Wireshark 2 Preview 数组内存越界访问 | wooyun-2014-078367| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-078367

漏洞标题：Wireshark 2 Preview 数组内存越界访问

漏洞作者： blast

提交时间：2014-10-09 12:38

修复时间：2014-10-09 12:38

公开时间：2014-10-09 12:38

漏洞类型：设计错误/逻辑缺陷

危害等级：低

自评Rank：2

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-10-09：积极联系厂商并且等待厂商认领中，细节不对外公开
2014-10-09：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

version 1.12.1 (1.12.1-0-g01b65bf from master-1.12), 64 bit
数组越界访问，可以向后访问8 * n个字节，我觉着n>1的情况也只有理论上可以了=。=
(ps。下方只是对它的崩溃做分析而已=v=)

详细说明：

崩溃情况以及崩溃栈：

(14b4.1dd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for F:\Program Files\Wireshark\Qt5Core.dll - 
*** WARNING: Unable to verify checksum for qtshark.exe
*** ERROR: Module load completed but symbols could not be loaded for qtshark.exe
Qt5Core!QPersistentModelIndex::row:
00000000`5f2d5bd0 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????
-------------------
0:000> kvn
 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 00000000`001da418 00000001`3f820612 : 00000000`02d425e0 00000000`5f869c3d 00000000`02d73730 00000000`001da450 : Qt5Core!QPersistentModelIndex::row
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for F:\Program Files\Wireshark\Qt5Widgets.dll - 
01 00000000`001da420 00000000`5f8755e6 : 00000000`051cffb0 00000000`02d425e0 00000000`00000020 00000000`051cffb0 : qtshark+0x90612
02 00000000`001da480 00000000`5f33fcc7 : 00000000`5f62fbf8 00000000`00000000 00000000`02c04e18 00000000`001da6e8 : Qt5Widgets!QAbstractItemView::qt_static_metacall
+0x2b6
03 00000000`001da4e0 00000000`5f2ee95f : 00000000`02d48d60 00000000`00000003 00000000`02cf2aa0 00000000`001da630 : Qt5Core!QMetaObject::activate+0x5b7
04 00000000`001da5f0 00000000`5f2f0763 : 00000000`02d48d60 00000000`051cffc0 00000000`00000024 00000000`02d73730 : Qt5Core!QItemSelectionModel::emitSelectionChanged
+0x79f
05 00000000`001da6c0 00000000`5f8a82cd : 00000000`02d48d60 00000000`5f3dd160 00000000`00000024 00000000`02d81d70 : Qt5Core!QItemSelectionModel::select+0x353
06 00000000`001da770 00000000`5f8a8a15 : 00000000`02d3f3f0 00000000`00000235 00000000`02d3f3f0 00000000`00000024 : Qt5Widgets!QTreeViewPrivate::select+0x86d
07 00000000`001da9f0 00000000`5f8710d0 : 00000001`00000021 00000001`3f965d48 00000000`00000024 00000000`00000235 : Qt5Widgets!QTreeView::setSelection+0x325
08 00000000`001daad0 00000000`5f8aa272 : 00000000`00000024 00000000`02d3f3f0 00000000`02d3f3f0 00000000`051bd820 : Qt5Widgets!QAbstractItemView::mouseMoveEvent+0x400
09 00000000`001dab90 00000000`5f6a590b : 0000007f`00000235 00000000`5f660000 00000000`001db640 00000000`777c34d8 : Qt5Widgets!QTreeView::mouseMoveEvent+0x42
0a 00000000`001dabc0 00000000`5f7860b7 : 00000000`5f494cd8 00000000`5f4952e0 00000000`00000000 00000000`02d40020 : Qt5Widgets!QWidget::event+0xab
0b 00000000`001dad50 00000000`5f31c085 : 00000000`02d40020 00000000`00000000 00000000`00000000 00000000`5f6b86f6 : Qt5Widgets!QFrame::event+0x37
0c 00000000`001dad80 00000000`5f672242 : 00000000`00000000 00000000`0035b040 00000000`02d40020 00000000`001db640 : Qt5Core!
QCoreApplicationPrivate::sendThroughObjectEventFilters+0xe5
0d 00000000`001dade0 00000000`5f675b9e : 00000000`00000000 00000000`001daf10 00000000`001daf18 00000000`0035b040 : Qt5Widgets!QApplicationPrivate::notify_helper+0xe2
0e 00000000`001dae10 00000000`5f31a78f : 00000000`02d40000 00000000`00359710 00000000`001db640 00000000`0518f0a0 : Qt5Widgets!QApplication::notify+0x7ce
0f 00000000`001db3f0 00000000`5f6745af : 00000000`02d40020 000007fe`eb810500 00000000`00359710 00000000`02d6fb00 : Qt5Core!QCoreApplication::notifyInternal+0x6f
