!exploitable vs. TKADV2009-006 vs. Static Analysis Tools
The following is the output of Microsoft's !exploitable WinDbg extension when run on the crash from the libsndfile bug I released today (TKADV2009-006).
(3a8.62c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0000ffff ecx=000029f1 edx=00000003 esi=02158008 edi=02166000
eip=7c34126b esp=04dbfa8c ebp=04dbfac0 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000207
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Programme\Winamp\NSCRT.dll -
NSCRT!memset+0x49:
7c34126b f3ab            rep stos dword ptr es:[edi]
0:015> !load winext\msec.dll
0:015> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2166000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x21214e2e.0x67415f20

Stack Trace:
NSCRT!memset+0x49
libsndfile!Ordinal9+0x290c2
libsndfile!Ordinal9+0x1994f
libsndfile!Ordinal9+0x19eb9
libsndfile!sf_readf_double+0xd5f
libsndfile!sf_open+0x89
in_wave+0x1276
kernel32!GetModuleFileNameA+0x1ba
Instruction Address: 0x7c34126b

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at NSCRT!memset+0x49 (Hash=0x21214e2e.0x67415f20)

User mode write access violations that are not near NULL are exploitable.

Erik, the libsndfile maintainer, also published an interesting blog entry regarding the security measures he took to secure libsndfile. Amongst others, he checked his code base with static analysis tools. Unfortunately, the bug described in TKADV2009-006 (as well as others) was missed. What a surprise :)
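To make the rule at the end of that report mechanical for a batch of crashes, here is an added example (my own code, not part of the original post and not the !exploitable extension itself) that parses the key fields of `!exploitable -v` output, applies the stated write-AV rule and derives a deduplication key from the major hash. The near-NULL cutoff of 0x10000 is an assumption, since the page does not give the extension's real threshold.

```python
import re

# Constructed sample, trimmed to the lines triage needs (a real report is longer).
WRITE_AV_REPORT = """\
Exception Faulting Address: 0x2166000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x21214e2e.0x67415f20
Stack Trace:
NSCRT!memset+0x49
libsndfile!Ordinal9+0x290c2
libsndfile!sf_open+0x89
in_wave+0x1276
Instruction Address: 0x7c34126b
Exploitability Classification: EXPLOITABLE
"""

# Assumed cutoff for "near NULL"; the extension's own threshold is not stated on the page.
NEAR_NULL_LIMIT = 0x10000
# A stack frame is "module!symbol+0xoff" or just "symbol+0xoff" (export-only modules).
FRAME_RE = re.compile(r"^[\w.]+(!\w+)?\+0x[0-9a-fA-F]+$")

def parse_report(text):
    """Collect 'Key: value' fields and the stack frames from !exploitable -v output."""
    fields, frames = {}, []
    for line in text.splitlines():
        line = line.strip()
        if FRAME_RE.match(line):
            frames.append(line)
        elif ": " in line:
            key, _, value = line.partition(": ")
            fields[key] = value
    fields["frames"] = frames
    return fields

def classify(fields):
    """Apply the rule the report states: a user-mode write AV away from NULL is exploitable."""
    addr = int(fields["Exception Faulting Address"], 16)
    is_write = fields.get("Exception Sub-Type") == "Write Access Violation"
    if is_write and addr >= NEAR_NULL_LIMIT:
        return "EXPLOITABLE"
    return "NOT_COVERED_BY_WRITE_AV_RULE"  # needs one of the extension's other rules

def bucket(fields):
    """Major hash plus top frame: the key to deduplicate a fuzzing run's crashes on."""
    major = fields["Exception Hash (Major/Minor)"].split(".")[0]
    return (major, fields["frames"][0])

if __name__ == "__main__":
    report = parse_report(WRITE_AV_REPORT)
    print(classify(report), bucket(report))
```

Crashes that share a bucket key are the same bug and only need one fix; the minor hash distinguishes different paths into that bug when you want a finer split.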