SkyLined / BugId

Detect, analyze and uniquely identify crashes in Windows applications
https://bugid.skylined.nl

An error at the beginning of / before fuzzing IE - An Access Violation exception happened #93

Closed aninax closed 4 years ago

aninax commented 4 years ago

Hi,

I am fuzzing IE following the tutorial from "Fuzz in sixty seconds", with the new BugId and domato, and every time, before IE opens and runs the index template, it crashes and I get the error "An Access Violation exception happend".

* Command line: C:\Program Files\Internet Explorer\iexplore.exe file://C:\Fuzzing\Tests\index.html
+ Main process 14316/0x37EC (iexplore.exe): Attached; command line = "C:\Program Files\Internet Explorer\iexplore.exe" file://C:\Fuzzing\Tests\index.html.
- You are debugging an x86 process running IEXPLORE.EXE with a x64 cdb.exe.
  This appears to be due to the application running both x86 and x64 processes.
  Unfortunately, this means use-after-free bugs in this process may be reported
  as attempts to access reserved memory regions, which is tecnically true but
  not as accurate as you might expect.

+ Sub process 9592/0x2578 (IEXPLORE.EXE): Attached; command line = "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:14316 CREDAT:17410 /prefetch:2.
* T+1.6 The application is suspended (First chance exception 0xC0000005)...

"Security impact: Unlikely to be an exploitable security issue unless the address can be controlled". Could you please help? Thanks

SkyLined commented 4 years ago

Hey,

You seem to have removed the part of the BugId output that provides details about the crash, so I cannot help you figure out what the problem is. Also, BugId should produce an HTML report; attaching that might help me pinpoint the issue.

If you run MSIE without BugId does it work? Can you visit websites without crashes?

Cheers,

BJ

aninax commented 4 years ago

Hi,

Here is output:

* Command line: C:\Program Files\Internet Explorer\iexplore.exe file://C:\Fuzzing\Tests\index.html
+ Main process 16860/0x41DC (iexplore.exe): Attached; command line = "C:\Program Files\Internet Explorer\iexplore.exe" file://C:\Fuzzing\Tests\index.html.
- You are debugging an x86 process running IEXPLORE.EXE with a x64 cdb.exe.
  This appears to be due to the application running both x86 and x64 processes.
  Unfortunately, this means use-after-free bugs in this process may be reported
  as attempts to access reserved memory regions, which is tecnically true but
  not as accurate as you might expect.

+ Sub process 4116/0x1014 (IEXPLORE.EXE): Attached; command line = "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:16860 CREDAT:17410 /prefetch:2.
┌─ A bug was detected ─────────────────────────────────────────────────────────────────────────────────────────────────
│ Id @ Location:    AVW:Exec/Read[0x1000]@0x410 c09.72c @ iexplore.exe!ntdll.dll!NtProtectVirtualMemory
│ Description:      An Access Violation exception happend at 0x2F15410 while attempting to write 1040/0x410 bytes into a 4096/0x1000 bytes read- and executable memory block at 0x2F15000.
│ Security impact:  Unlikely to be an exploitable security issue unless the address can be controlled.
│ Version:          iexplore.exe 11.0.18362.1 (x86)
│                   ntdll.dll 10.0.18362.387 (x86)
│ Bug report:       AVW.Exec Read[0x1000]@0x410 c09.72c @ iexplore.exe!ntdll.dll!NtProtectVirtualMemory.html (645143 bytes)
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Crash detected!
Copying report and repro to C:\Fuzzing\Results\msie\AVW.Exec Read[0x1000]@0x410 c09.72c @ iexplore.exe!ntdll.dll!NtProtectVirtualMemory folder...

It is not crashing during fuzzing, it is crashing before. I can open the fuzz files in IE without any problem, and they do not crash IE. I can send you my report file; could you please give me your email? Thanks

aninax commented 4 years ago

Also, yes, I can open websites with IE without any problem.

SkyLined commented 4 years ago

Please send the report along with your index.html file to bugid93_github.com@skylined.nl. I will have a look. If you could also add the output of BugId --version that would allow me to check with the same version of Windows/MSIE/Python/BugId.

Thanks!

aninax commented 4 years ago

It is sent. Thank you

SkyLined commented 4 years ago

Unfortunately I cannot reproduce the crash you are seeing. I've tested with:

BugId 2020-01-09 11:00
Windows 10 Pro release 1909, build 18363 x64.
Python 2.7.17 x64

Looking at the crash report, I see the crash happening during new thread initialization by ntdll, before the actual application (MSIE) is doing anything useful. This suggests that it is not a problem in MSIE but in your Windows installation. Unfortunately I do not know why this happens on your machine but reinstalling Windows will most likely resolve the issue.

Please try reinstalling Windows and running your test again. If you are not running BugId in a Virtual Machine, this can be quite time-consuming and inconvenient. I would suggest you use Hyper-V or some other VM to create a clean Windows installation for fuzzing that can be easily reinstalled when it becomes corrupted.
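
The triage SkyLined does by hand above (reading the Id, checking which module faulted, weighing the "Security impact" line, noting the x86/x64 cdb mismatch warning) can be scripted against BugId's console box. The following is an added example for this thread, not code from BugId or from either participant; the regular expressions, field names and the "OS runtime module" hint are assumptions derived only from the output pasted earlier in the thread, and the sample input is that output, embedded so the script runs offline.

```python
"""Parse and triage the console box BugId prints when it detects a bug.

Added example for this thread; not part of BugId.  The regexes, field names
and triage heuristics are assumptions based on the output pasted in the
thread, not on BugId's source.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the output aninax pasted above, embedded so this runs offline.
SAMPLE_OUTPUT = """\
- You are debugging an x86 process running IEXPLORE.EXE with a x64 cdb.exe.
  This appears to be due to the application running both x86 and x64 processes.
┌─ A bug was detected ─────────────────────────────────────────────────────────
│ Id @ Location:    AVW:Exec/Read[0x1000]@0x410 c09.72c @ iexplore.exe!ntdll.dll!NtProtectVirtualMemory
│ Description:      An Access Violation exception happend at 0x2F15410 while attempting to write 1040/0x410 bytes into a 4096/0x1000 bytes read- and executable memory block at 0x2F15000.
│ Security impact:  Unlikely to be an exploitable security issue unless the address can be controlled.
│ Version:          iexplore.exe 11.0.18362.1 (x86)
│                   ntdll.dll 10.0.18362.387 (x86)
│ Bug report:       AVW.Exec Read[0x1000]@0x410 c09.72c @ iexplore.exe!ntdll.dll!NtProtectVirtualMemory.html (645143 bytes)
└─────────────────────────────────────────────────────────────────────────────
Crash detected!
"""

# "│ Key:   value" lines inside the box.  The key may contain spaces and "@".
FIELD_RE = re.compile(r"^│ (?P<key>[A-Za-z][A-Za-z @]*?):\s+(?P<value>.*)$")
# "AVW:Exec/Read[0x1000]@0x410 c09.72c @ process!module!function"
ID_RE = re.compile(r"^(?P<type>[A-Z]+):(?P<detail>\S+) (?P<hash>[0-9a-f.]+) @ (?P<location>\S+)$")
# Fault address, access kind, offset into the block, block size, permissions, block base.
DESC_RE = re.compile(
    r"at 0x(?P<fault>[0-9A-Fa-f]+) while attempting to (?P<access>\w+) "
    r"\d+/0x(?P<offset>[0-9A-Fa-f]+) bytes into a \d+/0x(?P<size>[0-9A-Fa-f]+) bytes "
    r"(?P<perms>.+?) memory block at 0x(?P<base>[0-9A-Fa-f]+)"
)
# Assumed list of Windows runtime modules.  A fault here is only a hint that the
# crash may be environmental (as in this thread); heap corruption caused by the
# target also surfaces in ntdll, so this is never a verdict on its own.
OS_RUNTIME_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}


@dataclass
class BugIdReport:
    bug_type: str            # e.g. "AVW": access violation on write
    detail: str              # e.g. "Exec/Read[0x1000]@0x410"
    stack_hash: str          # e.g. "c09.72c"
    location: str            # "process!module!function"
    security_impact: str
    versions: str
    bitness_mismatch: bool   # the x86-process-under-x64-cdb warning was printed
    access: Optional[str] = None
    fault_address: Optional[int] = None
    offset: Optional[int] = None
    block_size: Optional[int] = None
    block_base: Optional[int] = None
    permissions: Optional[str] = None


def parse_fields(text: str) -> Dict[str, str]:
    """Collect the box's 'Key: value' lines; indented continuation lines are appended."""
    fields: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key")
            fields[last_key] = m.group("value").strip()
        elif line.startswith("│") and last_key:
            fields[last_key] += "; " + line[1:].strip()
    return fields


def parse_report(text: str) -> BugIdReport:
    fields = parse_fields(text)
    m = ID_RE.match(fields["Id @ Location"])
    if not m:
        raise ValueError("unrecognised bug id: " + fields["Id @ Location"])
    report = BugIdReport(
        bug_type=m.group("type"), detail=m.group("detail"), stack_hash=m.group("hash"),
        location=m.group("location"), security_impact=fields.get("Security impact", ""),
        versions=fields.get("Version", ""),
        bitness_mismatch="x86 process" in text and "x64 cdb.exe" in text,
    )
    d = DESC_RE.search(fields.get("Description", ""))
    if d:
        report.access = d.group("access")
        report.fault_address = int(d.group("fault"), 16)
        report.offset = int(d.group("offset"), 16)
        report.block_size = int(d.group("size"), 16)
        report.block_base = int(d.group("base"), 16)
        report.permissions = d.group("perms")
    return report


def triage(report: BugIdReport) -> Dict[str, object]:
    """Cheap first-pass flags for sorting a results folder; not a substitute for the HTML report."""
    parts = report.location.split("!")
    module = parts[1].lower() if len(parts) >= 3 else ""
    return {
        "id": f"{report.bug_type} {report.stack_hash}",
        "probably_exploitable": not report.security_impact.lower().startswith("unlikely"),
        "in_os_runtime_module": module in OS_RUNTIME_MODULES,
        # The description's numbers should agree: fault == base + offset.
        "offset_consistent": report.fault_address is not None
        and report.fault_address - report.block_base == report.offset,
        "inside_block": report.offset is not None and report.offset < report.block_size,
        "bitness_mismatch": report.bitness_mismatch,
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_OUTPUT)).items():
        print(f"{key:22} {value}")
```

On the thread's sample this yields an id of `AVW c09.72c`, a fault inside `ntdll.dll` with BugId's own "unlikely exploitable" verdict, a consistent description (0x2F15410 is exactly 0x410 bytes into the 0x1000-byte block at 0x2F15000), and the bitness-mismatch flag set, which is the combination that made a broken Windows install, rather than an MSIE bug, the first thing to suspect.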

aninax commented 4 years ago

Thank you for your help. IE fuzzing is working on clean Windows 10 installation.