10 00000000`001db450 00000000`5f6bf733 : 00000000`001dbf01 00000000`001dbf90 00000000`02d40000 00000000`001db700 : Qt5Widgets!QApplicationPrivate::sendMouseEvent+0x3ef
11 00000000`001db520 00000000`5f6c0862 : 00000000`02d6fa80 00000000`02d6fa80 00000000`00000001 00000000`04000000 : Qt5Widgets!QWidgetPrivate::setGeometry_sys+0x1813
12 00000000`001db6f0 00000000`5f672256 : 00000000`00359710 00000000`0035b040 00000000`02d6fa80 00000000`001dbf60 : Qt5Widgets!QWidgetPrivate::setGeometry_sys+0x2942
13 00000000`001db750 00000000`5f676577 : 00000000`02072c80 00000000`001db880 00000000`0035b040 00000000`0035b040 : Qt5Widgets!QApplicationPrivate::notify_helper+0xf6
14 00000000`001db780 00000000`5f31a78f : 00000000`00000000 00000000`00359710 00000000`001dbf60 000007fe`ec271f46 : Qt5Widgets!QApplication::notify+0x11a7
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for F:\Program Files\Wireshark\Qt5Gui.dll - 
15 00000000`001dbd60 000007fe`eb8099d4 : 00000000`00000005 00000000`00000000 00000000`00359710 0000001d`000003d0 : Qt5Core!QCoreApplication::notifyInternal+0x6f
16 00000000`001dbdc0 000007fe`eb80e547 : ffffffff`ffffff00 00000000`00000000 00000000`00000000 000007fe`eb7fbda8 : Qt5Gui!QGuiApplicationPrivate::processMouseEvent
+0x4e4
17 00000000`001dc0e0 000007fe`eb7fbe33 : 000007fe`ebaeacc8 00000000`00000401 00000000`00000000 00000000`00000001 : Qt5Gui!
QGuiApplicationPrivate::processWindowSystemEvent+0x137
18 00000000`001dc130 000007fe`eb7fc02b : 00000000`00000024 000007fe`ebaeacc8 00000000`00000000 00000000`00000001 : Qt5Gui!
QWindowSystemInterface::sendWindowSystemEventsImplementation+0x73
19 00000000`001dc160 00000000`5f358b18 : 00000000`00000024 00000000`0035d6a0 00000000`001dc219 00000000`001dc328 : Qt5Gui!
QWindowSystemInterface::sendWindowSystemEvents+0x1b
1a 00000000`001dc190 00000000`77569bd1 : 00000000`00000000 00000000`00000038 00000000`00000001 00000000`401d0001 : Qt5Core!
QEventDispatcherWin32Private::QEventDispatcherWin32Private+0x378
1b 00000000`001dc280 00000000`775698da : 00000000`001dc408 00000000`5f358860 00000000`00000401 00000000`00a01bd0 : USER32!UserCallWinProcCheckWow+0x1ad
1c 00000000`001dc340 00000000`5f35afdd : 00000000`0035d6a0 00000000`0035d601 00000000`5f358860 00000000`0035da28 : USER32!DispatchMessageWorker+0x3b5
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for F:\Program Files\Wireshark\platforms\qwindows.dll - 
1d 00000000`001dc3c0 000007fe`ec27f09d : 00000000`0035d6a0 00000000`00000024 00000000`00000001 00000000`5f183301 : Qt5Core!QEventDispatcherWin32::processEvents+0x47d
1e 00000000`001df720 00000000`5f319cdd : 00000000`02066370 00000000`00000024 00000000`00359710 00000000`02cc73a0 : qwindows!qt_plugin_instance+0x1decd
1f 00000000`001df790 00000000`5f31dbf7 : 00000000`0035b2a0 00000000`00000000 00000000`00359710 00000000`00000003 : Qt5Core!QEventLoop::exec+0x1cd
20 00000000`001df810 00000001`3f7fd8bc : 00000000`000002a0 00000000`000002a0 00000000`00000003 00000000`00000008 : Qt5Core!QCoreApplication::exec+0x187
21 00000000`001df880 00000001`3f90aa34 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : qtshark+0x6d8bc
22 00000000`001dfd20 00000001`3f909d3b : 00000000`00384439 00000000`00000000 00000000`00000000 00000000`00000000 : qtshark+0x17aa34
23 00000000`001dfd90 00000000`776659ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : qtshark+0x179d3b
24 00000000`001dfe40 00000000`7779c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
25 00000000`001dfe70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

