|
|
VMware Workstation: vprintproxy.exe arbitrary memory zeroing in TrueType font checksum verification | |||
| Project Member Reported by kost...@google.com, Mar 12 2015 | Back to list | |||
Version: VMware Workstation 11.1 Host Platform: Windows 8.1 amd64 Summary: Printer virtualization under VMware Workstation involves a vprintproxy.exe process launched by vmware-vmx.exe on the Host. It will receive and process EMFSPOOL files sent by a Guest on its COM1 port, if a virtual printer has been added to the VM hardware (default). Several vulnerabilities in this component allow an unprivileged Guest user to execute code on the Host. Description: When extracting a TrueType font from the EMFSPOOL file, TPView.dll will verify the checksum of the font prior to further processing. To do so, it will walk the tables, zero out the padding at the end of a table and checksum the table. In doing so, it will trust the 'offset' field of the table record and add it to a pointer to the font buffer. While there is a check to make sure that we don’t go past the end of the font, nothing prevents us from referencing and zeroing memory prior to the font, as the 32-bit arithmetic will wrap. .text:10009069 8B 75 10 mov esi, [ebp+arg_8] .text:1000906C 33 DB xor ebx, ebx .text:1000906E 33 C9 xor ecx, ecx .text:10009070 33 D2 xor edx, edx .text:10009072 8B 46 08 mov eax, [esi+8] .text:10009075 8A 5E 09 mov bl, [esi+9] .text:10009078 8A 7E 08 mov bh, [esi+8] .text:1000907B 57 push edi .text:1000907C C1 E8 10 shr eax, 10h .text:1000907F 8A CC mov cl, ah .text:10009081 8B 7D 08 mov edi, [ebp+arg_0] .text:10009084 C1 E3 10 shl ebx, 10h .text:10009087 8A E8 mov ch, al .text:10009089 8B 46 0C mov eax, [esi+0Ch] .text:1000908C 0B D9 or ebx, ecx .text:1000908E 33 C9 xor ecx, ecx .text:10009090 8A 4E 0D mov cl, [esi+0Dh] .text:10009093 03 DF add ebx, edi ; base+offset .text:10009095 8A 6E 0C mov ch, [esi+0Ch] .text:10009098 C1 E8 10 shr eax, 10h .text:1000909B 8A D4 mov dl, ah .text:1000909D 8A F0 mov dh, al .text:1000909F 8B 45 0C mov eax, [ebp+arg_4] .text:100090A2 C1 E1 10 shl ecx, 10h .text:100090A5 0B CA or ecx, edx .text:100090A7 03 F8 add edi, eax ; base+totalsize .text:100090A9 03 CB add ecx, ebx ; base+offset+length .text:100090AB 57 push edi .text:100090AC 53 push ebx .text:100090AD 89 4D 10 mov [ebp+arg_8], ecx .text:100090B0 E8 60 FE FF FF call kk_IsArg0LowerThanArg4 ; base+offset<base+totalsize? .text:100090B5 59 pop ecx .text:100090B6 84 C0 test al, al .text:100090B8 59 pop ecx .text:100090B9 74 0F jz short loc_100090CA .text:100090BB 57 push edi .text:100090BC FF 75 10 push [ebp+arg_8] .text:100090BF E8 51 FE FF FF call kk_IsArg0LowerThanArg4 ; base+offset+length<base+totalsize? .text:100090C4 59 pop ecx .text:100090C5 84 C0 test al, al .text:100090C7 59 pop ecx .text:100090C8 75 04 jnz short loc_100090CE .text:100090CA .text:100090CA loc_100090CA: ; CODE XREF: kk_NonHeadChecksum+55j .text:100090CA 32 C0 xor al, al .text:100090CC EB 52 jmp short loc_10009120 .text:100090CE ; --------------------------------------------------------------------------- .text:100090CE .text:100090CE loc_100090CE: ; CODE XREF: kk_NonHeadChecksum+64j .text:100090CE 8B 46 0C mov eax, [esi+0Ch] .text:100090D1 33 C9 xor ecx, ecx .text:100090D3 8A 4E 0D mov cl, [esi+0Dh] .text:100090D6 33 D2 xor edx, edx .text:100090D8 8A 6E 0C mov ch, [esi+0Ch] .text:100090DB C1 E8 10 shr eax, 10h .text:100090DE 8A D4 mov dl, ah .text:100090E0 0F B6 D2 movzx edx, dl .text:100090E3 C1 E1 10 shl ecx, 10h .text:100090E6 0B CA or ecx, edx .text:100090E8 33 D2 xor edx, edx .text:100090EA 8A F0 mov dh, al .text:100090EC 0F B7 C2 movzx eax, dx .text:100090EF 0B C8 or ecx, eax .text:100090F1 51 push ecx ; length .text:100090F2 53 push ebx ; base+offset .text:100090F3 E8 39 FE FF FF call kk_MemsetAndChecksum Both checks can be bypassed with a "negative" offset, allowing to zero a portion of memory located prior to the font. This will be 1 to 3 bytes based on the length of the table entry, corresponding to the padding. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
