Java Deployment Toolkit Insufficient Validation of Parameters Vulnerability Patch Analysis

I spent some time to figure out what Oracle did to fix the @taviso’s 0-day. I digged into javasw.exe and java.exe and javaw.exe for the patched parts in vain. The binaries are all identical except the version numbers. And finally I got that they were in the deploytk and deployJava1 files. They changed the file name of COM control for the CLSID “{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}”. Originally it was deploytk and it became deployJava1. That’s why I didn’t try to diff them at first.

So here’s what I got after I crack diffed two files.

You see, the left side is the unpatched function and right side is patched one. Unpatched one has whole a lot of red and yellow blocks. Red block means it has no match in the other side. Yellow block means the block has been changed. In short, the whole function’s basic blocks have been changed or removed. The function is responsible for querying registry key for JNLPFile Shell Open key and launching it using CreateProcessA API. And they removed it to fix @taviso’s 0-day. Simple! No further analysis needed. But I’m not so sure how this will impact their normal deploy process.

Anyway that’s it for now and thanks for reading.

Advertisements

Setting breakpoint on entry point with Windbg

You might wonder how to breakpoint on entry point in windbg. I didn’t know neither because I never tried it. I usually do kernel mode debugging so I didn’t need to bp on entry point. Here’s a little bit complicated method. But if you find any simpler way, just let me know.

First, start the application from windbg using File -> Open Executable(or ^E).
On the first breakpoint, execute the following commands.

0:000> !peb

PEB at 7ffd8000

InheritedAddressSpace: No

ReadImageFileExecOptions: No

BeingDebugged: Yes

ImageBaseAddress: 01000000

Ldr 001a1ea0

Ldr.Initialized: Yes

Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2920

Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2910

Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2918

Base TimeStamp Module

1000000 48025287 Apr 13 11:35:51 2008 c:\windows\notepad.exe

7c900000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\ntdll.dll

7c800000 4802a12c Apr 13 17:11:24 2008 C:\WINDOWS\system32\kernel32.dll

763b0000 4802a0c9 Apr 13 17:09:45 2008 C:\WINDOWS\system32\comdlg32.dll

77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:\WINDOWS\system32\ADVAPI32.dll

77e70000 4802a106 Apr 13 17:10:46 2008 C:\WINDOWS\system32\RPCRT4.dll

77fe0000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\Secur32.dll

773d0000 4802a094 Apr 13 17:08:52 2008 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll

77c10000 4802a188 Apr 13 17:12:56 2008 C:\WINDOWS\system32\msvcrt.dll

77f10000 49006fbe Oct 23 05:36:14 2008 C:\WINDOWS\system32\GDI32.dll

7e410000 4802a11b Apr 13 17:11:07 2008 C:\WINDOWS\system32\USER32.dll

77f60000 45091361 Sep 14 01:31:29 2006 C:\WINDOWS\system32\SHLWAPI.dll

7c9c0000 48580a39 Jun 17 12:02:17 2008 C:\WINDOWS\system32\SHELL32.dll

73000000 4802a127 Apr 13 17:11:19 2008 C:\WINDOWS\system32\WINSPOOL.DRV

SubSystemData: 00000000

ProcessHeap: 000a0000

ProcessParameters: 00020000

WindowTitle: 'c:\windows\notepad.exe'

ImageFile: 'c:\windows\notepad.exe'

CommandLine: 'c:\windows\notepad.exe'

...

WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)

windir=C:\WINDOWS

_NT_SYMBOL_PATH=srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

0:000> !dh 01000000

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES

14C machine (i386)

3 number of sections

48025287 time date stamp Sun Apr 13 11:35:51 2008

0 file pointer to symbol table

0 number of symbols

E0 size of optional header

10F characteristics

Relocations stripped

Executable

Line numbers stripped

Symbols stripped

32 bit word machine

OPTIONAL HEADER VALUES

10B magic #

7.10 linker version

7800 size of code

A600 size of initialized data

0 size of uninitialized data

739D address of entry point

1000 base of code

----- new -----

01000000 image base

1000 section alignment

200 file alignment

2 subsystem (Windows GUI)

5.01 operating system version

5.01 image version

4.00 subsystem version

14000 size of image

400 size of headers

18700 checksum

00040000 size of stack reserve

00011000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

0 [ 0] address [size] of Export Directory

7604 [ C8] address [size] of Import Directory

B000 [ 8948] address [size] of Resource Directory

0 [ 0] address [size] of Exception Directory

0 [ 0] address [size] of Security Directory

0 [ 0] address [size] of Base Relocation Directory

1350 [ 1C] address [size] of Debug Directory

0 [ 0] address [size] of Description Directory

0 [ 0] address [size] of Special Directory

0 [ 0] address [size] of Thread Storage Directory

18A8 [ 40] address [size] of Load Configuration Directory

250 [ D0] address [size] of Bound Import Directory

1000 [ 348] address [size] of Import Address Table Directory

0 [ 0] address [size] of Delay Import Directory

0 [ 0] address [size] of COR20 Header Directory

0 [ 0] address [size] of Reserved Directory

SECTION HEADER #1

.text name

7748 virtual size

1000 virtual address

7800 size of raw data

400 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

60000020 flags

Code

(no align specified)

Execute Read

Debug Directories(1)

Type Size Address Pointer

cv 24 18f0 cf0 Format: RSDS, guid, 1, notepad.pdb

SECTION HEADER #2

.data name

1BA8 virtual size

9000 virtual address

800 size of raw data

7C00 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

C0000040 flags

Initialized Data

(no align specified)

Read Write

SECTION HEADER #3

.rsrc name

8948 virtual size

B000 virtual address

8A00 size of raw data

8400 file pointer to raw data

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

40000040 flags

Initialized Data

(no align specified)

