[+] Credits: HYP3RLINX [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt [+] ISR: ApparitionSec Vendor: ================= www.microsoft.com Product: ==================== WinDbg logviewer.exe LogViewer (logviewer.exe), a tool that displays the logs created, part of WinDbg application. Vulnerability Type: =================== Buffer Overflow DOS Vulnerability Details: ===================== Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv files. App crash then Overwrite of MMX registers etc... this utility belongs to Windows Kits/8.1/Debuggers/x86 Read Access Violation / Memory Corruption Win32 API Log Viewer 6.3.9600.17298 Windbg x86 logviewer.exe Log Viewer 3.01 for x86 (5fb8.32fc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\msvcrt.dll - eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000 edi=013dcd30 eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 msvcrt!memmove+0x1ee: 754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi] ds:002b:005d2000=???????????????????????????????? gs 2b fs 53 es 2b ds 2b edi 136cd30 esi 7d2000 ebx 7d0000 edx 0 ecx 41 eax 136ad30 ebp df750 eip 754fa048 cs 23 efl 210206 esp df748 ss 2b dr0 0 dr1 0 dr2 0 dr3 0 dr6 0 dr7 0 di cd30 si 2000 bx 0 dx 0 cx 41 ax ad30 bp f750 ip a048 fl 206 sp f748 bl 0 dl 0 cl 41 al 30 bh 0 dh 0 ch 0 ah ad fpcw 27f fpsw 4020 fptw ffff fopcode 0 fpip 76454c1e fpipsel 23 fpdp 6aec2c fpdpsel 2b st0 -1.00000000000000e+000 st1 -1.00000000000000e+000 st2 -1.00000000000000e+000 st3 9.60000000000000e+001 st4 1.08506945252884e-004 st5 -1.00000000000000e+000 st6 0.00000000000000e+000 st7 0.00000000000000e+000 mm0 0:2:2:2 mm1 0:0:2:202 mm2 0:1:1:1 mm3 c000:0:0:0 mm4 e38e:3900:0:0 mm5 0:0:0:0 mm6 0:0:0:0 mm7 0:0:0:0 mxcsr 1fa0 xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 iopl 0 of 0 df 0 if 1 tf 0 sf 0 zf 0 af 0 pf 1 cf 0 vip 0 vif 0 xmm0l 4141:4141:4141:4141 xmm1l 4141:4141:4141:4141 xmm2l 4141:4141:4141:4141 xmm3l 4141:4141:4141:4141 xmm4l 4141:4141:4141:4141 xmm5l 4141:4141:4141:4141 xmm6l 4141:4141:4141:4141 xmm7l 4141:4141:4141:4141 xmm0h 4141:4141:4141:4141 xmm1h 4141:4141:4141:4141 xmm2h 4141:4141:4141:4141 xmm3h 4141:4141:4141:4141 xmm4h 4141:4141:4141:4141 xmm5h 4141:4141:4141:4141 xmm6h 4141:4141:4141:4141 xmm7h 4141:4141:4141:4141 xmm0/0 41414141 xmm0/1 41414141 xmm0/2 41414141 xmm0/3 41414141 xmm1/0 41414141 xmm1/1 41414141 xmm1/2 41414141 xmm1/3 41414141 xmm2/0 41414141 xmm2/1 41414141 xmm2/2 41414141 xmm2/3 41414141 xmm3/0 41414141 xmm3/1 41414141 xmm3/2 41414141 xmm3/3 41414141 xmm4/0 41414141 xmm4/1 41414141 xmm4/2 41414141 xmm4/3 41414141 xmm5/0 41414141 xmm5/1 41414141 xmm5/2 41414141 xmm5/3 41414141 xmm6/0 41414141 xmm6/1 41414141 xmm6/2 41414141 xmm6/3 41414141 xmm7/0 41414141 xmm7/1 41414141 xmm7/2 41414141 xmm7/3 41414141 Exploit code(s): =============== 1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM registers, ECX etc 2) run from command line pipe the file to it to watch it crash and burn. /////////////////////////////////////////////////////////////////////// Disclosure Timeline: =============================== Vendor Notification: June 23, 2016 Vendor acknowledged: July 1, 2016 Vendor reply: Will not fix (stability issue) July 8, 2016 : Public Disclosure Severity Level: ================ Low [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. HYP3RLINX