search

lovekurdt / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Kaspersky Antivirus PE unpacking integer overflow #526

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
Fuzzing of packed executables found the attached crash.

0:022> g
(83c.bbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010a06
15de0bd2 8a843700040000  mov     al,byte ptr [edi+esi+400h] ds:002b:84320483=??

If I step through that address calculation:

0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c
eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
15de0d3a 03f0            add     esi,eax
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
15de0d3c 3b75f0          cmp     esi,dword ptr [ebp-10h] 
ss:002b:0bb4ee10=000003f1
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a06
15de0d3f 0f8c8dfeffff    jl      15de0bd2                                [br=1]
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a06
15de0bd2 8a843700040000  mov     al,byte ptr [edi+esi+400h] ds:002b:84320483=??

This looks like an integer overflow:

int base;
int index;

if (base + index > argMaxSize)
 goto error;

Because it's a signed comparison, 7ffffffd + 5 is

0:022> ? ecx + eax
Evaluate expression: -2147483646

Which is less than 0x3f1, the size parameter. Those values are directly from 
the executable being scanned.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 9 Sep 2015 at 10:57

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 10 Sep 2015 at 1:42

GoogleCodeExporter commented 8 years ago 
Confirmed by Kaspersky on 10 Sep.

Original comment by tav...@google.com on 10 Sep 2015 at 7:46

GoogleCodeExporter commented 8 years ago

Original comment by tav...@google.com on 22 Sep 2015 at 5:24