您的位置：★快乐天地★超门户 >> 综合资讯 >> Vista >> Vista资讯 >> 查看资讯

多款杀毒软件存在严重漏洞可让黑客执行任意代码

发布: 2008-4-30 13:19 | 作者: 快乐天地 | 来源: www.2getherhappy.net | 查看: 4次

感谢AYANAMI REI的翻译。Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/★快乐天地★超门户yWP_o!s

对多款杀毒软件和防火墙的SSDT Hook函数的参数验证不严
q'B5[*m1P.`'Q*报告信息*

uM lanJ8o!F标题:对多款杀毒软件和防火墙的SSDT Hook函数的参数验证不严
报告ID: CORE-2008-0320
报告URL:http://www.coresecurity.com/?action=item&id=2249
发布日期: 2008-04-28
p)i1HdXw最后更新日期: 2008-04-28
包含厂商: BitDefender, Comodo, Sophos和瑞星
v2og8qEUR] Xg$L发布模式: 协调发布(BitDefender, Comodo, Rising), 用户发布 (Sophos)
*漏洞信息*

:p B}3V0M7w$ZC类别：无效内存参数★快乐天地★超门户3xt*|J8L:S
可远程利用：否★快乐天地★超门户.k"}xL(o3e
可本地利用：是
&T.Y2NhilJY'Q-C6IBugtraq ID：28741，28742，28743，28744
p(F&O$m'VZ+@n:^7IuCVE 名称：CVE-2008-1735, CVE-2008-1736, CVE-2008-1737, CVE-2008 -1738
*漏洞描述*

*Yd{m{通过对多款杀毒软件和防火墙的（BitDefender Antivirus [1], Comodo Firewall [2], Sophos Antivirus [3]和瑞星杀毒软件[4]）的SSDT hook 函数的粗略检查发现可以导致拒绝服务（DOS），并可能执行代码攻击。攻击者利用这些缺陷可以本地重启系统，关闭防火墙和杀毒软件保护。然而，很多情况下它可能利用这些bug导致在特权内核模式下执行任意代码。
cjYOtB‘
]eHh4S5RPZc*漏洞影响版本*

. BitDefender Antivirus 2008 Build 11.0.11
AK r+O"wa4J5g:rf k0z. Comodo Firewall Pro 2.4.18.184
s(c%kde3o. Sophos Antivirus 7.0.5
. 瑞星杀毒软件19.60.0.0 and 19.66.0.0
6M*D+g:i ?5R. 旧版本未测试，可能会被影响.
NaFR lw)hW:Pm2M*不受影响的版本*

. BitDefender Antivirus 2008版本可以通过自动更新更新至一月18号之后的版本
d$RF9SppBw;B. Comodo Firewall Pro 3.0
5goOmJEHm:W. 瑞星杀毒软件20.38.20
*厂商信息，解决方案和其他*

cZ~:Qnn2l,Z*{(A.}|1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

$d-N0r6s'S根据BitDefender的说明，这个缺陷尚未被恶意程序利用，并且可通过自动更新修正。这一问题的信息可以在BitDefender的网站上找到：http://kb.bitdefender.com/KB419-en–Security-vulnerability-in- BitDefender-2008.html
2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)

这个漏洞在Comodo Firewall Pro 3.0中被修正，新版本在http://www.personalfirewall.comodo.com/download_firewall.html下载
h1T0j(mK3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)

厂商声明：“在windows 2000，2003和XP下的Sophos Anti-Virus 7.x将会受此漏洞影响。”不受影响的SOPHOS产品包括早起的SOPHOS windows杀毒软件，SOPHOS飞windows平台杀毒软件和其他SOPHOS产品。★快乐天地★超门户2hc@&r.X

t Mh3te+Ki{.u这个漏洞只有在实时行为分析开启状态才可以利用。它需要用户将web浏览器的安全设置调整到默认级别以下或者允许从网页上启动ActiveX或 Java Applet。