崩溃发生在Qt5Core!QPersistentModelIndex::row的第一行，函数试图将第一个参数（rcx）解引用给eax时崩溃。
0:000> .frame /c 1
01 00000000`001da420 00000000`5f8755e6 qtshark+0x90612
rax=baadf00dbaadf00d rbx=00000000001da6e8 rcx=baadf00dbaadf00d
rdx=0000000002c04e00 rsi=0000000000000014 rdi=00000000001da630
rip=000000013f820612 rsp=00000000001da420 rbp=00000000001da589
r8=0000000000008000 r9=0000000000000008 r10=0000000000350268
r11=00000000001d9d88 r12=0000000002d3f300 r13=0000000000000003
r14=0000000002d49d30 r15=0000000002d3f300
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
qtshark+0x90612:
00000001`3f820612 498b4c2448 mov rcx,qword ptr [r12+48h] ds:00000000`02d3f348=00c4a43f01000000
0:000> dd rcx
baadf00d`baadf00d ???????? ???????? ???????? ????????
baadf00d`baadf01d ???????? ???????? ???????? ????????
baadf00d`baadf02d ???????? ???????? ???????? ????????
baadf00d`baadf03d ???????? ???????? ???????? ????????
baadf00d`baadf04d ???????? ???????? ???????? ????????
baadf00d`baadf05d ???????? ???????? ???????? ????????
baadf00d`baadf06d ???????? ???????? ???????? ????????
baadf00d`baadf07d ???????? ???????? ???????? ????????
看看r12是从哪儿传来的，上方有一个mov rcx,rax，
0:000> uf .
qtshark+0x905e0:
00000001`3f8205e0 4053 push rbx
00000001`3f8205e2 4154 push r12
00000001`3f8205e4 4883ec48 sub rsp,48h
00000001`3f8205e8 488bda mov rbx,rdx
00000001`3f8205eb 4c8be1 mov r12,rcx ;here
00000001`3f8205ee ff15c4b21100 call qword ptr [qtshark+0x1ab8b8 (00000001`3f93b8b8)]
00000001`3f8205f4 49837c244800 cmp qword ptr [r12+48h],0
00000001`3f8205fa 0f84a1010000 je qtshark+0x907a1 (00000001`3f8207a1)
qtshark+0x90600:
00000001`3f820600 488bcb mov rcx,rbx
00000001`3f820603 ff158f931100 call qword ptr [qtshark+0x1a9998 (00000001`3f939998)]
00000001`3f820609 488bc8 mov rcx,rax
00000001`3f82060c ff158e931100 call qword ptr [qtshark+0x1a99a0 (00000001`3f9399a0)]
为了验证，在函数开头下断点，重新启动程序：
0:000> g
Breakpoint 0 hit
qtshark+0x905e0:
00000001`3f3d05e0 4053 push rbx
0:000> r
rax=000000013f515d48 rbx=0000000002aff6c0 rcx=0000000002aff6c0
rdx=000000000023a488 rsi=0000000000000014 rdi=000000000023a3d0
rip=000000013f3d05e0 rsp=000000000023a218 rbp=000000000023a329
r8=000000000023a490 r9=000000000023a3d0 r10=000000005fb1a340
r11=000000005fa55228 r12=000000000023a3d0 r13=0000000000000003
r14=0000000002b09fe0 r15=0000000002aff6c0
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qtshark+0x905e0:
00000001`3f3d05e0 4053 push rbx
执行期间可以发现：
0:000>
qtshark+0x90603:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\Program Files\Wireshark\Qt5Core.dll -
