OFD文件阅读器漏洞挖掘与分析技术文档<\/h1>

1. 概述<\/h2>
OFD(Open Fixed-layout Document)是由中国电子技术标准化研究院制定的版式文档国家标准。本文档详细记录了针对国产OFD阅读器软件的漏洞挖掘与分析过程，包括动态Fuzzing和静态分析技术。<\/p>

2. 动态漏洞挖掘<\/h2>

2.1 工具准备<\/h3>

主要工具<\/strong>:<\/p>

WinAFL: Windows平台上的模糊测试框架<\/li>
DynamoRIO: 动态二进制插桩工具<\/li>
ProcMon: 进程监控工具<\/li>
IDA Pro: 反汇编与逆向分析工具<\/li>
StudyPE: PE文件分析工具<\/li>
x64dbg: 调试器<\/li> <\/ul> <\/li>

测试环境<\/strong>:<\/p>

Windows 10 1909 64位<\/li>
目标软件: SuwellReader.exe (版本1.6.6.29)<\/li> <\/ul> <\/li> <\/ul>
2.2 Fuzzing流程<\/h3>
2.2.1 函数偏移定位<\/h4>

使用ProcMon监控程序行为，确定文件处理流程<\/li>
通过IDA静态分析结合动态调试，寻找接近调用栈底部的函数偏移<\/li>
选择能够覆盖最大解析逻辑的函数作为Fuzzing目标<\/li> <\/ol>
2.2.2 文件句柄管理<\/h4>

