack Trace:
Major+Minor : ntdll_77080000!memcpy+0xbc36
Major+Minor : chrome!IsSandboxedProcess+0x16d0f
Major+Minor : chrome!IsSandboxedProcess+0x4c976
Major+Minor : ntdll_77080000!RtlAcquireReleaseSRWLockExclusive+0x138
Excluded : ntdll_77080000!RtlReportException+0x86
Major+Minor : ntdll_77080000!LdrVerifyImageMatchesChecksum+0xeb4
Minor : ntdll_77080000!RtlUlonglongByteSwap+0x4375
Minor : ntdll_77080000!LdrInitializeThunk+0x10
Instruction Address: 0x00000000770adf76
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll_77080000!memcpy+0x000000000000bc36 (Hash=0xb40b402c.0xf36bdfaa)
User mode write access violations that are not near NULL are exploitable.

Disassembly View: -
770adf49 3f              aas
770adf4a 0a7796          or      dh,byte ptr [edi-6Ah]
770adf4d 009800a03e0a    add     byte ptr [eax+0A3EA000h],bl
770adf53 7786            ja      ntdll_77080000!memcpy+0xbb9b (770adedb)
770adf55 008800a29e0a    add     byte ptr [eax+0A9EA200h],cl
770adf5b 7768            ja      ntdll_77080000!memset+0x5 (770adfc5)
770adf5d c5580f          lds     ebx,fword ptr [eax+0Fh]
770adf60 7764            ja      ntdll_77080000!memset+0x6 (770adfc6)
770adf62 ff3500000000    push    dword ptr ds:[0]
770adf68 8b442410        mov     eax,dword ptr [esp+10h]
770adf6c 896c2410        mov     dword ptr [esp+10h],ebp
770adf70 8d6c2410        lea     ebp,[esp+10h]
770adf74 2be0            sub     esp,eax
770adf76 53              push    ebx
770adf77 56              push    esi
770adf78 57              push    edi
770adf79 a188201877      mov     eax,dword ptr [ntdll_77080000!NlsAnsiCodePage+0x2078 (77182088)]
770adf7e 3145fc          xor     dword ptr [ebp-4],eax
770adf81 33c5            xor     eax,ebp
770adf83 50              push    eax
770adf84 8965e8          mov     dword ptr [ebp-18h],esp
770adf87 ff75f8          push    dword ptr [ebp-8]
770adf8a 8b45fc          mov     eax,dword ptr [ebp-4]
770adf8d c745fcfeffffff  mov     dword ptr [ebp-4],0FFFFFFFEh
770adf94 8945f8          mov     dword ptr [ebp-8],eax
770adf97 8d45f0          lea     eax,[ebp-10h]

VERSION

Chrome Version: [57.0.2972.0]
Operating System: Windows 7 SP1

REPRODUCTION CASE

Steps to reproduce the issue are as follows:
1) Enable Windbg as the default post-mortem debugger using the command "windbg -I" in an elevated command prompt.
2) Enable full page heap on the chrome binary using the command "gflags /p /enable chrome.exe /full" without the double quotes in the same or new elevated command prompt.
3) Open the PoC.pdf with the chrome.exe binary using the command "C:\[path]\chrome.exe C:\[path]\PoC.pdf".
4) Check the crash details.
Jan 17 2017
Chrome's sandbox doesn't work with page heap enabled. You seem to be hitting a crash related to that. We use AddressSanitizer for heap instrumentation. You can find prebuilt windows binaries using it at https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=win32-release/. More information is available at https://dev.chromium.org/developers/testing/addresssanitizer Thanks for the report either way. If you want to keep looking for bugs, I'd highly recommend giving the ASan builds a try.
Jan 17 2017
@mbarbella, Google Security Team, I believe the issue still exists. I will provide you further details tomorrow when I have access to my PoC and my machine. In the meanwhile I would like to request if you could kindly keep this report private. Eagerly awaiting your reply in earnest. Thanks & Regards, ~ Kushal.
Jan 17 2017
Firstly, if you were to look at the "FIRST LINE" of the original report, it mentioned that I was using the asan builds already! Secondly, the vulnerability still exists "without page heap enabled" in the asan build #441524 and also in the latest build #443977. https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-443977.zip?generation=1484634434798911&alt=media IS AFFECTED. After a patient wait for the last 5 days in order for clusterfuzz to finish its analysis and thereafter receiving no prior notification before making the report public, I feel disheartened at the process in which this report was handled. I hope someone can at least make this report private, till the researcher can provide additional evidence of the vulnerability.
Jan 17 2017
Please find attached the windbg output for version 441524 "WITHOUT PAGE HEAP ENABLED":

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
Executable search path is:
ModLoad: 01390000 01cc7000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-441524\asan-coverage-win32-release-441524\chrome.exe
(2b84.2e98): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for dbghelp.dll -
dbghelp!ImagehlpApiVersionEx+0x383:
7262e490 53              push    ebx
0:000:x86> r
eax=00000464 ebx=00000000 ecx=00002e00 edx=01390000 esi=2e1bb430 edi=2e1a07d0
eip=7262e490 esp=002e0f80 ebp=002e13f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210200
dbghelp!ImagehlpApiVersionEx+0x383:
7262e490 53              push    ebx
0:000:x86> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002e13f4 726303f4 ffffffff 2e1bb430 2e1bb430 dbghelp!ImagehlpApiVersionEx+0x383
002e1408 72633955 ffffffff 2e1bb430 00000000 dbghelp!SymUnloadModule64+0xcba
002e1450 7262f95a ffffffff 0164a655 00000000 dbghelp!SymFunctionTableAccess64+0x4a
002e1468 72630507 0164a655 00000000 002e17bc dbghelp!SymUnloadModule64+0x220
002e149c 726314e5 002e15d0 002e2600 002e22b0 dbghelp!SymUnloadModule64+0xdcd
002e14b0 72634158 002e2600 00000005 50abf030 dbghelp!SymGetModuleInfoW64+0x9d5
002e15ac 7263406f 002e15d0 002e2250 002e2600 dbghelp!StackWalk64+0x1b1
*** WARNING: Unable to verify checksum for chrome_child.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome_child.dll -
002e2274 1b36e3a1 0000014c ffffffff fffffffe dbghelp!StackWalk64+0xc8
002e27d4 1b36cf99 002e2b9c 41b58ab3 28b6e8c4 chrome_child!GetHandleVerifier+0x20df11
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for KERNEL32.dll -
002e2994 769503bb 002e2a4c 43992703 00000000 chrome_child!GetHandleVerifier+0x20cb09
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
002e2a1c 770f5be7 002e2a4c 770f5ac4 00000000 KERNEL32!GetProfileStringW+0x12ddf
003df7f8 770b98d5 01658afb fffde000 00000000 ntdll_77080000!RtlKnownExceptionFilter+0xb7
003df810 00000000 01658afb fffde000 00000000 ntdll_77080000!RtlInitializeExceptionChain+0x36
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
***** OS symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for USER32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for gdiplus.dll -

FAULTING_IP:
dbghelp!ImagehlpApiVersionEx+383
7262e490 53              push    ebx

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000007262e490 (dbghelp!ImagehlpApiVersionEx+0x0000000000000383)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000000002e0f7c
Attempt to write to address 00000000002e0f7c

FAULTING_THREAD:  0000000000002e98
PROCESS_NAME:  chrome.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: dbghelp
FAULTING_MODULE: 0000000076ea0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7b7bc
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  0000000000000001
EXCEPTION_PARAMETER2:  00000000002e0f7c
WRITE_ADDRESS:  00000000002e0f7c
FOLLOWUP_IP:
dbghelp!ImagehlpApiVersionEx+383
7262e490 53              push    ebx
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  INVALID_STACK_ACCESS
DEFAULT_BUCKET_ID:  INVALID_STACK_ACCESS
LAST_CONTROL_TRANSFER:  from 00000000726303f4 to 000000007262e490

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
002e13f4 726303f4 ffffffff 2e1bb430 2e1bb430 dbghelp!ImagehlpApiVersionEx+0x383
002e1408 72633955 ffffffff 2e1bb430 00000000 dbghelp!SymUnloadModule64+0xcba
002e1450 7262f95a ffffffff 0164a655 00000000 dbghelp!SymFunctionTableAccess64+0x4a
002e1468 72630507 0164a655 00000000 002e17bc dbghelp!SymUnloadModule64+0x220
002e149c 726314e5 002e15d0 002e2600 002e22b0 dbghelp!SymUnloadModule64+0xdcd
002e14b0 72634158 002e2600 00000005 50abf030 dbghelp!SymGetModuleInfoW64+0x9d5
002e15ac 7263406f 002e15d0 002e2250 002e2600 dbghelp!StackWalk64+0x1b1
002e2274 1b36e3a1 0000014c ffffffff fffffffe dbghelp!StackWalk64+0xc8
002e27d4 1b36cf99 002e2b9c 41b58ab3 28b6e8c4 chrome_child!GetHandleVerifier+0x20df11
002e2994 769503bb 002e2a4c 43992703 00000000 chrome_child!GetHandleVerifier+0x20cb09
002e2a1c 770f5be7 002e2a4c 770f5ac4 00000000 KERNEL32!GetProfileStringW+0x12ddf
003df7f8 770b98d5 01658afb fffde000 00000000 ntdll_77080000!RtlKnownExceptionFilter+0xb7
003df810 00000000 01658afb fffde000 00000000 ntdll_77080000!RtlInitializeExceptionChain+0x36

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  dbghelp!ImagehlpApiVersionEx+383
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  dbghelp.dll
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_STACK_ACCESS_c0000005_dbghelp.dll!ImagehlpApiVersionEx
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome_exe/57_0_2972_0/586dd416/dbghelp_dll/6_1_7601_17514/4ce7b7bc/c0000005/0000e490.htm?Retriage=1
Followup: MachineOwner
---------

0:000:x86> .load msec.dll
0:000:x86> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2e0f7c
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:7262e490 push ebx
Exception Hash (Major/Minor): 0x0ce1a874.0x82b9d997
Hash Usage : Stack Trace:
Major+Minor : dbghelp!ImagehlpApiVersionEx+0x383
Major+Minor : dbghelp!SymUnloadModule64+0xcba
Major+Minor : dbghelp!SymFunctionTableAccess64+0x4a
Major+Minor : dbghelp!SymUnloadModule64+0x220
Major+Minor : dbghelp!SymUnloadModule64+0xdcd
Minor : dbghelp!SymGetModuleInfoW64+0x9d5
Minor : dbghelp!StackWalk64+0x1b1
Minor : dbghelp!StackWalk64+0xc8
Minor : chrome_child!GetHandleVerifier+0x20df11
Minor : chrome_child!GetHandleVerifier+0x20cb09
Minor : KERNEL32!GetProfileStringW+0x12ddf
Excluded : ntdll_77080000!RtlKnownExceptionFilter+0xb7
Excluded : ntdll_77080000!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000007262e490
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at dbghelp!ImagehlpApiVersionEx+0x0000000000000383 (Hash=0x0ce1a874.0x82b9d997)
User mode write access violations that are not near NULL are exploitable.
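An added triage helper, not part of this thread or of Chromium's or Microsoft's tooling: it reads the register dump, faulting instruction and exception record from the sessions pasted above and reports how far below esp the faulting write landed, since a push that faults a few bytes under the stack pointer is the stack running into an unmapped page rather than a write past the end of a heap buffer, whatever !exploitable prints. The 4 KiB guard window and the third, control session are assumptions constructed for the example; the first two excerpts are copied from the logs in this thread.

```python
"""Triage the write-AV windbg sessions in this thread by distance to esp."""
import re
from dataclasses import dataclass

# Assumption: anything within one 4 KiB page below esp counts as a guard-page hit.
GUARD_WINDOW = 0x1000

# Excerpts copied from the sessions above (register dump, faulting instruction,
# exception record, !exploitable verdict) plus one constructed control case.
SESSIONS = {
    "441524, page heap on": """
770adf76 53              push    ebx
0:000:x86> r
eax=000000ac ebx=00000000 ecx=46a90000 edx=0023e008 esi=00000000 edi=0024110c
eip=770adf76 esp=00240f8c ebp=00241048 iopl=0         nv up ei pl nz ac po nc
Attempt to write to address 0000000000240f88
Exploitability Classification: EXPLOITABLE
""",
    "441524, page heap off": """
7262e490 53              push    ebx
0:000:x86> r
eax=00000464 ebx=00000000 ecx=00002e00 edx=01390000 esi=2e1bb430 edi=2e1a07d0
eip=7262e490 esp=002e0f80 ebp=002e13f4 iopl=0         nv up ei pl nz na po nc
Attempt to write to address 00000000002e0f7c
Exploitability Classification: EXPLOITABLE
""",
    "constructed control": """
0040101a 8900            mov     dword ptr [eax],eax
0:000> r
eax=0c3a5020 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=0040101a esp=0012ff00 ebp=0012ff20 iopl=0         nv up ei pl nz na po nc
Attempt to write to address 000000000c3a5020
Exploitability Classification: EXPLOITABLE
""",
}

REG = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
FAULT = re.compile(r"Attempt to (read from|write to) address ([0-9a-f]+)")
VERDICT = re.compile(r"Exploitability Classification:\s*(\S+)")
INSN = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+([a-z]\w*)\s*(.*?)\s*$", re.M)
STACK_GROWERS = {"push", "pusha", "pushad", "pushfd", "call", "enter"}


@dataclass
class Triage:
    eip: int
    esp: int
    fault_addr: int
    access: str            # "read" or "write"
    instruction: str       # e.g. "push ebx"
    exploitable_says: str  # what !exploitable printed
    bytes_below_esp: int   # esp - fault_addr; positive means below the stack pointer
    verdict: str


def faulting_instruction(text: str, eip: int) -> str:
    """Return the disassembled instruction at eip, or "unknown"."""
    for addr, mnemonic, operands in INSN.findall(text):
        if int(addr, 16) == eip:
            return f"{mnemonic} {operands}".strip()
    return "unknown"


def classify(access: str, instruction: str, bytes_below_esp: int, fault_addr: int) -> str:
    mnemonic = instruction.split()[0]
    if fault_addr < 0x10000:
        return "near-NULL dereference"
    if access == "write" and mnemonic in STACK_GROWERS and 0 < bytes_below_esp <= GUARD_WINDOW:
        return "stack-pointer write just below esp: stack exhaustion, not a heap OOB write"
    if abs(bytes_below_esp) <= GUARD_WINDOW:
        return "stack-adjacent access: inspect the frame before trusting !exploitable"
    return "access far from the stack: investigate the target buffer"


def parse_session(text: str) -> Triage:
    regs = {name: int(value, 16) for name, value in REG.findall(text)}
    fault = FAULT.search(text)
    if fault is None or "esp" not in regs or "eip" not in regs:
        raise ValueError("excerpt lacks a register dump or an exception record")
    access = "read" if fault.group(1).startswith("read") else "write"
    fault_addr = int(fault.group(2), 16)
    instruction = faulting_instruction(text, regs["eip"])
    label = VERDICT.search(text)
    below = regs["esp"] - fault_addr
    return Triage(regs["eip"], regs["esp"], fault_addr, access, instruction,
                  label.group(1) if label else "unknown", below,
                  classify(access, instruction, below, fault_addr))


def triage_all() -> dict:
    """Map each session name to its Triage result."""
    return {name: parse_session(text) for name, text in SESSIONS.items()}


if __name__ == "__main__":
    for name, t in triage_all().items():
        print(f"{name}: {t.instruction} writes esp{-t.bytes_below_esp:+#x} "
              f"(!exploitable: {t.exploitable_says}) -> {t.verdict}")
```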
Jan 17 2017
Please find attached the windbg output for version 443977 "WITHOUT PAGE HEAP ENABLED":

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
Executable search path is:
ModLoad: 010b0000 019e8000   C:\Users\Research\Downloads\win32-release%2Fasan-coverage-win32-release-443977\asan-coverage-win32-release-443977\chrome.exe
(ef4.7e0): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for dbghelp.dll -
dbghelp!ImagehlpApiVersionEx+0x383:
72e8e490 53              push    ebx
0:000:x86> r
eax=00000464 ebx=00000000 ecx=00000700 edx=010b0000 esi=2e3bb430 edi=2e3a07d0
eip=72e8e490 esp=00210f80 ebp=002113f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210200
dbghelp!ImagehlpApiVersionEx+0x383:
72e8e490 53              push    ebx
0:000:x86> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002113f4 72e903f4 ffffffff 2e3bb430 2e3bb430 dbghelp!ImagehlpApiVersionEx+0x383
00211408 72e93955 ffffffff 2e3bb430 00000000 dbghelp!SymUnloadModule64+0xcba
00211450 72e8f95a ffffffff 0135f273 00000000 dbghelp!SymFunctionTableAccess64+0x4a
00211468 72e90507 0135f273 00000000 002117bc dbghelp!SymUnloadModule64+0x220
0021149c 72e914e5 002115d0 00212600 002122b0 dbghelp!SymUnloadModule64+0xdcd
002114b0 72e94158 00212600 00000005 50bef088 dbghelp!SymGetModuleInfoW64+0x9d5
002115ac 72e9406f 002115d0 00212250 00212600 dbghelp!StackWalk64+0x1b1
*** WARNING: Unable to verify checksum for chrome_child.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome_child.dll -
00212274 1b30af31 0000014c ffffffff fffffffe dbghelp!StackWalk64+0xc8
002127d4 1b309b29 00212b9c 41b58ab3 28d44124 chrome_child!GetHandleVerifier+0x216db1
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for KERNEL32.dll -
00212994 76b703bb 00212a4c b50afdbb 00000000 chrome_child!GetHandleVerifier+0x2159a9
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
00212a1c 77d75be7 00212a4c 77d75ac4 00000000 KERNEL32!GetProfileStringW+0x12ddf
0030f810 77d398d5 013733e4 fffde000 00000000 ntdll_77d00000!RtlKnownExceptionFilter+0xb7
0030f828 00000000 013733e4 fffde000 00000000 ntdll_77d00000!RtlInitializeExceptionChain+0x36
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
***** OS symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for USER32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for gdiplus.dll -
* * using .sympath and .sympath+ * ********************************************************************* ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this command to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this command to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* FAULTING_IP: dbghelp!ImagehlpApiVersionEx+383 72e8e490 53 push ebx EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000072e8e490 (dbghelp!ImagehlpApiVersionEx+0x0000000000000383) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000001 Parameter[1]: 0000000000210f7c Attempt to write to address 0000000000210f7c FAULTING_THREAD: 00000000000007e0 PROCESS_NAME: chrome.exe ADDITIONAL_DEBUG_TEXT: Use '!findthebuild' command to search for the target build information. 
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. MODULE_NAME: dbghelp FAULTING_MODULE: 0000000077b20000 ntdll DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7b7bc ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 0000000000000001 EXCEPTION_PARAMETER2: 0000000000210f7c WRITE_ADDRESS: 0000000000210f7c FOLLOWUP_IP: dbghelp!ImagehlpApiVersionEx+383 72e8e490 53 push ebx BUGCHECK_STR: APPLICATION_FAULT_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_WRONG_SYMBOLS PRIMARY_PROBLEM_CLASS: INVALID_STACK_ACCESS DEFAULT_BUCKET_ID: INVALID_STACK_ACCESS LAST_CONTROL_TRANSFER: from 0000000072e903f4 to 0000000072e8e490 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 002113f4 72e903f4 ffffffff 2e3bb430 2e3bb430 dbghelp!ImagehlpApiVersionEx+0x383 00211408 72e93955 ffffffff 2e3bb430 00000000 dbghelp!SymUnloadModule64+0xcba 00211450 72e8f95a ffffffff 0135f273 00000000 dbghelp!SymFunctionTableAccess64+0x4a 00211468 72e90507 0135f273 00000000 002117bc dbghelp!SymUnloadModule64+0x220 0021149c 72e914e5 002115d0 00212600 002122b0 dbghelp!SymUnloadModule64+0xdcd 002114b0 72e94158 00212600 00000005 50bef088 dbghelp!SymGetModuleInfoW64+0x9d5 002115ac 72e9406f 002115d0 00212250 00212600 dbghelp!StackWalk64+0x1b1 00212274 1b30af31 0000014c ffffffff fffffffe dbghelp!StackWalk64+0xc8 002127d4 1b309b29 00212b9c 41b58ab3 28d44124 chrome_child!GetHandleVerifier+0x216db1 00212994 76b703bb 00212a4c b50afdbb 00000000 chrome_child!GetHandleVerifier+0x2159a9 00212a1c 77d75be7 00212a4c 77d75ac4 00000000 KERNEL32!GetProfileStringW+0x12ddf 0030f810 77d398d5 013733e4 fffde000 00000000 ntdll_77d00000!RtlKnownExceptionFilter+0xb7 0030f828 00000000 013733e4 fffde000 00000000 
ntdll_77d00000!RtlInitializeExceptionChain+0x36 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: dbghelp!ImagehlpApiVersionEx+383 FOLLOWUP_NAME: MachineOwner IMAGE_NAME: dbghelp.dll STACK_COMMAND: ~0s ; kb BUCKET_ID: WRONG_SYMBOLS FAILURE_BUCKET_ID: INVALID_STACK_ACCESS_c0000005_dbghelp.dll!ImagehlpApiVersionEx WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome_exe/57_0_2984_0/587db87b/dbghelp_dll/6_1_7601_17514/4ce7b7bc/c0000005/0000e490.htm?Retriage=1 Followup: MachineOwner --------- 0:000:x86> .load msec.dll 0:000:x86> !exploitable -v !exploitable 1.6.0.0 HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0x210f7c Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Write Access Violation Faulting Instruction:72e8e490 push ebx Exception Hash (Major/Minor): 0x0ce1a874.0x69cf8bbf Hash Usage : Stack Trace: Major+Minor : dbghelp!ImagehlpApiVersionEx+0x383 Major+Minor : dbghelp!SymUnloadModule64+0xcba Major+Minor : dbghelp!SymFunctionTableAccess64+0x4a Major+Minor : dbghelp!SymUnloadModule64+0x220 Major+Minor : dbghelp!SymUnloadModule64+0xdcd Minor : dbghelp!SymGetModuleInfoW64+0x9d5 Minor : dbghelp!StackWalk64+0x1b1 Minor : dbghelp!StackWalk64+0xc8 Minor : chrome_child!GetHandleVerifier+0x216db1 Minor : chrome_child!GetHandleVerifier+0x2159a9 Minor : KERNEL32!GetProfileStringW+0x12ddf Excluded : ntdll_77d00000!RtlKnownExceptionFilter+0xb7 Excluded : ntdll_77d00000!RtlInitializeExceptionChain+0x36 Instruction Address: 0x0000000072e8e490 Description: User Mode Write AV Short Description: WriteAV Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at dbghelp!ImagehlpApiVersionEx+0x0000000000000383 (Hash=0x0ce1a874.0x69cf8bbf) User mode write access violations that are not near NULL are exploitable.
Jan 18 2017
Deleted PoC attachment from original report to uphold responsible disclosure from the researcher's end.
Comment 1 by ClusterFuzz, Jan 11 2017