Comodo - Integer Overflow Leading to Heap Overflow in Win32 Emulation

2016-03-23T00:00:00
ID EDB-ID:39605
Type exploitdb
Reporter Google Security Research
Modified 2016-03-23T00:00:00

Description

Comodo - Integer Overflow Leading to Heap Overflow in Win32 Emulation. Dos exploit for windows platform

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=738

A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM.

These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker controlled code.

Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.

The code attempts to extract a VT_BSTR VARIANT, which contains a pascal-like string, something like:

struct BSTR {
 DWORD Length;
 CHAR Data[0];
};

In pseudocode, the code does something like this:

vm->ReadMemory(Parameter1); // PVARIANT
vm->ReadMemory(Parameter2); // PVARIANT

vm->GetData(&LocalVariant, Parameter2); // Read the second VARIANT

if (LocalVariant.vt !== VT_BSTR)  // Verify it's a BSTR
 return false;

vm->GetData(&szLen, LocalVariant.bstr - 4); // Try to read the Length of the BSTR


The code attempts to convert this BSTR into a nul-terminated wide string. This requires 2 additional bytes (for the terminator), so providing a length of 0xFFFFFFFF will cause the allocation to wrap.

Buf = malloc(szLen + 2); // Allocate space for the string
vm->GetWideString(Buf, Ptr, szLen >> 1); // Read Length/2 WCHARs


This will read Length/2 WCHAR's from the hostile virtual machine and clobber the trusted heap buffer. The corruption can be halted early by placing the BSTR before an unmapped page boundary, resulting in a nice clean heap overflow.

The scan process which runs as NT AUTHORITY\SYSTEM and does not use ASLR, making this a critical remote memory corruption that can be exploited via email, http, etc with zero user interaction.

(e38.2c0): Access violation - code c0000005 (!!! second chance !!!)
00000000`0ec6b5c6 0fb70408        movzx   eax,word ptr [rax+rcx] ds:00000000`4e6d1567=????
0:009> r
rax=000000004e6d0002 rbx=0000000000000100 rcx=0000000000001565
rdx=000000005b0ce400 rsi=00000000000000c3 rdi=000000005b0ce510
rip=000000000ec6b5c6 rsp=000000005b0ce3f0 rbp=0000000000006e58
 r8=000000005b0ce460  r9=000000004e6d0005 r10=00000000000000e8
r11=00000000000000e8 r12=00000000000000f7 r13=000000004e6bfe1c
r14=0000000000014b08 r15=0000000000000100
iopl=0         nv up ei pl nz ac pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010210
00000000`0ec6b5c6 0fb70408        movzx   eax,word ptr [rax+rcx] ds:00000000`4e6d1567=????
0:009> lmv mmach32
start             end                 module name
00000000`17410000 00000000`17658000   mach32     (deferred)             
    Image path: C:\Program Files\COMODO\COMODO Internet Security\scanners\mach32.dll
    Image name: mach32.dll
    Timestamp:        Mon Dec 29 04:57:44 2014 (54A14FC8)
    CheckSum:         00244AF0
    ImageSize:        00248000
    File version:     6.2.15068.1057
    Product version:  6.2.15068.1057
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      COMODO
    ProductName:      COMODO Antivirus Scan Engine
    ProductVersion:   6, 2, 342748, 1057
    FileVersion:      6, 2, 342748, 1057
    FileDescription:  COMODO Antivirus Scan Engine
    LegalCopyright:   2005-2014 COMODO. All rights reserved.

I think the same bug exists in rtcSpaceBstr, rtcSpaceVar, rtcUpperCaseBstr, rtcUpperCaseVar, and maybe a few more.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39605.zip