MSXML6 Microsoft Core XML Services Bug Discovered

Hi,

Yesterday I was researching the presence of bugs in PasswordSafe 3.13, and one of the tests was directed at the Import XML option, so I produced a large malformed XML file (about 12 MB of repetitions). The application crashed. At first sight this could look like a bug in PasswordSafe, but when you are dealing with XML it is essential to inspect exactly which component faulted, because the first candidate is always the XML parser component (as in our case).

The first step is to set up WinDbg as the post-mortem debugger. Right after clicking Import it pops up, but it cannot catch the exception that occurred (e0000001): the application's own handler silently drops the process and no stack information comes out.

Let's set a breakpoint on the exception with sxe e0000001 and import the malicious XML file.

WinDbg immediately pops up: our exception happened and execution is now stopped inside the RaiseException procedure. The faulting module is now known: msxml6.dll, Microsoft Core XML Services. In the past msxml6 has suffered various bugs related to its parsing functionality, so if you want to experiment, be sure which version of the DLL you have.

Latest patches and upgrades can be downloaded here

Coming back to WinDbg, here is the result of the exception analysis (!analyze -v):

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c81eb33 (kernel32!RaiseException+0x00000053)
ExceptionCode: e0000001
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 80004005

FAULTING_THREAD: 000007c0
BUGCHECK_STR: e0000001
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: image00400000
ERROR_CODE: (NTSTATUS) 0xe0000001 - <Unable to get error code text>
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
LAST_CONTROL_TRANSFER: from 5888d5af to 7c81eb33

STACK_TEXT:
0012e0e8 5888d5af e0000001 00000000 00000001 kernel32!RaiseException+0x53
0012e108 5888176b 80004005 00000000 0161c228 msxml6!Exception::raiseException+0x5f
0012e17c 588c5b07 016e2440 0161c294 00000000 msxml6!SchemaValidator::startElement+0x46e
0012e24c 5882ca04 0161c228 5882d7f4 00000000 msxml6!SAXSchemaProxy::startElement+0x1db
0012e2b4 5882d407 5882d7f4 00000000 01605fe0 msxml6!Reader::ParseElementN+0x124
0012e2c4 5882d312 5882d7f4 5882d7f4 01605fe0 msxml6!Reader::ParseDocument+0x9c
0012e2fc 5882d1bf ffffffff 01605fe0 00000000 msxml6!Reader::Parse+0x93
0012e36c 5883d67f 01605fe0 0012e43c ffffffff msxml6!Reader::parseURL+0x12e
0012e3ac 004a8921 01605fe0 0012e43c 3ff5c5a7 msxml6!SAXReader::parseURL+0x6e
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e3b8 3ff5c5a7 0012e748 0055532c 0012e758 image00400000+0xa8921
0012e43c 0070005c 00730077 00660061 00650065 0x3ff5c5a7
0012e440 00730077 00660061 00650065 002e0065 0x70005c
0012e444 00660061 00650065 002e0065 006d0078 0x730077
0012e448 00650065 002e0065 006d0078 0000006c 0x660061
0012e44c 002e0065 006d0078 0000006c 00000000 0x650065 <- Suspicious
0012e450 006d0078 0000006c 00000000 00000000 0x2e0065 <- Suspicious
0012e454 00000000 00000000 00000000 00000000 0x6d0078 <- Suspicious

FOLLOWUP_IP:
msxml6!Exception::raiseException+5f
5888d5af 5f pop edi

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: msxml6!Exception::raiseException+5f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msxml6
IMAGE_NAME: msxml6.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 454d0ec6
BUCKET_ID: e0000001_msxml6!Exception::raiseException+5f
FAILURE_BUCKET_ID: msxml6.dll!Exception::raiseException_e0000001_APPLICATION_FAULT
Followup: MachineOwner
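Two things are worth reading off this report. Parameter[0] of the e0000001 record is the HRESULT that msxml6!Exception::raiseException was called with (it is also the first argument shown in that frame): 0x80004005, which is E_FAIL, thrown from SchemaValidator::startElement. And the entries printed after the "Stack unwind information not available" warning are not ordinary frames: each ChildEBP advances by a single dword and every value in the return-address column is a pair of small 16-bit numbers. The script below, an added example that is not part of the original post, parses those lines and decodes that column as UTF-16LE; the stack listing embedded in it is copied from the output above, and the Frame/parse helper names are mine.

```python
"""Check the 'Suspicious' stack entries by decoding them as UTF-16LE.

Added example, not part of the original post. STACK_TEXT is copied from the
!analyze -v output on the page (32-bit 'k' layout:
ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol); the symbolized parseURL frame is
kept so a genuine return address can be contrasted with the bogus ones.
"""
import re
import struct
from typing import Dict, List, NamedTuple

STACK_TEXT = """\
0012e3ac 004a8921 01605fe0 0012e43c 3ff5c5a7 msxml6!SAXReader::parseURL+0x6e
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e3b8 3ff5c5a7 0012e748 0055532c 0012e758 image00400000+0xa8921
0012e43c 0070005c 00730077 00660061 00650065 0x3ff5c5a7
0012e440 00730077 00660061 00650065 002e0065 0x70005c
0012e444 00660061 00650065 002e0065 006d0078 0x730077
0012e448 00650065 002e0065 006d0078 0000006c 0x660061
0012e44c 002e0065 006d0078 0000006c 00000000 0x650065
0012e450 006d0078 0000006c 00000000 00000000 0x2e0065
0012e454 00000000 00000000 00000000 00000000 0x6d0078
"""


class Frame(NamedTuple):
    child_ebp: int
    ret_addr: int
    args: tuple
    symbol: str


_HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_frames(text: str) -> List[Frame]:
    """Parse the frame lines; WARNING/blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not all(_HEX8.match(f) for f in fields[:5]):
            continue
        nums = [int(f, 16) for f in fields[:5]]
        frames.append(Frame(nums[0], nums[1], tuple(nums[2:]), " ".join(fields[5:])))
    return frames


def is_text_pair(dword: int) -> bool:
    """True when both 16-bit halves are NUL or printable ASCII: the dword reads
    as two UTF-16LE code units rather than as a user-mode code address."""
    lo, hi = dword & 0xFFFF, (dword >> 16) & 0xFFFF
    return all(c == 0 or 0x20 <= c < 0x7F for c in (lo, hi))


def stack_memory(frames: List[Frame]) -> Dict[int, int]:
    """Rebuild the dwords windbg read: [ChildEBP+4] is the return address and
    the next three are the arguments. Successive bogus frames overlap, so the
    first reading of each address is kept (the final all-zero line is where
    the walker stopped)."""
    mem: Dict[int, int] = {}
    for f in frames:
        for i, value in enumerate((f.ret_addr,) + f.args):
            mem.setdefault(f.child_ebp + 4 + 4 * i, value)
    return mem


def recover_utf16(frames: List[Frame]) -> str:
    """From the first text-like 'return address' onwards, read consecutive
    dwords and decode them as one NUL-terminated UTF-16LE string."""
    mem = stack_memory(frames)
    start = next((f.child_ebp + 4 for f in frames if is_text_pair(f.ret_addr)), None)
    if start is None:
        return ""
    raw = b""
    addr = start
    while addr in mem and is_text_pair(mem[addr]):
        raw += struct.pack("<I", mem[addr])
        addr += 4
    return raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]


if __name__ == "__main__":
    frames = parse_frames(STACK_TEXT)
    for f in frames:
        kind = "text" if is_text_pair(f.ret_addr) else "code?"
        print(f"{f.child_ebp:08x} {f.ret_addr:08x} {kind:5} {f.symbol}")
    print("recovered:", repr(recover_utf16(frames)))
```

Run as-is, it flags the seven entries from 0012e43c onwards as text and recovers a NUL-terminated ".xml" file name: once the unwinder ran out of symbols it simply slid, one dword at a time, through a wide-string buffer on the stack. That is the check to make before reading anything into those entries; the real stop in this run is the RaiseException call at the top of the stack.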

Here is the XML that causes the crash:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="pwsafe.xsl"?>
<paaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa {10/11 MB of Repetitions} aaaaaaaaaaaaaaasswordsafe
delimiter="»"
Database="C:\xxxxx.psafe3"
ExportTimeStamp="2008-05-21T11:31:20"
FromDatabaseFormat="3.04"
WhoSaved="xxxxxxxxxxx"
WhatSaved="Password Safe V3.13"
WhenLastSaved="2008-05-21T11:28:08"
Database_uuid="a079e304-75d7-4dd2-9a8a-9568ece18b08"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="pwsafe.xsd">
</passwordsafe>
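To reproduce this at other sizes, here is a generator for that file. It is an added example, not code from the original post or from Password Safe. The prolog and attribute block are copied from the file above (the redacted "xxxxx" values are left as they are), the "{10/11 MB of Repetitions}" placeholder becomes the padding parameter, and the output file name and the default padding of 11 MiB are assumptions.

```python
"""Regenerate the oversized-element-name XML shown above (added example)."""
import sys

PROLOG = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<?xml-stylesheet type="text/xsl" href="pwsafe.xsl"?>\n'
)

# Attribute block copied from the file on the page; redacted values are kept
# as placeholders rather than invented.
ATTRIBUTES = (
    'delimiter="\u00bb"\n'
    'Database="C:\\xxxxx.psafe3"\n'
    'ExportTimeStamp="2008-05-21T11:31:20"\n'
    'FromDatabaseFormat="3.04"\n'
    'WhoSaved="xxxxxxxxxxx"\n'
    'WhatSaved="Password Safe V3.13"\n'
    'WhenLastSaved="2008-05-21T11:28:08"\n'
    'Database_uuid="a079e304-75d7-4dd2-9a8a-9568ece18b08"\n'
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
    'xsi:noNamespaceSchemaLocation="pwsafe.xsd"'
)

# Default padding: the post says the repetitions were roughly 10-11 MB (assumption).
DEFAULT_PADDING = 11 * 1024 * 1024


def element_name(padding: int) -> str:
    """'passwordsafe' with `padding` extra 'a' characters spliced in after the 'p'."""
    return "p" + "a" * padding + "asswordsafe"


def build_payload(padding: int) -> str:
    """Whole document: prolog, the oversized start tag carrying the page's
    attributes, and the closing tag left as </passwordsafe> exactly as in the
    original file (so the tags do not match)."""
    return f"{PROLOG}<{element_name(padding)}\n{ATTRIBUTES}>\n</passwordsafe>\n"


def write_payload(path: str, padding: int = DEFAULT_PADDING) -> int:
    """Write the document as UTF-8 and return the number of bytes written."""
    data = build_payload(padding).encode("utf-8")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # usage: python gen_pwsafe_xml.py [output.xml] [padding_bytes]
    out = sys.argv[1] if len(sys.argv) > 1 else "pwsafe-huge.xml"  # assumed name
    size = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PADDING
    print(f"wrote {write_payload(out, size)} bytes to {out}")
```

Feed the resulting file to the Import XML option with the debugger attached and sxe e0000001 set, as described above. Because the padding is a parameter, the same script serves to find the smallest element name that still triggers the exception.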

That's all for now; maybe I'll publish a deeper analysis of this bug.

See you in the next post. 🙂

Giuseppe ‘Evilcry’ Bonfa’
