VMware Workstation: vprintproxy.exe integer underflows when processing custom EMR

Project Member Reported by kost...@google.com, Mar 17 2015
The function CTPViewDoc::WriteEMF in TPView.dll pre-processes an EMF and rewrites it, replacing a couple of custom EMR record types. For an EMR of type 0x8000 or 0x8002, the program allocates memory based on the size field (nSize) of the record, copies the 8-byte record header into that buffer, subtracts 8 from the size and reads that many bytes from the file into the rest of the buffer. For an EMR record size strictly lower than 8, this integer underflow results in a heap overflow.

.text:1002F3D7 loc_1002F3D7:                           ; CODE XREF: CTPViewDoc::WriteEMF+720j
.text:1002F3D7 8B 4D AC                    mov     ecx, [ebp+var_54]
.text:1002F3DA 8D 45 B4                    lea     eax, [ebp+var_4C]
.text:1002F3DD 6A 08                       push    8               ; int
.text:1002F3DF 50                          push    eax             ; LONG
.text:1002F3E0 E8 4F 24 00 00              call    kk_ReadFile_0
.text:1002F3E5 83 F8 08                    cmp     eax, 8
.text:1002F3E8 89 45 08                    mov     [ebp+arg_0], eax
.text:1002F3EB 0F 84 89 00 00 00           jz      loc_1002F47A
...
.text:1002F47A loc_1002F47A:                           ; CODE XREF: CTPViewDoc::WriteEMF+740j
.text:1002F47A 33 DB                       xor     ebx, ebx
.text:1002F47C 81 7D B4 02 80 00+          cmp     [ebp+var_4C.iType], 8002h
.text:1002F483 0F 85 ED 04 00 00           jnz     loc_1002F976
.text:1002F489 FF 75 B8                    push    [ebp+var_4C.nSize] ; size_t
.text:1002F48C E8 42 AA 04 00              call    _malloc
.text:1002F491 8B D8                       mov     ebx, eax
.text:1002F493 33 F6                       xor     esi, esi
.text:1002F495 3B DE                       cmp     ebx, esi
.text:1002F497 59                          pop     ecx
.text:1002F498 75 79                       jnz     short loc_1002F513
...
.text:1002F513 loc_1002F513:                           ; CODE XREF: CTPViewDoc::WriteEMF+7EDj
.text:1002F513 8D 45 B4                    lea     eax, [ebp+var_4C]
.text:1002F516 6A 08                       push    8               ; size_t
.text:1002F518 50                          push    eax             ; void *
.text:1002F519 53                          push    ebx             ; void *
.text:1002F51A E8 E1 9A 04 00              call    _memcpy
.text:1002F51F 8B 4D B8                    mov     ecx, [ebp+var_4C.nSize]
.text:1002F522 83 C4 0C                    add     esp, 0Ch
.text:1002F525 83 C1 F8                    add     ecx, -8         ; (1)
.text:1002F528 8D 43 08                    lea     eax, [ebx+8]
.text:1002F52B 51                          push    ecx             ; int
.text:1002F52C 8B 4D AC                    mov     ecx, [ebp+var_54]
.text:1002F52F 50                          push    eax             ; LONG
.text:1002F530 E8 FF 22 00 00              call    kk_ReadFile_0

This snippet of code doesn't ensure that the size of the record is at least 8. The integer underflow at (1) will make the program read a large number of bytes into a small buffer, resulting in a heap overflow. A similarly vulnerable portion of code handles custom EMR 0x8000.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
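The following C sketch is an added example, not code from the report or from TPView.dll. It models the length handling described above: the unchecked `nSize - 8` computation that wraps for small records, beside a checked variant that rejects any record whose size cannot hold its own 8-byte header or exceeds the remaining input. The record layout (4-byte iType followed by 4-byte nSize), the function names and the sample buffers are assumptions constructed for illustration, and the host is assumed little-endian.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed EMR header layout: 4-byte record type, then the 4-byte total
 * record size (header included). */
typedef struct {
    uint32_t iType;
    uint32_t nSize;
} emr_header_t;

#define EMR_HEADER_LEN 8u

/* Body length as the unchecked code computes it: nSize - 8 in 32-bit
 * unsigned arithmetic. For nSize < 8 this wraps to a value near 4 GiB. */
uint32_t unchecked_body_len(uint32_t nSize)
{
    return nSize - EMR_HEADER_LEN;      /* wraps when nSize < 8 */
}

/* Checked variant: returns 0 and stores the body length, or -1 when the
 * record cannot hold its header or claims more than the input holds. */
int checked_body_len(uint32_t nSize, size_t remaining, uint32_t *body_len)
{
    if (nSize < EMR_HEADER_LEN)         /* subtraction would underflow */
        return -1;
    if (nSize > remaining)              /* record runs past end of input */
        return -1;
    *body_len = nSize - EMR_HEADER_LEN;
    return 0;
}

/* Walks a buffer of records and copies each custom (0x8000 / 0x8002)
 * record into a freshly allocated buffer of nSize bytes, the way the
 * pre-processor does, but only after validating nSize. Returns the number
 * of custom records accepted, or -1 on the first malformed record. */
int process_custom_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int accepted = 0;

    while (len - off >= EMR_HEADER_LEN) {
        emr_header_t hdr;
        memcpy(&hdr, buf + off, EMR_HEADER_LEN);  /* little-endian host assumed */

        uint32_t body;
        if (checked_body_len(hdr.nSize, len - off, &body) != 0)
            return -1;

        if (hdr.iType == 0x8000 || hdr.iType == 0x8002) {
            uint8_t *rec = malloc(hdr.nSize);
            if (rec == NULL)
                return -1;
            memcpy(rec, &hdr, EMR_HEADER_LEN);                 /* header */
            memcpy(rec + EMR_HEADER_LEN, buf + off + EMR_HEADER_LEN, body);
            /* rewriting of the custom record would happen here */
            free(rec);
            accepted++;
        }
        off += hdr.nSize;               /* nSize >= 8, so this always advances */
    }
    return off == len ? accepted : -1;  /* trailing partial header is an error */
}

/* Constructed sample input (not from the report): one custom 0x8002 record
 * with an 8-byte body, followed by a plain 8-byte record of type 1. */
static const uint8_t good_emf[] = {
    0x02, 0x80, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    0x01, 0x00, 0x00, 0x00,  0x08, 0x00, 0x00, 0x00,
};

/* Constructed: a custom 0x8000 record whose nSize (4) is smaller than
 * its own header, the case that triggers the underflow. */
static const uint8_t bad_emf[] = {
    0x00, 0x80, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,
    'A', 'A', 'A', 'A',
};

int main(void)
{
    printf("unchecked nSize=4 -> body 0x%08x\n", unchecked_body_len(4));
    printf("good buffer: %d custom record(s)\n",
           process_custom_records(good_emf, sizeof good_emf));
    printf("bad buffer:  %d\n", process_custom_records(bad_emf, sizeof bad_emf));
    return 0;
}
```

The check that matters is the first one in `checked_body_len`: a record size below the header length must be rejected before the subtraction, since the result of `nSize - 8` is what sizes the subsequent read.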
Jun 9 2015
VMware advisory VMSA-2015-0004: https://www.vmware.com/security/advisories/VMSA-2015-0004.html
Sample dump demonstrating the heap overflow for EMR 0x8000:

0:013> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
tpview!TPRenderW+13437
0abb10d5 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0abb10d5 (tpview!TPRenderW+0x00013437)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 0eb33000
Attempt to write to address 0eb33000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=c61a11bb ebx=0eb1afc0 ecx=00000007 edx=00000024 esi=0eb21094 edi=0eb33000
eip=0abb10d5 esp=0e1ee218 ebp=00000024 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
tpview!TPRenderW+0x13437:
0abb10d5 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

FAULTING_THREAD:  00001474

PROCESS_NAME:  vprintproxy.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  0eb33000

WRITE_ADDRESS:  0eb33000

FOLLOWUP_IP:
tpview!TPRenderW+13437
0abb10d5 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

NTGLOBALFLAG:  2000000

APPLICATION_VERIFIER_FLAGS:  0

APP:  vprintproxy.exe

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_NXCODE

PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE_FILL_PATTERN_NXCODE

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_NXCODE

LAST_CONTROL_TRANSFER:  from 0abb07d9 to 0abb10d5

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0e1ee228 0abb07d9 0eb2108c 0dfc0f10 00000000 tpview!TPRenderW+0x13437
0e1ee258 0abaddea 000000c6 00000000 fffffffb tpview!TPRenderW+0x12b3b
0e1ef330 0ab9eb53 00000008 00000001 0dfbeea0 tpview!TPRenderW+0x1014c
0e1ef34c 0ab9ea90 0e1ef738 0ac2cfbc 00000000 tpview!TPRenderW+0xeb5
0e1ef744 0ab92310 000000e8 0dfe2f10 0ac56480 tpview!TPRenderW+0xdf2
0e1ef778 0ab86e76 0dfe2f10 000000e8 00000000 tpview+0x22310
0e1ef7e8 0ab86de8 0000040f 0e1ef820 76938e71 tpview+0x16e76
0e1ef8b4 7693a66f 0ab86d76 00000000 0000040f tpview+0x16de8
0e1ef910 7696f160 0d4c3712 fffffffe 0e1ef92c USER32!DispatchMessageWorker+0x208
0e1ef914 0d4c3712 fffffffe 0e1ef92c 7693a6e0 USER32!_except_handler4
0e1ef9bc 0abeb498 0837f840 0abeb40f 0abeb40f 0xd4c3712
0e1ef9f4 76437c04 0dfb8f80 76437be0 750ed336 tpview!JP2_General_CheckICC+0x36d08
0e1efa40 776c7fff 0d599d38 00000000 0e1efa60 KERNEL32!BaseThreadInitThunk+0x24
0e1efa58 776703ec 00000000 00000000 0abeb40f ntdll!wcstombs+0x8f
0e1efa5c 00000000 00000000 0abeb40f 0dfb8f80 ntdll!FinalExceptionHandlerPad29

STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  tpview!TPRenderW+13437

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tpview

IMAGE_NAME:  tpview.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  51dfe66e

FAILURE_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_NXCODE_c0000005_tpview.dll!TPRenderW

BUCKET_ID:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_NXCODE_tpview!TPRenderW+13437

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:string_dereference_fill_pattern_nxcode_c0000005_tpview.dll!tprenderw

FAILURE_ID_HASH:  {9f9aaae9-80f5-3d28-c0dd-b5ad24d32073}

Followup: MachineOwner
---------

0:013> db @esi
0eb21094  41 41 41 41 41 41 41 41-0e 00 00 00 14 00 00 00  AAAAAAAA........
0eb210a4  00 00 00 00 10 00 00 00-14 00 00 00 00 00 00 00  ................
0eb210b4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0eb210c4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0eb210d4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0eb210e4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0eb210f4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0eb21104  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

0:013> db @edi
0eb33000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0eb33070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????