Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: pav~1.htm

PAV prior to 6.23.00 handles malformed UPX-packed files badly



COMMAND

    PAV

SYSTEMS AFFECTED

    PAV prior to 6.23.00

PROBLEM

    Vladimir Kraljevic found  following.  PAV  handles in an  insecure
    way  UPX  exe-packer  information;  this  behavior occurs when PAV
    scans an malformed UPX-packed exe file (in our case  "loader.exe",
    part of  sglue teflon-like  packageing program).   Included  sglue
    with this letter, please find it attached, password is "panda".

    PAV recognizes properly  such executable, but  when user tries  to
    perform an action, here is the table of behaviors:
    - On rename - PAV crashes, but renames
    - On move - PAV crashes, but moves the file
    - On ignore - PAV crashes, but ignores :)
    - On delete - PAV never crashes (not affected)

    It is very likely that  attacker can tamper an executable  in such
    way that he/she  can execute arbitrary  code exactly where  he/she
    needs  it.   UPX  shows  similar  message  when  tries  to process
    "loader.exe", as well.

    Disassembly of PAVDLL follows, you  will be able to find  the line
    in  the  source  code  by  following  the  reference bytes in this
    listing (crash point is traced  back to the pavdll.dll at  address
    0x0005EA51  in  binary   image).  Crash  point   is  marked   with
    ">>>>>>>>>>>>>" in the listing file.

        0174F421 55                   push        ebp
        0174F422 8B EC                mov         ebp,esp
        0174F424 53                   push        ebx
        0174F425 56                   push        esi
        0174F426 57                   push        edi
        0174F427 33 F6                xor         esi,esi
        0174F429 8B 45 0C             mov         eax,dword ptr [ebp+0Ch]
        0174F42C 8B 18                mov         ebx,dword ptr [eax]
        0174F42E EB 21                jmp         0174F451
        0174F430 80 3B F0             cmp         byte ptr [ebx],0F0h
        0174F433 72 1A                jb          0174F44F
        0174F435 80 3B F0             cmp         byte ptr [ebx],0F0h
        0174F438 75 12                jne         0174F44C
        0174F43A 8D 43 01             lea         eax,[ebx+1]
        0174F43D 50                   push        eax
        0174F43E E8 69 EA FF FF       call        0174DEAC
        0174F443 59                   pop         ecx
        0174F444 66 85 C0             test        ax,ax
        0174F447 75 03                jne         0174F44C
        0174F449 83 C3 04             add         ebx,4
        0174F44C 83 C3 02             add         ebx,2
        0174F44F 43                   inc         ebx
        0174F450 46                   inc         esi
        
        PAVDLL>>>>>>>>>> 0174F451 80 3B 00             cmp         byte ptr [ebx],0
        (EBX here is an invalid address [0x5259A8D8] that caused unhandled access
        violation exception; for information about other registers, please take a
        look at the bottom of the page)
        