/p-w_GMm2eq^可以使用以下方法避免漏洞被利用：

'Gpl0S.m2FOea. 使用默认的安全设置或较高级别的最新版本Web浏览器。作为通用的安全管理，我们不建议用户下载ActiveX或者Java Applets，除非你信任他的内容。

1HiGwR|:ML$Vb. 关闭Sophos Anti-Virus的实时行为分析功能。（用户仍会受到Sophos 行为遗传分析和其他方式的对抗恶意软件的保护手段的保护。）

N.B. 如果攻击程序被放出，Sophos将会部署保护以对抗攻击程序。

:T8J4wuta^漏洞的修复需要用户重新启动终端。鉴于为非紧急漏洞，为了尽量不打扰我们的客户，Sophos将会尽早的在一个需要重新启动的产品中包含这个修正。
7C4J cN-})sZV4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

瑞星杀毒软件的修正版可以在http://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe 下载。

所有的瑞星用户都可以通过自动更新更新到修补过的版本。
*荣誉归功于*

']3?Y/`)R-o0P这些漏洞（除了瑞星）是被Core Security Technologies的Damian Saura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blancoy Rodrigo Carvalho在bugweek 2007时发现的。瑞星漏洞是被Core
W,@v[AA UR\Security Technologies exploit writers team的Anibal Sacco发现的。
*技术描述/poc代码*

我们发现BitDefender Antivirus, 瑞星杀毒软件, Comodo
Firewall和Sophos Antivirus并没有在使用hook函数时验证参数，导致程序试图转向无效内存，导致BSOD（Blue Screen of Death）。

R-{|K8j K在我们的测试中，我们使用了内核hook探测工具BSODhook [5]去寻找任何形式的未被充分验证的SSDT hook参数。从Matousec的文件[6]：

,k)v&WIF,@“Hooking kernel functions by modifying the System Service Descriptor
Table (SSDT) is a very popular method of implementation of additional
4aTuY)F0t"psecurity features and is used frequently by personal firewalls and other
security and low-level software. Although undocumented and despised by
Microsoft, this technique can be implemented in a correct and stable
.X/Ny5YBQ[Q SRway. However, many software vendors do not follow the rules and
recommendations for kernel-mode code writing and many drivers that
implement SSDT hooking do not properly validate the parameters of the
hooking functions.”

“Hooking SSDT functions requires extra caution. SSDT function handlers
&T"Q.}9Y!U1eare executed in the kernel mode but their callers are executed in the
Oo.knKI8?(xFuser mode. Hence all function arguments come from the user mode. This is
nu.K2Pr1hdwhy it is necessary to validate these arguments properly. Otherwise a
simple user call can easily crash the whole system. This bug usually
results in a system crash. However, it may happen that this bug is even
g[UG ?OMJmore dangerous and may lead to the execution of an arbitrary code in the
privileged kernel mode.”

5MA4J a9idRQ[A local DoS attack, despite not being a very sophisticated intrusion
0O!bxxr-B EH;i(tattack, could be used as an accessory under several scenarios. It is
{"o9pC?commonly used by viruses as added feature, when the specific AV is
detected on the infected machine, crashing the system just to annoy. Or
by a human attacker, after a succesful remote intrusion with
unprivileged credentials to make a computer resource unavailable to its
intended users. Besides, this could be a very valuable resource when
3i ff.C*sS-i|trying to fake some service that answers broadcasts request like a DHCP,
f4LHc5C\Qallowing to start the service in another location replacing the original
6h p5P*W+t$dmone.

1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

3XB b5f U8U_!c z g^BitDefender fails to validate the pointer to the ‘CLIENT_ID’ structure
Ks&o }z%Pprovided to ‘NtOpenProcess’. So, if we pass an invalid pointer, we will
x7W])Js,Vbhja:Ncrash the whole system.

