PAGE:85D15618 _CipImageGetImageHash@36 proc near ; CODE XREF:

......

PAGE:85D1571F mov edx, edi

PAGE:85D15721 mov ecx, [ebp+arg_4]

PAGE:85D15724 call _HashpHashBytes@12 ; HashpHashBytes(x,x,x)

PAGE:85D15729 lea edx, [esi+0A0h]

PAGE:85D1572F

PAGE:85D1572F loc_85D1572F: ; CODE XREF: CipImageGetImageHash(x,x,x,x,x,x,x,x,x)+CF↑j

PAGE:85D1572F mov edi, [ebp+arg_10]

PAGE:85D15732 mov eax, [edi+54h] ; -----> here [edi+54h] is read from poc.dll at offset 0x104; in the PoC its value is 0x06.

PAGE:85D15735 sub eax, edx ; -----> here edx=83560150

PAGE:85D15737 add eax, [ebp+BaseAddress] ; ----> here [ebp+BaseAddress]=83560000

PAGE:85D1573A push eax ; ---------> so after the computation above the subtraction underflows and wraps around, leaving eax=fffffeb6; this wrapped value is then pushed as an argument to HashpHashBytes

PAGE:85D1573B mov ecx, [ebp+arg_4]

PAGE:85D1573E call _HashpHashBytes@12 ; ------> the resulting call chain eventually crashes the kernel

PAGE:85D15743 mov esi, [edi+54h] ;

PAGE:85D15746 mov [ebp+var_30], esi

In the following function, the bounds check is insufficient:

.text:85D0368C @SymCryptHashAppendInternal@16 proc near

.text:85D0368C ; CODE XREF: SymCryptSha1Append(x,x,x)+10↑p

.text:85D0368C ; SymCryptMd5Append(x,x,x)+10↑p

.text:85D0368C

.text:85D0368C var_18 = dword ptr -18h

.text:85D0368C var_14 = dword ptr -14h

.text:85D0368C var_10 = dword ptr -10h

.text:85D0368C var_C = dword ptr -0Ch

.text:85D0368C var_8 = dword ptr -8

.text:85D0368C var_4 = dword ptr -4

.text:85D0368C Src = dword ptr 8

.text:85D0368C MaxCount = dword ptr 0Ch

.text:85D0368C

.text:85D0368C mov edi, edi

.text:85D0368E push ebp

.text:85D0368F mov ebp, esp

......

.text:85D0372D mov ecx, [ebp+var_8]

.text:85D03730 mov edx, [ebp+var_18]

.text:85D03733 jmp short loc_85D0373B

.text:85D03735 ; ---------------------------------------------------------------------------

.text:85D03735

.text:85D03735 loc_85D03735: ; CODE XREF: SymCryptHashAppendInternal(x,x,x,x)+46↑j

.text:85D03735 ; SymCryptHashAppendInternal(x,x,x,x)+52↑j

.text:85D03735 mov ecx, [ebp+Src]

.text:85D03738 mov [ebp+var_8], ecx

.text:85D0373B

.text:85D0373B loc_85D0373B: ; CODE XREF: SymCryptHashAppendInternal(x,x,x,x)+A7↑j

.text:85D0373B cmp esi, [edx+18h] ; ----> here [edx+18h] equals 40h and esi equals fffffe7a; because the comparison is unsigned, the wrapped value in esi is treated as larger than 40h, so the jb below is not taken and the crafted size is not caught

.text:85D0373E jb short loc_85D03769

.text:85D03740 mov edi, [edx+1Ch]

.text:85D03743 lea eax, [ebp+var_C]

.text:85D03746 push eax

.text:85D03747 push esi

.text:85D03748 mov esi, [edx+0Ch]

.text:85D0374B add edi, ebx

.text:85D0374D mov ecx, esi

.text:85D0374F call ds:___guard_check_icall_fptr ; _guard_check_icall_nop(x)

.text:85D03755 mov edx, [ebp+var_8]

.text:85D03758 mov ecx, edi

.text:85D0375A call esi

