Kaspersky Antivirus VB6 parsing integer overflow

[GoogleCodeExporter]

Fuzzing VB6 executables produced the attached crash testcase:

(5a8.dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=0a07e8ec ecx=0a07eb04 edx=00000000 esi=0907e924 edi=00000010
eip=13d64b78 esp=0ea6ee30 ebp=0ea6ee38 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
13d64b78 0fb60e          movzx   ecx,byte ptr [esi]         ds:002b:0907e924=??

# where does esi come from?
0:121> ub @eip La
13d64b60 55              push    ebp
13d64b61 8bec            mov     ebp,esp
13d64b63 8b4514          mov     eax,dword ptr [ebp+14h]
13d64b66 57              push    edi
13d64b67 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
13d64b6a f7d0            not     eax
13d64b6c 85ff            test    edi,edi
13d64b6e 0f849e000000    je      13d64c12
13d64b74 56              push    esi
13d64b75 8b7510          mov     esi,dword ptr [ebp+10h]

# Okay, it's a parameter
0:121> kvn1
 # ChildEBP RetAddr  Args to Child              
00 0ea6ee38 14424d8f 1656cae4 00000010 0907e924 0x13d64b78
0:121> ub 14424d8f La
14424d77 8b4304          mov     eax,dword ptr [ebx+4]    <-- load index
14424d7a 03c3            add     eax,ebx                  <-- add to pointer
14424d7c 8d4c3bf0        lea     ecx,[ebx+edi-10h]        <-- probably load 
bounds of buffer
14424d80 3bc1            cmp     eax,ecx                  <-- check if index is 
in bounds
14424d82 771f            ja      14424da3                 <-- too late, 
overflow has already happened
14424d84 6a00            push    0
14424d86 50              push    eax < +0x10
14424d87 6a10            push    10h
14424d89 56              push    esi
14424d8a e8d1fd93ff      call    13d64b60

Looks like the code is doing

ptr += offset;
if (ptr > ptr+SizeOfBuffer)
 goto error;

This is obviously incorrect, because the offset can wrap. Where does that value 
come from?

0:121> dd ebx
0a07e8ec  00000228 ff000038 000000d0 000000f8
0a07e8fc  0000014f 00000120 00000158 000001bc
0a07e90c  00000048 00000000 00000204 00000211
0a07e91c  38000208 00000000 02a69b00 101b081b
0a07e92c  00083389 5a4f2f2b 02a69b02 101b081b
0a07e93c  00083389 5a4f2f2b 09194000 11cfdf6e
0a07e94c  a000748e f8260fc9 bac300ac 4551fc30
0a07e95c  204f1db8 383f2a55 77696e7e 4df2a25e

That is from the input file:

*0001e10: 2802 0000 3800 00ff d000 0000 f800 0000  (...8...........
 0001e20: 4f01 0000 2001 0000 5801 0000 bc01 0000  O... ...X.......
 0001e30: 4800 0000 0000 0000 0402 0000 1102 0000  H...............
 0001e40: 0802 0038 0000 0000 009b a602 1b08 1b10  ...8............
 0001e50: 8933 0800 2b2f 4f5a 029b a602 1b08 1b10  .3..+/OZ........
 0001e60: 8933 0800 2b2f 4f5a 0040 1909 6edf cf11  .3..+/OZ.@..n...

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 8 Sep 2015 at 10:11

[GoogleCodeExporter]

Original comment by tav...@google.com on 8 Sep 2015 at 10:11

Attachments:

• 55f09c8d9f30c304b16a4ddaf023ff40.zip

[GoogleCodeExporter]

Kaspersky replied and confirmed this issue and believe they can deploy a fix 
today (09 Sep).

Original comment by tav...@google.com on 9 Sep 2015 at 7:01

[GoogleCodeExporter]

Original comment by scvi...@google.com on 10 Sep 2015 at 1:46

• Added labels: Reported-2015-Sep-8
• Removed labels: Reported-08092015

[GoogleCodeExporter]

Original comment by tav...@google.com on 22 Sep 2015 at 5:44

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Is this POC password protected? Are you going to wait 90 days to release the 
POC?

Original comment by athmi...@gmail.com on 24 Sep 2015 at 9:52

[GoogleCodeExporter]

The password is "infected", Kaspersky requested that (presumably to prevent 
crashing their mail servers and development machines).

Original comment by tav...@google.com on 24 Sep 2015 at 10:01

[GoogleCodeExporter]

Awesome!! Thank you very much!

Original comment by athmi...@gmail.com on 24 Sep 2015 at 10:15

[GoogleCodeExporter]

Also it looks like Kaspersky is preventing windbg from attaching to its 
processes. You output looks like its from windbg. How did you manage to get 
around this? 

Original comment by athmi...@gmail.com on 24 Sep 2015 at 10:31

[GoogleCodeExporter]

They use a driver to interfere with debugging, but there's an option in the 
settings UI called "self defense" that disables it.

Original comment by tav...@google.com on 24 Sep 2015 at 10:36

[GoogleCodeExporter]

great! Thank you so much!

Original comment by athmi...@gmail.com on 24 Sep 2015 at 10:37

[GoogleCodeExporter]

Sorry to bother you so much, but is it possible to obtain the POC before 
fuzzing? With the Microsoft office ones, both the fuzzed poc and original 
normal were provided. Thank you for your help!

Original comment by athmi...@gmail.com on 25 Sep 2015 at 5:46

[GoogleCodeExporter]

Original comment by haw...@google.com on 12 Oct 2015 at 6:12

• Changed state: Fixed

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Original comment by tav...@google.com on 13 Nov 2015 at 7:18

• Added labels: Restrict-AddIssueComment-Commit