Exploitable - User Mode Write AV starting at blender!PyInit_aud+0x00000000003a56cc
Closed, Invalid (Public)

Description

I spent some CPU cycles fuzzing some Blender files and found some crashes that are qualified as exploitable by Microsoft's tool Bang Exploitable (http://msecdbg.codeplex.com/). I would like to know if there is interest in fixing these possible security issues or not.

This is using Blender 2.63 for Windows official release.

I am attaching the original file and the fuzzed file that creates the problem. This is the stack trace and output from windbg when the bug occurs.

blender!PyInit_aud+0x3a56cc:
00f3f01c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:002b:05841040=????????
0:000:x86> !exploitable -v;q
eax=ff462416 ebx=05841040 ecx=00000001 edx=00000000 esi=055589c4 edi=05841040
eip=00f3f01c esp=0028f8f4 ebp=0028f8fc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297
blender!PyInit_aud+0x3a56cc:
00f3f01c 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:002b:05841040=????????
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll32.dll -
Exception Faulting Address: 0x5841040
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x23420309.0x667c4642

Stack Trace:
blender!PyInit_aud+0x3a56cc
blender!turbulence1+0x97340
blender!turbulence1+0x97c4a
blender!turbulence1+0x98056
blender!turbulence1+0x98118
blender!xmlCheckHTTPInput+0x19438f
blender!xmlCheckHTTPInput+0x19b852
blender!xmlCheckHTTPInput+0x19b981
blender!xmlCheckHTTPInput+0x1a9b15
ntdll32!RtlImageNtHeader+0xb10
ntdll32!RtlImageNtHeader+0xb3f
ntdll32!RtlImageNtHeader+0xb3f
ntdll32!RtlImageNtHeader+0xb6a
ntdll32!RtlImageNtHeader+0xb3f
ntdll32!RtlImageNtHeader+0xb6a
ntdll32!RtlInitUnicodeString+0x164
ntdll32!RtlInitUnicodeString+0x164
ntdll32!RtlInitUnicodeString+0x164
ntdll32!RtlInitUnicodeString+0x164
Instruction Address: 0x0000000000f3f01c

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at blender!PyInit_aud+0x00000000003a56cc (Hash=0x23420309.0x667c4642)

User mode write access violations that are not near NULL are exploitable.
quit:
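As an added example (not part of this report or of Blender), a small Python triage helper that parses the !exploitable fields shown above, applies the "write AV not near NULL" rule the tool prints, and buckets crashes by their major hash so repeated hits of the same crash collapse together. The 64 KiB near-NULL cut-off, the field names and the sample text are assumptions taken from this output.

```python
import re
# Constructed sample: the triage-relevant lines copied from the !exploitable
# output in this report (registers and the full trace are not needed here).
SAMPLE_REPORT = """\
Exception Faulting Address: 0x5841040
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x23420309.0x667c4642
Stack Trace:
blender!PyInit_aud+0x3a56cc
blender!turbulence1+0x97340
Instruction Address: 0x0000000000f3f01c
Exploitability Classification: EXPLOITABLE
"""
NEAR_NULL_LIMIT = 0x10000  # assumed cut-off: first 64 KiB counts as "near NULL"
FIELDS = {
    "fault_addr": r"^Exception Faulting Address:\s*(0x[0-9a-fA-F]+)",
    "sub_type": r"^Exception Sub-Type:\s*(.+?)\s*$",
    "hash": r"^Exception Hash \(Major/Minor\):\s*(\S+)",
    "tool_verdict": r"^Exploitability Classification:\s*(\S+)",
}

def parse_report(text):
    """Pull the key/value fields and the stack frames out of a report."""
    fields = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    lines = text.splitlines()
    frames = []
    if "Stack Trace:" in lines:
        for line in lines[lines.index("Stack Trace:") + 1:]:
            if not line or ": " in line:  # next "Key: value" line ends the trace
                break
            frames.append(line)
    fields["frames"] = frames
    return fields

def triage(fields):
    """Apply the rule quoted in the report (write AV not near NULL is
    exploitable) and bucket on the major hash so re-runs of one crash merge."""
    addr = int(fields["fault_addr"], 16)
    is_write = fields.get("sub_type", "").startswith("Write")
    verdict = "EXPLOITABLE" if is_write and addr >= NEAR_NULL_LIMIT else "REVIEW"
    return {
        "verdict": verdict,
        "bucket": fields.get("hash", "unknown").split(".")[0],
        "top_frame": (fields.get("frames") or [None])[0],
    }
```

On this report's output it yields EXPLOITABLE, bucket 0x23420309 and top frame blender!PyInit_aud+0x3a56cc, matching the tool's verdict and the faulting write to [edi+ecx*4-4] with edi=0x05841040.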

Details

Type
Bug

Event Timeline

Hi, we're aware that you can likely hand-create blend files which do all sorts of bad things.

We don't consider these bugs at the moment.

Closing.