470 - ESET NOD32 emulator fails if you modify .idata after imports - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jul 2015
Cc:	project-...@google.com
Product-NOD32 Deadline-90 Finder-taviso Reported-2015-Jun-30 Vendor-ESET CCProjectZeroMembers Severity-critical

ESET NOD32 emulator fails if you modify .idata after imports

Project Member Reported by taviso@google.com, Jun 30 2015

Back to list

If you import _encode_pointer from MSVCR90 and then modify the IAT in your code, the emulator gets very confused.

Verify like so:

$ nasm -f bin modifyidata.asm -o modifyidata
$ esets_scan modifyidata
Segmentation Fault

This seems likely to be remotely exploitable.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

modifyidata.asm
6.1 KB Download

Project Member Comment 1 by scvitti@google.com, Jul 1 2015

Labels: -Reported-20-Jun-15 Reported-2015-Jun-30

Project Member Comment 2 by taviso@google.com, Jul 1 2015

Labels: -Restrict-View-Commit
Status: Fixed

ESET report that this vulnerability was fixed in version 1156, and had already been discovered via internal testing.

It's my understanding that the fix was rolled out the same day I had reported it.

► Sign in to add a comment