Kaspersky AntiVirus – ‘.ZIP’ File Format Use-After-Free

  • Author: Google Security Research
    Date: 2015-11-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38736/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=521
    
    Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.
    
    This testcase should fault by jumping to an unmapped address
    
    (aac.fa4): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=cccccccc ebx=00000000 ecx=01bc2974 edx=73a10002 esi=02e0a598 edi=5b2266bb
    eip=cccccccc esp=05dde330 ebp=05dde354 iopl=0 nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    cccccccc ?????
    
    # where did that come from?
    
    0:036> kvn 2
     # ChildEBP RetAddr  Args to Child
    00 05dde32c 739fd847 02e0a598 05dde370 00000000 0xcccccccc
    01 05dde354 739fe438 01bc2974 002266bb 05dde370 prcore!PragueUnload+0x2687
    
    0:036> ub 739fd847 L9
    prcore!PragueUnload+0x2673:
    739fd833 8b4d08          mov     ecx,dword ptr [ebp+8]
    739fd836 8b7104          mov     esi,dword ptr [ecx+4]
    739fd839 8975ec          mov     dword ptr [ebp-14h],esi
    739fd83c 85f6            test    esi,esi
    739fd83e 740a            je      prcore!PragueUnload+0x268a (739fd84a)
    739fd840 8b16            mov     edx,dword ptr [esi]
    739fd842 8b02            mov     eax,dword ptr [edx]
    739fd844 56              push    esi
    739fd845 ffd0            call    eax
    
    # that pointer is in edx
    
    0:088> dd edx
    739a0002  cccccccc cccccccc cccccccc 8b55cccc
    739a0012  77e95dec ccffffff cccccccc 8b55cccc
    739a0022  0c4d8bec 8b04418b 42390855 501a7504
    739a0032  0a8b018b d3e85150 83fffff9 c0850cc4
    739a0042  01b80775 5d000000 5dc033c3 8b55ccc3
    739a0052  0c4d8bec 8b04418b 42390855 501a7504
    739a0062  0a8b018b 63e85150 83fffff9 c0850cc4
    739a0072  01b80775 5d000000 5dc033c3 6c83ccc3
    
    # So what is that?
    
    0:088> !address edx
    Usage:                  Image
    Base Address:           73971000
    End Address:            739aa000
    Region Size:            00039000
    State:                  00001000	MEM_COMMIT
    Protect:                00000020	PAGE_EXECUTE_READ
    Type:                   01000000	MEM_IMAGE
    Allocation Base:        73970000
    Allocation Protect:     00000080	PAGE_EXECUTE_WRITECOPY
    Image Path:             C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
    Module Name:            prcore
    Loaded Image Name:      C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
    Mapped Image Name:
    0:088> !chkimg prcore
    0 errors : prcore 
    
    # Hmm, so why is esi pointing there?
    
    0:088> !address esi
    
    Mapping file section regions...
    Mapping module regions...
    Mapping PEB regions...
    Mapping TEB and stack regions...
    Mapping heap regions...
    Mapping page heap regions...
    Mapping other regions...
    Mapping stack trace database regions...
    Mapping activation context regions...
    
    
    Usage:                  Heap
    Base Address:           02a00000
    End Address:            02c33000
    Region Size:            00233000
    State:                  00001000	MEM_COMMIT
    Protect:                00000004	PAGE_READWRITE
    Type:                   00020000	MEM_PRIVATE
    Allocation Base:        02a00000
    Allocation Protect:     00000004	PAGE_READWRITE
    More info:              heap owning the address: !heap 0x4a0000
    More info:              heap segment
    More info:              heap entry containing the address: !heap -x 0x2bf4760
    
    
    0:088> !heap -x 0x2bf4760
    Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
    -----------------------------------------------------------------------------
    02bf4758  02bf4760  004a0000  02b00ac8        60         -       0    LFH;free
    
    # So looks like an exploitable use after free vulnerability.
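    The pointer chain the disassembly above walks (context at [ebp+8], object at [ecx+4], ops table at [esi], first slot at [edx]) is shown in the added C example below, together with the release fix that makes the existing `test esi,esi` check catch a stale object instead of calling through freed heap memory. This is not Kaspersky's code; the `scan_ctx`, `scan_obj` and `scan_ops` names are hypothetical stand-ins for whatever prcore actually uses.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical types that mirror the shape of the crashing sequence, not prcore's real layout. */
struct scan_obj;
struct scan_ops { int (*unload)(struct scan_obj *self); };  /* edx -> first slot is eax   */
struct scan_obj { const struct scan_ops *ops; int id; };     /* esi -> first dword is edx  */
struct scan_ctx { int reserved; struct scan_obj *obj; };     /* ecx -> [ecx+4] is esi      */

static int real_unload(struct scan_obj *self) { return self->id; }
static const struct scan_ops ops = { real_unload };

struct scan_ctx *ctx_create(int id) {
    struct scan_ctx *ctx = calloc(1, sizeof *ctx);
    struct scan_obj *obj = calloc(1, sizeof *obj);
    if (!ctx || !obj) { free(ctx); free(obj); return NULL; }
    obj->ops = &ops;
    obj->id = id;
    ctx->obj = obj;
    return ctx;
}

/* Same control flow as prcore!PragueUnload+0x2673: load the object, skip if NULL, call slot 0. */
int ctx_unload(struct scan_ctx *ctx) {
    struct scan_obj *obj = ctx->obj;        /* mov esi,[ecx+4]                  */
    if (obj == NULL) return -1;             /* test esi,esi / je                */
    return obj->ops->unload(obj);           /* mov edx,[esi]; mov eax,[edx]; call eax */
}

/* Buggy release: the object is freed but ctx->obj keeps pointing at the dead LFH chunk.
 * A later ctx_unload() then reads whatever stale data the chunk holds as an ops pointer,
 * which is the fault pattern in the crash above. Never call ctx_unload() after this. */
void ctx_release_buggy(struct scan_ctx *ctx) { free(ctx->obj); }

/* Hardened release: clear the slot so the NULL check already present in the caller
 * turns a use of the released object into a harmless early return. */
void ctx_release_safe(struct scan_ctx *ctx) { free(ctx->obj); ctx->obj = NULL; }

int main(void) {
    struct scan_ctx *ctx = ctx_create(7);
    if (!ctx) return 1;
    printf("unload before release: %d\n", ctx_unload(ctx));   /* 7  */
    ctx_release_safe(ctx);
    printf("unload after safe release: %d\n", ctx_unload(ctx)); /* -1 */
    free(ctx);
    return 0;
}
```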
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38736.zip