
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0100786

Title: Amazon Kindle (Windows) can never start again after opening a malformed azw once

Vendor: Amazon

Author: blast

Submitted: 2015-03-12 10:47

Fixed: 2015-06-10 14:24

Published: 2015-06-10 14:24

Type: Denial of service

Severity: Low

Self-assessed rank: 2

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-12: Details sent to the vendor, awaiting vendor handling
2015-03-12: Vendor confirmed; details visible to the vendor only
2015-03-15: Details opened to third-party security partners
2015-05-06: Details opened to core white hats and experts in the relevant field
2015-05-16: Details opened to regular white hats
2015-05-26: Details opened to intern white hats
2015-06-10: Details opened to the public

Summary:

It degrades the user experience in any case. Uninstalling and reinstalling does not help either: the app will not open unless the user actually locates the offending file by hand and deletes it... Version 1.10.8.

Details:

(1) Reproduction
Take any free public-domain book and pick an arbitrary spot, for example the author field:
"Robert Louis Stevenson"
Delete a single character, e.g. the "o". Everything after it is shifted out of place, and Kindle's parser then fails.
(2) Other notes
When an azw is opened by double-clicking, Kindle automatically copies it into the user's directory. On initialisation Kindle parses every file in that directory to read the cover, author and other metadata.
Uninstalling Kindle does not remove the files the user has downloaded, so the user has to delete the offending file manually from the directory named by:
HKEY_CURRENT_USER\Software\Amazon\Kindle\User Settings\CONTENT_PATH
Otherwise Kindle will never start again.

Proof of concept:

File download:
http://pan.baidu.com/s/1jG3RaGA
Just double-click to open it.

(460.cd8): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\Program Files (x86)\Amazon\Kindle\Kindle.exe -
eax=000000dd ebx=000004e4 ecx=00000000 edx=0022ed44 esi=0022ed68 edi=000000dd
eip=0197383f esp=0022ed14 ebp=05920448 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
Kindle!std::_Init_locks::operator=+0x137353:
0197383f 0fb65103 movzx edx,byte ptr [ecx+3] ds:002b:00000003=??


On start-up:

No digital signature check in this build... 
QString::arg: Argument missing: <b>?????δ?????????????????????????壬?????????ó???????????????ó??????</b><br /><span style="font-size: 11pt;"> ?н???????????, .</span>
Using Qt version 4.8.6


(11d0.1574): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MazamaReader.exe -
eax=000000dd ebx=000004e4 ecx=00000000 edx=0271e63c esi=0271e660 edi=000000dd
eip=008f383f esp=0271e60c ebp=05760448 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
MazamaReader!std::_Init_locks::operator=+0x137353:
008f383f 0fb65103 movzx edx,byte ptr [ecx+3] ds:002b:00000003=??
0:000> kvn
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0271e60c 008f6539 0271e648 0271e63c 86d91ccb MazamaReader!std::_Init_locks::operator=+0x137353
01 00000000 00000000 00000000 00000000 00000000 MazamaReader!std::_Init_locks::operator=+0x13a04d


The code that triggers the crash:

0:000> ub 008f6539 
MazamaReader!std::_Init_locks::operator=+0x13a039:
008f6525 54 push esp
008f6526 2420 and al,20h
008f6528 52 push edx
008f6529 8d442430 lea eax,[esp+30h]
008f652d 50 push eax
008f652e 8d74244c lea esi,[esp+4Ch]
008f6532 8bcf mov ecx,edi
008f6534 e8f7d2ffff call MazamaReader!std::_Init_locks::operator=+0x137344 (008f3830)


So edi is the culprit. edi is set by
008f6520 8b7c2440 mov edi,dword ptr [esp+40h]
so the contents of [esp+40h] need to be checked, but the preceding code does not make them obvious, so dynamic tracing is the better option. Restart:
Executable search path is:
ModLoad: 013d0000 036ee000 MazamaReader.exe
Base address 0x013d0000; MazamaReader!std::_Init_locks::operator=+0x137353 is at 01a2383f, so the actual address of MazamaReader!std::_Init_locks::operator= is 0x018EC4EC, offset = 0x51C4EC.
Run it again:
Executable search path is:
ModLoad: 013d0000 036ee000 MazamaReader.exe
Surprisingly it is still the same value (the program does in fact have address randomisation enabled), so the address of the frame above is:
MazamaReader!std::_Init_locks::operator=+0x13a04d
0x018EC4EC + 0x13a04d = 0x01A26539
This address is 0x000001c9 from the start of the function, which gives the function address 0x1A26370; set a breakpoint there.
0:000> bp 0x1A26370
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MazamaReader.exe -
0:000> g
Breakpoint 0 hit
eax=002ce9a4 ebx=00000000 ecx=050d1b38 edx=002cea58 esi=ffffffff edi=05145968
eip=01a26370 esp=002ce8a0 ebp=002cecfc iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
MazamaReader!std::_Init_locks::operator=+0x139e84:
01a26370 6aff push 0FFFFFFFFh
As can be seen, the stack information is of almost no use...
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
002cecfc 01a616b2 MazamaReader!std::_Init_locks::operator=+0x139ea1
002ced30 01a62692 MazamaReader!std::_Init_locks::operator=+0x1751c6
002ced80 016dea4e MazamaReader!std::_Init_locks::operator=+0x1761a6
00000000 00000000 MazamaReader!xmlXIncludeProcessNode+0xacb8e
Tracing shows:
0:000>
eax=0035e600 ebx=000004e4 ecx=010d0440 edx=0035e5f4 esi=0035e618 edi=010d0440
eip=01a26534 esp=0035e5cc ebp=010d0448 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
MazamaReader!std::_Init_locks::operator=+0x13a048:
01a26534 e8f7d2ffff call MazamaReader!std::_Init_locks::operator=+0x137344 (01a23830)
0:000>
eax=00000000 ebx=000004e4 ecx=010d046b edx=0035e5f4 esi=0035e618 edi=010d0440
eip=01a26539 esp=0035e5cc ebp=010d0448 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
MazamaReader!std::_Init_locks::operator=+0x13a04d:
01a26539 83c408 add esp,8
0:000>
eax=00000000 ebx=000004e4 ecx=010d046b edx=0035e5f4 esi=0035e618 edi=010d0440
eip=01a2653c esp=0035e5d4 ebp=010d0448 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
MazamaReader!std::_Init_locks::operator=+0x13a050:
01a2653c 89442440 mov dword ptr [esp+40h],eax ss:002b:0035e614=40040d01
0:000>
Here [esp+40h] is set to 0.
The specific reason is here:

eax=00002541 ebx=0000002b ecx=0137046b edx=003cea04 esi=003cea28 edi=01370548
eip=01a238eb esp=003ce9d0 ebp=01370448 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
MazamaReader!std::_Init_locks::operator=+0x1373ff:
01a238eb 8902 mov dword ptr [edx],eax ds:002b:003cea04=23000000
0:000>
eax=00002541 ebx=0000002b ecx=0137046b edx=003cea04 esi=003cea28 edi=01370548
eip=01a238ed esp=003ce9d0 ebp=01370448 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
MazamaReader!std::_Init_locks::operator=+0x137401:
01a238ed 3906 cmp dword ptr [esi],eax ds:002b:003cea28=dd000000
0:000>
eax=00002541 ebx=0000002b ecx=0137046b edx=003cea04 esi=003cea28 edi=01370548
eip=01a238ef esp=003ce9d0 ebp=01370448 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200287
MazamaReader!std::_Init_locks::operator=+0x137403:
01a238ef 5b pop ebx
0:000>
eax=00002541 ebx=000004e4 ecx=0137046b edx=003cea04 esi=003cea28 edi=01370548
eip=01a238f0 esp=003ce9d4 ebp=01370448 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200287
MazamaReader!std::_Init_locks::operator=+0x137404:
01a238f0 1bc0 sbb eax,eax
0:000>
eax=ffffffff ebx=000004e4 ecx=0137046b edx=003cea04 esi=003cea28 edi=01370548
eip=01a238f2 esp=003ce9d4 ebp=01370448 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
MazamaReader!std::_Init_locks::operator=+0x137406:
01a238f2 f7d0 not eax
0:000>
eax=00000000 ebx=000004e4 ecx=0137046b edx=003cea04 esi=003cea28 edi=01370548
eip=01a238f4 esp=003ce9d4 ebp=01370448 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
MazamaReader!std::_Init_locks::operator=+0x137408:
01a238f4 23c1 and eax,ecx
0:000>


While parsing the data, the cmp dword ptr [esi],eax compares 0xdd against 0x2541 and sets the carry flag; the subtract-with-borrow (sbb eax,eax) then turns eax into 0xffffffff, NOT makes it 0, and the AND with ecx leaves 0... so a NULL pointer is returned.
This is the normal path:

0:000> 
eax=0000002b ebx=00000a28 ecx=053c0440 edx=003aeb84 esi=003aeba8 edi=053c0548
eip=01a238f0 esp=003aeb54 ebp=053c043c iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
MazamaReader!std::_Init_locks::operator=+0x137404:
01a238f0 1bc0 sbb eax,eax
0:000>
eax=00000000 ebx=00000a28 ecx=053c0440 edx=003aeb84 esi=003aeba8 edi=053c0548
eip=01a238f2 esp=003aeb54 ebp=053c043c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
MazamaReader!std::_Init_locks::operator=+0x137406:
01a238f2 f7d0 not eax
0:000>
eax=ffffffff ebx=00000a28 ecx=053c0440 edx=003aeb84 esi=003aeba8 edi=053c0548
eip=01a238f4 esp=003aeb54 ebp=053c043c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
MazamaReader!std::_Init_locks::operator=+0x137408:
01a238f4 23c1 and eax,ecx
0:000>
eax=053c0440 ebx=00000a28 ecx=053c0440 edx=003aeb84 esi=003aeba8 edi=053c0548
eip=01a238f6 esp=003aeb54 ebp=053c043c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
MazamaReader!std::_Init_locks::operator=+0x13740a:
01a238f6 5f pop edi
0:000>
eax=053c0440 ebx=00000a28 ecx=053c0440 edx=003aeb84 esi=003aeba8 edi=053c0434
eip=01a238f7 esp=003aeb58 ebp=053c043c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
MazamaReader!std::_Init_locks::operator=+0x13740b:
01a238f7 c3 ret

Fix:

Check for the NULL pointer; and if a file is broken, shouldn't it stop reading that file on every single launch...
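The branchless length check traced above returns NULL, and the fix section asks for a NULL check plus not re-parsing a broken file on every launch. The C below is an added illustration of both points and is not Kindle's code; the type and function names, the record layout and the sample values are assumptions modelled on the register values in the trace.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not Kindle's code: a record that declares its payload
 * length; in the trace [esi] held 0xdd while 0x2541 bytes were requested. */
typedef struct { uint32_t length; const uint8_t *bytes; } azw_record;

/* Tail of the lookup as disassembled (cmp [esi],eax / sbb eax,eax /
 * not eax / and eax,ecx): the record if it is long enough, else NULL. */
static const uint8_t *lookup_field(const azw_record *rec, uint32_t needed)
{
    return rec->length >= needed ? rec->bytes : NULL;
}

/* The crashing caller stored that NULL at [esp+40h], reloaded it into edi
 * and ran movzx edx,byte ptr [ecx+3]; this caller rejects NULL instead. */
int read_field_byte3(const azw_record *rec, uint32_t needed)
{
    const uint8_t *p = lookup_field(rec, needed);
    return p ? p[3] : -1;   /* -1: parse failure reported, not an AV at 0x3 */
}

/* Start-up scan of the content directory. The report notes every file is
 * re-parsed on each launch, so a failure is remembered (a real reader would
 * persist the flag) and that entry is skipped on the next launch. */
typedef struct { azw_record rec; uint32_t needed; int bad; } library_entry;
int scan_library(library_entry *entries, int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        if (entries[i].bad)
            continue;       /* failed earlier: leave it alone */
        if (read_field_byte3(&entries[i].rec, entries[i].needed) < 0)
            entries[i].bad = 1;
        else
            ok++;
    }
    return ok;
}

/* Constructed sample: one intact book, one damaged one, scanned twice as
 * two launches; the second skips the flagged file and still completes. */
int demo_two_launches(int *second_ok)
{
    static const uint8_t payload[] = { 0x00, 0x00, 0x00, 0x2b, 0x41 };
    library_entry lib[2] = {
        { { 0xdd, payload }, 0x2b,   0 },  /* intact:  0xdd >= 0x2b   */
        { { 0xdd, payload }, 0x2541, 0 },  /* damaged: 0xdd <  0x2541 */
    };
    int first = scan_library(lib, 2);
    *second_ok = scan_library(lib, 2);
    return first;
}
```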

Copyright notice: when reposting, credit the source: blast@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability rank: 3

Confirmed: 2015-03-12 14:23

Vendor reply:

Thank you for supporting Amazon's information security. Testing confirmed that the issue exists, and the relevant developers have been notified to handle it.

Latest status:

None yet