Bug 698537 - GSView 6.0 MS Windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .pdf file, related to a "Possible Stack Corruption starting at KERNELBASE!RaiseException+0x0000000000000068".
Summary: GSView 6.0 MS Windows allows attackers to cause a denial of service or possib...
Status: RESOLVED FIXED
Alias: None
Product: Artifex GSview
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: PC Windows 8
: P4 normal
Assignee: Michael Vrhel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-14 22:44 UTC by WangLin
Modified: 2017-09-30 10:28 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description WangLin 2017-09-14 22:44:25 UTC
Created attachment 14259 [details]
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x7fade387b8c
EXCEPTION_CODE:0xE0434352
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:UNKNOWN
FAULTING_INSTRUCTION:000007fa`de387b8c mov rcx,qword ptr [rsp+0c0h]
BASIC_BLOCK_INSTRUCTION_COUNT:3
BASIC_BLOCK_INSTRUCTION:000007fa`de387b8c mov rcx,qword ptr [rsp+0c0h]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rsp
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rsp+0c0h
BASIC_BLOCK_INSTRUCTION:000007fa`de387b94 xor rcx,rsp
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rcx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rsp
BASIC_BLOCK_INSTRUCTION:000007fa`de387b97 call kernelbase!_security_check_cookie (000007fa`de3414f0)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rcx
MAJOR_HASH:0x7e446973
MINOR_HASH:0x4c7d4838
STACK_DEPTH:44
STACK_FRAME:KERNELBASE!RaiseException+0x68
STACK_FRAME:clr!CopyPDBs+0x9a80
STACK_FRAME:clr!TranslateSecurityAttributes+0x1dfff
STACK_FRAME:clr!TranslateSecurityAttributes+0x78e9f
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:WindowsBase_ni+0x12b21c
STACK_FRAME:WindowsBase_ni+0x12b0e7
STACK_FRAME:WindowsBase_ni+0x12e9f1
STACK_FRAME:mscorlib_ni+0x4a39a5
STACK_FRAME:mscorlib_ni+0x4a3719
STACK_FRAME:mscorlib_ni+0x4a36f7
STACK_FRAME:WindowsBase_ni+0x12e621
STACK_FRAME:WindowsBase_ni+0x129063
STACK_FRAME:WindowsBase_ni+0x1293c3
STACK_FRAME:WindowsBase_ni+0x12b45a
STACK_FRAME:WindowsBase_ni+0x12b2e0
STACK_FRAME:WindowsBase_ni+0x12b15a
STACK_FRAME:WindowsBase_ni+0x12b0e7
STACK_FRAME:WindowsBase_ni+0x12846c
STACK_FRAME:WindowsBase_ni+0x12a9d0
STACK_FRAME:WindowsBase_ni+0x2d59d7
STACK_FRAME:clr!GetMetaDataInternalInterface+0xcf0e
STACK_FRAME:USER32!UserCallWinProcCheckWow+0x13a
STACK_FRAME:USER32!DispatchMessageWorker+0x1a7
STACK_FRAME:WindowsBase_ni+0x155900
STACK_FRAME:WindowsBase_ni+0x127332
STACK_FRAME:PresentationFramework_ni+0x3cf2ea
STACK_FRAME:PresentationFramework_ni+0x3cebf7
STACK_FRAME:Unknown
STACK_FRAME:clr+0xa7f3
STACK_FRAME:clr+0xa6de
STACK_FRAME:clr+0xae76
STACK_FRAME:clr!CorExeMain+0x35e9
STACK_FRAME:clr!CorExeMain+0x392e
STACK_FRAME:clr!CorExeMain+0x3827
STACK_FRAME:clr!CorExeMain+0x37aa
STACK_FRAME:clr!CorExeMain+0x3702
STACK_FRAME:clr!CorExeMain+0x14
STACK_FRAME:mscoreei!CorExeMain+0x5d
STACK_FRAME:MSCOREE!CorExeMain_Exported+0x57
STACK_FRAME:KERNEL32!BaseThreadInitThunk+0x1a
STACK_FRAME:ntdll!RtlUserThreadStart+0x21
INSTRUCTION_ADDRESS:0x000007fade387b8c
INVOKING_STACK_FRAME:0
DESCRIPTION:Possible Stack Corruption
SHORT_DESCRIPTION:PossibleStackCorruption
CLASSIFICATION:UNKNOWN
BUG_TITLE:Possible Stack Corruption starting at KERNELBASE!RaiseException+0x0000000000000068 (Hash=0x7e446973.0x4c7d4838)
EXPLANATION:The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.
Comment 1 Michael Vrhel 2017-09-21 09:08:49 UTC
Thanks for supplying this.  Found three vulnerabilities with the file.