Comodo – Integer Overlow Leading to Heap Overflow Parsing Composite Documents

• Exploit Database
• 16 阅读

• 作者： Google Security Research
  日期： 2016-03-23
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39603/

• Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=762
  
  In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated.
  
  The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow.
  
  This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM, the attached test cases should reproduce the problem reliably (this issue was found using trivial fuzzing). You can see this testcase has this->m_oleDocHeader.csectDif = 0x40000001, and so this->m_oleDocHeader.csectDif * this->diFATPerSect * 4 + 436 wraps to 0x3b0.
  
  (b80.ad8): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  script!CreateInstance+0x178ac:
  00000000`0ac5a4bc 8901mov dword ptr [rcx],eax ds:00000000`0c79a1f0=????????
  0:009> u
  script!CreateInstance+0x178ac:
  00000000`0ac5a4bc 8901mov dword ptr [rcx],eax
  00000000`0ac5a4be 4d8bc8mov r9,r8
  00000000`0ac5a4c1 49c1e905shr r9,5
  00000000`0ac5a4c5 7550jne script!CreateInstance+0x17907 (00000000`0ac5a517)
  00000000`0ac5a4c7 4d8bc8mov r9,r8
  00000000`0ac5a4ca 49c1e903shr r9,3
  00000000`0ac5a4ce 7414jescript!CreateInstance+0x178d4 (00000000`0ac5a4e4)
  00000000`0ac5a4d0 4883e908sub rcx,8
  0:009> r
  rax=00000000004e8400 rbx=000000000c782120 rcx=000000000c79a1f0
  rdx=fffffffffffe99f8 rsi=000000000c7839f0 rdi=0000000000000017
  rip=000000000ac5a4bc rsp=000000000d80e4b8 rbp=0000000000000bd6
   r8=00000000000001f8r9=0000000000000000 r10=00000006ffffffff
  r11=000000000c799ff8 r12=00000000000138a1 r13=000000000aea0000
  r14=0000000000000000 r15=0000000000336b00
  iopl=0 nv up ei pl nz na pe nc
  cs=0033ss=002bds=002bes=002bfs=0053gs=002b efl=00010202
  script!CreateInstance+0x178ac:
  00000000`0ac5a4bc 8901mov dword ptr [rcx],eax ds:00000000`0c79a1f0=????????
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39603.zip