定位创建文件句柄的函数尾部偏移<\/li>
定位完全读取文件后的函数偏移<\/li>
在这些位置插入关闭文件句柄的代码<\/li> <\/ol>
2.2.3 WinAFL调试模式测试<\/h4>
drrun.exe -c winafl.dll -debug -target_module SuwellReader.exe -target_offset 0x195b30 -call_convention fastcall -nargs 2<\/span> -fuzz_iterations 10<\/span> -- C:\t<\/span>arget\s<\/span>huke\S<\/span>uwell\R<\/span>eader_Pro\S<\/span>uwellReader.exe C:\f<\/span>uzztools\m<\/span>anul\i<\/span>nput\P<\/span>DFBOX-1074-1.pdf <\/span><\/span><\/code><\/pre>2.2.4 样本处理<\/h4> PDF样本获取<\/strong>:<\/p> 公开Fuzzing样本集<\/li> 搜索引擎爬取<\/li> 使用libfuzzer\/honggfuzz生成样本<\/li> <\/ul> <\/li> 样本裁剪<\/strong>:<\/p> 使用winafl-cmin.py脚本筛选触发新路径的样本<\/li> <\/ul> <\/li> <\/ol> 2.2.5 正式Fuzzing<\/h4> afl-fuzz.exe -i in -o out -t 20000<\/span> -m none -D C:\f<\/span>uzz\f<\/span>uzz_tools\d<\/span>yn\d<\/span>yn\b<\/span>in32\ <\/span>-M fuzz1 -- -covtype bb -call_convention fastcall -target_module SuwellReader.exe -target_offset 0x195b30 -coverage_module SuwellReader.exe -fuzz_iterations 50000<\/span> -nargs 2<\/span> -- C:\f<\/span>uzz\f<\/span>uzz_tools\R<\/span>eader_Pro\S<\/span>uwellReader.exe @@ <\/span><\/span><\/code><\/pre>2.3 OFD文件Fuzzing的特殊处理<\/h3> 2.3.1 样本获取挑战<\/h4> 互联网上公开OFD样本稀少<\/li> 解决方案: PDF转OFD 使用自动化工具(AutoHotkey\/按键精灵)批量转换<\/li> 示例转换脚本:<\/li> <\/ul> <\/li> <\/ol> Function<\/span> SaveToOfd<\/span> <\/span><\/span> mm =<\/span> lib<\/span>.API.查找窗口句柄<\/span>(0, "ofd阅读器"<\/span>) <\/span><\/span> Call<\/span> Lib<\/span>.API.激活窗口并置前<\/span>(mm) <\/span><\/span> MoveTo 46, 50 <\/span><\/span> LeftClick 1 <\/span><\/span> Delay 500 <\/span><\/span> LeftUp 1 <\/span><\/span> MoveTo 115, 282 <\/span><\/span> LeftClick 1 <\/span><\/span> Delay 500 <\/span><\/span> MoveTo 1011, 708 <\/span><\/span> LeftClick 1 <\/span><\/span> Delay 500 <\/span><\/span> MoveTo 1372, 719 <\/span><\/span> Delay 500 <\/span><\/span> LeftClick 1 <\/span><\/span> KeyDown "Ctrl"<\/span>, 1 <\/span><\/span> Delay 490 <\/span><\/span> Delay 31 <\/span><\/span> KeyDown "Ctrl"<\/span>, 1 <\/span><\/span> Delay 22 <\/span><\/span> KeyDown "W"<\/span>, 1 <\/span><\/span> Delay 180 <\/span><\/span> KeyUp "W"<\/span>, 1 <\/span><\/span> Delay 16 <\/span><\/span> KeyUp "Ctrl"<\/span>, 1 <\/span><\/span> Delay 6 <\/span><\/span>End<\/span> Function<\/span> <\/span><\/span><\/code><\/pre>2.3.2 ZIP格式处理<\/h4> OFD本质是ZIP压缩包包含XML文件<\/li> 开发post_library模块处理变异后的数据:<\/li> <\/ol> extern<\/span> "C"<\/span> __declspec<\/span>(dllexport)const<\/span> unsigned<\/span> char<\/span>*<\/span> afl_postprocess(const<\/span> unsigned<\/span> char<\/span>*<\/span> in_buf, <\/span><\/span> unsigned<\/span> int<\/span>*<\/span> len,unsigned<\/span> char<\/span>*<\/span> id) <\/span><\/span>{ <\/span><\/span> \/\/ ZIP压缩处理代码 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> return<\/span> zipbuf; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 静态漏洞挖掘<\/h2> 3.1 开源组件识别<\/h3> 使用Karta工具识别闭源程序中的开源组件:<\/p> libpng: 1.6.37<\/li> zlib: 1.2.11<\/li> libxml2: 20901<\/li> libtiff: unknown<\/li> libjpeg: 9a<\/li> <\/ul> 3.2 历史漏洞测试<\/h3> 测试libjpeg历史漏洞(无果)<\/li> 测试libxml2历史漏洞: 发现堆越界读和释放后重引用漏洞<\/li> <\/ul> <\/li> <\/ol> 4. 线程竞争漏洞分析<\/h2> 4.1 漏洞表现<\/h3> 多线程环境下全局变量访问冲突<\/li> 导致释放后重引用(UAF)<\/li> <\/ol> 4.2 根本原因<\/h3> QT的QMutex误用:<\/p> 每次线程传入不同的QMutex对象<\/li> lock操作对不同对象无效<\/li> 无法实现真正的线程同步<\/li> <\/ul> <\/li> 关键代码分析:<\/p> <\/li> <\/ol> push<\/span> ebx<\/span> <\/span><\/span>push<\/span> esi<\/span> <\/span><\/span>mov<\/span> ebx<\/span>, 1<\/span> <\/span><\/span>xor<\/span> eax<\/span>, eax<\/span> <\/span><\/span>push<\/span> edi<\/span> <\/span><\/span>mov<\/span> edi<\/span>, ecx<\/span> <\/span><\/span>mov<\/span> edx<\/span>, ebx<\/span> <\/span><\/span>lock<\/span> cmpxchg<\/span> [edi<\/span>], edx<\/span> <\/span><\/span>mov<\/span> esi<\/span>, eax<\/span> <\/span><\/span>test<\/span> esi<\/span>, esi<\/span> <\/span><\/span>jz<\/span> short<\/span> loc_67028549<\/span> <\/span><\/span><\/code><\/pre>4.3 调试验证<\/h3> 使用Windbg验证QMutex对象:<\/p> QMutex:5E9C2FF8-->00000000 QMutex:68214FF8-->00000000 QMutex:63246FF8-->00000000 QMutex:646EEFF8-->00000000 QMutex:60DD8FF8-->00000000 <\/code><\/pre> 5. 总结<\/h2> 通过动态Fuzzing发现5个不同类型漏洞<\/li> 静态分析发现开源组件历史漏洞<\/li> 深入分析线程竞争漏洞及其根本原因<\/li> 所有发现漏洞已提交CNVD并修复<\/li> <\/ol> 6. 经验教训<\/h2> 新版DynamoRIO性能问题需注意<\/li> OFD样本处理需要特殊方法<\/li> QT多线程编程需正确使用同步机制<\/li> 闭源程序分析需结合多种工具和技术<\/li> <\/ol>

OFD文件阅读器漏洞挖掘与分析技术文档<\/h1>

1. 概述<\/h2> OFD(Open Fixed-layout Document)是由中国电子技术标准化研究院制定的版式文档国家标准。本文档详细记录了针对国产OFD阅读器软件的漏洞挖掘与分析过程，包括动态Fuzzing和静态分析技术。<\/p>

2. 动态漏洞挖掘<\/h2>

2.2 Fuzzing流程<\/h3>

2.3 OFD文件Fuzzing的特殊处理<\/h3>

3. 静态漏洞挖掘<\/h2>

4. 线程竞争漏洞分析<\/h2>

6. 经验教训<\/h2> 新版DynamoRIO性能问题需注意<\/li> OFD样本处理需要特殊方法<\/li> QT多线程编程需正确使用同步机制<\/li> 闭源程序分析需结合多种工具和技术<\/li> <\/ol>

1. 概述<\/h2>
OFD(Open Fixed-layout Document)是由中国电子技术标准化研究院制定的版式文档国家标准。本文档详细记录了针对国产OFD阅读器软件的漏洞挖掘与分析过程，包括动态Fuzzing和静态分析技术。<\/p>

6. 经验教训<\/h2>

新版DynamoRIO性能问题需注意<\/li>
OFD样本处理需要特殊方法<\/li>
QT多线程编程需正确使用同步机制<\/li>
闭源程序分析需结合多种工具和技术<\/li> <\/ol>