Pages - Menu

Tuesday, December 23, 2014

Gom Player Read Access Violation Vulnerability

Title : Gom Player 2.2.64.5211 Read Access Violation on Control
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net 
Test: Windows XP SP3
Status: Not Fixed
Severity : High

OSVDB ID: 116462

Discovered: 24 December 2014
Reported: 24 December 2014
Published: 24 December 2014

Description : GOM Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted TIFF file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.


Tuesday, November 25, 2014

Google Chrome caused a crash..!


Title : Google Chrome caused a crash..!
Version: 35.0.1916.114
Discoverer: Veysel HATAŞ (vhatas@gmail.com)
Web page : www.binarysniper.net
Test: Windows 8
Status: Fixed

Discovered: 24 May 2014
Reported: 25 November 2014
Published: 25 November 2014
Chromium Issue: 436382

windbg crash log


Crash report from EMET






Thursday, March 20, 2014

Immunity Debugger Stack Overflow Vulnerability – PoC

It's not always possible to find vulnerabilities or even zero days after using methods of reverse engineering or fuzzing, but this time I was super lucky. 2 months ago, I was studying Corelan’s article about heap spray exploitation which is a great one. During the study, while I was debugging Internet Explorer 7, Immunity Debugger (the last version, 1.85) has crashed and WinDBG handled the exception. I was really surprised.

OSVDB ID : 107499 
EDB-ID      : 32435
Reddit       : /r/netsec

When I looked back to determine what caused it to crash, I noticed that SE-Handler was recursively added to its SEH chain. Because SEH chain was created on stack segment and SEH chain was too long, this caused a stack overflow and Immunity Debugger crashed.



After realizing the cause of the crash, I quickly wrote a dirty PoC code to trigger the stack overflow vulnerability. The following PoC code creates try-catch blocks to overflow the stack.

It was tested on Windows 7 and Windows XP. In both of them, DEP protection was disabled.



When I look at the following !exploitable output, it is stated that this vulnerability is not exploitable. 

0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at ImmunityDebugger!Addsorteddata+0x0000000000000069 (Hash=0xa84b56c5.0x36b8c4de)
This is a user mode read access violation near null, and is probably not exploitable. 

This vulnerability was reported to the Immunity to support@immunityinc.co on 06 January 2014.