Skip to content

Kaspersky Antivirus PE unpacking integer overflow #526

New issue
New issue
Open
Open
Kaspersky Antivirus PE unpacking integer overflow#526
Labels
CCProjectZeroMembersDeadline-90Finder-tavisoProduct-KasperskyReported-2015-Sep-9Severity-moderateVendor-Kasperskyauto-migrated
@GoogleCodeExporter

Description

@GoogleCodeExporter
GoogleCodeExporter
opened on Oct 3, 2015
Fuzzing of packed executables found the attached crash.

0:022> g
(83c.bbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010a06
15de0bd2 8a843700040000  mov     al,byte ptr [edi+esi+400h] ds:002b:84320483=??

If I step through that address calculation:

0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c
eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
15de0d3a 03f0            add     esi,eax
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
15de0d3c 3b75f0          cmp     esi,dword ptr [ebp-10h] 
ss:002b:0bb4ee10=000003f1
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a06
15de0d3f 0f8c8dfeffff    jl      15de0bd2                                [br=1]
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0         ov up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a06
15de0bd2 8a843700040000  mov     al,byte ptr [edi+esi+400h] ds:002b:84320483=??

This looks like an integer overflow:

int base;
int index;

if (base + index > argMaxSize)
 goto error;

Because it's a signed comparison, 7ffffffd + 5 is

0:022> ? ecx + eax
Evaluate expression: -2147483646

Which is less than 0x3f1, the size parameter. Those values are directly from 
the executable being scanned.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 9 Sep 2015 at 10:57

Attachments:

Metadata

Metadata

Assignees

No one assigned

    Labels

    CCProjectZeroMembersDeadline-90Finder-tavisoProduct-KasperskyReported-2015-Sep-9Severity-moderateVendor-Kasperskyauto-migrated

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions