New issue
Advanced search Search tips
Issue 552
Starred by 1 user
Status: Fixed
Owner:
taviso@google.com
Closed: Dec 2015
Cc:
project-...@google.com



Sign in to add a comment
 Avast: heap overflow unpacking MoleBox archives
Project Member Reported by taviso@google.com, Oct 6 2015 Back to list 
Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.

The attached testcase should cause heap corruption in AvastSvc.exe, please enable page heap if you have trouble reproducing. The archive is encrypted to help avoid inadvertently crashing your mail server, the password is "infected".

HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
(474.9f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!RtlpDeCommitFreeBlock+0x146:
7731836b 80780703        cmp     byte ptr [eax+7],3         ds:002b:0e5cb47f=??

#0  0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
#1  0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
#2  0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () 
#3  0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
#4  0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
#5  0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
#6  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
#7  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
#8  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
#9  0xf6e7d6db in avfilesScanRealMulti ()
#10 0xf6e81915 in avfilesScanReal ()
#11 0x0805d2a5 in avfilesScanReal ()
#12 0x0805498c in engine_scan ()

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
molebox.zip
603 bytes Download
Project Member Comment 1 by taviso@google.com, Dec 9 2015
Labels: -Restrict-View-Commit
Status: Fixed
This issue appears to be resolved.
Sign in to add a comment