Saturday, May 16, 2009

!exploitable vs. TKADV2009-006 vs. Static Analysis Tools

The following is the output of Microsoft's !exploitable WinDbg extension when run against the libsndfile bug I released today (TKADV2009-006).

(3a8.62c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0000ffff ecx=000029f1 edx=00000003 esi=02158008 edi=02166000
eip=7c34126b esp=04dbfa8c ebp=04dbfac0 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000207
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Programme\Winamp\NSCRT.dll -
NSCRT!memset+0x49:
7c34126b f3ab            rep stos dword ptr es:[edi]

0:015> !load winext\msec.dll
0:015> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2166000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x21214e2e.0x67415f20

Stack Trace:
NSCRT!memset+0x49
libsndfile!Ordinal9+0x290c2
libsndfile!Ordinal9+0x1994f
libsndfile!Ordinal9+0x19eb9
libsndfile!sf_readf_double+0xd5f
libsndfile!sf_open+0x89
in_wave+0x1276
kernel32!GetModuleFileNameA+0x1ba
Instruction Address: 0x7c34126b

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at NSCRT!memset+0x49 (Hash=0x21214e2e.0x67415f20)

User mode write access violations that are not near NULL are exploitable.

Erik, the libsndfile maintainer, also published an interesting blog entry regarding the security measures he took to secure libsndfile. Among other things, he checked his code base with static analysis tools. Unfortunately, the bug described in TKADV2009-006 (as well as others) was missed. What a surprise :)
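For triaging many such crashes, the report above can be parsed and grouped by its major hash. This is an added example, not part of the original post or of the !exploitable tool; the function names, the `RUNTIME_MODULES` list and the 64 KiB near-NULL cut-off are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above (stack trace shortened).
SAMPLE_REPORT = """\
Exception Faulting Address: 0x2166000
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x21214e2e.0x67415f20
Stack Trace:
NSCRT!memset+0x49
libsndfile!Ordinal9+0x290c2
libsndfile!sf_open+0x89
in_wave+0x1276
Instruction Address: 0x7c34126b
Exploitability Classification: EXPLOITABLE
"""

# Assumptions of this example, not values taken from the tool:
RUNTIME_MODULES = {"nscrt", "msvcrt", "ntdll", "kernel32"}  # helper code, rarely the root cause
NEAR_NULL_LIMIT = 0x10000  # 64 KiB cut-off for "near NULL"

def _field(text, label):
    m = re.search(r"^" + re.escape(label) + r":\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_report(text):
    """Extract the triage-relevant fields from one !exploitable -v report."""
    m = re.search(r"^Stack Trace:\s*\n(.*?)^Instruction Address:", text, re.M | re.S)
    frames = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []
    # memset only performs the write; the first non-runtime caller chose its arguments.
    blamed = next((f for f in frames
                   if re.split(r"[!+]", f)[0].lower() not in RUNTIME_MODULES), None)
    addr = _field(text, "Exception Faulting Address")
    major, _, minor = (_field(text, "Exception Hash (Major/Minor)") or "").partition(".")
    return {
        "fault_address": int(addr, 16) if addr else None,
        "sub_type": _field(text, "Exception Sub-Type"),
        "major_hash": major or None, "minor_hash": minor or None,
        "classification": _field(text, "Exploitability Classification"),
        "blamed_frame": blamed,
        "near_null": int(addr, 16) < NEAR_NULL_LIMIT if addr else None,
    }

def bucket_by_major_hash(reports):
    """Group parsed reports so each distinct crash is triaged once."""
    buckets = defaultdict(list)
    for r in map(parse_report, reports):
        buckets[r["major_hash"]].append(r)
    return dict(buckets)
```

For the report in this post, the blamed frame is the first `libsndfile` frame rather than `NSCRT!memset`, which is where a fix would be looked for.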