Read Only

0:000> u 01000000+739D

notepad!WinMainCRTStartup:

0100739d 6a70 push 70h

0100739f 6898180001 push offset notepad!`string'+0x8 (01001898)

010073a4 e8bf010000 call notepad!_SEH_prolog (01007568)

010073a9 33db xor ebx,ebx

010073ab 53 push ebx

010073ac 8b3dcc100001 mov edi,dword ptr [notepad!_imp__GetModuleHandleA (010010cc)]

010073b2 ffd7 call edi

010073b4 6681384d5a cmp word ptr [eax],5A4Dh

0:000> bp 01000000+739D

0:000> g

ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll

ModLoad: 6f880000 6fa4a000 C:\WINDOWS\AppPatch\AcGenral.DLL

ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll

ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll

ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll

ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll

ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll

ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll

ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll

ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL

ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL

ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll

ModLoad: 48000000 48022000 C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll

ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll

Breakpoint 0 hit

eax=00000000 ebx=7ffd8000 ecx=0007ffb0 edx=7c90e4f4 esi=08f2f55c edi=7c911440

eip=0100739d esp=0007ffc4 ebp=0007fff0 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

notepad!WinMainCRTStartup:

0100739d 6a70 push 70h

Exporting IDA function for IDC Script Usage

Sometimes you want to specify additional options or to call internal function of IDA plugin that you wrote. You can use “set_idc_func” API to achive this. Here’s a sample skeleton code that is showing how to make a custom function that idc script can call.
char *OutputFilename;
static const char SendDiassemblyInfoArgs[]={VT_STR,0 };
static error_t idaapi SendDiassemblyInfo(value_t *argv,value_t *res)
{
msg("%s is called with arg0=%s\n",argv[0].str);
OutputFilename=strdup(argv[0].str);
run(2);
res->num=1;
return eOk;
}

int idaapi init(void)
{
if ( inf.filetype == f_ELF ) return PLUGIN_SKIP;

set_idc_func("SendDiassemblyInfo",SendDiassemblyInfo,SendDiassemblyInfoArgs);
return PLUGIN_KEEP;
}

void idaapi term(void)
{
set_idc_func("SendDiassemblyInfo",NULL,NULL);
}
From idc script, you can call the defined function as if it’s a built-in API like following.
static main()
{
RunPlugin("DarunGrim2",1);
SendDiassemblyInfo("disassembly.info");
Exit(0);
}
Simple!

Dumping NT_TIB

When a thread is crashed without any clue at all(eg. all registers are set to invalid value or something), you might try to get stack trace by manually pointing esp/ebp to some probable value inside stack. In that case, you need to get valid stack range. It can be achieved with following windbg command. Check out StackBase,StackLimit field from NT_TIB structure.

0:005> dt -r ntdll!_NT_TIB poi(fs:18h)

+0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD

+0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD

+0x000 Next : 0x01c3ff2c _EXCEPTION_REGISTRATION_RECORD

+0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0

+0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0

+0x004 StackBase : 0x01c40000

+0x008 StackLimit : 0x01c2c000

+0x00c SubSystemTib : (null)

+0x010 FiberData : 0x00001e00

+0x010 Version : 0x1e00

+0x014 ArbitraryUserPointer : (null)

+0x018 Self : 0x7ffd9000 _NT_TIB

+0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD

+0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD

+0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0

+0x004 StackBase : 0x01c40000

+0x008 StackLimit : 0x01c2c000

+0x00c SubSystemTib : (null)

+0x010 FiberData : 0x00001e00

+0x010 Version : 0x1e00

+0x014 ArbitraryUserPointer : (null)

+0x018 Self : 0x7ffd9000 _NT_TIB

+0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD

+0x004 StackBase : 0x01c40000

+0x008 StackLimit : 0x01c2c000

+0x00c SubSystemTib : (null)

+0x010 FiberData : 0x00001e00

+0x010 Version : 0x1e00

+0x014 ArbitraryUserPointer : (null)

+0x018 Self : 0x7ffd9000 _NT_TIB

Dumping Kernel Service Table from Windbg

You can use following commands from windbg to dump system service table nicely. Of course, you need to be connected to remote system kernel or load kernel dump file.

Dumping KeServiceDescriptorTable

0:kd> dds poi(nt!KeServiceDescriptorTable) L poi(nt!KeServiceDescriptorTable+8)

808341b0 8092023a nt!NtAcceptConnectPort

808341b4 8096b71e nt!NtAccessCheck

808341b8 8096f9be nt!NtAccessCheckAndAuditAlarm

...

80834640 80994ea4 nt!NtWaitForKeyedEvent

80834644 80944e6c nt!NtQueryPortInformationProcess

80834648 8094546e nt!NtGetCurrentProcessorNumber

8083464c 809390f8 nt!NtWaitForMultipleObjects32

Dumping KeServiceDescriptorTableShadow

0:kd> dds poi(nt!KeServiceDescriptorTableShadow+10) L poi(nt!KeServiceDescriptorTableShadow+18)

bf9a3000 bf92bf8c win32k!NtGdiAbortDoc

bf9a3004 bf941589 win32k!NtGdiAbortPath

bf9a3008 bf818ddf win32k!NtGdiAddFontResourceW

bf9a300c bf936c02 win32k!NtGdiAddRemoteFontToDC

...

bf9a3a50 bf9515d6 win32k!NtGdiBRUSHOBJ_DeleteRbrush

bf9a3a54 bf94ec39 win32k!NtGdiUMPDEngFreeUserMem

bf9a3a58 bf944082 win32k!NtGdiDrawStream

bf9a3a5c bf9459a0 win32k!UMPDDrvQuerySpoolType

bf9a3a60 bf929d4d win32k!NtGdiMakeObjectUnXferable