支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: e55340ee90404440880507781a67ef4a8ea75a32

来源
https://github.com/0neb1n/CVE-2020-1493
关联漏洞
标题:Microsoft Outlook 信息泄露漏洞 (CVE-2020-1493)
Description:Microsoft Outlook是美国微软(Microsoft)公司的一套电子邮件应用程序。 Microsoft Outlook中存在信息泄露漏洞。攻击者可利用该漏洞访问特定文件。以下产品及版本受到影响:Microsoft 365 Apps for Enterprise,Office 2019;Outlook 2010 SP2,Outlook 2013 RT SP1,Outlook 2013 SP1,Outlook 2016。
介绍
# CVE-2020-1493

This vulnerability occurs in Outlook 2019 (16.0.12624.20424) installed on Windows 10 1909 x64, Also This vulnerability is **zero click** vulnerability.


## TLDR;

I found this bug usng winafl fuzzer. This bug occured when parsing ms-tnef file. that attachement of eml file. 
vulnerable method read and using out-of-bounds data to vftable ptr. so, when attacker succeceful exploit this vulnerability triggers remote command execution.


## Details

```
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
outlook!GetOutlookSafeModeState+0x5ef49:
00007ff7`3c93d499 0fb65110        movzx   edx,byte ptr [rcx+10h] ds:00000279`121cf000=??
0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ff7`3c93d466 : 00000279`13cd1e38 00000279`13cd1e38 00000000`00008c23 00007ff7`3e8f2e20 : outlook!GetOutlookSafeModeState+0x5ef49
01 00007ff7`3c84eb61 : 00000279`0f842ae0 00007ff7`3c91cce9 00000000`00000000 00000279`13cd1e00 : outlook!GetOutlookSafeModeState+0x5ef16
02 00007ff7`3c84e9c8 : 00000279`711122f0 00000279`0f842ae0 00000000`00000000 00000000`0d2293e2 : outlook!FOutlookIsBooting+0x4dff1
03 00007ff7`3c930a77 : 00000279`71112a90 00000000`00000000 00000279`13cd1e00 00000000`00000006 : outlook!FOutlookIsBooting+0x4de58
04 00007ff7`3c829c5c : 00000000`00000000 000000d5`edd6ad09 00000000`00000000 00000000`00000000 : outlook!GetOutlookSafeModeState+0x52527
05 00007ff7`3c86dd1f : 00000279`000001bc 00000279`0c31cef8 000000d5`00000000 00007ff7`00000001 : outlook!FOutlookIsBooting+0x290ec
06 00007ff7`3ce6ac37 : 00000279`71111780 000000d5`edd6add0 00000279`0c31cef8 00000000`00000000 : outlook!GetFBPublishingInterval+0x1c86f
07 00007ff7`3c8d8ad9 : 00000000`00000000 00000000`00000000 000000d5`edd6aed9 00007ff7`3c98162d : outlook!HrSetOutlookSpecialFolderEntryID+0x2987c7
08 00007ff7`3c8d7cee : 00000279`71111780 00000000`00000001 00000000`00000001 00000279`71111788 : outlook!HrMsgDownloadedNotification+0x3889
09 00007ff7`3c69aada : ffffffff`fffffffe 00000279`72c86ee8 00000279`775c49e0 00007ff7`3ce57112 : outlook!HrMsgDownloadedNotification+0x2a9e
0a 00007ff7`3c69a851 : 00000279`00010000 00000000`00000000 00000279`0322cff8 00000000`00001000 : outlook+0x9aada
0b 00007ff7`3c7916e6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : outlook+0x9a851
0c 00007ff7`3c78e691 : 00000000`00000000 00000279`53f30b08 00000279`0322cff8 00000000`0e170003 : outlook!FEnableAMapProgress+0xc266
0d 00007ff7`3d4c1e41 : 00000279`7420bfb0 00000000`00000000 00000279`53f30b08 00000279`72c86ee0 : outlook!FEnableAMapProgress+0x9211
0e 00007ff7`3d008548 : 00000000`00000000 000000d5`edd6b370 00000279`53f30b08 00000279`53f30b08 : outlook!HrGetGlobalOfflineState+0x7b41
0f 00007ff7`3c66b32f : 00000000`00000001 00000279`00000005 000000d5`edd6b400 00000000`00000001 : outlook!HrSetOutlookSpecialFolderEntryID+0x4360d8
10 00007ff7`3c66ee46 : 00007ff7`3e9ce648 00007ff7`3e9ce5e0 00000279`3c59ef1c 00007ff7`3e9087d0 : outlook+0x6b32f
11 00007ff7`3c66e27d : 00007ff7`3e8d9758 000000d5`edd6b579 00000000`ffffffff 00007ff7`3e9087d0 : outlook+0x6ee46
