Status: Fixed
Closed: Nov 2015
Kaspersky Antivirus multiple memory corruption issues
Project Member Reported by taviso@google.com, Sep 17 2015
Kaspersky requested that I start sending them raw fuzz output, in order to more rapidly get reports. I agreed, and sent them the first batch of crashes after verifying they all reproduced with the signatures released on the 16th September.

The first batch contained the following samples:


The samples are too big to attach, but many were obviously exploitable.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Project Member Comment 1 by taviso@google.com, Sep 17 2015
Kaspersky replied:

Hi Tavis,
 
Thank you for sending these samples to us!
 
We have released fixes for the following samples:

and continue working on remaining ones.
 
Project Member Comment 2 by taviso@google.com, Sep 21 2015
Kaspersky Update:

Hi Tavis,
 
We have fixed bugs reproduced with the following samples:
b2b07ce799c02910c07413e06b24ed3e
c37ac9a3e967934a2746241f9a526665
171817281d5fef3c5c903f2e7c4c5e2b
 
There are a few more to analyze and fix.
 
Thanks,
Igor

Project Member Comment 3 by taviso@google.com, Nov 16 2015
Labels: -Restrict-View-Commit
Status: Fixed
All of these issues were resolved by November 16th.