/———–

NtOpenProcess(PHANDLE ProcessHandle,★快乐天地★超门户8c*Ck]-Hzn
ACCESS_MASK AccessMask,
POBJECT_ATTRIBUTES ObjectAttributes,
2Wb0JC0r1n-C`5gPCLIENT_ID ClientId )

+B8YV+C[7R;jba.text:00010ADE push 0Ch
.text:00010AE0 push offset stru_114E8
.|%] v[tCwd.text:00010AE5 call __SEH_prolog★快乐天地★超门户0P;q+{8\2S'S
.text:00010AEA call KeGetCurrentThread
T4Q@X n(F'd0i.text:00010AEF xor ebx, ebx
?.zD_a2F0~8n lSd&g.text:00010AF1 cmp [eax+140h], bl
&Rn |g d He$H.text:00010AF7 jz short loc_10B0D
.text:00010AF9 call PsGetCurrentProcessId
t8QcXL+Oc*E'Q.text:00010AFE call PsGetCurrentProcessId
.text:00010B03 push eax
4lSw4ZLX.text:00010B04 call sub_10724
.text:00010B09 test eax, eax
lhWXGg-z.text:00010B0B jnz short loc_10B12★快乐天地★超门户'f"y&~ g4jc
.text:00010B0D
2MC&F1SrS.text:00010B0D loc_10B0D: ; CODE XREF: sub_10ADE+19_j
.text:00010B0D push [ebp+ClientId]
;[I|)Hei3S.text:00010B10 jmp short loc_10B73

/{pZ%N5U9Q6j[.text:00010B12★快乐天地★超门户+]1N2LKzv
.text:00010B12 loc_10B12: ; CODE XREF: sub_10ADE+2D_j
.text:00010B12 mov edi, [ebp+ClientId]
-}_}e"do.K.text:00010B15 cmp edi, ebx ; Little check to avoid a
-qUI_[9c G5^Null Pointer

.rH^R^?k- ———–/

'|X.lt.AH4NvHere it gets the pointer to the ‘ClientId’ value, and if it is non zero
(’!= 0′) it does not care where it is pointing to.

/———–

.text:00010B17 jnz short loc_10B1C
.text:00010B19 push ebx
.text:00010B1A jmp short loc_10B73

.text:00010B1C
/iGyv0t0wV:D.text:00010B1C loc_10B1C: ; CODE XREF: sub_10ADE+39_j
.text:00010B1C mov [ebp+ms_exc.disabled], ebx
.text:00010B1F mov esi, [edi] ; Here it crashes

- ———–/

RGfH&U0Z6NIt access to that memory, and if that is invalid memory the system will
crash.

Hs5a7`3r fCj/———–

.text:00010B21 mov [ebp+var_1C], esi
;M|w(nqy[.c.text:00010B24 or [ebp+ms_exc.disabled], 0FFFFFFFFh
(?%T#nHi~.text:00010B28 jmp short loc_10B3B
XK/uMCNV#P.text:00010B28 sub_10ADE endp

- ———–/

2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)

1ia+wYe)@`RIn Comodo there are problems in the arguments validation of
7}?4~r Q-F:hsfY7x5M‘NtDeleteFile’, ‘NtCreateFile’ and ‘NtSetThreadContext’ functions.
r7aadV‘NtDeleteFile’ receives just one parameter, a pointer to an
}d!N ?2a)Bq5i‘OBJECT_ATTRIBUTES’ structure. These attributes would include the
^@M5Ry‘ObjectName’ and the ‘SECURITY_DESCRIPTOR’, for example. This is the
;I__$T&N u&eNhook placed by Comodo at ‘NtDeleteFile’.

$N[-p_C'C/———–★快乐天地★超门户.g%D~xz

NTDeleteFile (POBJECT_ATTRIBUTES ObjectAttributes)

.text:0001ACB0 push 1Ch
(J{J%M.z.text:0001ACB2 push offset stru_1E3F0★快乐天地★超门户n{Pt0a
.text:0001ACB7 call __SEH_prolog
#jtZ#CV6@ @.text:0001ACBC xor ebx, ebx★快乐天地★超门户n v;_.vZu
.text:0001ACBE inc ebx
9~c)yy(Q3`*I1sTMQ A.text:0001ACBF mov [ebp+var_1C], ebx
.text:0001ACC2 xor esi, esi
(e8W4[(H2[lc.|6nK(~.text:0001ACC4 mov [ebp+var_24], esi
.text:0001ACC7 mov [ebp+var_20], ebx
Nh{A$}$OW5Y*o.text:0001ACCA mov [ebp+var_28], esi
4J2X$[begbsT+qp.text:0001ACCD mov [ebp+ms_exc.disabled], esi
-Bit.J:g.text:0001ACD0 call ds:ExGetPreviousMode
.text:0001ACD6 mov edi, [ebp+ObjectAttributes]

r"rQ{`(t'L1E- ———–/

8g|$Z!Z-x4jI\vGHere it does a lot of ‘ProbeForRead’ checks to see if the pointers of
the structure are valid. Nice! (’EDI’ still has a pointer to the
V9][4B;};e‘OBJECT_ATTRIBUTES’ structure)

/———–

….
|Q5xPoLzu!I.text:0001AD25 push edi ; ObjectAttributes
$r @Q&R\$z!@ s.text:0001AD26 call sub_1A692 ; Here it passes the
,Sl+p[fyavg,VOBJECT_ATTRIBUTES structure pointer to the next function.

sub_1A692
+dP-rCR+IXw%G&D.text:0001A692 push 28h
*@n1h8s%~C.text:0001A694 push offset stru_1E3C0
_6X Ip4\*ql l7V.text:0001A699 call __SEH_prolog
:s#GWM`L7^wv.text:0001A69E xor edi, edi
….
T4W1~'D-@!P_/{9brH.text:0001A6B3 mov [ebp+ms_exc.disabled], edi
6U8]:c1ubx+Mk.text:0001A6B6 push 72747052h ; Tag
X jpD?5U0va5Q.text:0001A6BB mov ebx, 400h
.text:0001A6C0 push ebx ; NumberOfBytes
.text:0001A6C1 push 1 ; PoolType
.text:0001A6C3 call ds:ExAllocatePoolWithTag ; Allocates memory to
hold the data retrieved by ZwQueryObject
"x6e,Q;Ew?FX E4}.text:0001A6C9 mov esi, eax
R8X%I6JZ:s.text:0001A6CB mov [ebp+var_28], esi
*u)b` Qv)sl.c8Wz0].text:0001A6CE cmp esi, edi★快乐天地★超门户8t$tHlXY
.text:0001A6D0 jz short loc_1A74F

n;]&\C0oq n.text:0001A6D2 mov edi, [ebp+ObjectAttributes]
hV ~J[Vtd:tf9m.text:0001A6D5 mov eax, [edi+OBJECT_ATTRIBUTES.RootDirectory] ;
I M:xO@"aHHere, the code retrieves the RootDirectory’s field value from the
#{-sn8~0uEstructure, controled by us.
.text:0001A6D8 test eax, eax★快乐天地★超门户YU+l"w;GJ
.text:0001A6DA jz short loc_1A71B

.text:0001A6DC push 0 ; ReturnLength
c:p;nT_:zVB.text:0001A6DE push ebx ; ObjectInformationLength
}]x.dc.text:0001A6DF push esi ; ObjectInformation
; buffer where ZwQueryObject will put the object information

'?~z+celbi.text:0001A6E0 push 1 ; ObjectInformationClass
; Specifies an OBJECT_INFORMATION_CLASS value that determines the type★快乐天地★超门户&J BT|"Cs
; of information returned in the ObjectInformation buffer. It’s using
o$TY:GE4D3A; an undocumented type (OBJECT_NAME_INFORMATION) which returns an
s&Ss{1v&ac-~zUNICODE_STRING structure
VL!`~P;s*Cz%W.text:0001A6E2 push eax ; ObjectHandle
+H(|SG~'ks; Now, the user-controlled handle ‘ll be used here to identify the
object by ZwQueryObject,
.text:0001A6E3 call ds:ZwQueryObject
.text:0001A6E9 mov [ebp+var_20], eax
#L8SJ~9H9r(V.text:0001A6EC test eax, eax
!j.]fEPGQ.text:0001A6EE jl short loc_1A746

- ———–/

Here is where the problem shows up. The code does not properly validates
B}U#h0|m T~}6uthe data retrieved by ‘ZwQueryObject’, expecting an ‘UNICODE_STRING’
structure. But it is possible to make multiple calls to the function★快乐天地★超门户%p6r6hsk~
using different handlers to obtain a null structure crashing the system
when the code tries to dereference its ‘Buffer’ field.

ab;ck6[Bu}/———–

.text:0001A6F0 movzx eax, [esi+UNICODE_STRING.Length]
-Aq|!mMP ps.text:0001A6F3 shr eax, 1
.text:0001A6F5 mov ecx, [esi+UNICODE_STRING.Buffer]
rRbqB.text:0001A6F8 movzx eax, word ptr [ecx+eax*2-2] ; Here is the problem★快乐天地★超门户7n)@6d5[X%U
.text:0001A6FD mov [ebp+var_30], eax
f(Cd-y;N ^E&iC.text:0001A700 cmp ax, 5Ch
.text:0001A704 jz short loc_1A725

- ———–/★快乐天地★超门户pW[ Fw}

3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)

Insufficient argument validation of hooked SSDT functions on Sophos lead
to a DoS. An attacker, utilizing this flaw, would be able to locally
LPV4DfOk/zreboot the whole system shutting down the Firewall or AV protection.
Although neither the vendor nor Core Security has found a means of
-z D7kg'G G3jS$p.Caexploiting the flaw to execute arbitrary code, it has not been possible
to rule this out.

In Sophos AV there is a problem in the arguments validation of★快乐天地★超门户K1U\%K'Kx
‘NtCreateKey’ function.

p4m)m:ChF:N/———–

B7FRK-f7kint __cdecl NtCreateKeyHook(PHANDLE pKeyHandle,
ACCESS_MASK DesiredAccess,
8n o:VE*e)yPOBJECT_ATTRIBUTES ObjectAttributes,
/y&SHa?$@H Ik `oULONG TitleIndex,PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG Disposition)

[…]
.text:0001C01C push 4 ; Alignment
.text:0001C01E push 18h ; Length
*kX0t GIgmG#}.text:0001C020 mov esi, [ebp+ObjectAttributes]
of-Mh?7L9|.text:0001C023 push esi ; Address
x0^#Zn-@"g\ ^,Y.text:0001C024 call ds:ProbeForRead

- ———–/

Here it checks for ‘ObjectAttributes’ to be pointing to a valid address.

/———–

4c'}.B2k0iq B.text:0001C02A mov eax, [esi+OBJECT_ATTRIBUTES.RootDirectory]
.text:0001C02D mov [ebp+Handle], eax
.text:0001C030 mov esi, [esi+OBJECT_ATTRIBUTES.ObjectName]
.text:0001C033 mov [ebp+pUnicodeString], esi

- ———–/

4XsJ9\;I/?(v&qNow, it gets from ‘OBJECT_ATTRIBUTES’ a handle and a pointer to an
g8pz4Ao0e s;X‘UNICODE_STRING’ structure.

/———–

,[pz3_xR\ c.text:0001C095 push 4
.text:0001C097 push 8
.text:0001C099 push esi
kh7N!B:@.text:0001C09A mov ebx, ds:ProbeForRead
W bO8f Qeg4o9L.text:0001C0A0 call ebx ; ProbeForRead, it checks the
pointer before the dereference.★快乐天地★超门户x1j%u~/K

