Headline
CVE-2022-32441: Night fuzzing session - IdaPro 6.6 - part 2
A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file. Related to Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056.
Last time during one of the “Night Fuzzing Sessions” I found few bugs in IdaPro 6.6. I decided to continue this adventure but with a 'new approach’. So I changed my input files. ;) Below you will find the details about it. Here we go…
This time we’ll start here:
Just like during the previous part - I used similar environment (and settings for the FOE2 fuzzer) as I did before. Only thing I changed here was:
- run Kali VM and
- prepare ‘payload/input file’ using msfvenom.
If you’re not familiar with msfvenom I will always recommend you to read the fantastic manual:
My goal was to prepare a “reverse shell” for various “platforms” (linux/bsd/macos and so on…) and run it in the same way I did before with IdaPro:
TL;DR:
After a while we should be somewhere here:
For example:
Case #01:
—<cut>—
(…)
Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: “C:\Program Files\IDA 6.6\idaq.exe” -B -A -a- -c C:\FOE2\fuzzdir\campaign_ijatnp\iteration_m_yrvq\foe-crash-l0mnvu\sf_0d75862d5d90166274cc61a363c74828-576.exe
(…)
Executable search path is:
ModLoad: 00090000 003a3000 idaq.exe
(…)
(12a0.1334): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!memcpy+0x56:
77559966 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:0023:02533000=???
0:000> r;r;!exploitable -v;kb;r;q
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!memcpy+0x56:
77559966 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:0023:02533000=???
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!memcpy+0x56:
77559966 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:0023:02533000=???
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2533000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:77559966 mov eax,dword ptr [esi+ecx*4-4]
Basic Block:
77559966 mov eax,dword ptr [esi+ecx*4-4]
Tainted Input operands: ‘ecx’,’esi’
7755996a mov dword ptr [edi+ecx*4-4],eax
Tainted Input operands: ‘eax’,’ecx’
7755996e lea eax,[ecx*4]
Tainted Input operands: ‘ecx’
77559975 add esi,eax
Tainted Input operands: ‘eax’,’esi’
77559977 add edi,eax
Tainted Input operands: ‘eax’
77559979 jmp dword ptr msvcrt!memcpy+0xa8 (775599b8)[edx*4]
Exception Hash (Major/Minor): 0x17cc121f.0x62867b4b
Hash Usage : Stack Trace:
Major+Minor : msvcrt!memcpy+0x56
Major+Minor : dbghelp!StackWalk64+0x1bba
Major+Minor : dbghelp!SymGetModuleInfoW64+0x549
Major+Minor : dbghelp!FindExecutableImage+0x80e
Major+Minor : dbghelp!StackWalk64+0x2a85
Minor : dbghelp!StackWalk64+0x2cff
Minor : dbghelp!SymLoadModuleEx+0x44
Minor : dbghelp!SymLoadModule64+0x23
Minor : pdb+0x1a8d7
Minor : IDA!run_plugin+0x3a
Minor : dbg+0x8277
Minor : dbg+0x9f2f
Minor : SYSFER+0x45b1b
Minor : SYSFER+0x45b1b
Minor : SYSFER+0x45a1c
Minor : idaq+0x70000
Minor : idaq+0x70000
Minor : idaq+0x70000
Minor : dbg+0xa175
Instruction Address: 0x0000000077559966
Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056 (Hash=0x17cc121f.0x62867b4b)
The data from the faulting address is later used as the target for a later write.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
