Lzx_Decoder::init() Initialization Vulnerability

vendor:

COMODO Internet Security

by:

Project Zero

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: COMODO Internet Security

Affected Version From: 6.2.15068.1057

Affected Version To: 6.2.15068.1057

Patch Exists: YES

Related CWE: N/A

CPE: a:comodo:comodo_internet_security:6.2.15068.1057

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2014

Lzx_Decoder::init() Initialization Vulnerability

It is possible for LZX compressed streams to exceed the size of the vector Lzx_Decoder->window which is initialized to a fixed size of 2^method bytes. Writes to the window buffer are bounds checked, but only after the write is completed. This means the overflow still occurs, resulting in memory corruption, and can be corrupted multiple times per stream as a single scan can contain multiple LZX compressed blobs.

Mitigation:

Ensure that the size of the vector Lzx_Decoder->window is large enough to accommodate the LZX compressed streams.

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=737

Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It's possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.

The code is probably something like:

window[++window_pos] = foo;
if (window_pos > window.size())
 return false;

This means the overflow still occurs, resulting in memory corruption, and can be corrupted multiple times per stream as a single scan can contain multiple LZX compressed blobs. Scanning the attached testcase with page heap enabled results in the following error:

(918.644): Unknown exception - code 000006ba (first chance)
===========================================================
VERIFIER STOP 000000000000000F: pid 0x918: corrupted suffix pattern 

	0000000040C71000 : Heap handle
	0000000040F76FE0 : Heap block
	0000000000010018 : Block size
	0000000040F86FF8 : corruption address
===========================================================
> lmv munarch
start             end                 module name
000007fe`f44c0000 000007fe`f4562000   unarch     (export symbols)       C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
    Loaded symbol image file: C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
    Image path: C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
    Image name: unarch.cav
    Timestamp:        Mon Dec 29 04:52:14 2014 (54A14E7E)
    CheckSum:         000AC529
    ImageSize:        000A2000
    File version:     6.2.15068.1057
    Product version:  6.2.15068.1057
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      COMODO
    ProductName:      COMODO Antivirus Scan Engine
    ProductVersion:   6, 2, 342748, 1057
    FileVersion:      6, 2, 342748, 1057
    FileDescription:  COMODO Antivirus Scan Engine
    LegalCopyright:   2005-2014 COMODO. All rights reserved.


Please note that many of the CAV modules used by Comodo do not use dynamic base, so ASLR does not work. Naturally, all files are scanned with NT AUTHORITY\SYSTEM and with no sandboxing.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39606.zip