Guard Page Violation (Firefox 3.5.3)
Posted by: p0deje
Date: September 25, 2009 03:04AM

Hello, sla.ckers!
Those who use Firefox 3.5.3 with FoxTab 1.2.1 and Shockwave Flash 10.0.32.18 may see this kind of thing. To reproduce this you need to OPEN firefox.exe from WinDbg - attaching to an already running Firefox doesn't show such a thing.
(618.974): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=056c8000 ebx=00000010 ecx=0013eb28 edx=08010000 esi=08010000 edi=0013eb28
eip=051b8d2a esp=0013e900 ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
NPSWF32!native_ShockwaveFlash_TCallLabel+0xdd9f4:
051b8d2a 881e            mov     byte ptr [esi],bl          ds:0023:08010000=10
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel+0x00000000000dd9f4 (Hash=0x00000000.0x00000007)
I'm not quite sure about it, 'cause I could only test it on my machine (Windows XP Pro SP2). But, as far as it is exploitable, what can you say about it?

---------
http://p0deje.blogspot.com

Re: Guard Page Violation (Firefox 3.5.3)
Posted by: malloci
Date: September 25, 2009 08:56AM

Can you run a debug with !exploitable -v, just curious to see the stack trace. Looks like it might be an exploitable issue to me if you were able to control the (eip or esi) registers. I am still learning how to debug such issues as well. Great post, keep us updated on your find.

malloc(i)

Re: Guard Page Violation (Firefox 3.5.3)
Posted by: malloci
Date: September 25, 2009 09:12AM

@p0deje
Good find... I was able to reproduce the crash (Windows Vista64 Ultimate).

(1e00.21a0): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06893000 ebx=00000010 ecx=0039e834 edx=08810000 esi=08810000 edi=0039e834
eip=606ef27a esp=0039e60c ebp=00000003 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll -
NPSWF32!native_ShockwaveFlash_TCallLabel+0xc4f6c:
606ef27a 881e mov byte ptr [esi],bl ds:002b:08810000=00
0:000> !load C:\Program Files (x86)\Debugging Tools for Windows (x86)\winext\msec.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x606ef27a
First Chance Exception Type: STATUS_GUARD_PAGE_VIOLATION (0x80000001)

Exception Hash (Major/Minor): 0x00000000.0x00000003

Stack Trace:
NPSWF32!native_ShockwaveFlash_TCallLabel+0xc4f6c
NPSWF32!native_ShockwaveFlash_TCallLabel+0xc51ff
Instruction Address: 0x00000000606ef27a

Description: Guard Page Violation
Short Description: GuardPage
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel+0x00000000000c4f6c (Hash=0x00000000.0x00000003)

I don't know how you would go about exploiting this issue though?

malloc(i)

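A small triage helper for dumps like the ones quoted above, added here as an example and not code from any poster: it parses the WinDbg first-chance output and register dump and records what !exploitable leaves implicit, namely that the fault is a store through esi to a page-aligned address and the exception code is STATUS_GUARD_PAGE_VIOLATION. The sample text is constructed from the lines quoted in this thread; the page-size constant and the field names are the example's own assumptions.

```python
import re
# Constructed sample, trimmed from the WinDbg session quoted in this thread.
SAMPLE = """\
(1e00.21a0): Guard page violation - code 80000001 (first chance)
eax=06893000 ebx=00000010 ecx=0039e834 edx=08810000 esi=08810000 edi=0039e834
eip=606ef27a esp=0039e60c ebp=00000003 iopl=0 nv up ei pl nz na po nc
NPSWF32!native_ShockwaveFlash_TCallLabel+0xc4f6c:
606ef27a 881e mov byte ptr [esi],bl ds:002b:08810000=00
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Guard Page Violation starting at NPSWF32!native_ShockwaveFlash_TCallLabel+0x00000000000c4f6c (Hash=0x00000000.0x00000003)
"""

STATUS_GUARD_PAGE_VIOLATION = 0x80000001
PAGE = 0x1000  # x86 page size (assumed); a PAGE_GUARD region starts on a page boundary

def parse_crash(text):
    """Pull the fields a triager needs out of a WinDbg first-chance crash dump."""
    info = {"regs": {}}
    m = re.search(r"code ([0-9a-f]{8})", text)
    info["code"] = int(m.group(1), 16) if m else None
    for name, val in re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", text):
        info["regs"][name] = int(val, 16)
    # Disassembly line: "<addr> <bytes> <mnemonic> <operands> ds:<sel>:<addr>=<val>"
    m = re.search(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s+ds:", text, re.M)
    info["mnemonic"], info["operands"] = (m.group(1), m.group(2)) if m else (None, "")
    m = re.search(r"Exploitability Classification: (\w+)", text)
    info["classification"] = m.group(1) if m else None
    m = re.search(r"Hash=(0x[0-9a-f]+\.0x[0-9a-f]+)", text)
    info["hash"] = m.group(1) if m else None
    return info

def triage(info):
    """Context !exploitable does not print: is the fault a write, through which
    register, and is the target page-aligned (a sequential fill stepping onto a guard page)."""
    dest = info["operands"].split(",")[0]          # left operand = destination
    reg = re.search(r"\[(\w+)\]", dest)             # register used as the pointer
    target = info["regs"].get(reg.group(1)) if reg else None
    return {
        "guard_page": info["code"] == STATUS_GUARD_PAGE_VIOLATION,
        "write": "ptr [" in dest,                   # memory operand on the left = store
        "via": reg.group(1) if reg else None,
        "target": target,
        "page_aligned": target is not None and target % PAGE == 0,
        "classification": info["classification"],
    }

if __name__ == "__main__":
    for k, v in triage(parse_crash(SAMPLE)).items():
        print(f"{k:>15}: {hex(v) if k == 'target' else v}")
```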
Re: Guard Page Violation (Firefox 3.5.3)
Posted by: malloci
Date: September 25, 2009 09:23AM

You can reproduce the crash by attaching to an already running instance of Firefox: start Firefox, attach the process in Windbg, in your browser try to use the FoxTab addon, and crash. It seems to be an issue with FoxTab calling ShockwaveFlash:
NPSWF32!native_ShockwaveFlash_TCallLabel+0xc4f6c
NPSWF32!native_ShockwaveFlash_TCallLabel+0xc51ff
But then again, like I said, I am learning myself.

malloc(i)
