526 - Kaspersky Antivirus PE unpacking integer overflow - project-zero

Starred by 1 user

Status:	Fixed
Owner:	taviso@google.com
Closed:	Oct 2015
Cc:	project-...@google.com
Product-Kaspersky Deadline-90 Severity-moderate Reported-2015-Sep-9 Finder-taviso Vendor-Kaspersky CCProjectZeroMembers Restrict-AddIssueComment-Commit

Restricted

Only users with Commit permission may comment.

Kaspersky Antivirus PE unpacking integer overflow

Project Member Reported by taviso@google.com, Sep 9 2015

Back to list

Fuzzing of packed executables found the attached crash.

0:022> g
(83c.bbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010a06
15de0bd2 8a843700040000  mov     al,byte ptr [edi+esi+400h] ds:002b:84320483=??

If I step through that address calculation:

0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c
eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
15de0d3a 03f0            add     esi,eax
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
15de0d3c 3b75f0          cmp     esi,dword ptr [ebp-10h] ss:002b:0bb4ee10=000003f1
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a06
15de0d3f 0f8c8dfeffff    jl      15de0bd2                                [br=1]
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a06
15de0bd2 8a843700040000  mov     al,byte ptr [edi+esi+400h] ds:002b:84320483=??

This looks like an integer overflow:

int base;
int index;

if (base + index > argMaxSize)
 goto error;

Because it's a signed comparison, 7ffffffd + 5 is

0:022> ? ecx + eax
Evaluate expression: -2147483646

Which is less than 0x3f1, the size parameter. Those values are directly from the executable being scanned.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

a8aa54ce172cce32269f63ae636d0bfd.zip
103 KB Download

Project Member Comment 1 by scvitti@google.com, Sep 10 2015

Labels: -Reported-09092015 Reported-2015-Sep-9

Project Member Comment 2 by taviso@google.com, Sep 10 2015

Confirmed by Kaspersky on 10 Sep.

Project Member Comment 3 by taviso@google.com, Sep 22 2015

Labels: -Restrict-View-Commit

Project Member Comment 4 by hawkes@google.com, Oct 12 2015

Status: Fixed

Comment 5 Deleted

Project Member Comment 6 by taviso@google.com, Nov 13 2015

Labels: Restrict-AddIssueComment-Commit

► Sign in to add a comment