Status: Fixed
Closed: Nov 2015
Kaspersky Antivirus RAR file format parsing memory corruption
Project Member Reported by taviso@google.com, Sep 7 2015
Fuzzing the RAR file format found multiple crashes, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

I've tested Windows, Linux, Mac and a product using the Kaspersky SDK (ZoneAlarm Pro), all were exploitable.

Here is an example of one of the more critical crashes.

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03004d18 ebx=053ee3e4 ecx=72cd004a edx=63e85150 esi=02e24448 edi=00000000
eip=63e85150 esp=053ee36c ebp=053ee3c0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
63e85150 ??              ???
0:026> kvn 2
 # ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 053ee368 72cb9ae2 03004d18 00000000 02e24448 0x63e85150
01 053ee3c0 72cb9d60 01d34644 a6f839da 053ee3e4 prcore+0x19ae2
0:026> .frame /c 1
01 053ee3c0 72cb9d60 prcore+0x19ae2
eax=03004d18 ebx=053ee3e4 ecx=72cd004a edx=63e85150 esi=02e24448 edi=00000000
eip=72cb9ae2 esp=053ee370 ebp=053ee3c0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
prcore+0x19ae2:
72cb9ae2 8bf0            mov     esi,eax
0:026> ub
prcore+0x19acc:
72cb9acc 3bc7            cmp     eax,edi
72cb9ace 0f84de010000    je      prcore+0x19cb2 (72cb9cb2)
72cb9ad4 8b55e8          mov     edx,dword ptr [ebp-18h]
72cb9ad7 8b4204          mov     eax,dword ptr [edx+4]
72cb9ada 8b08            mov     ecx,dword ptr [eax]
72cb9adc 8b511c          mov     edx,dword ptr [ecx+1Ch]
72cb9adf 50              push    eax
72cb9ae0 ffd2            call    edx

Here is another example crash:

(5dc.f78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\rar.ppl
eax=0000094d ebx=189904b5 ecx=00003563 edx=00000243 esi=03428e20 edi=0a0d77b9
eip=6b8aa54a esp=0b3ee834 ebp=0b3ee850 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
rar+0xa54a:
6b8aa54a 0fb65705        movzx   edx,byte ptr [edi+5]       ds:002b:0a0d77be=??

The testcases are too large to attach to this bug, but a sample is attached with the password `infected`. I actually uploaded 19 unique crash testcases to a support site Kaspersky set up for me.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
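
The second dump above faults on a one-byte read at `[edi+5]` while rar.ppl walks a header. As an added example that is not Kaspersky's or unrar's code, the walker below shows the length checks a RAR 4.x block-header parser needs so that a truncated archive, a HEAD_SIZE larger than the remaining input, or a HEAD_SIZE smaller than the fixed header cannot be read or skipped past the end of the buffer. The block layout follows the public RAR 4.x format; the sample archive, the mutation helper and all function names are constructed for this example, and HEAD_SIZE sitting at offset 5 of a header is a layout fact, not something the dump proves is behind the faulting read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not Kaspersky's or unrar's code: a bounds-checked walker over
 * RAR 4.x block headers (2-byte CRC, 1-byte type, 2-byte flags, 2-byte HEAD_SIZE, and
 * a 4-byte ADD_SIZE when LONG_BLOCK is set). CRCs are deliberately not verified. */
#define RAR_LONG_BLOCK 0x8000u
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
/* Returns the number of blocks walked, or -1 if any header would be read or skipped
 * past the end of the buffer (truncation, HEAD_SIZE oversize or below the fixed 7). */
int rar_walk_blocks(const uint8_t *buf, size_t len)
{
    static const uint8_t marker[7] = { 'R', 'a', 'r', '!', 0x1a, 0x07, 0x00 };
    size_t off = sizeof marker;
    int count = 1;
    if (len < sizeof marker || memcmp(buf, marker, sizeof marker) != 0)
        return -1;                              /* not a RAR 4.x archive */
    while (off < len) {
        if (len - off < 7)                      /* fixed part must fit first */
            return -1;
        uint32_t flags = rd16(buf + off + 3);
        uint64_t size  = rd16(buf + off + 5);   /* HEAD_SIZE lives at offset 5 */
        if (flags & RAR_LONG_BLOCK) {
            if (len - off < 11)                 /* ADD_SIZE needs 4 more bytes */
                return -1;
            size += rd32(buf + off + 7);
        }
        if (size < 7 || size > len - off)       /* block must fit what remains */
            return -1;
        off += (size_t)size;
        count++;
    }
    return count;
}
/* Constructed 27-byte archive: marker, 13-byte archive header, end-of-archive block. */
static const uint8_t kSample[27] = {
    'R', 'a', 'r', '!', 0x1a, 0x07, 0x00,
    0x00, 0x00, 0x73, 0x00, 0x00, 0x0d, 0x00, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x7b, 0x00, 0x00, 0x07, 0x00 };
/* Walks a copy of kSample with one byte mutated, the way a fuzzer would. */
int walk_mutated(size_t idx, uint8_t val)
{
    uint8_t copy[sizeof kSample];
    memcpy(copy, kSample, sizeof copy);
    if (idx < sizeof copy) copy[idx] = val;
    return rar_walk_blocks(copy, sizeof copy);
}
```

A harness that runs the same walker over fuzzer-generated inputs under ASan would have reported each of these rejections as a clean return instead of a fault.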
 
Project Member Comment 1 by taviso@google.com, Sep 8 2015
Update from Kaspersky on the 8th:

There are several different memory corruptions that can be reproduced with the rar files you provided. We confirm the bugs in our products. We found at least one root cause of the memory corruption and are planning to fix it within the next 2 days. There is at least one more root cause – we are still working on localizing it and planning a fix. I'll keep you updated on the progress of our analysis.
 
Project Member Comment 2 by scvitti@google.com, Sep 10 2015
Labels: -Reported-09022015 Reported-2015-Sep-2
Project Member Comment 3 by taviso@google.com, Nov 16 2015
Labels: -Restrict-View-Commit -Severity-crtical Severity-Critical
Status: Fixed
These issues were resolved in updates published on 16 November.