Bug 698557 - mupdf 1.11 windows allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64LdrpInitialize+0x00000000000008e1".
Status: RESOLVED DUPLICATE of bug 698540
Alias: None
Product: MuPDF
Classification: Unclassified
Component: apps
Version: 1.11
Hardware: PC Windows 8
Importance: P4 normal
Assignee: MuPDF bugs
 
Reported: 2017-09-18 22:02 UTC by WangLin
Modified: 2017-09-30 10:29 UTC


Description WangLin 2017-09-18 22:02:46 UTC
Created attachment 14294
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x0
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x70591803
MINOR_HASH:0x22012e68
STACK_DEPTH:11
STACK_FRAME:wow64!Wow64LdrpInitialize+0x8e1
STACK_FRAME:wow64!Wow64LdrpInitialize+0x9eb
STACK_FRAME:wow64!Wow64LdrpInitialize+0xbbe
STACK_FRAME:wow64!Wow64EmulateAtlThunk+0x1ae7c
STACK_FRAME:wow64!Wow64SystemServiceEx+0xd7
STACK_FRAME:wow64cpu!TurboDispatchJumpAddressEnd+0xb
STACK_FRAME:wow64!Wow64SystemServiceEx+0x26a
STACK_FRAME:wow64!Wow64LdrpInitialize+0x435
STACK_FRAME:ntdll!LdrGetKnownDllSectionHandle+0x1b5
STACK_FRAME:ntdll!WinSqmCheckEscalationSetDWORD+0x12180
STACK_FRAME:ntdll!LdrInitializeThunk+0xe
INSTRUCTION_ADDRESS:0x00000000772ebda1
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV near NULL
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable - User Mode Write AV near NULL starting at wow64!Wow64LdrpInitialize+0x00000000000008e1 (Hash=0x70591803.0x22012e68)
EXPLANATION:User mode write access violations that are near NULL are probably exploitable.
Comment 1 Tor Andersson 2017-09-19 08:05:11 UTC

*** This bug has been marked as a duplicate of bug 698540 ***