Skip to content
This repository has been archived by the owner on Jan 4, 2019. It is now read-only.

An UAF bug exists in muon #652

Open
l0kihardt opened this issue Oct 25, 2018 · 2 comments
Open

An UAF bug exists in muon #652

l0kihardt opened this issue Oct 25, 2018 · 2 comments

Comments

@l0kihardt
Copy link

if you want to get to the function before 0x3799940, you can use the gdb script I uploaded.

  • Basic info
[----------------------------------registers-----------------------------------]
RAX: 0x53582a30d8 --> 0x662f6567616d6912 
RBX: 0x7fffffffd058 --> 0x0 
RCX: 0x29 (')')
RDX: 0x140 
RSI: 0x0 
RDI: 0x7fffffffd058 --> 0x0 
RBP: 0x7fffffffd040 --> 0x7fffffffd070 --> 0x7fffffffd090 --> 0x7fffffffd0d0 --> 0x7fffffffd130 --> 0x7fffffffd1c0 (--> ...)
RSP: 0x7fffffffd030 --> 0x3799940 (push   rbp)
RIP: 0x2d41301 (mov    rdx,QWORD PTR [rsi])
R8 : 0x0 
R9 : 0x535730d570 --> 0x10000001e 
R10: 0x53572a6cc0 --> 0x535730d570 --> 0x10000001e 
R11: 0x0 
R12: 0x6fc0430 --> 0x0 
R13: 0x53570f3d30 --> 0x0 
R14: 0x5357778960 --> 0x0 
R15: 0x7fffffffd0e8 --> 0x4847dc ("PluginsLoaded")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x2d412f8:   add    rax,0x38
   0x2d412fc:   test   cl,0x1
   0x2d412ff:   je     0x2d41309
=> 0x2d41301:   mov    rdx,QWORD PTR [rsi]
   0x2d41304:   mov    rcx,QWORD PTR [rdx+rcx*1-0x1]
   0x2d41309:   mov    rdi,rbx
   0x2d4130c:   mov    rdx,rax
   0x2d4130f:   call   rcx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd030 --> 0x3799940 (push   rbp)
0008| 0x7fffffffd038 --> 0x7fffffffd080 --> 0x0 
0016| 0x7fffffffd040 --> 0x7fffffffd070 --> 0x7fffffffd090 --> 0x7fffffffd0d0 --> 0x7fffffffd130 --> 0x7fffffffd1c0 (--> ...)
0024| 0x7fffffffd048 --> 0x3799963 (lea    rdi,[rbp-0x20])
0032| 0x7fffffffd050 --> 0x53582a30a0 --> 0xffffffff00000001 
0040| 0x7fffffffd058 --> 0x0 
0048| 0x7fffffffd060 --> 0x7fffffffd080 --> 0x0 
0056| 0x7fffffffd068 --> 0x3ba29a0 (push   rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000002d41301 in ?? ()

So the bug actually happens at the base::internal::Invoker<base::internal::BindState<void (*)>
when it tries to bind a callback function, which is the 0x2D412E0

_int64 __fastcall vuln(__int64 a1, struct_a2 *a2)
{
  char *v3; // rcx
  _QWORD *v4; // rsi
  struct_a2 *v5; // rax

  v3 = a2->pchar20;
  v4 = (_QWORD *)(a2->qword28 + a2->qword30);
  v5 = a2 + 1;
  if ( (unsigned __int8)v3 & 1 )
    v3 = *(char **)&v3[*v4 - 1];
  ((void (__fastcall *)(__int64, _QWORD *, struct_a2 *))v3)(a1, v4, v5);
  return a1;
}

the obj it passed to this function has been freed before Invoker has been called, so that a2->qword28 + a2->qword30 is NULL. which caused a NULL pointer dereference eventually.

@l0kihardt
Copy link
Author

fuzz-1.zip
attached the poc html for the convenience of you

@diracdeltas
Copy link
Member

Thanks for reporting this. This repo was unofficially deprecated on Oct 5 when we started switching to /~https://github.com/brave/brave-browser/ and we are now actively migrating users off of it

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants