CVE-2018-11516: Make free the VLC
The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.
A few weeks ago (after some small talk about the VLC bugs I found in the past) I was asked to ‘check’ the “new version” of VLC (3.0.1). As far as I know there is already version 3.0.2, so I think it’s a good time to drop a few notes about the results of one month of fuzzing. Here we go…
TL;DR: a few crashes for WinXP SP3; a few crashes for Windows 7 Ultimate
After a month of ‘fuzzing VLC’ (on the 2 mentioned systems) I found about 120 crashes. I assume that there are something like ~15 different bugs/crashes. I decided to publish only a few for now, but feel free to let me know if you would like to check them all ;)
Let’s start with the bugs found on Windows XP (SP3).
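Added here as a worked example (not code from the original post): a small Python triage script that reads the Exception Hash, classification and faulting-address lines from `!exploitable -v` output like the dumps below and buckets crash files by Major hash, which is how a pile of ~120 fuzzer crashes gets collapsed into a short list of distinct bugs with a worst-case rating per bucket. The cut-down sample reports are constructed from the three WinXP cases on this page; the 64 KiB near-NULL cutoff and the extra `dup.swf` and `truncated.log` entries are assumptions.

```python
"""Bucket WinDbg '!exploitable -v' reports into distinct crash signatures."""
import re
from collections import defaultdict

# Ranking used to pick the most severe rating seen inside one bucket.
SEVERITY = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2,
            "UNKNOWN": 1, "PROBABLY_NOT_EXPLOITABLE": 0}

# Matchers for the !exploitable lines, in the format seen on this page.
_FIELDS = {
    "fault_addr": re.compile(r"^Exception Faulting Address:\s*(0x[0-9a-fA-F]+)", re.M),
    "hashes": re.compile(r"^Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.(0x[0-9a-f]+)", re.M),
    "classification": re.compile(r"^Exploitability Classification:\s*(\S+)", re.M),
    "short_desc": re.compile(r"^Short Description:\s*(\S+)", re.M),
    "top_frame": re.compile(r"^Major\+Minor\s*:\s*(\S+)", re.M),  # first hit = top of stack
}


def parse_exploitable(text):
    """Extract triage fields from one report; None if it has no Major/Minor hash
    (e.g. a truncated log), so the caller can send it to manual review."""
    m = _FIELDS["hashes"].search(text)
    if not m:
        return None
    rec = {"major": m.group(1), "minor": m.group(2)}
    for key in ("fault_addr", "classification", "short_desc", "top_frame"):
        hit = _FIELDS[key].search(text)
        rec[key] = hit.group(1) if hit else None
    addr = int(rec["fault_addr"], 16) if rec["fault_addr"] else None
    rec["fault_addr"] = addr
    # A NULL-page read (Case #01's 0x14) is a different bug class from a wild
    # heap pointer (Case #03's 0x803a3a3a); 64 KiB is an assumed cutoff here.
    rec["near_null"] = addr is not None and addr < 0x10000
    return rec


def bucket_crashes(reports):
    """Group {crash_file: report_text} by Major hash. A bucket keeps the files
    that hit it, the distinct Minor hashes (deeper stacks reaching the same top
    frames) and the most severe rating seen. Returns (buckets, unparsed)."""
    buckets = defaultdict(lambda: {"files": [], "minors": set(), "worst": None,
                                   "top_frame": None, "short_desc": None})
    unparsed = []
    for name, text in sorted(reports.items()):
        rec = parse_exploitable(text)
        if rec is None:
            unparsed.append(name)
            continue
        b = buckets[rec["major"]]
        b["files"].append(name)
        b["minors"].add(rec["minor"])
        b["top_frame"] = b["top_frame"] or rec["top_frame"]
        b["short_desc"] = b["short_desc"] or rec["short_desc"]
        cls = rec["classification"] or "UNKNOWN"
        if b["worst"] is None or SEVERITY.get(cls, 1) > SEVERITY.get(b["worst"], 1):
            b["worst"] = cls
    return dict(buckets), unparsed


def summarize(buckets):
    """Flatten buckets into rows: most severe first, then most often hit."""
    rows = [{"major": major, "hits": len(b["files"]), "variants": len(b["minors"]),
             "worst": b["worst"], "short_desc": b["short_desc"],
             "top_frame": b["top_frame"]} for major, b in buckets.items()]
    rows.sort(key=lambda r: (-SEVERITY.get(r["worst"], 1), -r["hits"], r["major"]))
    return rows


def _report(addr, major, minor, frame, desc, cls):
    """Build a cut-down report containing only the lines the parser reads."""
    return (f"Exception Faulting Address: {addr}\n"
            f"Exception Hash (Major/Minor): {major}.{minor}\n"
            f"Major+Minor : {frame}\nExcluded : msvcrt!free+0x1ae\n"
            f"Short Description: {desc}\nExploitability Classification: {cls}\n")


# Constructed sample input: the three WinXP cases from this post, plus a
# made-up "dup.swf" sharing Case #01's Major hash with a different Minor hash,
# and a truncated log that never reached the !exploitable output.
_DELETE = "libvlccore!vlc_demux_chained_Delete+0xc82e"
_TAINT = "TaintedDataControlsBranchSelection"
SAMPLE_REPORTS = {
    "case01.swf": _report("0x14", "0x9aa41bff", "0x1c73a6e2", _DELETE,
                          "ReadAVNearNull", "PROBABLY_NOT_EXPLOITABLE"),
    "case02.swf": _report("0x50004", "0xf46ab413", "0xb209b086", _DELETE, _TAINT, "UNKNOWN"),
    "case03.swf": _report("0xffffffff803a3a3a", "0x15a111e7", "0xb7a9fae5",
                          "ntdll!RtlInitializeCriticalSection+0x32b", _TAINT, "UNKNOWN"),
    "dup.swf": _report("0x14", "0x9aa41bff", "0xdeadbeef", _DELETE, _TAINT, "UNKNOWN"),
    "truncated.log": "First chance exceptions are reported before any exception handling.\n",
}

if __name__ == "__main__":
    found, skipped = bucket_crashes(SAMPLE_REPORTS)
    for row in summarize(found):
        print(f"{row['major']} hits={row['hits']} variants={row['variants']} "
              f"{row['worst']:<24} {row['short_desc']} {row['top_frame']}")
    print("needs manual review:", skipped)
```

Bucketing by Major hash alone is a first pass: two buckets can still be one bug reached from different top frames, so the rows are a worklist for manual confirmation, not a final bug count.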
Case #01:
Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_c2dd5b1bea365246777a8b5003c16b61-374723.swf
(…)
main libvlc debug: VLC media player - 3.0.1 Vetinari
main libvlc debug: Copyright © 1996-2018 the VideoLAN team
main libvlc debug: revision 3.0.1-0-gec0f700fcc
(…)
main input debug: selecting program id=0
avcodec demux debug: adding es: audio codec = SWFa (69645)
avcodec demux debug: adding es: video codec = FLV1 (21)
avcodec demux debug: AVFormat(ffmpeg Lavf58.3.100) supported stream
avcodec demux debug: - format = swf (SWF (ShockWave Flash))
avcodec demux debug: - start time = 0
avcodec demux debug: - duration = 54034376
main demux debug: using demux module "avcodec"
(…)
(87c.e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=b4810ad8 ebx=02342f20 ecx=00002710 edx=00000145 esi=023c77d0 edi=0234175c
eip=6a79173e esp=05b3fbf8 ebp=00000014 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp] ss:0023:00000014=???
0:012> g;r;u eip;!exploitable -v;u eip-2;u eip-1;u eip;r;dv /V;!heap -s;!analyze -v;q
(87c.e4): Access violation - code c0000005 (!!! second chance !!!)
eax=b4810ad8 ebx=02342f20 ecx=00002710 edx=00000145 esi=023c77d0 edi=0234175c
eip=6a79173e esp=05b3fbf8 ebp=00000014 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp] ss:0023:00000014=???
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp]
6a791741 85c0 test eax,eax
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
6a791757 89c5 mov ebp,eax
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x14
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:6a79173e mov eax,dword ptr [ebp]
Basic Block:
6a79173e mov eax,dword ptr [ebp]
Tainted Input operands: 'ebp'
6a791741 test eax,eax
Tainted Input operands: 'eax'
6a791743 je libvlccore!vlc_demux_chained_delete+0xc96c (6a79187c)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x9aa41bff.0x1c73a6e2
Hash Usage : Stack Trace:
Major+Minor : libvlccore!vlc_demux_chained_Delete+0xc82e
Excluded : ntdll!RtlAllocateHeap+0x117
Excluded : msvcrt!free+0x1ae
Excluded : msvcrt!free+0xc8
Major+Minor : libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x81dd94
Major+Minor : libvlccore!vlc_demux_chained_Delete+0x4b2c
Instruction Address: 0x000000006a79173e
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at libvlccore!vlc_demux_chained_Delete+0x000000000000c82e (Hash=0x9aa41bff.0x1c73a6e2)
This is a user mode read access violation near null, and is probably not exploitable.
(…)
libvlccore!vlc_demux_chained_Delete+0xc82c:
6a79173c 0000 add byte ptr [eax],al
6a79173e 8b4500 mov eax,dword ptr [ebp]
6a791741 85c0 test eax,eax
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
libvlccore!vlc_demux_chained_Delete+0xc82d:
6a79173d 008b450085c0 add byte ptr [ebx-3F7AFFBBh],cl
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
6a791757 89c5 mov ebp,eax
6a791759 893c24 mov dword ptr [esp],edi
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp]
6a791741 85c0 test eax,eax
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
6a791757 89c5 mov ebp,eax
eax=b4810ad8 ebx=02342f20 ecx=00002710 edx=00000145 esi=023c77d0 edi=0234175c
eip=6a79173e esp=05b3fbf8 ebp=00000014 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp] ss:0023:00000014=???
This is a user mode read access violation near null, and is probably not exploitable.
(…)
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(…)
FAULTING_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a79173e 8b4500 mov eax,dword ptr [ebp]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6a79173e (libvlccore!vlc_demux_chained_Delete+0x0000c82e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014
FAULTING_THREAD: 000000e4
PROCESS_NAME: .exe
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000014
READ_ADDRESS: 00000014
FOLLOWUP_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a79173e 8b4500 mov eax,dword ptr [ebp]
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 7c9101db to 6a79173e
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
05b3fc00 7c9101db 77c2c3c9 00560000 00000003 libvlccore!vlc_demux_chained_Delete+0xc82e
05b3fc04 77c2c3c9 00560000 00000003 00000000 ntdll!RtlAllocateHeap+0x117
05b3fc20 77c2c2e3 054ae6f8 00000014 02351608 msvcrt!free+0x1ae
05b3fc80 02b1fe22 02351608 00000014 023c77d0 msvcrt!free+0xc8
05b3fca0 04ce2e84 05b3fce4 0232da80 0000000c libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
05b3fd00 6a789a3c 02329234 05b3fca8 ffffffff libqt_plugin!vlc_entry_license__3_0_0f+0x81dd94
00000000 00000000 00000000 00000000 00000000 libvlccore!vlc_demux_chained_Delete+0x4b2c
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ~12s ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/_exe/3_0_1_0/__dee6e6/libvlccore_dll/3_0_1_0/3a653a5d/c0000005/0005173e.htm?Retriage=1
Followup: MachineOwner
---------
Case #02:
Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_c2dd5b1bea365246777a8b5003c16b61-146410.swf
(…)
main libvlc debug: VLC media player - 3.0.1 Vetinari
main libvlc debug: Copyright © 1996-2018 the VideoLAN team
main libvlc debug: revision 3.0.1-0-gec0f700fcc
(…)
avcodec demux debug: CPU flags: 0x000013db
avcodec demux debug: detected format: swf
main input debug: selecting program id=0
avcodec demux debug: adding es: audio codec = SWFa (69645)
avcodec demux debug: adding es: video codec = FLV1 (21)
avcodec demux debug: AVFormat(ffmpeg Lavf58.3.100) supported stream
avcodec demux debug: - format = swf (SWF (ShockWave Flash))
avcodec demux debug: - start time = -1
avcodec demux debug: - duration = 54034376
main demux debug: using demux module "avcodec"
(…)
(b10.d1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ef8dff78 ebx=02366428 ecx=00002710 edx=00000019 esi=07735e60 edi=02366054
eip=6a79173e esp=05b3fbf8 ebp=00050004 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp] ss:0023:00050004=???
0:012> g;r;u eip;!exploitable -v;u eip-2;u eip-1;u eip;r;dv /V;!heap -s;!analyze -v;q
(b10.d1c): Access violation - code c0000005 (!!! second chance !!!)
eax=ef8dff78 ebx=02366428 ecx=00002710 edx=00000019 esi=07735e60 edi=02366054
eip=6a79173e esp=05b3fbf8 ebp=00050004 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp] ss:0023:00050004=???
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp]
6a791741 85c0 test eax,eax
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
6a791757 89c5 mov ebp,eax
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x50004
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:6a79173e mov eax,dword ptr [ebp]
Basic Block:
6a79173e mov eax,dword ptr [ebp]
Tainted Input operands: 'ebp'
6a791741 test eax,eax
Tainted Input operands: 'eax'
6a791743 je libvlccore!vlc_demux_chained_delete+0xc96c (6a79187c)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0xf46ab413.0xb209b086
Hash Usage : Stack Trace:
Major+Minor : libvlccore!vlc_demux_chained_Delete+0xc82e
Excluded : ntdll!RtlAllocateHeap+0x117
Excluded : msvcrt!free+0x1ae
Excluded : msvcrt!free+0x1b3
Excluded : msvcrt!free+0xc8
Major+Minor : libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
Major+Minor : libvlccore!vlc_mutex_unlock+0x4c
Major+Minor : libvlccore!vlc_mutex_unlock+0x4c
Instruction Address: 0x000000006a79173e
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at libvlccore!vlc_demux_chained_Delete+0x000000000000c82e (Hash=0xf46ab413.0xb209b086)
The data from the faulting address is later used to determine whether or not a branch is taken.
libvlccore!vlc_demux_chained_Delete+0xc82c:
6a79173c 0000 add byte ptr [eax],al
6a79173e 8b4500 mov eax,dword ptr [ebp]
6a791741 85c0 test eax,eax
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
libvlccore!vlc_demux_chained_Delete+0xc82d:
6a79173d 008b450085c0 add byte ptr [ebx-3F7AFFBBh],cl
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
6a791757 89c5 mov ebp,eax
6a791759 893c24 mov dword ptr [esp],edi
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp]
6a791741 85c0 test eax,eax
6a791743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a79187c)
6a791749 89742408 mov dword ptr [esp+8],esi
6a79174d 89442404 mov dword ptr [esp+4],eax
6a791751 891c24 mov dword ptr [esp],ebx
6a791754 ff5304 call dword ptr [ebx+4]
6a791757 89c5 mov ebp,eax
eax=ef8dff78 ebx=02366428 ecx=00002710 edx=00000019 esi=07735e60 edi=02366054
eip=6a79173e esp=05b3fbf8 ebp=00050004 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a79173e 8b4500 mov eax,dword ptr [ebp] ss:0023:00050004=???
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(…)
FAULTING_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a79173e 8b4500 mov eax,dword ptr [ebp]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6a79173e (libvlccore!vlc_demux_chained_Delete+0x0000c82e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00050004
Attempt to read from address 00050004
FAULTING_THREAD: 00000d1c
PROCESS_NAME: .exe
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00050004
READ_ADDRESS: 00050004
FOLLOWUP_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a79173e 8b4500 mov eax,dword ptr [ebp]
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 7c9101db to 6a79173e
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
05b3fc00 7c9101db 77c2c3c9 00560000 00000003 libvlccore!vlc_demux_chained_Delete+0xc82e
05b3fc04 77c2c3c9 00560000 00000003 77c2c3ce ntdll!RtlAllocateHeap+0x117
05b3fc10 77c2c3ce ef8dff78 02369940 00000008 msvcrt!free+0x1ae
05b3fc20 77c2c2e3 00000000 02375fe8 02369940 msvcrt!free+0x1b3
05b3fc80 02b1fe22 02369940 00050004 07735e60 msvcrt!free+0xc8
05b3fca0 6a7f513c 0116715c 011bed20 01176624 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
05b3fce0 6a7f513c 011760b8 00000000 00000010 libvlccore!vlc_mutex_unlock+0x4c
00000000 00000000 00000000 00000000 00000000 libvlccore!vlc_mutex_unlock+0x4c
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ~12s ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/_exe/3_0_1_0/__dee6e6/libvlccore_dll/3_0_1_0/3a653a5d/c0000005/0005173e.htm?Retriage=1
---------
Case #03:
Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_c2dd5b1bea365246777a8b5003c16b61-k6ka7b.swf
(…)
main libvlc debug: VLC media player - 3.0.1 Vetinari
main libvlc debug: Copyright © 1996-2018 the VideoLAN team
main libvlc debug: revision 3.0.1-0-gec0f700fcc
(…)
avcodec demux debug: detected format: swf
main input debug: selecting program id=0
avcodec demux debug: adding es: audio codec = SWFa (69645)
avcodec demux debug: adding es: video codec = FLV1 (21)
avcodec demux debug: adding es: video codec = MJPG (7)
avcodec demux debug: AVFormat(ffmpeg Lavf58.3.100) supported stream
avcodec demux debug: - format = swf (SWF (ShockWave Flash))
(…)
(cbc.fc8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01f11218 ebx=00560000 ecx=803a3a3a edx=803a3a3a esi=01f11210 edi=01f72000
eip=7c911980 esp=0227c828 ebp=0227c834 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlInitializeCriticalSection+0x32b:
7c911980 8b09 mov ecx,dword ptr [ecx] ds:0023:803a3a3a=???
0:009> r;u eip;!exploitable -v;u eip-2;u eip-1;u eip;r;dv /V;!heap -s;!analyze -v;q
eax=01f11218 ebx=00560000 ecx=803a3a3a edx=803a3a3a esi=01f11210 edi=01f72000
eip=7c911980 esp=0227c828 ebp=0227c834 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlInitializeCriticalSection+0x32b:
7c911980 8b09 mov ecx,dword ptr [ecx] ds:0023:803a3a3a=???
ntdll!RtlInitializeCriticalSection+0x32b:
7c911980 8b09 mov ecx,dword ptr [ecx]
7c911982 3b4a04 cmp ecx,dword ptr [edx+4]
7c911985 89550c mov dword ptr [ebp+0Ch],edx
7c911988 0f859d000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c91198e 3bc8 cmp ecx,eax
7c911990 0f8595000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c911996 56 push esi
7c911997 53 push ebx
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffff803a3a3a
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:7c911980 mov ecx,dword ptr [ecx]
Basic Block:
7c911980 mov ecx,dword ptr [ecx]
Tainted Input operands: 'ecx'
7c911982 cmp ecx,dword ptr [edx+4]
Tainted Input operands: 'ecx'
7c911985 mov dword ptr [ebp+0ch],edx
7c911988 jne ntdll!rtlinitializecriticalsection+0x3d6 (7c911a2b)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x15a111e7.0xb7a9fae5
Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlInitializeCriticalSection+0x32b
Excluded : ntdll!RtlReAllocateHeap+0x852
Major+Minor : ntdll!RtlInitializeCriticalSection+0x149
Excluded : msvcrt!free+0x1ae
Excluded : msvcrt!free+0x1cc
Excluded : msvcrt!malloc+0x27
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x94699a
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0xb2ac46
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0xb2adee
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x50c1fc
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x1989e2
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x19ca2b
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x19ca2b
Excluded : msvcrt!malloc+0x27
Excluded : msvcrt!free+0x1cc
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0xb2af27
Excluded : ntdll!RtlFreeHeap+0x130
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x18f0b0
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x61c176
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x495d
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x5175
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x541b
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x5691
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x11eb1
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x26c22
Instruction Address: 0x000000007c911980
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlInitializeCriticalSection+0x000000000000032b (Hash=0x15a111e7.0xb7a9fae5)
The data from the faulting address is later used to determine whether or not a branch is taken.
ntdll!RtlInitializeCriticalSection+0x329:
7c91197e 4d dec ebp
7c91197f 088b093b4a04 or byte ptr libavcodec_plugin!vlc_entry_license__3_0_0f+0x1988759 (044a3b09)[ebx],cl
7c911985 89550c mov dword ptr [ebp+0Ch],edx
7c911988 0f859d000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c91198e 3bc8 cmp ecx,eax
7c911990 0f8595000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c911996 56 push esi
7c911997 53 push ebx
ntdll!RtlInitializeCriticalSection+0x32a:
7c91197f 088b093b4a04 or byte ptr libavcodec_plugin!vlc_entry_license__3_0_0f+0x1988759 (044a3b09)[ebx],cl
7c911985 89550c mov dword ptr [ebp+0Ch],edx
7c911988 0f859d000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c91198e 3bc8 cmp ecx,eax
7c911990 0f8595000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c911996 56 push esi
7c911997 53 push ebx
7c911998 e841edffff call ntdll!wcsncpy+0x105 (7c9106de)
ntdll!RtlInitializeCriticalSection+0x32b:
7c911980 8b09 mov ecx,dword ptr [ecx]
7c911982 3b4a04 cmp ecx,dword ptr [edx+4]
7c911985 89550c mov dword ptr [ebp+0Ch],edx
7c911988 0f859d000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c91198e 3bc8 cmp ecx,eax
7c911990 0f8595000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911a2b)
7c911996 56 push esi
7c911997 53 push ebx
eax=01f11218 ebx=00560000 ecx=803a3a3a edx=803a3a3a esi=01f11210 edi=01f72000
eip=7c911980 esp=0227c828 ebp=0227c834 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlInitializeCriticalSection+0x32b:
7c911980 8b09 mov ecx,dword ptr [ecx] ds:0023:803a3a3a=???
*************************************************************************
FAULTING_IP:
ntdll!RtlInitializeCriticalSection+32b
7c911980 8b09 mov ecx,dword ptr [ecx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 7c911980 (ntdll!RtlInitializeCriticalSection+0x0000032b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 803a3a3a
Attempt to read from address 803a3a3a
FAULTING_THREAD: 00000fc8
PROCESS_NAME: .exe
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 803a3a3a
READ_ADDRESS: 803a3a3a
FOLLOWUP_IP:
ntdll!RtlInitializeCriticalSection+32b
7c911980 8b09 mov ecx,dword ptr [ecx]
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 7c919085 to 7c911980
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0227c834 7c919085 803a3a3a 01f72000 0227c860 ntdll!RtlInitializeCriticalSection+0x32b
0227c86c 7c91179e 02560000 00000ff8 00000008 ntdll!RtlReAllocateHeap+0x852
0227ca9c 77c2c3c9 00560000 00000000 00000fec ntdll!RtlInitializeCriticalSection+0x149
0227cadc 77c2c3e7 00000fec 0227caf8 77c2c42e msvcrt!free+0x1ae
0227cae8 77c2c42e 00000fec 00000000 00000014 msvcrt!free+0x1cc
0227caf8 04e0ba8a 00000fec 00000014 00000034 msvcrt!malloc+0x27
0227cb28 04fefd36 00000018 00000008 00000055 libqt_plugin!vlc_entry_license__3_0_0f+0x94699a
0227cb58 04fefede 00000054 00000055 00000008 libqt_plugin!vlc_entry_license__3_0_0f+0xb2ac46
0227cb98 049d12ec 0227cc28 00000058 ffffffff libqt_plugin!vlc_entry_license__3_0_0f+0xb2adee
0227cc58 0465dad2 0000001a 00000a7f 0227cd20 libqt_plugin!vlc_entry_license__3_0_0f+0x50c1fc
0227cd68 04661b1b 01fc8558 01fc8558 00000020 libqt_plugin!vlc_entry_license__3_0_0f+0x1989e2
0227cd78 04661b1b 3cf2cf95 407a2fb8 8adab9f4 libqt_plugin!vlc_entry_license__3_0_0f+0x19ca2b
0227cda8 77c2c42e 3cf2cf95 407a2fb8 8adab9f4 libqt_plugin!vlc_entry_license__3_0_0f+0x19ca2b
0227cdfc 77c2c3e7 00000058 0227ce18 01f68ad8 msvcrt!malloc+0x27
0227ce18 04ff0017 fe08aefb 4079f337 d70a3d71 msvcrt!free+0x1cc
0227d0ac 7c91005d 0227d0a0 0227d160 01f42588 libqt_plugin!vlc_entry_license__3_0_0f+0xb2af27
0227d0c8 046541a0 0227d158 050f7890 05105108 ntdll!RtlFreeHeap+0x130
0227d218 04ae1266 0227d2cc 0227d238 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x18f0b0
0227d248 044c9a4d 0227d2cc 00000015 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x61c176
0227d2ac 044ca265 0227d250 050fdc92 0227d2f0 libqt_plugin!vlc_entry_license__3_0_0f+0x495d
0227d2f8 044ca50b 01f34498 0118d3e8 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x5175
0227d35c 044ca781 0227d300 00000004 04daa734 libqt_plugin!vlc_entry_license__3_0_0f+0x541b
0227d398 044d6fa1 0118cba8 0118d3e8 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x5691
0227d5e8 044ebd12 00000001 0511933f 00000030 libqt_plugin!vlc_entry_license__3_0_0f+0x11eb1
00000000 00000000 00000000 00000000 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x26c22
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ~9s ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/_exe/3_0_1_0/__dee6e6/ntdll_dll/5_1_2600_6055/4d00f29d/c0000005/00011980.htm?Retriage=1
---------
Yep. :)
To be honest I was a little bit surprised when I saw ‘similar results’ on Windows 7. Below are a few cases as well:
Case #04: (Windows 7 Ultimate)
Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_85c44bc363745e8efaa612bdffb985bb-7028.swf
(…)
main libvlc debug: VLC media player - 3.0.1 Vetinari
main libvlc debug: Copyright © 1996-2018 the VideoLAN team
main libvlc debug: revision 3.0.1-0-gec0f700fcc
(…)
(e68c.e384): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=158bc9f8 ebx=03598b90 ecx=00002710 edx=0000000b esi=046db0a8 edi=034fd01c
eip=6a89173e esp=04f6fbc0 ebp=07a77a84 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a89173e 8b4500 mov eax,dword ptr [ebp] ss:0023:07a77a84=???
0:015> r;u eip;kv;!analyze -v;!exploitable -v;kb;q
eax=158bc9f8 ebx=03598b90 ecx=00002710 edx=0000000b esi=046db0a8 edi=034fd01c
eip=6a89173e esp=04f6fbc0 ebp=07a77a84 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a89173e 8b4500 mov eax,dword ptr [ebp] ss:0023:07a77a84=???
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a89173e 8b4500 mov eax,dword ptr [ebp]
6a891741 85c0 test eax,eax
6a891743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a89187c)
6a891749 89742408 mov dword ptr [esp+8],esi
6a89174d 89442404 mov dword ptr [esp+4],eax
6a891751 891c24 mov dword ptr [esp],ebx
6a891754 ff5304 call dword ptr [ebx+4]
6a891757 89c5 mov ebp,eax
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
04f6fbc8 65d84cf3 00000000 04f6fbb4 00000000 libvlccore!vlc_demux_chained_Delete+0xc82e
04f6fbe8 754a98da 754c6502 03508dd8 00000002 libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
04f6fbec 754c6502 03508dd8 00000002 00000001 msvcrt!free+0x46
04f6fc48 65c0fe22 03599770 07a77a84 046db0a8 msvcrt!CIacos+0x65
04f6fc68 69c82e84 04f6fcac 018f2118 018c7a14 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
00000000 00000000 00000000 00000000 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x81dd94
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a89173e 8b4500 mov eax,dword ptr [ebp]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6a89173e (libvlccore!vlc_demux_chained_Delete+0x0000c82e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 07a77a84
Attempt to read from address 07a77a84
FAULTING_THREAD: 0000e384
FAULTING_MODULE: 76f60000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 3a653a5d
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 07a77a84
READ_ADDRESS: 07a77a84
FOLLOWUP_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a89173e 8b4500 mov eax,dword ptr [ebp]
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 65d84cf3 to 6a89173e
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
04f6fbc8 65d84cf3 00000000 04f6fbb4 00000000 libvlccore!vlc_demux_chained_Delete+0xc82e
04f6fbe8 754a98da 754c6502 03508dd8 00000002 libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
04f6fbec 754c6502 03508dd8 00000002 00000001 msvcrt!free+0x46
04f6fc48 65c0fe22 03599770 07a77a84 046db0a8 msvcrt!CIacos+0x65
04f6fc68 69c82e84 04f6fcac 018f2118 018c7a14 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
00000000 00000000 00000000 00000000 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x81dd94
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: libvlccore!vlc_demux_chained_Delete+c82e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: libvlccore
IMAGE_NAME: libvlccore.dll
STACK_COMMAND: ~15s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_libvlccore.dll!vlc_demux_chained_Delete
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/_exe/3_0_1_0/__dee6e6/libvlccore_dll/3_0_1_0/3a653a5d/c0000005/0005173e.htm?Retriage=1
Followup: MachineOwner
---------
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7a77a84
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:6a89173e mov eax,dword ptr [ebp]
Basic Block:
6a89173e mov eax,dword ptr [ebp]
Tainted Input operands: 'ebp'
6a891741 test eax,eax
Tainted Input operands: 'eax'
6a891743 je libvlccore!vlc_demux_chained_delete+0xc96c (6a89187c)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0xac85483e.0x0fc76c11
Hash Usage : Stack Trace:
Major+Minor : libvlccore!vlc_demux_chained_Delete+0xc82e
Major+Minor : libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
Excluded : msvcrt!free+0x46
Major+Minor : msvcrt!CIacos+0x65
Major+Minor : libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x81dd94
Instruction Address: 0x000000006a89173e
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at libvlccore!vlc_demux_chained_Delete+0x000000000000c82e (Hash=0xac85483e.0x0fc76c11)
The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
04f6fbc8 65d84cf3 00000000 04f6fbb4 00000000 libvlccore!vlc_demux_chained_Delete+0xc82e
04f6fbe8 754a98da 754c6502 03508dd8 00000002 libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
04f6fbec 754c6502 03508dd8 00000002 00000001 msvcrt!free+0x46
04f6fc48 65c0fe22 03599770 07a77a84 046db0a8 msvcrt!CIacos+0x65
04f6fc68 69c82e84 04f6fcac 018f2118 018c7a14 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
00000000 00000000 00000000 00000000 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x81dd94
---------
Case #05: (Windows 7 Ultimate)
Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_85c44bc363745e8efaa612bdffb985bb-osz_xh.swf
(…)
main libvlc debug: VLC media player - 3.0.1 Vetinari
main libvlc debug: Copyright © 1996-2018 the VideoLAN team
main libvlc debug: revision 3.0.1-0-gec0f700fcc
(…)
(ef8c.e860): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=036569f8 ecx=00950000 edx=036569f8 esi=1e0ad242 edi=036569f0
eip=76fb2d37 esp=0354cb10 ebp=0354cb44 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlFreeHeap+0xcd:
76fb2d37 8b4604 mov eax,dword ptr [esi+4] ds:0023:1e0ad246=???
0:009> r;u eip;kv;!analyze -v;!exploitable -v;kb;q
eax=00000001 ebx=036569f8 ecx=00950000 edx=036569f8 esi=1e0ad242 edi=036569f0
eip=76fb2d37 esp=0354cb10 ebp=0354cb44 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlFreeHeap+0xcd:
76fb2d37 8b4604 mov eax,dword ptr [esi+4] ds:0023:1e0ad246=???
ntdll!RtlFreeHeap+0xcd:
76fb2d37 8b4604 mov eax,dword ptr [esi+4]
76fb2d3a 8945f4 mov dword ptr [ebp-0Ch],eax
76fb2d3d c6470780 mov byte ptr [edi+7],80h
76fb2d41 c6470600 mov byte ptr [edi+6],0
76fb2d45 8b5e08 mov ebx,dword ptr [esi+8]
76fb2d48 8b4e0c mov ecx,dword ptr [esi+0Ch]
76fb2d4b 895de0 mov dword ptr [ebp-20h],ebx
76fb2d4e 83c301 add ebx,1
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0354cb44 76fb2ce8 036569f8 00832800 0354cc28 ntdll!RtlFreeHeap+0xcd
0354cb5c 754a98cd 00950000 00000000 036569f8 ntdll!RtlFreeHeap+0x7e
0354cba8 69607a5a 036569f8 00000002 00000004 msvcrt!free+0x39
0354cde8 6960a8a3 0354ce4c 0354ce3c 0354ce3c libqt_plugin!vlc_entry_license__3_0_0f+0x1a296a
0354cfe0 76fb2fe7 0354d090 036f2dc0 0354d090 libqt_plugin!vlc_entry_license__3_0_0f+0x1a57b3
0354cff8 695f41a0 0354d088 6a097890 6a0a5108 ntdll!RtlAllocateHeap+0x211
0354d128 69d4a5c1 0354d14c 6a0b3ef8 00000014 libqt_plugin!vlc_entry_license__3_0_0f+0x18f0b0
0354d148 69a81266 0354d200 0354d168 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x8e54d1
0354d228 6946a5a4 0365ccb8 0354d2b8 6a0b3ef8 libqt_plugin!vlc_entry_license__3_0_0f+0x61c176
0354d2c8 69476ccf 0084cbe8 00811fa8 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x54b4
0354d338 695d5874 0354d568 0000e860 0000e860 libqt_plugin!vlc_entry_license__3_0_0f+0x11bdf
0354d3e8 69c5e247 0084cbe8 00000000 00000025 libqt_plugin!vlc_entry_license__3_0_0f+0x170784
0354d4d8 695d6fbe 0084eca8 00000003 00000004 libqt_plugin!vlc_entry_license__3_0_0f+0x7f9157
0354d598 6948bd24 00000001 6a0b933f 00000030 libqt_plugin!vlc_entry_license__3_0_0f+0x171ece
0354d648 6948c4a1 047800a8 00000002 0354d678 libqt_plugin!vlc_entry_license__3_0_0f+0x26c34
0354d828 695d78c6 0082ad48 00000003 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x273b1
0354d948 6984e7bd 03666dc8 03666dc8 03668380 libqt_plugin!vlc_entry_license__3_0_0f+0x1727d6
0354d95c 754a98cd 00020021 00000af8 0354fe90 libqt_plugin!vlc_entry_license__3_0_0f+0x3e96cd
0354d9a8 754a98da 84c38f79 03668380 6a46f334 msvcrt!free+0x39
00000000 00000000 00000000 00000000 00000000 msvcrt!free+0x46
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
ntdll!RtlFreeHeap+cd
76fb2d37 8b4604 mov eax,dword ptr [esi+4]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 76fb2d37 (ntdll!RtlFreeHeap+0x000000cd)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 1e0ad246
Attempt to read from address 1e0ad246
FAULTING_THREAD: 0000e860
PROCESS_NAME: .exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 76f60000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 39203903
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 1e0ad246
READ_ADDRESS: 1e0ad246
FOLLOWUP_IP:
libqt_plugin!vlc_entry_license__3_0_0f+1a296a
69607a5a e915feffff jmp libqt_plugin!vlc_entry_license__3_0_0f+0x1a2784 (69607874)
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 76fb2ce8 to 76fb2d37
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0354cb44 76fb2ce8 036569f8 00832800 0354cc28 ntdll!RtlFreeHeap+0xcd
0354cb5c 754a98cd 00950000 00000000 036569f8 ntdll!RtlFreeHeap+0x7e
0354cba8 69607a5a 036569f8 00000002 00000004 msvcrt!free+0x39
0354cde8 6960a8a3 0354ce4c 0354ce3c 0354ce3c libqt_plugin!vlc_entry_license__3_0_0f+0x1a296a
0354cfe0 76fb2fe7 0354d090 036f2dc0 0354d090 libqt_plugin!vlc_entry_license__3_0_0f+0x1a57b3
0354cff8 695f41a0 0354d088 6a097890 6a0a5108 ntdll!RtlAllocateHeap+0x211
0354d128 69d4a5c1 0354d14c 6a0b3ef8 00000014 libqt_plugin!vlc_entry_license__3_0_0f+0x18f0b0
0354d148 69a81266 0354d200 0354d168 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x8e54d1
0354d228 6946a5a4 0365ccb8 0354d2b8 6a0b3ef8 libqt_plugin!vlc_entry_license__3_0_0f+0x61c176
0354d2c8 69476ccf 0084cbe8 00811fa8 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x54b4
0354d338 695d5874 0354d568 0000e860 0000e860 libqt_plugin!vlc_entry_license__3_0_0f+0x11bdf
0354d3e8 69c5e247 0084cbe8 00000000 00000025 libqt_plugin!vlc_entry_license__3_0_0f+0x170784
0354d4d8 695d6fbe 0084eca8 00000003 00000004 libqt_plugin!vlc_entry_license__3_0_0f+0x7f9157
0354d598 6948bd24 00000001 6a0b933f 00000030 libqt_plugin!vlc_entry_license__3_0_0f+0x171ece
0354d648 6948c4a1 047800a8 00000002 0354d678 libqt_plugin!vlc_entry_license__3_0_0f+0x26c34
0354d828 695d78c6 0082ad48 00000003 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x273b1
0354d948 6984e7bd 03666dc8 03666dc8 03668380 libqt_plugin!vlc_entry_license__3_0_0f+0x1727d6
0354d95c 754a98cd 00020021 00000af8 0354fe90 libqt_plugin!vlc_entry_license__3_0_0f+0x3e96cd
0354d9a8 754a98da 84c38f79 03668380 6a46f334 msvcrt!free+0x39
00000000 00000000 00000000 00000000 00000000 msvcrt!free+0x46
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: libqt_plugin!vlc_entry_license__3_0_0f+1a296a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: libqt_plugin
IMAGE_NAME: libqt_plugin.dll
STACK_COMMAND: ~9s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_libqt_plugin.dll!vlc_entry_license__3_0_0f
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/_exe/3_0_1_0/__dee6e6/ntdll_dll/6_1_7601_17514/4ce7b96e/c0000005/00052d37.htm?Retriage=1
Followup: MachineOwner
---------
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1e0ad246
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:76fb2d37 mov eax,dword ptr [esi+4]
Basic Block:
76fb2d37 mov eax,dword ptr [esi+4]
Tainted Input operands: 'esi'
76fb2d3a mov dword ptr [ebp-0ch],eax
Tainted Input operands: 'eax'
76fb2d3d mov byte ptr [edi+7],80h
76fb2d41 mov byte ptr [edi+6],0
76fb2d45 mov ebx,dword ptr [esi+8]
Tainted Input operands: 'esi'
76fb2d48 mov ecx,dword ptr [esi+0ch]
Tainted Input operands: 'esi'
76fb2d4b mov dword ptr [ebp-20h],ebx
Tainted Input operands: 'ebx'
76fb2d4e add ebx,1
Tainted Input operands: 'ebx'
76fb2d51 mov dword ptr [ebp-1ch],ecx
Tainted Input operands: 'ecx'
76fb2d54 adc ecx,1
Tainted Input operands: 'ecx','CarryFlag'
76fb2d57 and ebx,7fffh
Tainted Input operands: 'ebx'
76fb2d5d cmp bx,word ptr [esi+14h]
Tainted Input operands: 'bx','esi'
76fb2d61 je ntdll!rtlrunonceinitialize+0xf (76fb9990)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0xa9797124.0xa69e70b9
Hash Usage : Stack Trace:
Excluded : ntdll!RtlFreeHeap+0xcd
Excluded : ntdll!RtlFreeHeap+0x7e
Excluded : msvcrt!free+0x39
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x1a296a
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x1a57b3
Excluded : ntdll!RtlAllocateHeap+0x211
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x18f0b0
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x8e54d1
Major+Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x61c176
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x54b4
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x11bdf
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x170784
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x7f9157
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x171ece
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x26c34
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x273b1
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x1727d6
Minor : libqt_plugin!vlc_entry_license__3_0_0f+0x3e96cd
Excluded : msvcrt!free+0x39
Excluded : msvcrt!free+0x46
Instruction Address: 0x0000000076fb2d37
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlFreeHeap+0x00000000000000cd called from libqt_plugin!vlc_entry_license__3_0_0f+0x00000000001a296a (Hash=0xa9797124.0xa69e70b9)
The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0354cb44 76fb2ce8 036569f8 00832800 0354cc28 ntdll!RtlFreeHeap+0xcd
0354cb5c 754a98cd 00950000 00000000 036569f8 ntdll!RtlFreeHeap+0x7e
0354cba8 69607a5a 036569f8 00000002 00000004 msvcrt!free+0x39
0354cde8 6960a8a3 0354ce4c 0354ce3c 0354ce3c libqt_plugin!vlc_entry_license__3_0_0f+0x1a296a
0354cfe0 76fb2fe7 0354d090 036f2dc0 0354d090 libqt_plugin!vlc_entry_license__3_0_0f+0x1a57b3
0354cff8 695f41a0 0354d088 6a097890 6a0a5108 ntdll!RtlAllocateHeap+0x211
0354d128 69d4a5c1 0354d14c 6a0b3ef8 00000014 libqt_plugin!vlc_entry_license__3_0_0f+0x18f0b0
0354d148 69a81266 0354d200 0354d168 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x8e54d1
0354d228 6946a5a4 0365ccb8 0354d2b8 6a0b3ef8 libqt_plugin!vlc_entry_license__3_0_0f+0x61c176
0354d2c8 69476ccf 0084cbe8 00811fa8 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x54b4
0354d338 695d5874 0354d568 0000e860 0000e860 libqt_plugin!vlc_entry_license__3_0_0f+0x11bdf
0354d3e8 69c5e247 0084cbe8 00000000 00000025 libqt_plugin!vlc_entry_license__3_0_0f+0x170784
0354d4d8 695d6fbe 0084eca8 00000003 00000004 libqt_plugin!vlc_entry_license__3_0_0f+0x7f9157
0354d598 6948bd24 00000001 6a0b933f 00000030 libqt_plugin!vlc_entry_license__3_0_0f+0x171ece
0354d648 6948c4a1 047800a8 00000002 0354d678 libqt_plugin!vlc_entry_license__3_0_0f+0x26c34
0354d828 695d78c6 0082ad48 00000003 00000000 libqt_plugin!vlc_entry_license__3_0_0f+0x273b1
0354d948 6984e7bd 03666dc8 03666dc8 03668380 libqt_plugin!vlc_entry_license__3_0_0f+0x1727d6
0354d95c 754a98cd 00020021 00000af8 0354fe90 libqt_plugin!vlc_entry_license__3_0_0f+0x3e96cd
0354d9a8 754a98da 84c38f79 03668380 6a46f334 msvcrt!free+0x39
00000000 00000000 00000000 00000000 00000000 msvcrt!free+0x46
---------
Case #06: (Windows 7 Ultimate)
Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\VideoLAN\VLC\vlc.exe" C:\sf_23c981af3f36e849c1653982d92ea28c-7054.swf
(…)
(10118.ff74): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=4e635548 ebx=035ff970 ecx=00002710 edx=0000000b esi=018a8890 edi=03569dac
eip=6a89173e esp=04defbc0 ebp=4384fced iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a89173e 8b4500 mov eax,dword ptr [ebp] ss:0023:4384fced=???
0:014> r;u eip;kv;!analyze -v;!exploitable -v;kb;q
eax=4e635548 ebx=035ff970 ecx=00002710 edx=0000000b esi=018a8890 edi=03569dac
eip=6a89173e esp=04defbc0 ebp=4384fced iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a89173e 8b4500 mov eax,dword ptr [ebp] ss:0023:4384fced=???
libvlccore!vlc_demux_chained_Delete+0xc82e:
6a89173e 8b4500 mov eax,dword ptr [ebp]
6a891741 85c0 test eax,eax
6a891743 0f8433010000 je libvlccore!vlc_demux_chained_Delete+0xc96c (6a89187c)
6a891749 89742408 mov dword ptr [esp+8],esi
6a89174d 89442404 mov dword ptr [esp+4],eax
6a891751 891c24 mov dword ptr [esp],ebx
6a891754 ff5304 call dword ptr [ebx+4]
6a891757 89c5 mov ebp,eax
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
04defbc8 65d84cf3 00280138 76fb6570 00000003 libvlccore!vlc_demux_chained_Delete+0xc82e
04defbd0 76fb6570 00000003 00000000 4e635548 libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
04defc48 65c0fe22 035ffcd0 4384fced 018a8890 ntdll!wcsnicmp+0xc74
04defc78 7536b19e 00000000 00520000 01887488 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
04defcb4 76fb2ce8 018abc38 01892968 018735b0 KERNELBASE!AddAccessAllowedAceEx+0x28a
00000000 00000000 00000000 00000000 00000000 ntdll!RtlFreeHeap+0x7e
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a89173e 8b4500 mov eax,dword ptr [ebp]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6a89173e (libvlccore!vlc_demux_chained_Delete+0x0000c82e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 4384fced
Attempt to read from address 4384fced
FAULTING_THREAD: 0000ff74
PROCESS_NAME: .exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 76f60000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 3a653a5d
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 4384fced
READ_ADDRESS: 4384fced
FOLLOWUP_IP:
libvlccore!vlc_demux_chained_Delete+c82e
6a89173e 8b4500 mov eax,dword ptr [ebp]
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 65d84cf3 to 6a89173e
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
04defbc8 65d84cf3 00280138 76fb6570 00000003 libvlccore!vlc_demux_chained_Delete+0xc82e
04defbd0 76fb6570 00000003 00000000 4e635548 libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
04defc48 65c0fe22 035ffcd0 4384fced 018a8890 ntdll!wcsnicmp+0xc74
04defc78 7536b19e 00000000 00520000 01887488 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
04defcb4 76fb2ce8 018abc38 01892968 018735b0 KERNELBASE!AddAccessAllowedAceEx+0x28a
00000000 00000000 00000000 00000000 00000000 ntdll!RtlFreeHeap+0x7e
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: libvlccore!vlc_demux_chained_Delete+c82e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: libvlccore
IMAGE_NAME: libvlccore.dll
STACK_COMMAND: ~14s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_libvlccore.dll!vlc_demux_chained_Delete
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/_exe/3_0_1_0/__dee6e6/libvlccore_dll/3_0_1_0/3a653a5d/c0000005/0005173e.htm?Retriage=1
Followup: MachineOwner
---------
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4384fced
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:6a89173e mov eax,dword ptr [ebp]
Basic Block:
6a89173e mov eax,dword ptr [ebp]
Tainted Input operands: 'ebp'
6a891741 test eax,eax
Tainted Input operands: 'eax'
6a891743 je libvlccore!vlc_demux_chained_delete+0xc96c (6a89187c)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x3de8cf67.0x4dc82bde
Hash Usage : Stack Trace:
Major+Minor : libvlccore!vlc_demux_chained_Delete+0xc82e
Major+Minor : libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
Major+Minor : ntdll!wcsnicmp+0xc74
Major+Minor : libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
Major+Minor : KERNELBASE!AddAccessAllowedAceEx+0x28a
Excluded : ntdll!RtlFreeHeap+0x7e
Instruction Address: 0x000000006a89173e
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at libvlccore!vlc_demux_chained_Delete+0x000000000000c82e (Hash=0x3de8cf67.0x4dc82bde)
The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
04defbc8 65d84cf3 00280138 76fb6570 00000003 libvlccore!vlc_demux_chained_Delete+0xc82e
04defbd0 76fb6570 00000003 00000000 4e635548 libavcodec_plugin!vlc_entry_license__3_0_0f+0x179943
04defc48 65c0fe22 035ffcd0 4384fced 018a8890 ntdll!wcsnicmp+0xc74
04defc78 7536b19e 00000000 00520000 01887488 libavcodec_plugin!vlc_entry_license__3_0_0f+0x4a72
04defcb4 76fb2ce8 018abc38 01892968 018735b0 KERNELBASE!AddAccessAllowedAceEx+0x28a
00000000 00000000 00000000 00000000 00000000 ntdll!RtlFreeHeap+0x7e
That’s it. 6 cases for you. ;]
…and as I promised, you will find them all here and here.
Cheers,
Cody
o/