VMware Workstation: vprintproxy.exe multiple vulnerabilities when processing custom EMR 0x8002
Project Member Reported by kost...@google.com, Mar 11 2015
Version: VMware Workstation 11.1
Host Platform: Windows 8.1 amd64

Summary:
Printer virtualization under VMware Workstation involves a vprintproxy.exe process launched by vmware-vmx.exe on the Host. It receives and processes EMFSPOOL files sent by a Guest over its COM1 port, if a virtual printer has been added to the VM hardware (the default). Several vulnerabilities in this component allow an unprivileged Guest user to execute code on the Host.

Description:
The function CTPViewDoc::WriteEMF in TPView.dll pre-processes an EMF and rewrites it, replacing a couple of custom EMR record types. In the case of custom EMR record 0x8002, TPView.dll blindly trusts the sizes and offsets provided in the relevant structures and performs unsafe memcpy() operations:

    .text:1002F909 loc_1002F909:                   ; CODE XREF: CTPViewDoc::WriteEMF+C50j
    .text:1002F909 8B 75 B0          mov     esi, [ebp+var_50]
    .text:1002F90C FF 73 34          push    dword ptr [ebx+34h]  ; size_t
    .text:1002F90F 8B 46 30          mov     eax, [esi+30h]
    .text:1002F912 03 C6             add     eax, esi
    .text:1002F914 50                push    eax                  ; void *
    .text:1002F915 8B 43 30          mov     eax, [ebx+30h]
    .text:1002F918 03 C3             add     eax, ebx
    .text:1002F91A 50                push    eax                  ; void *
    .text:1002F91B E8 E0 96 04 00    call    _memcpy              ; (1)
    .text:1002F920 8B 46 38          mov     eax, [esi+38h]
    .text:1002F923 FF 73 3C          push    dword ptr [ebx+3Ch]  ; size_t
    .text:1002F926 03 C6             add     eax, esi
    .text:1002F928 50                push    eax                  ; void *
    .text:1002F929 8B 43 38          mov     eax, [ebx+38h]
    .text:1002F92C 03 C3             add     eax, ebx
    .text:1002F92E 50                push    eax                  ; void *
    .text:1002F92F E8 CC 96 04 00    call    _memcpy              ; (2)
    .text:1002F934 8B 45 B8          mov     eax, [ebp+var_4C+4]
    .text:1002F937 6A 50             push    50h                  ; size_t
    .text:1002F939 89 45 A8          mov     [ebp+var_58], eax
    .text:1002F93C 8B 43 30          mov     eax, [ebx+30h]
    .text:1002F93F 89 46 30          mov     [esi+30h], eax
    .text:1002F942 8B 43 38          mov     eax, [ebx+38h]
    .text:1002F945 56                push    esi                  ; void *
    .text:1002F946 53                push    ebx                  ; void *
    .text:1002F947 89 46 38          mov     [esi+38h], eax
    .text:1002F94A E8 B1 96 04 00    call    _memcpy              ; (3)

Here, the contents of both esi and ebx are under the user's control, and correspond to the contents of a custom 0x8002 EMR structure. The size of the memory allocated for ebx is not even checked to be at least 0x50 bytes. This results in heap overflow conditions at (1) and (3), as well as a relative memory overwrite at (2).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
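The three copies above, modelled in C as an added example that is not code from the report or from TPView.dll: the unchecked shape (each pointer and length derived from the guest-controlled headers, nothing compared against the real buffer sizes) next to a hardened rewrite that takes the true length of both buffers and validates every span before copying. The header layout (offset/size pairs at +0x30/+0x34 and +0x38/+0x3C, a 0x50-byte header), the field names, the status codes and the sample records are assumptions constructed for the example; the only values borrowed from the report are the 0x50 header size and the 0x1000-byte write at relative offset 0xfffff000 from the dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring the fields the disassembly touches: the
 * destination header (ebx) supplies offset/size pairs at +0x30/+0x34 and
 * +0x38/+0x3C, the source header (esi) supplies offsets at +0x30/+0x38, and
 * the header is 0x50 bytes. Names are assumptions, not TPView.dll's. */
#define HDR_SIZE 0x50u
#define F_OFF1   0x30u
#define F_SIZE1  0x34u
#define F_OFF2   0x38u
#define F_SIZE2  0x3Cu

enum emr_status { EMR_OK = 0, EMR_SHORT_BUFFER, EMR_SRC_OOB, EMR_DST_OOB, EMR_OVERLAP };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }

/* 1 if [off, off+size) fits in len bytes. Subtract before comparing so a huge
 * size or an offset like 0xfffff000 cannot wrap the arithmetic past the check. */
static int span_ok(uint32_t off, uint32_t size, size_t len)
{
    return off <= len && size <= len - off;
}

/* The shape of memcpy (1), (2) and (3) in the disassembly, kept for contrast
 * only: every pointer and length comes from the two untrusted headers. */
void rewrite_unchecked(uint8_t *dst, uint8_t *src)
{
    memcpy(dst + rd32(dst + F_OFF1), src + rd32(src + F_OFF1), rd32(dst + F_SIZE1)); /* (1) */
    memcpy(dst + rd32(dst + F_OFF2), src + rd32(src + F_OFF2), rd32(dst + F_SIZE2)); /* (2) */
    put32(src + F_OFF1, rd32(dst + F_OFF1));
    put32(src + F_OFF2, rd32(dst + F_OFF2));
    memcpy(dst, src, HDR_SIZE);                                                     /* (3) */
}

/* Hardened rewrite: the caller passes the real length of both buffers and
 * every read and write span is validated before the first byte moves. */
int rewrite_checked(uint8_t *dst, size_t dst_len, const uint8_t *src, size_t src_len)
{
    if (dst_len < HDR_SIZE || src_len < HDR_SIZE)
        return EMR_SHORT_BUFFER;            /* header fields would lie past the end */

    uint32_t doff1 = rd32(dst + F_OFF1), size1 = rd32(dst + F_SIZE1);
    uint32_t doff2 = rd32(dst + F_OFF2), size2 = rd32(dst + F_SIZE2);
    uint32_t soff1 = rd32(src + F_OFF1), soff2 = rd32(src + F_OFF2);

    if (!span_ok(soff1, size1, src_len) || !span_ok(soff2, size2, src_len))
        return EMR_SRC_OOB;                 /* read would leave the source record */
    if (!span_ok(doff1, size1, dst_len) || !span_ok(doff2, size2, dst_len))
        return EMR_DST_OOB;                 /* write would leave dst (the dump's case) */
    if ((size1 && doff1 < HDR_SIZE) || (size2 && doff2 < HDR_SIZE))
        return EMR_OVERLAP;                 /* payload would clobber the rebuilt header */

    memcpy(dst + doff1, src + soff1, size1);
    memcpy(dst + doff2, src + soff2, size2);
    memcpy(dst, src, HDR_SIZE);             /* net effect of (3) without mutating src */
    put32(dst + F_OFF1, doff1);
    put32(dst + F_OFF2, doff2);
    return EMR_OK;
}

/* Constructed sample records (not from the report). Payload bytes are 'J'
 * (0x4a), the fill pattern visible at esi in the crash dump. */
struct sample { uint32_t soff1, soff2, doff1, size1, doff2, size2; size_t src_len, dst_len; };

static int run_case(const struct sample *s, uint8_t *dst_out, size_t out_len)
{
    uint8_t src[0x1100] = {0}, dst[0x200] = {0};
    if (s->src_len > sizeof src || s->dst_len > sizeof dst) return -1;
    put32(src + F_OFF1, s->soff1); put32(src + F_OFF2, s->soff2);
    put32(dst + F_OFF1, s->doff1); put32(dst + F_SIZE1, s->size1);
    put32(dst + F_OFF2, s->doff2); put32(dst + F_SIZE2, s->size2);
    memset(src + HDR_SIZE, 'J', sizeof src - HDR_SIZE);
    int rc = rewrite_checked(dst, s->dst_len, src, s->src_len);
    if (dst_out && out_len <= sizeof dst) memcpy(dst_out, dst, out_len);
    return rc;
}

static const struct sample VALID = { 0x50, 0x70, 0x50, 0x20, 0x70, 0x10, 0x100, 0x100 };

int case_valid(void)          { return run_case(&VALID, NULL, 0); }
int case_short_dst(void)      { struct sample s = VALID; s.dst_len = 0x40; return run_case(&s, NULL, 0); }
/* The dump's numbers: 0x1000 bytes to relative offset 0xfffff000, i.e. dst - 0x1000 on x86. */
int case_dump_offset(void)    { struct sample s = VALID; s.doff1 = 0xfffff000u; s.size1 = 0x1000; s.src_len = 0x1100; return run_case(&s, NULL, 0); }
/* A naive "off + size <= len" test would wrap to 0x4f and pass this one. */
int case_size_wraps(void)     { struct sample s = VALID; s.size1 = 0xffffffffu; return run_case(&s, NULL, 0); }
int case_header_overlap(void) { struct sample s = VALID; s.doff1 = 0x10; return run_case(&s, NULL, 0); }

/* Positive check: the well-formed record really is rewritten. */
int case_valid_payload_copied(void)
{
    uint8_t out[0x100];
    if (run_case(&VALID, out, sizeof out) != EMR_OK) return 0;
    return out[0x4f] == 0 && out[0x50] == 'J' && out[0x7f] == 'J' && out[0x80] == 0
        && rd32(out + F_OFF1) == 0x50;
}

int main(void)
{
    printf("valid=%d short_dst=%d dump_offset=%d size_wraps=%d overlap=%d copied=%d\n",
           case_valid(), case_short_dst(), case_dump_offset(), case_size_wraps(),
           case_header_overlap(), case_valid_payload_copied());
    return 0;
}
```

The ordering of the checks matters: the destination length is compared with the 0x50-byte header before any header field is read, and each span is checked with a subtraction rather than an addition so that a size of 0xffffffff or an offset of 0xfffff000 cannot wrap the comparison on a 32-bit size_t.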
Comments: Jun 2 2015, Jun 9 2015
VMware advisory VMSA-2015-0004: https://www.vmware.com/security/advisories/VMSA-2015-0004.html
Dump sample, attempting to write 0x1000 bytes at relative offset 0xfffff000:

    0:013> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    FAULTING_IP:
    tpview!JP2_General_CheckICC+348a3
    0b139033 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0b139033 (tpview!JP2_General_CheckICC+0x000348a3)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 0ef89f80
    Attempt to write to address 0ef89f80

    CONTEXT:  00000000 -- (.cxr 0x0;r)
    eax=0efb0000 ebx=0ef8af80 ecx=00000400 edx=00000000 esi=0efaf000 edi=0ef89f80
    eip=0b139033 esp=0e63f004 ebp=0e63f00c iopl=0         nv up ei pl nz ac po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
    tpview!JP2_General_CheckICC+0x348a3:
    0b139033 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

    FAULTING_THREAD:  000011cc

    PROCESS_NAME:  vprintproxy.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1:  00000001

    EXCEPTION_PARAMETER2:  0ef89f80

    WRITE_ADDRESS:  0ef89f80

    FOLLOWUP_IP:
    tpview!JP2_General_CheckICC+348a3
    0b139033 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

    NTGLOBALFLAG:  2000000

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  vprintproxy.exe

    ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre

    BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN

    PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE_FILL_PATTERN

    DEFAULT_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN

    LAST_CONTROL_TRANSFER:  from 0b0ef934 to 0b139033

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0e63f00c 0b0ef934 0ef89f80 0efaf000 00001000 tpview!JP2_General_CheckICC+0x348a3
    0e63f464 0b0eeb53 00000080 00000001 0e40eea0 tpview!TPRenderW+0x1c96
    0e63f494 0b0d7dad 00000001 0e40efb0 7693f1c0 tpview!TPRenderW+0xeb5
    00000000 00000000 00000000 00000000 00000000 tpview+0x17dad

    STACK_COMMAND:  .cxr 0x0 ; kb

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  tpview!JP2_General_CheckICC+348a3

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: tpview

    IMAGE_NAME:  tpview.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  51dfe66e

    FAILURE_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_c0000005_tpview.dll!JP2_General_CheckICC

    BUCKET_ID:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_tpview!JP2_General_CheckICC+348a3

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:string_dereference_fill_pattern_c0000005_tpview.dll!jp2_general_checkicc

    FAILURE_ID_HASH:  {83dfe6e6-ed7d-2127-3bf8-f6458c355255}

    Followup: MachineOwner
    ---------

    0:013> db esi
    0efaf000  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf010  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf020  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf030  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf040  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf050  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf060  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0efaf070  4a 4a 4a 4a 4a 4a 4a 4a-4a 4a 4a 4a 4a 4a 4a 4a  JJJJJJJJJJJJJJJJ
    0:013> db edi
    0ef89f80  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89f90  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89fa0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89fb0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89fc0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89fd0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89fe0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0ef89ff0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????