Status: Fixed
Closed: Mar 2016
Comodo Antivirus: Emulator Stack Buffer Overflow handling PSUBUSB (Packed Subtract Unsigned with Saturation)
Project Member Reported by taviso@google.com, Mar 1 2016
Comodo Antivirus includes a full x86 emulator that is used to unpack executables that are being scanned. Files read from disk or received over the network, including email, browser cache and so on can all trigger emulation.

The emulator itself uses a sequence of nested lookup tables to translate opcodes to the routines that emulate them. The xmm/ymm registers are used like a union in C.  For example, the registers can be treated as 4 floats, 2 doubles, 2 dwords, 8 shorts and so on - whatever is appropriate.

The comodo emulator uses a union to represent these registers, and then each emulated instruction uses whichever union member matches its function. For example, PUNPCKLBW would use regs->words, PSRLQ would use regs->qwords and so on.

The code for PSUBUSB incorrectly uses the wrong union member (words instead of bytes), meaning it will clobber double the space allocated by CPU::MMX_OPCODE(). The fix for this vulnerability is to use the bytes member of the union instead.

This is the main loop for PSUBUSB, you can see it's writing up to edx words:

.text:10059465                loc_10059465:                           ; CODE XREF: MMX_PSUBUSB+2731j
.text:10059465 0F B6 3C 11                    movzx   edi, byte ptr [ecx+edx]
.text:10059469 0F B6 19                       movzx   ebx, byte ptr [ecx]
.text:1005946C 66 2B FB                       sub     di, bx
.text:1005946F 66 89 3C 46                    mov     [esi+eax*2], di
.text:10059473 40                             inc     eax
.text:10059474 41                             inc     ecx
.text:10059475 3B C2                          cmp     eax, edx
.text:10059477 7C EC                          jl      short loc_10059465

This is twice as much as intended, here is PSUBUSW for comparison:

.text:10059430                loc_10059430:                           ; CODE XREF: MMX_PSUBUSW+3331j
.text:10059430 0F B7 1C 0E                    movzx   ebx, word ptr [esi+ecx]
.text:10059434 0F B7 02                       movzx   eax, word ptr [edx]
.text:10059437 2B C3                          sub     eax, ebx
.text:10059439 66 89 01                       mov     [ecx], ax
.text:1005943C 83 C2 02                       add     edx, 2
.text:1005943F 83 C1 02                       add     ecx, 2
.text:10059442 4F                             dec     edi
.text:10059443 75 EB                          jnz     short loc_10059430

You can see it's adding two to the index, instead of 1.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
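The following is an added C model of the bug described above; it is not code from the report or from Comodo's emulator, and every name in it (mmx_reg_t, cpu_state_t, psubusb_buggy, psubusb_fixed, run_and_check) is an assumption made for illustration. It represents an emulated 64-bit MMX register as a union of lane views, places two registers next to each other as an emulator's register file might, and then runs a handler that stores each byte-lane result through the 16-bit words view (the wrong member) beside one that stores through the bytes view (the fix). The buggy handler writes 2 * 8 = 16 bytes into an 8-byte destination and visibly overwrites the neighbouring register; the fixed one writes exactly 8.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an emulated 64-bit MMX register as a union of lane
 * views. The type and member names are assumptions for this example, not
 * Comodo's symbols. */
typedef union {
    uint8_t  bytes[8];
    uint16_t words[4];
    uint32_t dwords[2];
    uint64_t qword;
} mmx_reg_t;

/* PSUBUSB lane semantics: unsigned subtract, saturating at zero. */
static uint8_t subusb(uint8_t a, uint8_t b) { return a > b ? (uint8_t)(a - b) : 0; }

/* Constructed CPU state: two adjacent 64-bit registers stored contiguously,
 * the way an emulator's register file might lay them out (mm0 then mm1). */
enum { REG_SIZE = 8, NUM_REGS = 2 };
typedef struct { uint8_t raw[REG_SIZE * NUM_REGS]; } cpu_state_t;

/* Buggy handler, mirroring the wrong union member: it iterates over the 8
 * byte lanes of the operands but stores each result as a 16-bit word, so it
 * writes 2 * 8 = 16 bytes into an 8-byte destination. The store goes through
 * memcpy so that the overflow into the neighbouring register is well-defined
 * and observable here; in a real emulator it is plain memory corruption. */
static void psubusb_buggy(uint8_t *dst, const mmx_reg_t *a, const mmx_reg_t *b) {
    for (int i = 0; i < REG_SIZE; i++) {
        uint16_t w = subusb(a->bytes[i], b->bytes[i]);
        memcpy(dst + 2 * i, &w, sizeof w);   /* words[i]: two bytes per lane */
    }
}

/* Fixed handler: same loop, but each lane is stored through the bytes view,
 * so exactly REG_SIZE bytes are written. */
static void psubusb_fixed(uint8_t *dst, const mmx_reg_t *a, const mmx_reg_t *b) {
    mmx_reg_t out;
    for (int i = 0; i < REG_SIZE; i++)
        out.bytes[i] = subusb(a->bytes[i], b->bytes[i]);
    memcpy(dst, out.bytes, sizeof out);
}

/* Runs one handler with mm0 as the destination, copies mm0 into *result and
 * returns 1 if mm1 (which PSUBUSB must never touch) was modified, else 0.
 * Operand values are constructed so that some lanes saturate to zero. */
static int run_and_check(void (*handler)(uint8_t *, const mmx_reg_t *, const mmx_reg_t *),
                         mmx_reg_t *result) {
    cpu_state_t st;
    memset(st.raw, 0xAA, sizeof st.raw);   /* mm1 holds a 0xAA sentinel */
    mmx_reg_t a = { .bytes = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80 } };
    mmx_reg_t b = { .bytes = { 0x01, 0x30, 0x02, 0x40, 0x03, 0x61, 0x04, 0x80 } };
    handler(&st.raw[0], &a, &b);           /* destination: mm0 */
    memcpy(result->bytes, &st.raw[0], REG_SIZE);
    for (int i = REG_SIZE; i < 2 * REG_SIZE; i++)
        if (st.raw[i] != 0xAA) return 1;   /* mm1 was overwritten */
    return 0;
}

int main(void) {
    mmx_reg_t r;
    printf("buggy handler clobbered mm1: %s\n",
           run_and_check(psubusb_buggy, &r) ? "yes" : "no");
    printf("fixed handler clobbered mm1: %s\n",
           run_and_check(psubusb_fixed, &r) ? "yes" : "no");
    for (int i = 0; i < REG_SIZE; i++) printf("%02x ", r.bytes[i]);
    printf("\n");
    return 0;
}
```

Besides overflowing into mm1, the buggy handler also leaves the wrong value in mm0 itself (lanes 0 to 3 are each padded with a zero high byte and lanes 4 to 7 land outside the register), so a differential test against a reference implementation of the instruction catches the bug even when the adjacent memory happens to be unused.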

Project Member Comment 1 by taviso@google.com, Mar 22 2016
Labels: -Restrict-View-Commit -Vendor-Comodo -Product-Comodo Vendor-comodo Product-comodo
This is resolved in the latest update.
Project Member Comment 2 by taviso@google.com, Mar 22 2016
Status: Fixed