X#m:a Bl.text:0001C0A2 mov eax, dword ptr [esi+UNICODE_STRING.Length]
-Gm-U[hQ:MsK%|.text:0001C0A4 mov dword ptr [ebp+stUnicodeString.Length], eax
6i:s5RQI+k4e.text:0001C0A7 mov esi, [esi+UNICODE_STRING.Buffer] ; And gets★快乐天地★超门户ZR|4c{
from the UNICODE_STRING structure
; a pointer to the unicode buffer.
.text:0001C0AA mov [ebp+stUnicodeString.Buffer], esi
.text:0001C0AD push 2 ; Alignment
d{]\S+@7P(p(\1a.text:0001C0AF shr eax, 10h
.text:0001C0B2 push eax ; Length
.text:0001C0B3 push esi ; Address
.text:0001C0B4 call ebx ; ProbeForRead

- ———–/

It does the check, but here is the problem

8]F:h A l9u/———–

.text:0001C0B6 push gdwValue
.text:0001C0BC lea eax, [ebp+stUnicodeString]★快乐天地★超门户$eAQ p}%\
.text:0001C0BF push eax
.text:0001C0C0 push [ebp+Object]
\eo,Tm k.text:0001C0C3 call sub_1cb40

Q#},`j|MM3y?- ———–/

The problem relies in the function not properly checking the ‘Length’★快乐天地★超门户?+M[B e
field of the ‘UNICODE_STRING’ structure. When doing the check,
‘ProbeForRead’ receives the length field of the structure as a parameter
without any kind of validation.

So, if we set this field to 0, ‘ProbeForRead’ will not raise any
exception even though we were passing it an invalid address. And it will★快乐天地★超门户,uG$e1|*O
crash when trying to access to the desired invalid memory.

x qp vl7[/———–

/DZ!s[ADsub_1cb40

KAaPr"I9V[…]
.text:0001CB5E xor esi, esi
.text:0001CB60 mov [ebp+ms_exc.disabled], esi
{-xw[_]MI&u.text:0001CB63 mov edi, [ebp+pUnicodeString]
%W8b/k C] u#P A.text:0001CB66 mov eax, [edi+UNICODE_STRING.Buffer]

- ———–/★快乐天地★超门户\"U"}4x;Y#J

j.\(HE V(|6AAnd here is where it will crash:

/———–

ir0j3t3hhHt.text:0001CB69 cmp word ptr [eax], ‘\’ ; Reference the first
c$f$AD(S&npointed byte

4nAc+wW sjO- ———–/★快乐天地★超门户p?n9\Q-Q

4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

b?.X6Z$p;y`FIn Rising antivirus the code of the ‘NtOpenProcess’ hook does not
UwPO@ EA,l!Vvalidates if the pointer to the structure

7]I#L _.x$`#Q;YP!{/———–★快乐天地★超门户 {wy-Yx c

typedef struct _CLIENT_ID {
)A`mU0sAHANDLE UniqueProcess;
HANDLE UniqueThread;}

- ———–/

0tVte'B$jis really pointing to mapped memory. So, when the code tries to
dereference the pointer to check the ‘CLIENT_ID->UniqueProcess’ value,
n,[v(} P%F B b)iif it is pointing to invalid memory, will crash.

%J.|cxGD/———–

NtOpenProcess( OUT PHANDLE ProcessHandle,★快乐天地★超门户+Nj.F5h2S
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
xbHw8[0zYIN PCLIENT_ID ClientId )

&Mc\4L nqi!mt!U.text:00010EAA push ebp★快乐天地★超门户 H&kZY7X
.text:00010EAB mov ebp, esp
*W^1uT5J C a.text:00010EAD push esi
o,E0_L.A,i.text:00010EAE mov esi, offset Addend
.text:00010EB3 push edi
.text:00010EB4 mov ecx, esi ; Addend
.text:00010EB6 call ds:InterlockedIncrement★快乐天地★超门户'g~!F&UR%t
.text:00010EBC call PsGetCurrentProcessId
QQ,h(l {8|.p3N8F.text:00010EC1 cmp eax, dword_11C8C★快乐天地★超门户v2^Uys{
.text:00010EC7 jnz short loc_10ECE
V;T0z3r6T.hI~.text:00010EC9
dcn]$a7h.text:00010EC9 loc_10EC9: ; CODE XREF: sub_10EAA+37_j
.text:00010EC9 push [ebp+ClientId]★快乐天地★超门户B7V6nbZ
.text:00010ECC jmp short loc_10EF0

"MS3e I K&@.text:00010ECE
Bg+r6P:i.text:00010ECE loc_10ECE: ; CODE XREF: sub_10EAA+1D_j
J@L,J,E'A}(b3o'O.text:00010ECE call PsGetCurrentProcessId
.text:00010ED3 mov ecx, dword_11C80
G|!j[u"v*^.text:00010ED9 push eax
4k@ T'Mv#L`O;j.text:00010EDA call sub_11070
Uo!Y*K$t.text:00010EDF test al, al
.text:00010EE1 jnz short loc_10EC9
.text:00010EE3 call PsGetCurrentProcessId★快乐天地★超门户8HDR+|Y%L
.text:00010EE8 mov edi, [ebp+ClientId] ; Here is the bug, if
ClientId is pointing to an invalid address
Nk|0W4m2O e n.text:00010EEB cmp eax, [edi] ; it will crash.
'h2l)uLyq+}.text:00010EED jnz short loc_10F0D★快乐天地★超门户oo$hd)^

- ———–/

*Report Timeline*

qNZ$l)If F!`qV. 2008-01-11: Core Security Technologies found a security vulnerability
in BitDefender antivirus.
. 2008-01-14: BitDefender team is contacted by Core.★快乐天地★超门户-E'fOr}0N
. 2008-01-15: BitDefender team asks Core for technical description of
the vulnerability.
H,\i3f"d!}"s. 2008-01-15: Technical details are sent to BitDefender team by Core.
. 2008-01-22: BitDefender notifies Core that a fix has been produced and
the flaw was corrected through automatic updates.
upwn&n[*{X1Q. 2008-02-04: According to the original schedule, the CORE-2008-0320
Rd6F0Wcadvisory would be released at this date, but similar flaws in other
antivirus products were discovered by Core exploit writers team.
P,Z([C+k1UgConsidering all BitDefender users are patched, Core Security
Technologies does not release the advisory and continues the research of
this issue in other products.
. 2008-03-20: Core analyzes similar vulnerabilities in Comodo Firewall,
Sophos Antivirus and Rising Antivirus.
)d"j8R~6Iw4[7]. 2008-03-25: Core notifies the Comodo, Sophos and Rising teams of the
$Z4Z(Xl1hxUvulnerabilities.
. 2008-03-27: Comodo team asks Core for technical description of the★快乐天地★超门户 N){2iAi
vulnerability.★快乐天地★超门户Ha S`\ ~
. 2008-03-27: Technical details are sent to Comodo team by Core.
lLrt;N E. 2008-03-31: Rising team asks Core for technical description of the
}QLsthNmBevulnerability.
. 2008-04-01: Technical details are sent to Rising team by Core.
. 2008-04-02: Rising team inform Core that the flaw has been fixed in
the Rising AV 2008 version.★快乐天地★超门户|JR3Jl/an
. 2008-04-02: Sophos team asks Core for technical description of the
vulnerability.
k.p'A l)]2u#~;w2s;v1V. 2008-04-07: Technical details are sent to Sophos team by Core.
y+Pj#m7].vp. 2008-04-11: Sophos team informs that the flaw is found in one of the
*|TJ8DIZantivirus drivers, and fixing it will require a reboot for all of Sophos
(N3u n6I/\2]PWindows customers. Sophos would like to fix the bug in the next major
olkR2Y)Y&h;Smversion (second quarter 2009), in particular considering the fact that
X_j:uN,T'RFu'N"Hathey were unable to come up with any practical use of this vulnerability.
. 2008-04-14: Comodo notifies Core that a fix has been produced.
. 2008-04-14: Sophos informs Core that they will be able to release a
fX7w V/y9n6k[#Lfix to the vulnerability at the end of October 2008.
. 2008-04-21: Core responds that they will reschedule the publication to
April 24th, 2008. Since the vulnerability is not critical, and has been
!ZJJUW.g` }9vfound using publicly available tools, like the other vulnerabilities
7S9UD k&w4V'~ _.U`6mincluded in the advisory, Core doesn’t see a reason to postpone the
EJ(Jo!c.pEkMf0]publication of the Sophos bug until October 2008.
/k(U hNZdm}. 2008-04-21: Sophos asks Core not to release details of the
J2Zgym&PW&dvulnerability until a fix is available, and not to publish Proof of
_4v8h5}~1zPConcept code. Sophos informs that they do not believe that arbitrary
code execution is possible.
;p)A x?D1g@. 2008-04-24: Core responds that the advisory does not contain Proof of
#c%bVB%B1f^.?6mConcept code. Core confirms its intention of publishing the advisory,
r\})fE6z']including the technical description, but decides to postpone it to April
28th, to give the participants more time to coordinate the release of
l:i+[a0t)I3kg6[Upublic information.
bA9|:Tb[v(N. 2008-04-25: Sophos provides additional information, included in the
“vendor information” section of the advisory.★快乐天地★超门户4QZ-fzui
. 2008-04-28: CORE-2008-0320 advisory is published.

