sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

ESET NOD32 Heap overflow unpacking EPOC installation files. #466

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
$ head -30 symbian.c 
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

//
// ESET NOD32 Heap overflow unpacking EPOC installation files.
//
// By creating a file record with type SIS_FILE_MULTILANG (meaning a different
// file is provided for every supported language), and then claiming to support
// a very large number of languages, a 16-bit calculation overflows. This leads
// to a nice clean heap overflow.
//
// The maximum possible value for the number of languages is 99, because only
// 99 language codes are defined. Even if you included a different file for
// every language it wouldn't exceed 99.
//
// So the bug is, check for overflow if you want to support non-existant
// language codes, or cap it at 99.
//
$ gcc symbian.c -o symbian
$ ./symbian > testcase
$ esets_scan testcase
Segmentation fault

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 26 Jun 2015 at 4:37

Attachments:

GoogleCodeExporter commented 9 years ago
ESET pushed out an update

http://www.virusradar.com/en/update/info/11861

Original comment by tav...@google.com on 30 Jun 2015 at 2:29

GoogleCodeExporter commented 9 years ago
Some more information about the update, so customers can make sure they are 
updated:
http://www.eset.com/int/about/press/eset-blog/article/eset-regularly-releasing-u
pdates-to-products/

Original comment by ignac...@gmail.com on 30 Jun 2015 at 3:38