McAfee LiveSafe 14.0 – Relocations Processing Memory Corruption

  • Author: Google Security Research
    Date: 2016-05-04
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39770/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=817
    
    Fuzzing packed executables with McAfee's LiveSafe 14.0 on Windows found a signedness error parsing sections and relocations. The attached fuzzed testcase demonstrates this and causes a crash in mscan64a.dll. I verified that this crash reproduces on Linux and Windows; all versions of McAfee appear to be affected, including the embedded version and the SDK.
    
    Naturally, this code runs as SYSTEM on Windows, with no sandboxing and is used to parse untrusted remote input.
    
    0:045> .lastevent
    Last event: d34.13a4: Access violation - code c0000005 (first chance)
    debugger time: Tue Apr  5 15:02:40.009 2016 (UTC - 7:00)
    0:045> r
    rax=00000000306f1000 rbx=00000000306f1000 rcx=00000000ffffffff
    rdx=00000001031d114f rsi=00000000031d1150 rdi=00000000306f4000
    rip=00000000711a36fa rsp=00000000064748a0 rbp=00000000031ca880
     r8=00000000000005d3  r9=00000000306f0fff r10=8d00008661e82404
    r11=0000000000000000 r12=00000000306f4000 r13=000000000647917c
    r14=000000001070c1b8 r15=00000000031ca698
    iopl=0         nv up ei pl nz na pe nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    mscan64a!RetrieveSingleExtensionList+0x19844a:
    00000000`711a36fa 0fb64a01        movzx   ecx,byte ptr [rdx+1] ds:00000001`031d1150=??
    
    Okay, what happened there?
    
    0:007> ub
    mscan64a!RetrieveSingleExtensionList+0x198437:
    00000000`71fd36e7 8b45c8          mov     eax,dword ptr [rbp-38h]
    00000000`71fd36ea 8b08            mov     ecx,dword ptr [rax]
    00000000`71fd36ec 8d4101          lea     eax,[rcx+1]
    00000000`71fd36ef 3bc7            cmp     eax,edi
    00000000`71fd36f1 7332            jae     mscan64a!RetrieveSingleExtensionList+0x198475 (00000000`71fd3725)
    00000000`71fd36f3 2bcb            sub     ecx,ebx
    00000000`71fd36f5 8bd1            mov     edx,ecx
    00000000`71fd36f7 4803d6          add     rdx,rsi
    0:007> dd @rbp-38 L1
    00000000`0c529018  0c52d7ac
    0:007> dd 0c52d7ac L1
    00000000`0c52d7ac  90000fff
    
    So it looks like the result of that calculation is used as an index into @rsi, which is obviously going to be out of bounds.
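
As an added illustration (not McAfee's code, and not part of the Project Zero report), the C below models the index computation visible in the disassembly above: the loaded value is checked only against the section end (`lea eax,[rcx+1]` / `cmp eax,edi` / `jae`), `sub ecx,ebx` wraps to 0xffffffff when the value lies below the section start, and the 32-bit result is zero-extended into rdx and added to @rsi. The section start, size and relocation target are constructed from the register dump (rbx, rdi, r9); the function names are hypothetical, and the hardened variant adds the missing lower-bound check.

```c
/* Added example, not McAfee's code: the bounds-check shape behind the crash.
 * Constructed values mirror the register dump: section start 0x306f1000
 * (rbx), section end 0x306f4000 (rdi), relocation target 0x306f0fff (r9). */
#include <stdint.h>
#include <stdio.h>

/* Vulnerable shape (hypothetical name): only the upper bound is checked,
 * like `lea eax,[rcx+1] / cmp eax,edi / jae`. A target just below the
 * section start passes, `target - sec_va` wraps to 0xffffffff, and the
 * 32-bit result is zero-extended (`mov edx,ecx / add rdx,rsi`), so the
 * caller would read ~4 GiB past the section buffer, not just before it.
 * Returns the byte index that would be used, or -1 if rejected. */
int64_t reloc_index_vuln(uint32_t sec_va, uint32_t sec_size, uint32_t target)
{
    uint32_t sec_end = sec_va + sec_size;
    if (target + 1 >= sec_end)          /* upper bound only (and wraps at 0xffffffff) */
        return -1;
    uint32_t idx = target - sec_va;     /* unsigned underflow when target < sec_va */
    return (int64_t)(uint64_t)idx;      /* zero-extension: 0xffffffff, never -1 */
}

/* Hardened shape: both bounds, computed in 64-bit so nothing wraps, and the
 * whole fixup (`width` bytes; the crash read [rdx+1]) must fit in the section. */
int64_t reloc_index_safe(uint32_t sec_va, uint32_t sec_size, uint32_t target,
                         uint32_t width)
{
    uint64_t start = sec_va, end = (uint64_t)sec_va + sec_size;
    if (target < start)                     /* the missing lower-bound check */
        return -1;
    if ((uint64_t)target + width > end)     /* fixup must end inside the section */
        return -1;
    return (int64_t)(target - start);
}

int main(void)
{
    uint32_t sec_va = 0x306f1000u, sec_size = 0x3000u;   /* constructed */
    uint32_t bad = 0x306f0fffu, good = 0x306f1010u;     /* constructed */
    printf("vuln bad : %#llx\n", (unsigned long long)reloc_index_vuln(sec_va, sec_size, bad));
    printf("safe bad : %lld\n",  (long long)reloc_index_safe(sec_va, sec_size, bad, 2));
    printf("vuln good: %#llx\n", (unsigned long long)reloc_index_vuln(sec_va, sec_size, good));
    printf("safe good: %lld\n",  (long long)reloc_index_safe(sec_va, sec_size, good, 2));
    return 0;
}
```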
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39770.zip