Comodo – Integer Overflow Leading to Heap Overflow in Win32 Emulation

  • Author: Google Security Research
    Date: 2016-03-23
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39605/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=738
    
    A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM.
    
    These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker controlled code.
    
    Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.
    
    The code attempts to extract a VT_BSTR VARIANT, which contains a pascal-like string, something like:
    
    struct BSTR {
     DWORD Length;
     CHAR Data[0];
    };
    
    In pseudocode, the code does something like this:
    
    vm->ReadMemory(Parameter1); // PVARIANT
    vm->ReadMemory(Parameter2); // PVARIANT
    
    vm->GetData(&LocalVariant, Parameter2); // Read the second VARIANT
    
    if (LocalVariant.vt != VT_BSTR) // Verify it's a BSTR
     return false;
    
    vm->GetData(&szLen, LocalVariant.bstr - 4); // Try to read the Length of the BSTR
    
    
    The code attempts to convert this BSTR into a nul-terminated wide string. This requires 2 additional bytes (for the terminator), so providing a length of 0xFFFFFFFF will cause the allocation to wrap.
    
    Buf = malloc(szLen + 2); // Allocate space for the string
    vm->GetWideString(Buf, Ptr, szLen >> 1); // Read Length/2 WCHARs
    
    
    This will read Length/2 WCHARs from the hostile virtual machine and clobber the trusted heap buffer. The corruption can be halted early by placing the BSTR before an unmapped page boundary, resulting in a nice clean heap overflow.
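    The arithmetic at the heart of this bug, shown as an added example rather than Comodo's code: a flat byte array stands in for the emulator's guest memory, `unchecked_alloc_size` reproduces the `szLen + 2` computation from the advisory so the wrap for 0xFFFFFFFF is visible, and `copy_guest_bstr` is a hardened shim that validates every guest-derived value (length cap, even length, mapped range, overflow-free size math) before it sizes or bounds a host operation. The `GuestMem` type, `MAX_GUEST_BSTR` cap, helper names and the embedded guest image are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the emulator's guest address space: a flat byte
 * array standing in for vm->ReadMemory / vm->GetData.  Not Comodo's code. */
typedef struct {
    const uint8_t *base;
    uint32_t size;          /* bytes mapped starting at guest address 0 */
} GuestMem;

/* True if [addr, addr+len) lies entirely inside the mapped guest range.
 * The sum is taken in 64 bits so the bounds check itself cannot wrap. */
static bool guest_range_ok(const GuestMem *g, uint32_t addr, uint32_t len) {
    return (uint64_t)addr + len <= g->size;
}

/* Read a DWORD from guest memory; fail if the range is unmapped. */
static bool guest_read_u32(const GuestMem *g, uint32_t addr, uint32_t *out) {
    if (!guest_range_ok(g, addr, 4)) return false;
    memcpy(out, g->base + addr, 4);   /* little-endian host assumed, as on x86 */
    return true;
}

/* The shim's arithmetic from the advisory: DWORD length + 2 terminator
 * bytes, with no overflow check.  0xFFFFFFFF + 2 wraps to 1. */
uint32_t unchecked_alloc_size(uint32_t bstr_len) {
    return bstr_len + 2;
}

/* Hardened replacement: bound the guest-supplied length before it reaches
 * malloc, require whole WCHARs, and widen to size_t before adding.
 * MAX_GUEST_BSTR is a constructed cap for this example. */
#define MAX_GUEST_BSTR (16u * 1024u * 1024u)

bool checked_alloc_size(uint32_t bstr_len, size_t *out) {
    if (bstr_len > MAX_GUEST_BSTR || (bstr_len & 1) != 0) return false;
    *out = (size_t)bstr_len + 2;      /* cannot wrap: bstr_len <= cap */
    return true;
}

/* Copy a guest BSTR (length DWORD at ptr-4, UTF-16 data at ptr) into a
 * freshly malloc'd, NUL-terminated host buffer.  Each guest-derived value
 * is validated before it sizes or bounds a host operation. */
bool copy_guest_bstr(const GuestMem *g, uint32_t bstr_ptr,
                     uint16_t **out, uint32_t *out_chars) {
    uint32_t len;
    size_t alloc;
    if (bstr_ptr < 4) return false;                       /* length DWORD precedes data */
    if (!guest_read_u32(g, bstr_ptr - 4, &len)) return false;
    if (!checked_alloc_size(len, &alloc)) return false;   /* rejects the wrap */
    if (!guest_range_ok(g, bstr_ptr, len)) return false;  /* data must be mapped */
    uint16_t *buf = malloc(alloc);
    if (!buf) return false;
    memcpy(buf, g->base + bstr_ptr, len);
    buf[len / 2] = 0;                                     /* terminator fits: alloc = len + 2 */
    *out = buf;
    *out_chars = len / 2;
    return true;
}

/* Constructed guest image: a well-formed 3-WCHAR BSTR L"abc" with its data
 * at 0x14, and a BSTR at 0x24 whose length DWORD is 0xFFFFFFFF. */
static const uint8_t GUEST_IMAGE[] = {
    /* 0x00..0x0F: padding */        0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    /* 0x10: length = 6 */           0x06,0x00,0x00,0x00,
    /* 0x14: L"abc" */               'a',0, 'b',0, 'c',0,
    /* 0x1A..0x1F: padding */        0,0,0,0,0,0,
    /* 0x20: length = 0xFFFFFFFF */  0xFF,0xFF,0xFF,0xFF,
    /* 0x24: a few data bytes */     'x',0, 'y',0,
};

const GuestMem GUEST = { GUEST_IMAGE, sizeof GUEST_IMAGE };

int main(void) {
    uint16_t *s;
    uint32_t n;
    printf("unchecked malloc size for length 0xFFFFFFFF: %u\n",
           unchecked_alloc_size(0xFFFFFFFFu));
    if (copy_guest_bstr(&GUEST, 0x14, &s, &n)) {
        printf("well-formed BSTR: copied %u WCHARs\n", n);
        free(s);
    }
    printf("hostile BSTR: %s\n",
           copy_guest_bstr(&GUEST, 0x24, &s, &n) ? "copied" : "rejected");
    return 0;
}
```

    The point of `copy_guest_bstr` is the order of the checks: the length is capped and its parity verified before it is used in any arithmetic, the allocation size is computed in `size_t` only after that, and the source range is confirmed mapped before the copy, so neither the wrap on `szLen + 2` nor the over-read from the guest can occur.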
    
    The scan process runs as NT AUTHORITY\SYSTEM and does not use ASLR, making this a critical remote memory corruption that can be exploited via email, http, etc. with zero user interaction.
    
    (e38.2c0): Access violation - code c0000005 (!!! second chance !!!)
    00000000`0ec6b5c6 0fb70408        movzx   eax,word ptr [rax+rcx] ds:00000000`4e6d1567=????
    0:009> r
    rax=000000004e6d0002 rbx=0000000000000100 rcx=0000000000001565
    rdx=000000005b0ce400 rsi=00000000000000c3 rdi=000000005b0ce510
    rip=000000000ec6b5c6 rsp=000000005b0ce3f0 rbp=0000000000006e58
     r8=000000005b0ce460  r9=000000004e6d0005 r10=00000000000000e8
    r11=00000000000000e8 r12=00000000000000f7 r13=000000004e6bfe1c
    r14=0000000000014b08 r15=0000000000000100
    iopl=0 nv up ei pl nz ac pe nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010210
    00000000`0ec6b5c6 0fb70408        movzx   eax,word ptr [rax+rcx] ds:00000000`4e6d1567=????
    0:009> lmv mmach32
    start end module name
    00000000`17410000 00000000`17658000 mach32 (deferred) 
    Image path: C:\Program Files\COMODO\COMODO Internet Security\scanners\mach32.dll
    Image name: mach32.dll
    Timestamp:        Mon Dec 29 04:57:44 2014 (54A14FC8)
    CheckSum:         00244AF0
    ImageSize:        00248000
    File version:     6.2.15068.1057
    Product version:  6.2.15068.1057
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      COMODO
    ProductName:      COMODO Antivirus Scan Engine
    ProductVersion:   6, 2, 342748, 1057
    FileVersion:      6, 2, 342748, 1057
    FileDescription:  COMODO Antivirus Scan Engine
    LegalCopyright:   2005-2014 COMODO. All rights reserved.
    
    I think the same bug exists in rtcSpaceBstr, rtcSpaceVar, rtcUpperCaseBstr, rtcUpperCaseVar, and maybe a few more.
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39605.zip