Kaspersky Antivirus DEX file format parsing memory corruption

[GoogleCodeExporter]

Fuzzing the DEX file format found a crash that loads a function pointer from an 
attacker controlled pointer, on Windows this results in a call to an unmapped 
address. This is obviously exploitable for remote, zero-interaction code 
execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus. I've 
tested Windows, Linux, Mac and a product using the Kaspersky SDK (ZoneAlarm 
Pro), all were exploitable.

(5dc.990): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=9c000000 ebx=00000000 ecx=053ef3ec edx=00020009 esi=04130d40 edi=800000d8
eip=9c000000 esp=053eec14 ebp=053eec74 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
9c000000 ??              ???
0:026> kv
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
053eec10 1740927e 04137af0 04137ac8 04130d40 0x9c000000
053eecb8 70118a64 04130d40 00000002 04130d40 0x1740927e
053eecd0 70116a1c 04130d40 0000234c 00000001 
kavbase_kdl!KLAV_Engine_Create+0x17a62
053eed80 70113829 04130d40 0500234c 00000000 
kavbase_kdl!KLAV_Engine_Create+0x15a1a
053eedc0 70117156 04130d40 107407b4 00000001 
kavbase_kdl!KLAV_Engine_Create+0x12827
053eee6c 70113926 04130d40 20000001 00000000 
kavbase_kdl!KLAV_Engine_Create+0x16154
053eee94 701167f2 04130d40 000001e3 053eeed4 
kavbase_kdl!KLAV_Engine_Create+0x12924
053eeea4 70112c28 04130d40 00000067 0e5100a2 
kavbase_kdl!KLAV_Engine_Create+0x157f0
053eeed4 70112cef 053eeee0 04130d40 16d30ae0 
kavbase_kdl!KLAV_Engine_Create+0x11c26
0:026> .frame /c 1
01 053eecb8 70118a64 0x1740927e
eax=9c000000 ebx=00000000 ecx=053ef3ec edx=00020009 esi=04130d40 edi=800000d8
eip=1740927e esp=053eec18 ebp=053eec74 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
1740927e 83c404          add     esp,4
0:026> ub
17409269 8b45fc          mov     eax,dword ptr [ebp-4]
1740926c 85c0            test    eax,eax
1740926e 7411            je      17409281
17409270 c745fc00000000  mov     dword ptr [ebp-4],0
17409277 8b10            mov     edx,dword ptr [eax]
17409279 50              push    eax
1740927a 8b02            mov     eax,dword ptr [edx] <-- corrupt attacker 
controlled pointer
1740927c ffd0            call    eax                 <-- attacker gains control 
of execution

The testcase attached has the password `infected`,

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 7 Sep 2015 at 6:44

Attachments:

• d6eb12cc27607589bdcf74c178c7d6fe.zip

[GoogleCodeExporter]

Kaspersky confirmed the vulnerability on the 7th, and estimate it will take 
them 2 days to implement a fix.

On the 8th they informed me they were on track for their original estimate.

Original comment by tav...@google.com on 8 Sep 2015 at 11:27

[GoogleCodeExporter]

Kaspersky responded that a fix will be released today.

Original comment by tav...@google.com on 9 Sep 2015 at 7:02

[GoogleCodeExporter]

Original comment by scvi...@google.com on 10 Sep 2015 at 1:48

• Added labels: Reported-2015-Sep-7

[GoogleCodeExporter]

Original comment by tav...@google.com on 22 Sep 2015 at 5:23

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 24 Sep 2015 at 11:37

• Added labels: Product-Kaspersky
• Removed labels: Product-KasperskyAntivirus