superuser5 / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Kaspersky Antivirus UPX parsing remote memory corruption #527

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
While fuzzing UPX packed files, this crash was discovered resulting in an 
arbitrary stack-relative write. This vulnerability is obviously remotely 
exploitable for remote code execution as NT AUTHORITY\SYSTEM.

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=f93900c7 edx=00000020 esi=00000001 edi=057b9d60
eip=15ea22da esp=0497eb2c ebp=0497ec80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
15ea22da 01840dbcfeffff  add     dword ptr [ebp+ecx-144h],eax 
ss:002b:fdd0ec03=????????

This decoding loop is trying to modify a value in a stack buffer with an 
attacker controlled index.

The index and Those values are taken verbatim from the input:

50 BC C7 00 39 F9 0F B6 47 FB F7 D8 01 04 24 39
C7 83 EF F1 8D 7F F2 80 7F FB 0A 89 E4 8B C9 8D
00 58 FC 90 8D 3F 77 D2 8D 36 8D 00 B8 54 C8 B4
F6 31 44 24 FC 8B 44 24 04 31 44 24 FC 75 A3 90
90 FC 90 FC 89 DB 9B FC 9B FC 83 E9 ED 83 C4 08

And the value being added is from here:

00 00 00 00 82 51 33 4D 00 00 A3 02 02 00 03 00
D8 01 00 80 38 00 00 80 EE 01 00 80 78 00 00 80
03 00 00 00 B8 00 00 80 0E 00 00 00 58 01 00 80
10 00 00 00 98 01 00 80 00 00 00 00 00 00 00 00

The bug is that the index is not verified, resulting in an arbitrary write. 
This is obviously exploitable for arbitrary code execution.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 9 Sep 2015 at 11:19

Attachments:

GoogleCodeExporter commented 9 years ago
This one would be quite nice to exploit, because you can add offsets to 
randomized addresses, so it's a free ASLR defeat.

Original comment by tav...@google.com on 9 Sep 2015 at 11:24

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 10 Sep 2015 at 1:42

GoogleCodeExporter commented 9 years ago
Confirmed by Kaspersky on 10 September.

Original comment by tav...@google.com on 10 Sep 2015 at 7:45

GoogleCodeExporter commented 9 years ago

Original comment by tav...@google.com on 22 Sep 2015 at 5:23