McAfee LiveSafe 14.0 - Relocations Processing Memory Corruption

EDB-ID:

39770




Platform:

Windows

Date:

2016-05-04


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=817

Fuzzing packed executables with McAfee's LiveSafe 14.0 on Windows found a signedness error parsing sections and relocations. The attached fuzzed testcase demonstrates this and causes a crash in mscan64a.dll. I verified that this crash reproduces on Linux and Windows, all version of McAfee appear to be affected including the embedded version and the SDK.

Naturally, this code runs as SYSTEM on Windows, with no sandboxing and is used to parse untrusted remote input.

0:045> .lastevent
Last event: d34.13a4: Access violation - code c0000005 (first chance)
  debugger time: Tue Apr  5 15:02:40.009 2016 (UTC - 7:00)
0:045> r
rax=00000000306f1000 rbx=00000000306f1000 rcx=00000000ffffffff
rdx=00000001031d114f rsi=00000000031d1150 rdi=00000000306f4000
rip=00000000711a36fa rsp=00000000064748a0 rbp=00000000031ca880
 r8=00000000000005d3  r9=00000000306f0fff r10=8d00008661e82404
r11=0000000000000000 r12=00000000306f4000 r13=000000000647917c
r14=000000001070c1b8 r15=00000000031ca698
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
mscan64a!RetrieveSingleExtensionList+0x19844a:
00000000`711a36fa 0fb64a01        movzx   ecx,byte ptr [rdx+1] ds:00000001`031d1150=??

Okay, what happened there?

0:007> ub 
mscan64a!RetrieveSingleExtensionList+0x198437:
00000000`71fd36e7 8b45c8          mov     eax,dword ptr [rbp-38h]
00000000`71fd36ea 8b08            mov     ecx,dword ptr [rax]
00000000`71fd36ec 8d4101          lea     eax,[rcx+1]
00000000`71fd36ef 3bc7            cmp     eax,edi
00000000`71fd36f1 7332            jae     mscan64a!RetrieveSingleExtensionList+0x198475 (00000000`71fd3725)
00000000`71fd36f3 2bcb            sub     ecx,ebx
00000000`71fd36f5 8bd1            mov     edx,ecx
00000000`71fd36f7 4803d6          add     rdx,rsi
0:007> dd @rbp-38 L1
00000000`0c529018  0c52d7ac
0:007> dd 0c52d7ac L1
00000000`0c52d7ac  90000fff

So it looks like that calculation is used as an index into @rsi, which is obviously going to be oob.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39770.zip