12 00007ff7`3c66ee46 : 00007ff7`3e8d9758 00000279`3c59ef1c 00007ff7`3e9087d0 00000000`00000000 : outlook+0x6e27d
13 00007ff7`3c66e9c8 : 00000000`0000002a 000000d5`edd6b720 00000000`0000000a 00007ff7`3e8d8e00 : outlook+0x6ee46
14 00007ff7`3c718dfa : 00000000`00000000 00000000`00000000 00007ff7`3e908b60 00007ff7`3e8e5d80 : outlook+0x6e9c8
15 00007ff7`3c81c9ba : 00000000`00000001 00000000`0000000a 00007ff7`3c600000 00000000`00000000 : outlook!FFolderSupportsUnicode+0x45a4a
16 00007ff7`3c9a0302 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : outlook!FOutlookIsBooting+0x1be4a
17 00007ff9`474a6fd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : outlook!OlkGetResourceHandle+0x5542
18 00007ff9`4789cec1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
19 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:000> !heap -p -a rcx
    address 00000279121ceff0 found in
    _DPH_HEAP_ROOT @ 2793c521000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             279151a2000:      279121cefe0               11 -      279121ce000             2000
    00007ff9479473ab ntdll!RtlDebugAllocateHeap+0x000000000000003b
    00007ff947869745 ntdll!RtlpAllocateHeap+0x00000000000000f5
    00007ff9478673d4 ntdll!RtlpAllocateHeapInternal+0x00000000000006d4
    00007ff8ed59effe OLMAPI32!MAPIAllocateMore+0x000000000000012e
    00007ff8ed6451b8 OLMAPI32!MlangWideCharToMultiByte+0x0000000000000288
    00007ff8ed58e31b OLMAPI32!HrGetMAPIMalloc2+0x0000000000000cab
    00007ff8ed58db56 OLMAPI32!HrGetMAPIMalloc2+0x00000000000004e6
    00007ff8ed58cd1e OLMAPI32!HrCreateNewWrappedObjectEx+0x00000000000016ce
    00007ff8ff089bb1 exsec32!GetCertSubjectExW+0x0000000000006c91
    00007ff8ff07b40d exsec32!HrExsec32Initialize+0x0000000000004f6d
    00007ff73c829b2d outlook!FOutlookIsBooting+0x0000000000028fbd
    00007ff73c86dd1f outlook!GetFBPublishingInterval+0x000000000001c86f
    00007ff73ce6ac37 outlook!HrSetOutlookSpecialFolderEntryID+0x00000000002987c7
    00007ff73c8d8ad9 outlook!HrMsgDownloadedNotification+0x0000000000003889
    00007ff73c8d7cee outlook!HrMsgDownloadedNotification+0x0000000000002a9e
    00007ff73c69aada outlook+0x000000000009aada
    00007ff73c69a851 outlook+0x000000000009a851
    00007ff73c7916e6 outlook!FEnableAMapProgress+0x000000000000c266
    00007ff73c78e691 outlook!FEnableAMapProgress+0x0000000000009211
    00007ff73d4c1e41 outlook!HrGetGlobalOfflineState+0x0000000000007b41
    00007ff73d008548 outlook!HrSetOutlookSpecialFolderEntryID+0x00000000004360d8
    00007ff73c66b32f outlook+0x000000000006b32f
    00007ff73c66ee46 outlook+0x000000000006ee46
    00007ff73c66e27d outlook+0x000000000006e27d
    00007ff73c66ee46 outlook+0x000000000006ee46
    00007ff73c66e9c8 outlook+0x000000000006e9c8
    00007ff73c718dfa outlook!FFolderSupportsUnicode+0x0000000000045a4a
    00007ff73c81c9ba outlook!FOutlookIsBooting+0x000000000001be4a
    00007ff73c9a0302 outlook!OlkGetResourceHandle+0x0000000000005542
    00007ff9474a6fd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    00007ff94789cec1 ntdll!RtlUserThreadStart+0x0000000000000021
```

The size of the allocated heap is controlled by the user, but the vulnerability occurs because the index used in the method is a constant value that exceeds the size of the heap.
文件快照

 [4.0K]  /data/pocs/e55340ee90404440880507781a67ef4a8ea75a32
├── [7.1K]  oob_read.eml
└── [6.6K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。