        0174F454 75 DA                jne         0174F430
        0174F456 6A 00                push        0
        0174F458 C1 E6 02             shl         esi,2
        0174F45B 83 C6 04             add         esi,4
        0174F45E 56                   push        esi
        0174F45F E8 BC 39 FA FF       call        016F2E20
        0174F464 83 C4 08             add         esp,8
        0174F467 8B 55 08             mov         edx,dword ptr [ebp+8]
        0174F46A 89 02                mov         dword ptr [edx],eax
        0174F46C 8B 4D 08             mov         ecx,dword ptr [ebp+8]
        0174F46F 83 39 00             cmp         dword ptr [ecx],0
        0174F472 75 07                jne         0174F47B
        0174F474 33 C0                xor         eax,eax
        0174F476 E9 96 00 00 00       jmp         0174F511
        0174F47B 8B 55 08             mov         edx,dword ptr [ebp+8]
        0174F47E 8B 3A                mov         edi,dword ptr [edx]
        0174F480 BE FC FF FF FF       mov         esi,0FFFFFFFCh
        0174F485 8B 45 0C             mov         eax,dword ptr [ebp+0Ch]
        0174F488 8B 18                mov         ebx,dword ptr [eax]
        0174F48A EB 69                jmp         0174F4F5
        0174F48C 80 3B F0             cmp         byte ptr [ebx],0F0h
        0174F48F 73 08                jae         0174F499
        0174F491 33 C0                xor         eax,eax
        0174F493 8A 03                mov         al,byte ptr [ebx]
        0174F495 03 F0                add         esi,eax
        0174F497 EB 2F                jmp         0174F4C8
        0174F499 8D 53 01             lea         edx,[ebx+1]
        0174F49C 52                   push        edx
        0174F49D E8 0A EA FF FF       call        0174DEAC
        0174F4A2 59                   pop         ecx
        0174F4A3 0F B7 C0             movzx       eax,ax
        0174F4A6 33 D2                xor         edx,edx
        0174F4A8 8A 13                mov         dl,byte ptr [ebx]
        0174F4AA 83 E2 0F             and         edx,0Fh
        0174F4AD C1 E2 10             shl         edx,10h
        0174F4B0 03 C2                add         eax,edx
        0174F4B2 83 C3 02             add         ebx,2
        0174F4B5 85 C0                test        eax,eax
        0174F4B7 75 0D                jne         0174F4C6
        0174F4B9 8D 4B 01             lea         ecx,[ebx+1]
        0174F4BC 51                   push        ecx
        0174F4BD E8 25 EA FF FF       call        0174DEE7
        0174F4C2 59                   pop         ecx
        0174F4C3 83 C3 04             add         ebx,4
        0174F4C6 03 F0                add         esi,eax
        0174F4C8 89 37                mov         dword ptr [edi],esi
        0174F4CA 83 C7 04             add         edi,4
        0174F4CD 83 7D 14 00          cmp         dword ptr [ebp+14h],0
        0174F4D1 74 21                je          0174F4F4
        0174F4D3 83 7D 10 00          cmp         dword ptr [ebp+10h],0
        0174F4D7 74 1B                je          0174F4F4
        0174F4D9 8B 45 10             mov         eax,dword ptr [ebp+10h]
        0174F4DC 03 C6                add         eax,esi
        0174F4DE 50                   push        eax
        0174F4DF E8 03 EA FF FF       call        0174DEE7
        0174F4E4 59                   pop         ecx
        0174F4E5 50                   push        eax
        0174F4E6 8B 55 10             mov         edx,dword ptr [ebp+10h]
        0174F4E9 03 D6                add         edx,esi
        0174F4EB 52                   push        edx
        0174F4EC E8 6D EA FF FF       call        0174DF5E
        0174F4F1 83 C4 08             add         esp,8
        0174F4F4 43                   inc         ebx
        0174F4F5 80 3B 00             cmp         byte ptr [ebx],0
        0174F4F8 75 92                jne         0174F48C
        0174F4FA 43                   inc         ebx
        0174F4FB 8B 45 0C             mov         eax,dword ptr [ebp+0Ch]
        0174F4FE 89 18                mov         dword ptr [eax],ebx
        0174F500 8B 55 08             mov         edx,dword ptr [ebp+8]
        0174F503 8B C7                mov         eax,edi
        0174F505 2B 02                sub         eax,dword ptr [edx]
        0174F507 85 C0                test        eax,eax
        0174F509 79 03                jns         0174F50E
        0174F50B 83 C0 03             add         eax,3
        0174F50E C1 F8 02             sar         eax,2
        0174F511 5F                   pop         edi
        0174F512 5E                   pop         esi
        0174F513 5B                   pop         ebx
        0174F514 5D                   pop         ebp
        0174F515 C3                   ret
        
        EAX = 068AB750 EBX = 5259A8D8 ECX = 01A0FB00 EDX = 068AB740 ESI = 00000000 EDI = 01A0FA89
        EIP = 0174F451 ESP = 068AB6BC EBP = 068AB6C8 EFL = 00000246
        MM0 = 00D4D0C800D4D0C8 MM1 = 0000000000000000 MM2 = 000000D300CF00C7 MM3 = 000000D300CF00C7
        MM4 = 00D4D0C800D4D0C8 MM5 = 000000D400D000C8 MM6 = 0000000000000000 MM7 = 0080008000800080
        XMM0 = 0013799000137E6000130C5877FCB1BE XMM1 = 00137D68008F2898002BDA9F00137D68
        XMM2 = 544E4E49575C3A430000000000000001 XMM3 = 001379C801005C320013017800130178
        XMM4 = 00130000000000100000000000130640 XMM5 = 00130168001384480013845000000158
        XMM6 = 00000000002DD4540000001F002DD400 XMM7 = 000000000000001E017FFC5000406218
        CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 003B GS = 0000 OV=0 UP=0 EI=1
        PL=0 ZR=1 AC=0 PE=1 CY=0
        
        5259A8D8 = ??

SOLUTION

    With the latest Platinum version (6.23.00) the problem is  solved.
    This  version  is  available  since  February  2001,  if you are a
    registered customer of Panda Software  you can upgrade it to  this
    version.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH