ESET NOD32 Heap overflow unpacking EPOC installation files.

GoogleCodeExporter commented 9 years ago

$ head -30 symbian.c 
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

//
// ESET NOD32 Heap overflow unpacking EPOC installation files.
//
// By creating a file record with type SIS_FILE_MULTILANG (meaning a different
// file is provided for every supported language), and then claiming to support
// a very large number of languages, a 16-bit calculation overflows. This leads
// to a nice clean heap overflow.
//
// The maximum possible value for the number of languages is 99, because only
// 99 language codes are defined. Even if you included a different file for
// every language it wouldn't exceed 99.
//
// So the bug is, check for overflow if you want to support non-existant
// language codes, or cap it at 99.
//
$ gcc symbian.c -o symbian
$ ./symbian > testcase
$ esets_scan testcase
Segmentation fault

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 26 Jun 2015 at 4:37

Attachments:

symbian.c

GoogleCodeExporter commented 9 years ago

ESET pushed out an update

http://www.virusradar.com/en/update/info/11861

Original comment by tav...@google.com on 30 Jun 2015 at 2:29

Changed state: Fixed
Removed labels: Restrict-View-Commit

GoogleCodeExporter commented 9 years ago

Some more information about the update, so customers can make sure they are 
updated:
http://www.eset.com/int/about/press/eset-blog/article/eset-regularly-releasing-u
pdates-to-products/

Original comment by ignac...@gmail.com on 30 Jun 2015 at 3:38

d3k4z / google-security-research

ESET NOD32 Heap overflow unpacking EPOC installation files. #466