pr@$Ce&Pw*References*

uND?peB!gm[1] http://www.bitdefender.com
[2] http://www.comodo.com
JR*mh-ZcK[3] http://www.sophos.com
"K3k![P/@VF$[J[4] http://www.rising-global.com
_tB/k3B%Xb[5] http://www.matousec.com/downloads
:m\Ig"ZgFM[6]★快乐天地★超门户6iBu|f
http://www.matousec.com/info/articles/plague-in-security-software-driver
7bs%aP2d6_s.php

+MKP+K"Y+b0vf*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
;o'Hw}f:G&[.ewith anticipating the future needs and requirements for information
security technologies. We conduct our research in several important★快乐天地★超门户I5ypF9mt
areas of computer security including system vulnerabilities, cyber★快乐天地★超门户!LPt,Xx-e
attack planning and simulation, source code auditing, and cryptography.
g6I'm0i aOur results include problem formalization, identification of
'w C;AImT4q&evulnerabilities, novel solutions and prototypes for new technologies.
%~)PiB9FxoCoreLabs regularly publishes security advisories, technical papers,
#l8Ue$N;sRBN2\0|0Mrsproject information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

lzVdbN!aA_Core Security Technologies develops strategic solutions that help★快乐天地★超门户ux+u y9NA
security-conscious organizations worldwide develop and maintain a
F1P b7\J!z8Mproactive process for securing their networks. The company’s flagship
product, CORE IMPACT, is the most comprehensive product for performing
i@h:n&hB*]enterprise security assurance testing. CORE IMPACT evaluates network,
@:k9l+cO!B p-bendpoint and end-user vulnerabilities and identifies what resources are★快乐天地★超门户1Q7i&| wC
exposed. It enables organizations to determine if current security
v)r5|\L'x6C.[investments are detecting and preventing attacks. Core Security
`5IdK"x9sNTechnologies augments its leading technology solution with world-class
CvD-cqdisecurity consulting services, including penetration testing and software
,n ]qE9|Z1t2Eisecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
X%~*ebbM9JSecurity Technologies can be reached at 617-399-6980 or on the Web at★快乐天地★超门户a4X~'m@/^
http://www.coresecurity.com.

X5ad%gh4H*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
%Z~#?%AYJ0tdprovided that no fee is charged for this distribution and proper credit★快乐天地★超门户/Zi cPP$g
is given.

TAG: 黑客杀毒软件漏洞代码

字号: 小中大 | 推荐给好友

-5 -3 -1 - +1 +3 +5

评分：0

多款杀毒软件存在严重漏洞可让黑客执行任意代码

我来说两句

相关阅读

最新更新