,
Mar 19 2015
,
Jun 9 2015
,
Jun 9 2015
,
Jun 9 2015
VMware advisory VMSA-2015-0004: https://www.vmware.com/security/advisories/VMSA-2015-0004.html |
||||
| ► Sign in to add a comment | ||||
Sample dump demonstrating the issue: 0:011:x86> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: TPView!JP2_General_CheckICC+34fb7 0aee9747 8807 mov byte ptr [edi],al EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 000000000aee9747 (TPView!JP2_General_CheckICC+0x0000000000034fb7) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000001 Parameter[1]: 000000000da0b7d6 Attempt to write to address 000000000da0b7d6 CONTEXT: 0000000000000000 -- (.cxr 0x0;r) eax=00000000 ebx=00000000 ecx=0da0b7d6 edx=00000002 esi=0da0b048 edi=0da0b7d6 eip=0aee9747 esp=0e0eefb0 ebp=0e0eefe8 iopl=0 nv up ei ng nz ac po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010293 TPView!JP2_General_CheckICC+0x34fb7: 0aee9747 8807 mov byte ptr [edi],al ds:002b:0da0b7d6=?? FAULTING_THREAD: 0000000000001748 PROCESS_NAME: vprintproxy.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 0000000000000001 EXCEPTION_PARAMETER2: 000000000da0b7d6 WRITE_ADDRESS: 000000000da0b7d6 FOLLOWUP_IP: TPView!JP2_General_CheckICC+34fb7 0aee9747 8807 mov byte ptr [edi],al NTGLOBALFLAG: 2000000 APPLICATION_VERIFIER_FLAGS: 0 APP: vprintproxy.exe ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE LAST_CONTROL_TRANSFER: from 000000000ae7904f to 000000000aee9747 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0e0eefe8 0ae7904f 0ea0ae60 000041a0 0da0b7d6 TPView!JP2_General_CheckICC+0x34fb7 0e0ef00c 0ae75f2f 0ea0af6c 00000000 0ea0ae60 TPView+0x904f 0e0ef044 0ae724dd 0ea04e60 000041a0 0e0ef0dc TPView+0x5f2f 0e0ef08c 0ae72610 0ea04e60 000041a0 00000001 TPView+0x24dd 0e0ef110 0ae71842 0ea04e60 00000000 00000001 TPView+0x2610 0e0ef14c 0ae7169e 0ea04e60 000041a0 00000000 TPView+0x1842 0e0ef164 0ae73620 00000002 0ea04e50 000041b0 TPView+0x169e 0e0ef1c0 0ae7b3e6 00000002 0ea04e50 000041b0 TPView+0x3620 0e0ef1d8 0aea02c0 00000002 0ea04e50 000041b0 TPView+0xb3e6 0e0ef250 0ae9e588 ffffffff 00031428 0e0ef270 TPView!TPRenderW+0x2622 0e0ef280 0aea0696 00989680 00000000 0de3cde0 TPView!TPRenderW+0x8ea 0e0ef5e8 0ae93404 0e8e4898 000cc764 0e0ef6a4 TPView!TPRenderW+0x29f8 0e0ef610 0ae92310 000cc76c 0e8e4890 0af56480 TPView+0x23404 0e0ef644 0ae86e76 0e8e4890 000cc76c 00000000 TPView+0x22310 0e0ef6b4 0ae86de8 0000040f 0e0ef6ec 76938e71 TPView+0x16e76 0e0ef6c0 76938e71 002d0260 0000040f 00000000 TPView+0x16de8 0e0ef6ec 769390d1 0ae86d76 002d0260 0000040f USER32!_InternalCallWinProc+0x2b 0e0ef780 7693a66f 0ae86d76 00000000 0000040f USER32!UserCallWinProcCheckWow+0x18e 0e0ef7ec 7693a6e0 f20ed976 0de36eb0 0af13e0f USER32!DispatchMessageWorker+0x208 0e0ef7f8 0af13e0f 0de36eb0 00000000 0de36e80 USER32!DispatchMessageW+0x10 0e0ef808 0af13930 086bf970 0de36e80 0e0ef888 TPView!JP2_General_CheckICC+0x5f67f 0e0ef820 0af13598 0aeeb40f 0de38f80 0de38f80 TPView!JP2_General_CheckICC+0x5f1a0 0e0ef888 0aeeb498 086bf970 0aeeb40f 0aeeb40f TPView!JP2_General_CheckICC+0x5ee08 0e0ef8c0 76437c04 0de38f80 76437be0 fccfb79c TPView!JP2_General_CheckICC+0x36d08 0e0ef8d4 7768b54f 0de38f80 fdee9c21 00000000 KERNEL32!BaseThreadInitThunk+0x24 0e0ef91c 7768b51a ffffffff 7767040d 00000000 ntdll_77630000!__RtlUserThreadStart+0x2f 0e0ef92c 00000000 0aeeb40f 0de38f80 00000000 ntdll_77630000!_RtlUserThreadStart+0x1b STACK_COMMAND: .cxr 0x0 ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: tpview!JP2_General_CheckICC+34fb7 FOLLOWUP_NAME: MachineOwner MODULE_NAME: TPView IMAGE_NAME: TPView.dll DEBUG_FLR_IMAGE_TIMESTAMP: 51dfe66e FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_TPView.dll!JP2_General_CheckICC BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_tpview!JP2_General_CheckICC+34fb7 ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_tpview.dll!jp2_general_checkicc FAILURE_ID_HASH: {6e2cb73e-e8d0-8d06-df6b-b192a93d1329} Followup: MachineOwner ---------