RE: Bug report -- Incident number 240649

From: Technical Support (supportat_private)
Date: Tue Aug 21 2001 - 09:58:10 PDT


    Dear Vladimir,
    
    With the latest Platinum version (6.23.00) the problem is solved. This
    version has been available since February 2001; if you are a registered customer
    of Panda Software you can upgrade to this version.
    
    If you are testing the product you can download the shareware version from
    our web site (6.23.00).
    
    Best regards,
    
    Luis Corrons
    Technical Support
    PANDA SOFTWARE
    Buenos Aires, 12
    48001 BILBAO - SPAIN
    Phone: +34 94 425 11 00     Fax: +34 94 424 46 97
    
    MailTo:techsupportat_private     WEB: http://www.pandasoftware.com
    Rid the Planet of Viruses with Panda Platinum!! Try it at
    http://www.pandasoftware.com/form.htm
    "The only antivirus company in the world that provides you with technical
    support personnel 24 hours a day, 365 days a year and daily updates."
    
    
    -----Original Message-----
    From: Vladimir Kraljevic [mailto:vladimir_kraljevicat_private]
    Sent: Tuesday, August 21, 2001 12:37 PM
    To: Technical Support
    Subject: Re: Bug report -- Incident number 240649
    
    
    Bug report, applies to PAV 6.19 perhaps other versions as well
    --------------------------------------------------------------
    
    Description: PAV handles UPX exe-packer information in an insecure way. This
    behavior occurs when PAV scans a malformed UPX-packed exe file (in my case
    "loader.exe", part of the sglue teflon-like packaging program). I have included
    sglue with this letter; please find it attached, the password is "panda".
    
    PAV recognizes such an executable properly, but when the user tries to perform an
    action, here is the table of behaviors:
    
    On rename - PAV crashes, but renames
    On move - PAV crashes, but moves the file
    On ignore - PAV crashes, but ignores :)
    On delete - PAV never crashes (not affected)
    
    It is very likely that an attacker can tamper with an executable in such a way that
    he/she can execute arbitrary code exactly where he/she needs it. UPX shows a
    similar message when it tries to process "loader.exe", as well.
    
    My suggestion for PAV in the future is to include a
    "SetUnhandledExceptionFilter(...)" API call in each instance initialization
    and exit; thus even when such an error occurs, you'll be able to preserve
    EIP exclusively to yourself (this usually means a few lines of code, including
    the exception handler, but it will improve overall security, especially because
    you are running PAV in the LocalSystem account on Windows 2000 by default).
    
    A disassembly of PAVDLL follows; you will be able to find the line in the
    source code by following the reference bytes in this listing (the crash point is
    traced back to pavdll.dll at address 0x0005EA51 in the binary image). The crash
    point is marked with ">>>>>>>>>>>>>" in the listing file.
    
    I hope that this helps more than just a report on my hardware configuration.
    Since this is your product and I was only testing/evaluating it, please
    notify the SecurityFocus list yourself (mailto:vuln-devat_private);
    I am signing off because I'm pretty sure that you will handle it.
    
    I'm still confident that PAV is much better than anything else I have been able to
    see these days; please keep it that way.
    
    Best wishes,
    Vladimir Kraljevic
    Technical Consultant
    
    P.S. For more information, please feel free to contact me, but I think that
    this will be enough.
    
    
    0174F421 55                   push        ebp
    0174F422 8B EC                mov         ebp,esp
    0174F424 53                   push        ebx
    0174F425 56                   push        esi
    0174F426 57                   push        edi
    0174F427 33 F6                xor         esi,esi
    0174F429 8B 45 0C             mov         eax,dword ptr [ebp+0Ch]
    0174F42C 8B 18                mov         ebx,dword ptr [eax]
    0174F42E EB 21                jmp         0174F451
    0174F430 80 3B F0             cmp         byte ptr [ebx],0F0h
    0174F433 72 1A                jb          0174F44F
    0174F435 80 3B F0             cmp         byte ptr [ebx],0F0h
    0174F438 75 12                jne         0174F44C
    0174F43A 8D 43 01             lea         eax,[ebx+1]
    0174F43D 50                   push        eax
    0174F43E E8 69 EA FF FF       call        0174DEAC
    0174F443 59                   pop         ecx
    0174F444 66 85 C0             test        ax,ax
    0174F447 75 03                jne         0174F44C
    0174F449 83 C3 04             add         ebx,4
    0174F44C 83 C3 02             add         ebx,2
    0174F44F 43                   inc         ebx
    0174F450 46                   inc         esi
    
    PAVDLL>>>>>>>>>> 0174F451 80 3B 00             cmp         byte ptr [ebx],0
    (EBX here is an invalid address [0x5259A8D8] that caused unhandled access
    violation exception; for information about other registers, please take a
    look at the bottom of the page)
    
    0174F454 75 DA                jne         0174F430
    0174F456 6A 00                push        0
    0174F458 C1 E6 02             shl         esi,2
    0174F45B 83 C6 04             add         esi,4
    0174F45E 56                   push        esi
    0174F45F E8 BC 39 FA FF       call        016F2E20
    0174F464 83 C4 08             add         esp,8
    0174F467 8B 55 08             mov         edx,dword ptr [ebp+8]
    0174F46A 89 02                mov         dword ptr [edx],eax
    0174F46C 8B 4D 08             mov         ecx,dword ptr [ebp+8]
    0174F46F 83 39 00             cmp         dword ptr [ecx],0
    0174F472 75 07                jne         0174F47B
    0174F474 33 C0                xor         eax,eax
    0174F476 E9 96 00 00 00       jmp         0174F511
    0174F47B 8B 55 08             mov         edx,dword ptr [ebp+8]
    0174F47E 8B 3A                mov         edi,dword ptr [edx]
    0174F480 BE FC FF FF FF       mov         esi,0FFFFFFFCh
    0174F485 8B 45 0C             mov         eax,dword ptr [ebp+0Ch]
    0174F488 8B 18                mov         ebx,dword ptr [eax]
    0174F48A EB 69                jmp         0174F4F5
    0174F48C 80 3B F0             cmp         byte ptr [ebx],0F0h
    0174F48F 73 08                jae         0174F499
    0174F491 33 C0                xor         eax,eax
    0174F493 8A 03                mov         al,byte ptr [ebx]
    0174F495 03 F0                add         esi,eax
    0174F497 EB 2F                jmp         0174F4C8
    0174F499 8D 53 01             lea         edx,[ebx+1]
    0174F49C 52                   push        edx
    0174F49D E8 0A EA FF FF       call        0174DEAC
    0174F4A2 59                   pop         ecx
    0174F4A3 0F B7 C0             movzx       eax,ax
    0174F4A6 33 D2                xor         edx,edx
    0174F4A8 8A 13                mov         dl,byte ptr [ebx]
    0174F4AA 83 E2 0F             and         edx,0Fh
    0174F4AD C1 E2 10             shl         edx,10h
    0174F4B0 03 C2                add         eax,edx
    0174F4B2 83 C3 02             add         ebx,2
    0174F4B5 85 C0                test        eax,eax
    0174F4B7 75 0D                jne         0174F4C6
    0174F4B9 8D 4B 01             lea         ecx,[ebx+1]
    0174F4BC 51                   push        ecx
    0174F4BD E8 25 EA FF FF       call        0174DEE7
    0174F4C2 59                   pop         ecx
    0174F4C3 83 C3 04             add         ebx,4
    0174F4C6 03 F0                add         esi,eax
    0174F4C8 89 37                mov         dword ptr [edi],esi
    0174F4CA 83 C7 04             add         edi,4
    0174F4CD 83 7D 14 00          cmp         dword ptr [ebp+14h],0
    0174F4D1 74 21                je          0174F4F4
    0174F4D3 83 7D 10 00          cmp         dword ptr [ebp+10h],0
    0174F4D7 74 1B                je          0174F4F4
    0174F4D9 8B 45 10             mov         eax,dword ptr [ebp+10h]
    0174F4DC 03 C6                add         eax,esi
    0174F4DE 50                   push        eax
    0174F4DF E8 03 EA FF FF       call        0174DEE7
    0174F4E4 59                   pop         ecx
    0174F4E5 50                   push        eax
    0174F4E6 8B 55 10             mov         edx,dword ptr [ebp+10h]
    0174F4E9 03 D6                add         edx,esi
    0174F4EB 52                   push        edx
    0174F4EC E8 6D EA FF FF       call        0174DF5E
    0174F4F1 83 C4 08             add         esp,8
    0174F4F4 43                   inc         ebx
    0174F4F5 80 3B 00             cmp         byte ptr [ebx],0
    0174F4F8 75 92                jne         0174F48C
    0174F4FA 43                   inc         ebx
    0174F4FB 8B 45 0C             mov         eax,dword ptr [ebp+0Ch]
    0174F4FE 89 18                mov         dword ptr [eax],ebx
    0174F500 8B 55 08             mov         edx,dword ptr [ebp+8]
    0174F503 8B C7                mov         eax,edi
    0174F505 2B 02                sub         eax,dword ptr [edx]
    0174F507 85 C0                test        eax,eax
    0174F509 79 03                jns         0174F50E
    0174F50B 83 C0 03             add         eax,3
    0174F50E C1 F8 02             sar         eax,2
    0174F511 5F                   pop         edi
    0174F512 5E                   pop         esi
    0174F513 5B                   pop         ebx
    0174F514 5D                   pop         ebp
    0174F515 C3                   ret
    
    EAX = 068AB750 EBX = 5259A8D8 ECX = 01A0FB00 EDX = 068AB740 ESI = 00000000 EDI = 01A0FA89
    EIP = 0174F451 ESP = 068AB6BC EBP = 068AB6C8 EFL = 00000246
    MM0 = 00D4D0C800D4D0C8 MM1 = 0000000000000000 MM2 = 000000D300CF00C7 MM3 = 000000D300CF00C7
    MM4 = 00D4D0C800D4D0C8 MM5 = 000000D400D000C8 MM6 = 0000000000000000 MM7 = 0080008000800080
    XMM0 = 0013799000137E6000130C5877FCB1BE XMM1 = 00137D68008F2898002BDA9F00137D68
    XMM2 = 544E4E49575C3A430000000000000001 XMM3 = 001379C801005C320013017800130178
    XMM4 = 00130000000000100000000000130640 XMM5 = 00130168001384480013845000000158
    XMM6 = 00000000002DD4540000001F002DD400 XMM7 = 000000000000001E017FFC5000406218
    CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 003B GS = 0000
    OV=0 UP=0 EI=1 PL=0 ZR=1 AC=0 PE=1 CY=0
    
    5259A8D8 = ??
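
Added example (my own C reconstruction, not code from Panda, PAV, UPX or the report above). The listing is a two-pass decoder of a NUL-terminated delta stream: a byte below 0xF0 is a one-byte delta; a byte of 0xF0 or above prefixes a 16-bit field, with the low nibble of the prefix supplying bits 16..19; a zero value there means a 32-bit field follows. The deltas accumulate from an initial 0xFFFFFFFC (the value ESI is loaded with at 0174F480) into an array of offsets, and when the third and fourth arguments are non-zero each offset is used to read and write back a dword in an image. That shape matches the relocation-stream decoder in the UPX sources (unoptimizeReloc); the identification is my reading, not something the page states. Neither pass compares the stream pointer against the end of the buffer, and with ESI = 0 at the fault the very first `cmp byte ptr [ebx],0` was the bad read, so the stream pointer itself was already wrong before a byte had been consumed. The block shows pass 1 in the unbounded shape of the listing next to a bounded decoder that takes an explicit end pointer, an output capacity and an image length. Little-endian reads, the byte-swap modelling of the fixup helpers, the sample bytes and every function name are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed encoding of the stream (my reading of the listing above):
 *   c < 0xF0  : delta = c                                         (1 byte)
 *   c >= 0xF0 : delta = ((c & 0x0F) << 16) + le16 following c     (3 bytes)
 *               and if that delta is 0, delta = le32 that follows  (7 bytes)
 *   c == 0    : end of stream
 * Deltas accumulate into a running offset that starts at 0xFFFFFFFC,
 * the value ESI is loaded with at 0174F480. */

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pass 1 in the shape the listing shows: walk until a NUL byte with no idea
 * where the buffer ends.  On a mis-pointed or unterminated stream the first
 * dereference is the read that faulted at 0174F451. */
size_t count_relocs_unbounded(const uint8_t *p)
{
    size_t n = 0;
    while (*p != 0) {
        if (*p >= 0xF0) {
            if (*p == 0xF0 && get_le16(p + 1) == 0)
                p += 4;
            p += 2;
        }
        p++;
        n++;
    }
    return n;
}

/* Hardened decoder: every read is checked against `end` first, the output
 * array has a capacity, and each decoded offset is checked against the image
 * it indexes.  Returns the entry count, or -1 for any malformed input. */
long decode_relocs_bounded(const uint8_t *p, const uint8_t *end, uint32_t *out,
                           size_t cap, uint8_t *image, size_t image_len)
{
    uint32_t jc = 0xFFFFFFFCu;
    size_t n = 0;
    for (;;) {
        if (p >= end) return -1;                 /* no terminator in the buffer */
        uint8_t c = *p++;
        if (c == 0) break;
        uint32_t delta = c;
        if (c >= 0xF0) {
            if (end - p < 2) return -1;          /* truncated 16-bit field */
            delta = ((uint32_t)(c & 0x0F) << 16) + get_le16(p);
            p += 2;
            if (delta == 0) {
                if (end - p < 4) return -1;      /* truncated 32-bit field */
                delta = get_le32(p);
                p += 4;
            }
        }
        jc += delta;                             /* wraps mod 2^32, as the add at 0174F4C6 does */
        if (n >= cap) return -1;
        out[n++] = jc;
        if (image != NULL) {
            /* The listing reads a dword at image+offset and passes it to a
             * helper (0174DEE7 / 0174DF5E).  The offset is attacker-chosen, so
             * it must lie wholly inside the image.  The fixup is modelled as a
             * byte swap; what the real helper does is not known from the page. */
            if (jc > image_len || image_len - jc < 4) return -1;
            uint32_t v = get_le32(image + jc);
            image[jc] = (uint8_t)(v >> 24); image[jc + 1] = (uint8_t)(v >> 16);
            image[jc + 2] = (uint8_t)(v >> 8); image[jc + 3] = (uint8_t)v;
        }
    }
    return (long)n;
}

/* Constructed sample (not bytes from loader.exe): one entry of each form. */
const uint8_t sample_stream[] = {
    0x10,                                       /* delta 0x10 */
    0xF1, 0x34, 0x12,                           /* delta (1 << 16) + 0x1234 */
    0xF0, 0x00, 0x00, 0x78, 0x56, 0x34, 0x12,   /* zero short form, then le32 delta */
    0x05,                                       /* delta 5 */
    0x00                                        /* terminator */
};
const size_t sample_stream_len = sizeof sample_stream;
uint32_t sample_out[8];
static uint8_t sample_image[64];

/* Decode the sample with the buffer claimed to end after `len` bytes. */
long decode_sample(size_t len)
{
    return decode_relocs_bounded(sample_stream, sample_stream + len, sample_out, 8, NULL, 0);
}

/* Same, but with a 64-byte image: the second offset (0x11240) is out of range. */
long decode_sample_with_image(void)
{
    return decode_relocs_bounded(sample_stream, sample_stream + sample_stream_len,
                                 sample_out, 8, sample_image, sizeof sample_image);
}

int main(void)
{
    long n = decode_sample(sample_stream_len);
    printf("bounded: %ld entries\n", n);
    for (long i = 0; i < n; i++)
        printf("  offset %08X\n", (unsigned)sample_out[i]);
    printf("unbounded count: %zu\n", count_relocs_unbounded(sample_stream));
    printf("cut inside the le32 field: %ld\n", decode_sample(7));
    printf("terminator missing: %ld\n", decode_sample(sample_stream_len - 1));
    printf("offset outside a 64-byte image: %ld\n", decode_sample_with_image());
    return 0;
}
```

Built and run, it prints the four decoded offsets (0000000C, 00011240, 123568B8, 123568BD) and then -1 for the stream cut inside its 32-bit field, for the stream with its terminator missing, and for an offset that lands outside a 64-byte image. A top-level exception filter of the kind the report suggests only decides what happens after a bad read; the end-pointer checks are what keep the read from happening, and the caller still has to derive `end` from a header length it has validated against the real file size rather than from a field in the file.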
    



    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 10:44:15 PDT