CVE-2012-0003 Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Code Execution Vulnerability: Analysis

[CNNVD] Microsoft Windows Media Player 'winmm.dll' MIDI file parsing remote code execution vulnerability (CNNVD-201201-110)

Microsoft Windows is Microsoft's widely deployed operating system, and Windows Media Player is its multimedia playback component. WMP contains a memory corruption vulnerability in the handling of malformed MIDI data. A remote attacker can exploit it by luring a user to a malicious web page and thereby take control of the user's system.

Note that this vulnerability is triggered when the IE process calls into the multimedia DLL, so the debugger must be attached to the IE process. A few seconds after the PoC is loaded, the IE process crashes with the following exception:

    (aa0.aa4): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=002261c4 ebx=00000000 ecx=0c0c0c0c edx=0000003d esi=00225dc8 edi=0039d910
    eip=7e390581 esp=0012e198 ebp=0012e1a8 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    mshtml!CAttrValue::GetIntoVariant+0x4d:
    7e390581 ff5104          call    dword ptr [ecx+4]    ds:0023:0c0c0c10=????????

Since this is an IE bug we are naturally suspicious of the `call [ecx+4]` pattern (IE performs a huge number of object vtable calls), so let's look more closely with `ub mshtml!CAttrValue::GetIntoVariant+0x4d`:

    0:000> ub mshtml!CAttrValue::GetIntoVariant+0x4d
    mshtml!CAttrValue::GetIntoVariant+0x3a:
    7e39056e e8f93ef0ff      call    mshtml!VariantCopy (7e29446c)
    7e390573 8bd8            mov     ebx,eax
    7e390575 eb35            jmp     mshtml!CAttrValue::GetIntoVariant+0x78 (7e3905ac)
    7e390577 8b460c          mov     eax,dword ptr [esi+0Ch]
    7e39057a 3bc3            cmp     eax,ebx
    7e39057c 7406            je      mshtml!CAttrValue::GetIntoVariant+0x50 (7e390584)
    7e39057e 8b08            mov     ecx,dword ptr [eax]
    7e390580 50              push    eax

One glance tells us this is a vtable call, a pattern we have seen in IE far too many times: eax is the object pointer, ecx is the vtable pointer, and `call [ecx+4]` invokes a virtual function. Let's look at the object's contents:

    0:000> dc eax
    002261c4  0c0c0c0c 0c0c0c0c 0c0c0c0c 00000000  ................
    002261d4  00000000 00000000 00000000 00050081  ................
    002261e4  00080187 00008103 80000000 00000000  ................
    002261f4  06f72ed0 00000802 002dc72b 00000000  ........+.-.....
    00226204  002265f4 00000902 002dc72c 00000000  .e".....,.-.....
    00226214  06f59bb0 00000902 002dc72d 00000000  ........-.-.....
    00226224  09318a68 00000b02 002dc72e 00000000  h.1.......-.....
    00226234  0000ffff 00000302 002dc72f 00000000  ......../.-.....

The familiar heap spray. The author's plan was evidently to forge an object whose vtable pointer is 0c0c0c0c and then spray the heap so that 0c0c0c0c holds a fake vtable and the shellcode, a very standard approach. So why does it crash? Let's check:

    0:000> dd 0c0c0c0c
    0c0c0c0c  ???????? ???????? ???????? ????????
    0c0c0c1c  ???????? ???????? ???????? ????????
    0c0c0c2c  ???????? ???????? ???????? ????????
    0c0c0c3c  ???????? ???????? ???????? ????????
    0c0c0c4c  ???????? ???????? ???????? ????????
    0c0c0c5c  ???????? ???????? ???????? ????????
    0c0c0c6c  ???????? ???????? ???????? ????????
    0c0c0c7c  ???????? ???????? ???????? ????????
    0:000> !address 0c0c0c0c
        0ac0c000 : 0ac0c000 - 053f4000
                        Type     00000000 
                        Protect  00000001 PAGE_NOACCESS
                        State    00010000 MEM_FREE
                        Usage    RegionUsageFree

This shows the memory is unallocated, so the spray never reached 0c0c0c0c. Either the author's exploit failed, or my environment differs from theirs. So let's go and find where the vulnerability the author actually relies on lives.

First enable page heap (hpa), since we already know this is a heap bug. The debugger then breaks at the following location:

    (eec.b40): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000419 ebx=0000007d ecx=007db29f edx=00000000 esi=126ef019 edi=126b6f60
    eip=76b2d224 esp=12dffe80 ebp=12dffea0 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    WINMM!midiOutPlayNextPolyEvent+0x1ec:
    76b2d224 8a06            mov     al,byte ptr [esi]          ds:0023:126ef019=??

We don't know what address esi holds, but we can make a guess and run `!heap -p -a esi`. The result below confirms that the exception is caused by page heap. Compute: 126eec00+0x400=126EF000, and 126ef019>126ef000, so the read is past the end of the block. Furthermore, the heap shows only an allocation record and no free record, so this is certainly not a UAF; it must be a heap overflow or an out-of-bounds array access on a heap buffer.

    0:028> !heap -p -a esi
        address 126ef019 found in
        _DPH_HEAP_ROOT @ 141000
        in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                    11fc4058:         126eec00              400 -         126ee000             2000
        7c938f01 ntdll!RtlAllocateHeap+0x00000e64
        76b2b2b3 WINMM!winmmAlloc+0x00000016
        76b2cdee WINMM!mseOpen+0x00000044
        76b2d97e WINMM!mseMessage+0x00000029
        76b2a17f WINMM!midiStreamOpen+0x00000207
        77ba1f7c midimap!modOpen+0x000000f8
        77ba29f3 midimap!modMessage+0x0000005e
        76b2a15e WINMM!midiStreamOpen+0x000001e6
        7d03567d quartz!CMidiOutDevice::DoOpen+0x00000026
        7d035727 quartz!CMidiOutDevice::amsndOutOpen+0x00000059
        7cfabc7a quartz!CWaveOutFilter::amsndOutOpen+0x0000002e
        7cfabc05 quartz!CWaveOutFilter::DoOpenWaveDevice+0x0000007a
        7cfabe12 quartz!CWaveOutFilter::OpenWaveDevice+0x00000019
        7cfabcda quartz!CWaveOutFilter::Pause+0x00000049
        7cf8cf61 quartz!CFilterGraph::Pause+0x00000107
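The arithmetic above (block end = UserAddr + UserSize, fault address compared against it, busy-vs-freed state ruling out a UAF) is the kind of thing worth scripting when triaging many page-heap crashes. The following Python helper is an added example, not code from the original post: it parses a `!heap -p -a` excerpt, recomputes the block boundaries and classifies the faulting access. The sample text is constructed here to mirror the page's numbers; the two-column layout used for freed blocks is an assumption about how the extension prints them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of WinDbg `!heap -p -a <addr>` output under
# page heap (gflags /hpa). The numbers mirror the crash on the page; the text
# itself is typed here for the example, not captured from a live session.
SAMPLE_HEAP_P_A = """\
    address 126ef019 found in
    _DPH_HEAP_ROOT @ 141000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                11fc4058:         126eec00              400 -         126ee000             2000
    7c938f01 ntdll!RtlAllocateHeap+0x00000e64
    76b2b2b3 WINMM!winmmAlloc+0x00000016
"""

HEX = r"[0-9a-f]+"
# Busy block: "<block>: UserAddr UserSize - VirtAddr VirtSize"
FOUR_COL = re.compile(rf"^\s*{HEX}:\s+({HEX})\s+({HEX})\s+-\s+({HEX})\s+({HEX})\s*$", re.I | re.M)
# Freed block (assumed layout): "<block>: VirtAddr VirtSize"
TWO_COL = re.compile(rf"^\s*{HEX}:\s+({HEX})\s+({HEX})\s*$", re.I | re.M)


@dataclass
class PageHeapBlock:
    fault_addr: int
    state: str                    # "busy" or "free-ed" as printed by the extension
    virt_addr: int                # start of the reserved region (block + guard page)
    virt_size: int
    user_addr: Optional[int]      # caller-visible buffer; None for a freed block
    user_size: Optional[int]

    @property
    def user_end(self) -> Optional[int]:
        return None if self.user_addr is None else self.user_addr + self.user_size

    @property
    def virt_end(self) -> int:
        return self.virt_addr + self.virt_size


def parse_heap_p_a(text: str) -> PageHeapBlock:
    """Extract the fields an analyst otherwise reads off `!heap -p -a` by hand."""
    addr = re.search(r"address\s+([0-9a-f]+)\s+found in", text, re.I)
    state = re.search(r"in\s+(busy|free-ed)\s+allocation", text, re.I)
    if not (addr and state):
        raise ValueError("not a recognisable !heap -p -a excerpt")
    m4 = FOUR_COL.search(text)
    if m4:
        ua, us, va, vs = (int(g, 16) for g in m4.groups())
    else:
        m2 = TWO_COL.search(text)
        if not m2:
            raise ValueError("no DPH_HEAP_BLOCK line found")
        ua = us = None
        va, vs = (int(g, 16) for g in m2.groups())
    return PageHeapBlock(int(addr.group(1), 16), state.group(1).lower(), va, vs, ua, us)


def classify_fault(blk: PageHeapBlock) -> dict:
    """Apply the reasoning from the analysis: a freed block points at a UAF;
    an access past UserAddr+UserSize that lands in the guard page is a linear
    overflow or out-of-bounds read; anything else needs a manual look."""
    if blk.state != "busy" or blk.user_end is None:
        return {"kind": "use-after-free candidate", "overrun": None}
    if blk.user_addr <= blk.fault_addr < blk.user_end:
        return {"kind": "in-bounds access (not a boundary fault)", "overrun": 0}
    if blk.user_end <= blk.fault_addr < blk.virt_end:
        return {"kind": "heap overflow / out-of-bounds past block end",
                "overrun": blk.fault_addr - blk.user_end}
    if blk.fault_addr < blk.user_addr:
        return {"kind": "underflow before block start",
                "overrun": blk.user_addr - blk.fault_addr}
    return {"kind": "outside the page-heap reservation", "overrun": None}


def triage(text: str) -> dict:
    blk = parse_heap_p_a(text)
    result = classify_fault(blk)
    result.update(fault_addr=blk.fault_addr, user_end=blk.user_end, state=blk.state)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_HEAP_P_A)
    print(f"fault at {r['fault_addr']:08x}, block ends at {r['user_end']:08x}: "
          f"{r['kind']}, overrun {r['overrun']} bytes")
```

On the page's numbers this reports a read 0x19 bytes past the end of the 0x400-byte `winmmAlloc` block, landing in the page-heap guard page, which is exactly the conclusion drawn above; the guard-page check matters because a fault far outside the reservation would indicate a wild pointer rather than a linear overrun.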

Re-run the program, set a breakpoint on WINMM!midiOutPlayNextPolyEvent+0x1ec, and look at the backtrace:

    0:028> kp
    ChildEBP RetAddr  
    1243fea0 76b2d2e5 WINMM!midiOutPlayNextPolyEvent+0x1ec
    1243feb4 76b154e3 WINMM!midiOutTimerTick+0x4f
    1243fedc 76b2adfe WINMM!DriverCallback+0x5c
    1243ff18 76b2af02 WINMM!TimerCompletion+0xf4
    1243ffb4 7c80b729 WINMM!timeThread+0x53
    1243ffec 00000000 kernel32!BaseThreadStart+0x37

Check which module it is in, as shown below; then pull that binary out and open it in IDA.

    0:028> lmm winmm v
    start    end        module name
    76b10000 76b3a000   WINMM      (pdb symbols)          C:\symbols\winmm.pdb\90FC96D5AD8440A2B14855895BD92ED62\winmm.pdb
        Loaded symbol image file: C:\WINDOWS\system32\WINMM.dll
        Image path: C:\WINDOWS\system32\WINMM.dll
        Image name: WINMM.dll
        Timestamp:        Mon Apr 14 10:13:53 2008 (4802BDE1)
        CheckSum:         0002C65D
        ImageSize:        0002A000
        File version:     5.1.2600.5512
        Product version:  5.1.2600.5512
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0804.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft(R) Windows(R) Operating System
        InternalName:     winmm.dll
        OriginalFilename: WINMM.DLL
        ProductVersion:   5.1.2600.5512
        FileVersion:      5.1.2600.5512 (xpsp.080413-0845)
        FileDescription:  MCI API DLL
        LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
Original source: https://www.cnblogs.com/Ox9A82/p/5715006.html