00000001`3f3d0603 ff158f931100 call qword ptr [qtshark+0x1a9998 (00000001`3f4e9998)] ds:00000001`3f4e9998={Qt5Core!QList<QItemSelectionRange>::front
(00000000`5f962d00)}
0:000>
qtshark+0x90609:
00000001`3f3d0609 488bc8 mov rcx,rax
0:000> r rax
Last set context:
rax=baadf00dbaadf00d
看来是Qt5Core!QList<QItemSelectionRange>::front 的问题，重启bp qtshark+0x90603。
让我们看一下正常的操作是什么：
Breakpoint 0 hit
qtshark+0x90603:
00000001`3f9e0603 ff158f931100 call qword ptr [qtshark+0x1a9998 (00000001`3faf9998)] ds:00000001`3faf9998={Qt5Core!QList<QItemSelectionRange>::front
(00000000`5f462d00)}
0:000> r
rax=0000000000000000 rbx=000000000030a0d8 rcx=000000000030a0d8
rdx=0000000000000000 rsi=0000000000000014 rdi=000000000030a048
rip=000000013f9e0603 rsp=0000000000309e20 rbp=0000000000309f89
r8=0000000000008000 r9=0000000000000008 r10=00000000003e0268
r11=0000000000309788 r12=0000000002c2f440 r13=0000000000000003
r14=0000000002c39e20 r15=0000000002c2f440
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qtshark+0x90603:
00000001`3f9e0603 ff158f931100 call qword ptr [qtshark+0x1a9998 (00000001`3faf9998)] ds:00000001`3faf9998={Qt5Core!QList<QItemSelectionRange>::front
(00000000`5f462d00)}
进入之后，
0:000> t
Qt5Core!QList<QItemSelectionRange>::front:
00000000`5f462d00 488b11 mov rdx,qword ptr [rcx] ds:00000000`0030a0d8=80c6310500000000
0:000>
Qt5Core!QList<QItemSelectionRange>::front+0x3:
00000000`5f462d03 48634208 movsxd rax,dword ptr [rdx+8] ds:00000000`0531c688=00000000
0:000> t
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f462d07 488b44c210 mov rax,qword ptr [rdx+rax*8+10h] ds:00000000`0531c690=f0c52d0500000000
0:000> r
rax=0000000000000000 rbx=000000000030a0d8 rcx=000000000030a0d8
rdx=000000000531c680 rsi=0000000000000014 rdi=000000000030a048
rip=000000005f462d07 rsp=0000000000309e18 rbp=0000000000309f89
r8=0000000000008000 r9=0000000000000008 r10=00000000003e0268
r11=0000000000309788 r12=0000000002c2f440 r13=0000000000000003
r14=0000000002c39e20 r15=0000000002c2f440
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f462d07 488b44c210 mov rax,qword ptr [rdx+rax*8+10h] ds:00000000`0531c690=f0c52d0500000000
0:000> t
Qt5Core!QList<QItemSelectionRange>::front+0xc:
00000000`5f462d0c c3 ret
0:000> r
rax=00000000052dc5f0
这一次执行结果是返回了一个指针。
这是不正常的走向：
0:000> r
rax=0000000000000000 rbx=00000000001da648 rcx=00000000001da648
rdx=000007feebae9ff0 rsi=0000000000000014 rdi=00000000001da590
rip=000000013f860603 rsp=00000000001da380 rbp=00000000001da4e9
