VMware Workstation: vprintproxy.exe multiple vulnerabilities when processing custom EMR 0x8000
Project Member Reported by kost...@google.com, Mar 11 2015
Version: VMware Workstation 11.1
Host Platform: Windows 8.1 amd64

Summary:

Printer virtualization under VMware Workstation involves a vprintproxy.exe process launched by vmware-vmx.exe on the Host. It receives and processes EMFSPOOL files sent by a Guest on its COM1 port, if a virtual printer has been added to the VM hardware (the default). Several vulnerabilities in this component allow an unprivileged Guest user to execute code on the Host.

Description:

The custom EMR 0x8000 appears to hold a structure describing a JPEG2000 compressed image. There are several integer overflows when computing the size of a dynamically allocated chunk of memory, which can result in heap overflow conditions.

.text:100225DC 8B 41 04                mov     eax, [ecx+4]
.text:100225DF 33 FF                   xor     edi, edi
.text:100225E1 89 65 F0                mov     [ebp+var_10], esp
.text:100225E4 89 7D EC                mov     [ebp+var_14], edi
.text:100225E7 8D 04 40                lea     eax, [eax+eax*2]    ; (1)
.text:100225EA 89 7D FC                mov     [ebp+var_4], edi
.text:100225ED 8B D0                   mov     edx, eax
.text:100225EF 83 E2 03                and     edx, 3
.text:100225F2 76 07                   jbe     short loc_100225FB
.text:100225F4 6A 04                   push    4
.text:100225F6 5E                      pop     esi
.text:100225F7 2B F2                   sub     esi, edx
.text:100225F9 03 C6                   add     eax, esi
.text:100225FB
.text:100225FB loc_100225FB:                           ; CODE XREF: kk_JpegDecompress+29j
.text:100225FB 8B 59 08                mov     ebx, [ecx+8]
.text:100225FE 0F AF D8                imul    ebx, eax            ; (2)
.text:10022601 8D 43 28                lea     eax, [ebx+28h]      ; (3)
.text:10022604 39 45 18                cmp     [ebp+arg_10], eax
.text:10022607 0F 82 72 01 00 00       jb      loc_1002277F
.text:1002260D 8B 75 14                mov     esi, [ebp+arg_C]
.text:10022610 6A 28                   push    28h                 ; size_t
.text:10022612 51                      push    ecx                 ; void *
.text:10022613 56                      push    esi                 ; void *
.text:10022614 E8 E7 69 05 00          call    _memcpy

The program performs unsafe 32-bit arithmetic (1)(2)(3), leading to an invalid size check prior to a memcpy() operation and hence to a heap overflow.
The size of that allocated chunk is itself prone to wrapping because of the previous arithmetic operations, as well as the following addition, which may also wrap the 32-bit integer (4):

.text:1002FA3C E8 88 2B FF FF          call    kk_JpegDecompress
.text:1002FA41 83 C4 14                add     esp, 14h
.text:1002FA44 89 85 70 FF FF FF       mov     [ebp+Type], eax
.text:1002FA4A 83 C0 50                add     eax, 50h            ; (4)
.text:1002FA4D 50                      push    eax                 ; size_t
.text:1002FA4E 89 45 B0                mov     [ebp+var_50], eax
.text:1002FA51 E8 7D A4 04 00          call    _malloc

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
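The following C program is an added illustration and is not code from the report or from VMware: it reproduces the unchecked 32-bit size arithmetic of the two listings above, steps (1) through (4), and places an overflow-checked equivalent beside it, in the form a fix for this class of bug would take. The function names are hypothetical, the width and height parameters stand for the fields read at [ecx+4] and [ecx+8], and the checked version relies on the GCC/Clang `__builtin_*_overflow` builtins. The constructed inputs are the dimensions visible in the sample dump further down (0x1555554c by 4) and a sane 640x480 image.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the unchecked 32-bit arithmetic of kk_JpegDecompress (hypothetical
 * reconstruction of the listing, not VMware's source):
 *   (1) stride = width*3, rounded up to a multiple of 4
 *   (2) body   = stride*height
 *   (3) size   = body + 0x28 (the header that is later memcpy'd)
 * width and height stand for the fields at [ecx+4] and [ecx+8]. */
uint32_t wrapped_image_size(uint32_t width, uint32_t height)
{
    uint32_t stride = width * 3u;             /* (1) lea eax, [eax+eax*2] */
    uint32_t rem = stride & 3u;               /* and edx, 3 */
    if (rem != 0)
        stride += 4u - rem;                   /* push 4; pop esi; sub esi, edx; add eax, esi */
    uint32_t body = stride * height;          /* (2) imul ebx, eax */
    return body + 0x28u;                      /* (3) lea eax, [ebx+28h] */
}

/* The caller adds 0x50 before malloc() (4); this addition can wrap as well. */
uint32_t wrapped_alloc_size(uint32_t width, uint32_t height)
{
    return wrapped_image_size(width, height) + 0x50u;   /* (4) add eax, 50h */
}

/* The same computation carried out in 64 bits, to show what the allocation
 * would have needed to be. */
uint64_t true_alloc_size(uint32_t width, uint32_t height)
{
    uint64_t stride = (uint64_t)width * 3u;
    if (stride & 3u)
        stride += 4u - (stride & 3u);
    return stride * height + 0x28u + 0x50u;
}

/* Hardened equivalent: every step is overflow-checked and any wrap rejects
 * the record. Returns 0 on rejection; 0 is never a valid result because the
 * smallest possible size is 0x28 + 0x50. Uses GCC/Clang builtins. */
uint32_t checked_alloc_size(uint32_t width, uint32_t height)
{
    uint32_t stride, body, total;
    if (__builtin_mul_overflow(width, 3u, &stride))
        return 0;
    uint32_t rem = stride & 3u;
    if (rem != 0 && __builtin_add_overflow(stride, 4u - rem, &stride))
        return 0;
    if (__builtin_mul_overflow(stride, height, &body))
        return 0;
    if (__builtin_add_overflow(body, 0x28u, &total))
        return 0;
    if (__builtin_add_overflow(total, 0x50u, &total))
        return 0;
    return total;
}

static void report(const char *label, uint32_t width, uint32_t height)
{
    printf("%-14s width=0x%08x height=%u  wrapped malloc size=%u  true size=%llu  checked=%u\n",
           label, width, height,
           wrapped_alloc_size(width, height),
           (unsigned long long)true_alloc_size(width, height),
           checked_alloc_size(width, height));
}

int main(void)
{
    /* Constructed inputs: the dimensions from the report's sample dump, a
     * width whose *3 wraps at step (1), and an ordinary image. */
    report("crash sample:", 0x1555554cu, 4u);   /* wraps at (4): malloc(8) */
    report("wrap at (1):",  0x55555556u, 3u);   /* wraps at (1): malloc(0x84) */
    report("sane image:",   640u, 480u);
    return 0;
}
```

Compile with `cc -std=c11 -Wall example.c` and run it. The first line shows the report's own case: the 32-bit computation yields a malloc() size of 8 while the true requirement is 0x100000008 bytes, which is why a 0x28-byte memcpy() into that chunk already writes past its end; the checked variant rejects the same record at step (4). The second constructed input wraps earlier, at step (1), and again produces a small size that the checked version refuses.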
Jun 2 2015

Jun 9 2015

VMware advisory VMSA-2015-0004: https://www.vmware.com/security/advisories/VMSA-2015-0004.html
Sample dump, allocating 0x1555554c*3*4+0x28+0x50=8 bytes and copying 0x28 in it:

0:013:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
TPView!JP2_General_CheckICC+348a3
0ad09033 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000ad09033 (TPView!JP2_General_CheckICC+0x00000000000348a3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000000eaf5000
Attempt to write to address 000000000eaf5000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=0eaf2ef0 ebx=0eaf2ea0 ecx=00000010 edx=00000000 esi=0eaf2eb0 edi=0eaf5000
eip=0ad09033 esp=0e1af1ec ebp=0e1af1f4 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
TPView!JP2_General_CheckICC+0x348a3:
0ad09033 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

FAULTING_THREAD:  0000000000000920

PROCESS_NAME:  vprintproxy.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000000000eaf5000

WRITE_ADDRESS:  000000000eaf5000

FOLLOWUP_IP:
TPView!JP2_General_CheckICC+348a3
0ad09033 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

NTGLOBALFLAG:  2000000

APPLICATION_VERIFIER_FLAGS:  0

APP:  vprintproxy.exe

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 000000000acbfaf0 to 000000000ad09033

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0e1af1f4 0acbfaf0 0eaf4ff0 0eaf2ea0 00000050 TPView!JP2_General_CheckICC+0x348a3
0e1af640 0acbeb53 00000160 00000001 0df7eea0 TPView!TPRenderW+0x1e52
0e1af670 0aca7dad 00000001 0df7efb0 7693f1c0 TPView!TPRenderW+0xeb5
00000000 00000000 00000000 00000000 00000000 TPView+0x17dad

STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  tpview!JP2_General_CheckICC+348a3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: TPView

IMAGE_NAME:  TPView.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  51dfe66e

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_TPView.dll!JP2_General_CheckICC

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_tpview!JP2_General_CheckICC+348a3

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_tpview.dll!jp2_general_checkicc

FAILURE_ID_HASH:  {6e2cb73e-e8d0-8d06-df6b-b192a93d1329}

Followup: MachineOwner
---------

0:013:x86> db esi
0eaf2eb0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0eaf2ec0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0eaf2ed0  50 00 00 00 42 42 42 42-42 42 42 42 42 42 42 42  P...BBBBBBBBBBBB
0eaf2ee0  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
0eaf2ef0  43 43 43 43 4c 55 55 15-04 00 00 00 44 44 44 44  CCCCLUU.....DDDD
0eaf2f00  45 45 45 45 45 45 45 45-45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0eaf2f10  45 45 45 45 45 45 45 45-45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0eaf2f20  45 45 45 45 45 45 45 45-45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0:013:x86> db edi
0eaf5000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eaf5070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????