COMMAND
PAV

SYSTEMS AFFECTED
PAV prior to 6.23.00

PROBLEM
Vladimir Kraljevic found the following. PAV handles UPX exe-packer information in an insecure way; the behavior occurs when PAV scans a malformed UPX-packed exe file (in our case "loader.exe", part of the sglue Teflon-like packaging program). sglue is included with this letter; please find it attached, the password is "panda". PAV recognizes such an executable properly, but when the user tries to perform an action on it, the behavior is as follows:
- On rename: PAV crashes, but renames the file
- On move: PAV crashes, but moves the file
- On ignore: PAV crashes, but ignores it :)
- On delete: PAV never crashes (not affected)

It is very likely that an attacker can tamper with an executable in such a way that he/she can execute arbitrary code exactly where he/she needs it. UPX shows a similar message when it tries to process "loader.exe", as well. A disassembly of PAVDLL follows; you will be able to find the line in the source code by following the reference bytes in this listing (the crash point is traced back to pavdll.dll at address 0x0005EA51 in the binary image). The crash point is marked with ">>>>>>>>>>>>>" in the listing.
0174F421  55              push ebp
0174F422  8B EC           mov ebp,esp
0174F424  53              push ebx
0174F425  56              push esi
0174F426  57              push edi
0174F427  33 F6           xor esi,esi
0174F429  8B 45 0C        mov eax,dword ptr [ebp+0Ch]
0174F42C  8B 18           mov ebx,dword ptr [eax]
0174F42E  EB 21           jmp 0174F451
0174F430  80 3B F0        cmp byte ptr [ebx],0F0h
0174F433  72 1A           jb 0174F44F
0174F435  80 3B F0        cmp byte ptr [ebx],0F0h
0174F438  75 12           jne 0174F44C
0174F43A  8D 43 01        lea eax,[ebx+1]
0174F43D  50              push eax
0174F43E  E8 69 EA FF FF  call 0174DEAC
0174F443  59              pop ecx
0174F444  66 85 C0        test ax,ax
0174F447  75 03           jne 0174F44C
0174F449  83 C3 04        add ebx,4
0174F44C  83 C3 02        add ebx,2
0174F44F  43              inc ebx
0174F450  46              inc esi
PAVDLL>>>>>>>>>>
0174F451  80 3B 00        cmp byte ptr [ebx],0
          (EBX here is an invalid address [0x5259A8D8] that caused an unhandled access violation exception; for the other registers, see the register dump at the bottom of the page)
0174F454  75 DA           jne 0174F430
0174F456  6A 00           push 0
0174F458  C1 E6 02        shl esi,2
0174F45B  83 C6 04        add esi,4
0174F45E  56              push esi
0174F45F  E8 BC 39 FA FF  call 016F2E20
0174F464  83 C4 08        add esp,8
0174F467  8B 55 08        mov edx,dword ptr [ebp+8]
0174F46A  89 02           mov dword ptr [edx],eax
0174F46C  8B 4D 08        mov ecx,dword ptr [ebp+8]
0174F46F  83 39 00        cmp dword ptr [ecx],0
0174F472  75 07           jne 0174F47B
0174F474  33 C0           xor eax,eax
0174F476  E9 96 00 00 00  jmp 0174F511
0174F47B  8B 55 08        mov edx,dword ptr [ebp+8]
0174F47E  8B 3A           mov edi,dword ptr [edx]
0174F480  BE FC FF FF FF  mov esi,0FFFFFFFCh
0174F485  8B 45 0C        mov eax,dword ptr [ebp+0Ch]
0174F488  8B 18           mov ebx,dword ptr [eax]
0174F48A  EB 69           jmp 0174F4F5
0174F48C  80 3B F0        cmp byte ptr [ebx],0F0h
0174F48F  73 08           jae 0174F499
0174F491  33 C0           xor eax,eax
0174F493  8A 03           mov al,byte ptr [ebx]
0174F495  03 F0           add esi,eax
0174F497  EB 2F           jmp 0174F4C8
0174F499  8D 53 01        lea edx,[ebx+1]
0174F49C  52              push edx
0174F49D  E8 0A EA FF FF  call 0174DEAC
0174F4A2  59              pop ecx
0174F4A3  0F B7 C0        movzx eax,ax
0174F4A6  33 D2           xor edx,edx
0174F4A8  8A 13           mov dl,byte ptr [ebx]
0174F4AA  83 E2 0F        and edx,0Fh
0174F4AD  C1 E2 10        shl edx,10h
0174F4B0  03 C2           add eax,edx
0174F4B2  83 C3 02        add ebx,2
0174F4B5  85 C0           test eax,eax
0174F4B7  75 0D           jne 0174F4C6
0174F4B9  8D 4B 01        lea ecx,[ebx+1]
0174F4BC  51              push ecx
0174F4BD  E8 25 EA FF FF  call 0174DEE7
0174F4C2  59              pop ecx
0174F4C3  83 C3 04        add ebx,4
0174F4C6  03 F0           add esi,eax
0174F4C8  89 37           mov dword ptr [edi],esi
0174F4CA  83 C7 04        add edi,4
0174F4CD  83 7D 14 00     cmp dword ptr [ebp+14h],0
0174F4D1  74 21           je 0174F4F4
0174F4D3  83 7D 10 00     cmp dword ptr [ebp+10h],0
0174F4D7  74 1B           je 0174F4F4
0174F4D9  8B 45 10        mov eax,dword ptr [ebp+10h]
0174F4DC  03 C6           add eax,esi
0174F4DE  50              push eax
0174F4DF  E8 03 EA FF FF  call 0174DEE7
0174F4E4  59              pop ecx
0174F4E5  50              push eax
0174F4E6  8B 55 10        mov edx,dword ptr [ebp+10h]
0174F4E9  03 D6           add edx,esi
0174F4EB  52              push edx
0174F4EC  E8 6D EA FF FF  call 0174DF5E
0174F4F1  83 C4 08        add esp,8
0174F4F4  43              inc ebx
0174F4F5  80 3B 00        cmp byte ptr [ebx],0
0174F4F8  75 92           jne 0174F48C
0174F4FA  43              inc ebx
0174F4FB  8B 45 0C        mov eax,dword ptr [ebp+0Ch]
0174F4FE  89 18           mov dword ptr [eax],ebx
0174F500  8B 55 08        mov edx,dword ptr [ebp+8]
0174F503  8B C7           mov eax,edi
0174F505  2B 02           sub eax,dword ptr [edx]
0174F507  85 C0           test eax,eax
0174F509  79 03           jns 0174F50E
0174F50B  83 C0 03        add eax,3
0174F50E  C1 F8 02        sar eax,2
0174F511  5F              pop edi
0174F512  5E              pop esi
0174F513  5B              pop ebx
0174F514  5D              pop ebp
0174F515  C3              ret

Registers at the crash point:
EAX = 068AB750  EBX = 5259A8D8  ECX = 01A0FB00  EDX = 068AB740
ESI = 00000000  EDI = 01A0FA89  EIP = 0174F451  ESP = 068AB6BC
EBP = 068AB6C8  EFL = 00000246
MM0 = 00D4D0C800D4D0C8  MM1 = 0000000000000000
MM2 = 000000D300CF00C7  MM3 = 000000D300CF00C7
MM4 = 00D4D0C800D4D0C8  MM5 = 000000D400D000C8
MM6 = 0000000000000000  MM7 = 0080008000800080
XMM0 = 0013799000137E6000130C5877FCB1BE
XMM1 = 00137D68008F2898002BDA9F00137D68
XMM2 = 544E4E49575C3A430000000000000001
XMM3 = 001379C801005C320013017800130178
XMM4 = 00130000000000100000000000130640
XMM5 = 00130168001384480013845000000158
XMM6 = 00000000002DD4540000001F002DD400
XMM7 = 000000000000001E017FFC5000406218
CS = 001B  DS = 0023  ES = 0023  SS = 0023  FS = 003B  GS = 0000
OV=0 UP=0 EI=1 PL=0 ZR=1 AC=0 PE=1 CY=0
5259A8D8 = ??

SOLUTION
The problem is solved in the latest Platinum version (6.23.00). This version has been available since February 2001; registered customers of Panda Software can upgrade to it.
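The listing above walks a 0-terminated byte stream (a byte below 0F0h is one entry; otherwise the low nibble and the following 16-bit word form a 20-bit delta, with zero escaping to a following 32-bit delta) with no check that the cursor stays inside the mapped file, and since ESI is still 0 at EIP 0174F451 in the register dump, the cursor loaded from [ebp+0Ch] appears to have been invalid before the scan even advanced. The following is an added example, not Panda's or UPX's code, that performs the same two-pass decoding with the bound the listing lacks; the reading of the byte encoding is my interpretation of the disassembly, and the sample streams are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
static uint32_t le16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* Constructed samples: a well-formed stream (deltas 8, 0x11234, 0x12345678)
 * and the same bytes cut off before the 0 terminator. */
static const uint8_t good_stream[] = { 0x08, 0xF1, 0x34, 0x12, 0xF0, 0x00, 0x00, 0x78, 0x56, 0x34, 0x12, 0x00 };
static const uint8_t cut_stream[]  = { 0x08, 0xF1, 0x34, 0x12, 0xF0, 0x00, 0x00, 0x78 };
/* One pass over the 0-terminated delta stream as read from the listing: a byte
 * below 0xF0 is a delta; otherwise its low nibble and the next 16-bit word form
 * a 20-bit delta, with 0 escaping to a following 32-bit delta. Returns the entry
 * count, or -1 as soon as the walk would touch a byte outside the 'len' mapped
 * bytes. 'offs', if non-NULL, receives the cumulative offsets (ESI in the
 * listing, which starts at 0FFFFFFFCh). */
static long walk_stream(const uint8_t *buf, size_t len, size_t start, uint32_t *offs)
{
    size_t pos = start, n = 0;
    uint32_t cur = (uint32_t)-4;
    if (start >= len) return -1;              /* cursor already outside the image */
    while (buf[pos] != 0) {
        uint32_t delta;
        if (buf[pos] < 0xF0) {
            delta = buf[pos++];
        } else {
            if (len - pos < 3) return -1;     /* 0xFx plus 16-bit word must fit */
            delta = ((uint32_t)(buf[pos] & 0x0F) << 16) | le16(buf + pos + 1);
            pos += 3;
            if (delta == 0) {
                if (len - pos < 4) return -1; /* escape: 32-bit delta follows */
                delta = le32(buf + pos);
                pos += 4;
            }
        }
        cur += delta;
        if (offs) offs[n] = cur;
        n++;
        if (pos >= len) return -1;            /* ran off the end before the 0 */
    }
    return (long)n;
}

/* Count, allocate, fill: the original's two-pass shape, but a malformed stream yields NULL. */
static uint32_t *decode_relocs(const uint8_t *buf, size_t len, size_t start, size_t *count)
{
    long n = walk_stream(buf, len, start, NULL);
    uint32_t *offs = n < 0 ? NULL : malloc(((size_t)n + 1) * sizeof *offs);
    if (!offs) return NULL;
    *count = (size_t)walk_stream(buf, len, start, offs);
    return offs;
}
```

A start offset such as the 0x5259A8D8 seen in EBX is rejected by the first check instead of being dereferenced, and a stream that the file ends before its terminator is rejected by the last one.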