817 - McAfee: memory corruption processing relocations - project-zero

Starred by 1 user

Status:	Fixed
Owner:	taviso@google.com
Closed:	May 2016
Cc:	taviso@google.com project-...@google.com
Deadline-90 Finder-taviso Severity-Critical CCProjectZeroMembers Vendor-mcafee Product-mcafee Reported-2016-Apr-06 Vendor-Intel

McAfee: memory corruption processing relocations

Project Member Reported by taviso@google.com, May 2 2016

Back to list

Fuzzing packed executables with McAfee's LiveSafe 14.0 on Windows found a signedness error parsing sections and relocations. The attached fuzzed testcase demonstrates this and causes a crash in mscan64a.dll. I verified that this crash reproduces on Linux and Windows, all version of McAfee appear to be affected including the embedded version and the SDK.

Naturally, this code runs as SYSTEM on Windows, with no sandboxing and is used to parse untrusted remote input.

0:045> .lastevent
Last event: d34.13a4: Access violation - code c0000005 (first chance)
  debugger time: Tue Apr  5 15:02:40.009 2016 (UTC - 7:00)
0:045> r
rax=00000000306f1000 rbx=00000000306f1000 rcx=00000000ffffffff
rdx=00000001031d114f rsi=00000000031d1150 rdi=00000000306f4000
rip=00000000711a36fa rsp=00000000064748a0 rbp=00000000031ca880
 r8=00000000000005d3  r9=00000000306f0fff r10=8d00008661e82404
r11=0000000000000000 r12=00000000306f4000 r13=000000000647917c
r14=000000001070c1b8 r15=00000000031ca698
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
mscan64a!RetrieveSingleExtensionList+0x19844a:
00000000`711a36fa 0fb64a01        movzx   ecx,byte ptr [rdx+1] ds:00000001`031d1150=??

Okay, what happened there?

0:007> ub 
mscan64a!RetrieveSingleExtensionList+0x198437:
00000000`71fd36e7 8b45c8          mov     eax,dword ptr [rbp-38h]
00000000`71fd36ea 8b08            mov     ecx,dword ptr [rax]
00000000`71fd36ec 8d4101          lea     eax,[rcx+1]
00000000`71fd36ef 3bc7            cmp     eax,edi
00000000`71fd36f1 7332            jae     mscan64a!RetrieveSingleExtensionList+0x198475 (00000000`71fd3725)
00000000`71fd36f3 2bcb            sub     ecx,ebx
00000000`71fd36f5 8bd1            mov     edx,ecx
00000000`71fd36f7 4803d6          add     rdx,rsi
0:007> dd @rbp-38 L1
00000000`0c529018  0c52d7ac
0:007> dd 0c52d7ac L1
00000000`0c52d7ac  90000fff

So it looks like that calculation is used as an index into @rsi, which is obviously going to be oob.

The attached testcase (password: "infected") can be used to verify this bug.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

output.zip
206 KB Download

Project Member Comment 1 by taviso@google.com, May 2 2016

Cc: taviso@google.com

Issue 797 has been merged into this issue.

Project Member Comment 2 by taviso@google.com, May 2 2016

McAfee replied that they plan to resolve this issue with a DAT update, and will fix the actual bug at the end of the year. That seems like a terrible idea, but it's their software.

---------------------------------------

Dear Mr.  Ormandy,
 
Thank you for reaching out to Intel Security in regards to your findings. We have reviewed your findings with the development team and have assessed it as an actual product vulnerability.  Please continue to keep this information confidential until we can respond with a fix and a Security Bulletin.
 
We believe we have adequate information from the details you have provided to reproduce this issue.
 
After investigation by the engine engineering team, it was determined that the bug impacts the 64-bits variants of the engine from version 5200 to 5800, on both Windows and non-Windows platforms. The issue affects an emulation engine and an unpacking module of the McAfee AV engine and requires DAT content signatures to be exposed. The root cause is a 32-bit unsigned offset.
 
We have investigated the problem and all its ramifications. A fix has been targeted for the engine which is expected by the end of year, 2016.
 
The proposed resolution includes a code fix for the engine (engines are delivered by automatic upgrade) and an imminent DAT fix mitigation (automatic update) for pre-fix engines.
 
The DAT mitigation is currently being tested. After field telemetry is collected, the mitigation will be exposed to all our customers through DAT update. With the updated DAT, malformed samples are generically detected and blocked from triggering the bug, protecting our customers from any related exploit. We will provide you with the DAT versions and its release date as these become known.
 
If you desire further fuzzing tests or to confirm that the issue has been mitigated by the DAT release, you will need to update the DAT used by your testing environment.
 
Our policy is to credit the discoverer in our Security Bulletin (SB) or Knowledgebase Article (KB) if you do not make your research public before the SB or KB is published.  Please let us know if you do not want to be acknowledged.
 
Sincerely,

Project Member Comment 3 by taviso@google.com, May 2 2016

Status: Fixed

Update from McAfee:


“You can let Tavis know that the content is in the production DAT 8145 (released over the weekend). The content is being drip fed, but starting DAT 8145 it is exposed to the command line scanner which should be enough for him to integrate in his test environment. If drip-feeding is successful, full exposure should be obtained by May 6th, potentially earlier.”

It looks like this is live now.

Project Member Comment 4 by taviso@google.com, May 2 2016

Labels: -Restrict-View-Commit

Removing view restrictions.

Comment 5 Deleted

► Sign in to add a comment