005bbdfc 66345b61 005bc114 02532fe8 0000001c msvcrt!memcpy+0x56
005bbe10 66341059 07de0ba8 00000000 02520000 dbghelp!StackWalk64+0x1bba
005bc1bc 66368036 07de0ba8 00000002 00000000 dbghelp!SymGetModuleInfoW64+0x549
005bc1d4 66346a2c 07de0ba8 3be9e1ee 00000000 dbghelp!FindExecutableImage+0x80e
005bc664 66346ca6 beeffeed 07ddb518 00400000 dbghelp!StackWalk64+0x2a85
005bcac8 66363a0e beeffeed 07ddb430 00000000 dbghelp!StackWalk64+0x2cff
005bcb28 66363aa4 beeffeed 00000000 07ddb430 dbghelp!SymLoadModuleEx+0x44
005bcb54 70cea8d7 beeffeed 00000000 02f74320 dbghelp!SymLoadModule64+0x23
005bcc28 66ad515a 00000001 00000010 03108d70 pdb+0x1a8d7
005bceb0 726a8277 03108d70 0000004a 00000001 IDA!run_plugin+0x3a
005bcee0 726a9f2f 66bff840 00000000 3bf980a6 dbg+0x8277
005bcf04 753d5b1b 00000006 753d5b1b 0000077f dbg+0x9f2f
005bcf0c 753d5b1b 0000077f 031596a0 3fe84430 SYSFER+0x45b1b
005bcf44 753d5a1c 00000006 3fe844c4 0000000f SYSFER+0x45b1b
005bcfc0 00100000 00001000 00000000 00000010 SYSFER+0x45a1c
005bd0b0 00100000 00001000 00100000 00001000 idaq+0x70000
005bd0b8 00100000 00001000 00000000 00000010 idaq+0x70000
005bd174 726aa175 66bff840 000000e8 031597c0 idaq+0x70000
00000000 00000000 00000000 00000000 00000000 dbg+0xa175
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!memcpy+0x56:
77559966 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:0023:02533000=???
—<cut>—
Next case below.
Case #02:
—<cut>—
(…)
Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: “C:\Program Files\IDA 6.6\idaq.exe” -B -A -a- -c C:\FOE2\fuzzdir\campaign_ijatnp\iteration_uw_mli\foe-crash-reinn3\sf_0d75862d5d90166274cc61a363c74828-492.exe
(…)
Executable search path is:
ModLoad: 013c0000 016d3000 idaq.exe
(…)
(15a8.12b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!malloc+0xcf:
77559dbd 8b448ee4 mov eax,dword ptr [esi+ecx*4-1Ch] ds:0023:06bac1e0=???
0:000> r;r;!exploitable -v;kb;r;q
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!malloc+0xcf:
77559dbd 8b448ee4 mov eax,dword ptr [esi+ecx*4-1Ch] ds:0023:06bac1e0=???
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!malloc+0xcf:
77559dbd 8b448ee4 mov eax,dword ptr [esi+ecx*4-1Ch] ds:0023:06bac1e0=???
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x6bac1e0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:77559dbd mov eax,dword ptr [esi+ecx*4-1ch]
Basic Block:
77559dbd mov eax,dword ptr [esi+ecx*4-1ch]
Tainted Input operands: ‘ecx’,’esi’
77559dc1 mov dword ptr [edi+ecx*4-1ch],eax
Tainted Input operands: ‘eax’,’ecx’
77559dc5 jmp msvcrt!memset+0x8a (7755981a)
Exception Hash (Major/Minor): 0xa95bda97.0x1ca78871
Hash Usage : Stack Trace:
Excluded : msvcrt!malloc+0xcf
Major+Minor : dbghelp!StackWalk64+0x1bba
Major+Minor : dbghelp!SymGetModuleInfoW64+0x549
Major+Minor : dbghelp!FindExecutableImage+0x80e
Major+Minor : dbghelp!StackWalk64+0x2a85
Major+Minor : dbghelp!StackWalk64+0x2cff
Minor : dbghelp!SymLoadModuleEx+0x44
Minor : dbghelp!SymLoadModule64+0x23
Minor : pdb+0x1a8d7
Minor : IDA!run_plugin+0x3a
Minor : dbg+0x8277
Minor : dbg+0x9f2f
Minor : SYSFER+0x45b1b
Minor : SYSFER+0x45b1b
Minor : SYSFER+0x45a1c
Instruction Address: 0x0000000077559dbd
Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at msvcrt!malloc+0x00000000000000cf called from dbghelp!StackWalk64+0x0000000000001bba (Hash=0xa95bda97.0x1ca78871)
The data from the faulting address is later used as the target for a later write.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0025bb3c 679a5b61 0025be54 06bac1e0 0000001c msvcrt!malloc+0xcf
0025bb50 679a1059 08250ba8 00000000 06790000 dbghelp!StackWalk64+0x1bba
0025befc 679c8036 08250ba8 00000002 00000000 dbghelp!SymGetModuleInfoW64+0x549
0025bf14 679a6a2c 08250ba8 4794d435 00000000 dbghelp!FindExecutableImage+0x80e
0025c3a4 679a6ca6 beeffeed 0824b518 00400000 dbghelp!StackWalk64+0x2a85
0025c808 679c3a0e beeffeed 0824b430 00000000 dbghelp!StackWalk64+0x2cff
0025c868 679c3aa4 beeffeed 00000000 0824b430 dbghelp!SymLoadModuleEx+0x44
0025c894 6a26a8d7 beeffeed 00000000 033aa130 dbghelp!SymLoadModule64+0x23
0025c968 6677515a 00000001 00000010 03359768 pdb+0x1a8d7
0025cbf0 70ce8277 03359768 0000004a 00000001 IDA!run_plugin+0x3a
0025cc20 70ce9f2f 6689f840 00000000 4795787b dbg+0x8277
0025cc44 753d5b1b 00000006 753d5b1b fffffffe dbg+0x9f2f
0025cc4c 753d5b1b fffffffe 0333aa21 47653451 SYSFER+0x45b1b
0025cc84 753d5a1c 00000006 47653425 0000000f SYSFER+0x45b1b
0025ccfc 00000000 00100000 00001000 00000000 SYSFER+0x45a1c
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
msvcrt!malloc+0xcf:
77559dbd 8b448ee4 mov eax,dword ptr [esi+ecx*4-1Ch] ds:0023:06bac1e0=???
—<cut>—
Another variant below.
Case #03:
—<cut>—
(…)
Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: “C:\Program Files\IDA 6.6\idaq.exe” -B -A -a- -c C:\FOE2\fuzzdir\campaign_egm_o8\iteration_j1fril\foe-crash-oxqtdm\sf_76ffd62a1f8250f56b56d8aa211b31a9-252
(…)
Executable search path is:
ModLoad: 000f0000 00403000 idaq.exe
(…)
ModLoad: 69020000 6904c000 C:\Program Files\IDA 6.6\loaders\macho.ldw
(1594.1f2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MSVCR100!memcpy+0x57:
68ee1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> r;r;!exploitable -v;kb;r;q
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MSVCR100!memcpy+0x57:
68ee1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MSVCR100!memcpy+0x57:
68ee1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff9b8bb84
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:68ee1ed7 rep movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0x37d7dcd9.0xba787c31
Hash Usage : Stack Trace:
Major+Minor : MSVCR100!memcpy+0x57
Major+Minor : macho+0xd468
Major+Minor : macho+0x106e9
Instruction Address: 0x0000000068ee1ed7
Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR100!memcpy+0x0000000000000057 (Hash=0x37d7dcd9.0xba787c31)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0050d23c 6902d468 086a0020 f9b8bb84 0a00001c MSVCR100!memcpy+0x57
0050d26c 690306e9 f9b8bb84 0a00001c 6dc29131 macho+0xd468
00000000 00000000 00000000 00000000 00000000 macho+0x106e9
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MSVCR100!memcpy+0x57:
68ee1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
—<cut>—
I think it should be enough to start your own ‘Night Fuzzing Session’ ;)
“Probably” nihil novi here… ;>
… “but” maybe you’ll find it useful. ;)
If you’ll have any questions or comments - feel free to ping me.
Have a nice weekend!
Cheers