Bitdefender in processing PE code signing the organizationName field when there is buffer overflow vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201786390
Type myhack58
Reporter 佚名
Modified 2017-05-23T00:00:00


A vulnerability summary This paper describes the Bitdefender PE engine in the presence of a buffer overflow vulnerability. Bitdefender provides“anti-malware antimalware”of the engine, the engine can be integrated to other security vendors ' products, Bitdefender in their products, such as Bitdefender Internet Security 2017 and the following version is also using the engine. In the security products of many functions, The Anti-Malware engine is the core function for scanning potentially malicious portable executable files portable executable, PE in. Second, the vulnerability details PE files can be used to X the. 509 certificates for signatures. Signature mechanisms can ensure that the executable file contents haven't been tampered with, and file comes from a trusted source. The certificate information is stored in the PE data of a directory, the directory by the IMAGE_NT_HEADERS. IMAGE_OPTIONAL_HEADER fields to be defined. PE file in the IMAGE_NT_HEADERS structure is the body to feature characters“PE\0\0”started: typedef struct IMAGE_NT_HEADERS { DWORD Signature; "PE\0\0" IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER OptionalHeader; } IMAGE_NT_HEADERS32, PIMAGE_NT_HEADERS32; IMAGE_OPTIONAL_HEADER structure of the last part contains a number of type IMAGE_DATA_DIRECTORY the DataDirectory structure of the body: WORD Magic BYTE MajorLinkerVersion ... DWORD LoaderFlags DWORD NumberOfRvaAndSizes IMAGE_DATA_DIRECTORY DataDirectory[16] ---------------------------------------------------- typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; // RVA of the data DWORD Size; // Size of the data }; DataDirectory[4]representative is the IMAGE_DIRECTORY_ENTRY_SECURITY, pointing to the one containing the WIN_CERTIFICATE structure of the list. VirtualAddress field refers to the file offset and not RVA, relative virtual address, Relative Virtual Address it. WIN_CERTIFICATE structure is defined as follows: typedef struct _WIN_CERTIFICATE { DWORD dwLength; WORD wRevision; WORD wCertificateType; BYTE bCertificate[ANYSIZE_ARRAY]; } WIN_CERTIFICATE, PWIN_CERTIFICATE; vsserv. exe is Bitdefender system services, the process automatically to scan a PE file, by cevakrnl. rv8 module analysis of the PE file's digital signature. cevakrnl. rv8 module is a compression module, located in the“%ProgramFiles%\Common Files\Bitdefender\Bitdefender Threat Scanner\Antivirus...\Plugins\”directory. Bitdefender when the service starts, it will unzip the cevakrnl. rv8 module, and load it as executable code. When the processing after the signature of the PE file, cevakrnl. rv8! sub_40ACFF0()function will be called. cevakrnl. rv8:040AE691 lea eax, [ebp+var_2C] cevakrnl. rv8:040AE694 push eax ; &(ebp-0x2C) - object placed on the stack cevakrnl. rv8:040AE695 call sub_40ACFF0 ; call here

cevakrnl. rv8! sub_40ACFF0() extracts the IMAGE_DIRECTORY_ENTRY_SECURITY offset and size fields.

cevakrnl. rv8:040ACFF0 sub_40ACFF0 proc near ; CODE XREF: sub_40AE5C0+D5p cevakrnl. rv8:040ACFF0 ... cevakrnl. rv8:040AD007 mov edi, [ebp+arg_0] ... cevakrnl. rv8:040AD025 mov eax, [edi+4] ; eax = IMAGE_NT_HEADERS cevakrnl. rv8:040AD025 ; contains at cevakrnl. rv8:040AD025 ; offset 0x0: DWORD Signature ("PE");

[1] [2] [3] [4] [5] [6] next