r8=0000000000000005 r9=0000000000000069 r10=0000000000000000
r11=0000000000000002 r12=00000000027bf3f0 r13=0000000000000003
r14=00000000027c9e30 r15=00000000027bf3f0
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qtshark+0x90603:
00000001`3f860603 ff158f931100 call qword ptr [qtshark+0x1a9998 (00000001`3f979998)] ds:00000001`3f979998={Qt5Core!QList<QItemSelectionRange>::front
(00000000`5f962d00)}
0:000> t
Qt5Core!QList<QItemSelectionRange>::front:
00000000`5f962d00 488b11 mov rdx,qword ptr [rcx] ds:00000000`001da648=10cf6b0200000000
0:000>
Qt5Core!QList<QItemSelectionRange>::front+0x3:
00000000`5f962d03 48634208 movsxd rax,dword ptr [rdx+8] ds:00000000`026bcf18=01000000
0:000>
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f962d07 488b44c210 mov rax,qword ptr [rdx+rax*8+10h] ds:00000000`026bcf28=0df0adba0df0adba
0:000>
Qt5Core!QList<QItemSelectionRange>::front+0xc:
00000000`5f962d0c c3 ret
由于每次操作会产生2个selection change事件，所以有问题的是第二个操作。
Qt5Core!QList<QItemSelectionRange>::front:
mov rdx,qword ptr [rcx]
movsxd rax,dword ptr [rdx+8]
mov rax,qword ptr [rdx+rax*8+10h]
ret
而这个函数的整个操作就这4行。
rdx = *rcx;
rax = *(rdx+8);
return *(rdx+rax*8+0x10);
综合一下就是：
return *(*rcx+(*(rdx+8))*8+0x10);
实际执行起来是：
return *(*arg1+0x10);
或者
return *(*arg1+0x18);
//取决于选的数量
由于我们没有符号，不知道具体代表什么，但是再出问题的部分，如果执行：
0:000> r
rax=0000000000000001 rbx=000000000015a6c8 rcx=000000000015a6c8
rdx=0000000005143d90 rsi=0000000000000014 rdi=000000000015a610
rip=000000005f462d07 rsp=000000000015a3f8 rbp=000000000015a569
r8=0000000000008000 r9=0000000000000008 r10=0000000001f30268
r11=0000000000159d68 r12=0000000002d3f220 r13=0000000000000003
r14=0000000002d49bb0 r15=0000000002d3f220
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
Qt5Core!QList<QItemSelectionRange>::front+0x7:
00000000`5f462d07 488b44c210 mov rax,qword ptr [rdx+rax*8+10h] ds:00000000`05143da8=0df0adba0df0adba
0:000> dd rdx+10
00000000`05143da0 02d678b0 00000000 baadf00d baadf00d
00000000`05143db0 abababab abababab abababab abababab
看到好玩的了吧，这纯粹是越界访问了。那么既然选一个就是+0x8，如果可以选上更多的数据，是否就可以读到后面的0x00000040 00000000呢？我猜应该是可以的吧=v=
0:000> .cxr
Resetting default scope
0:000> dd rdx+10
00000000`05143da0 02d678b0 00000000 baadf00d baadf00d
00000000`05143db0 abababab abababab abababab abababab
00000000`05143dc0 00000000 00000000 00000000 00000000
00000000`05143dd0 00000040 00000000

漏洞证明：

截获窗口中按住Ctrl 选择 n列，会导致程序向后越界读取到n * 8字节的数据。

修复方案：

检查选择列的数量和可使用的内存的大小的值

版权声明：转载请注明来源 blast@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：10 (WooYun评价)