This post breaks the 2-year silence of this blog, showcasing a selection of memory corruption vulnerabilities in Bitdefender's anti-virus engine.

The purpose of binary packing is to compress or obfuscate a binary, usually to save space/bandwidth or to evade malware analysis. A packed binary usually contains a compressed/obfuscated data payload. When the binary is executed, a loader decompresses this payload and then jumps to the actual entry point of the (inner) binary. Most anti-virus engines support binary unpacking at least for packers (such as UPX) that are very popular and that are also used by non-malware software.

This blog post is about UPX unpacking of PE binaries in the Bitdefender core engine. The following vulnerabilities are presented in the control-flow order of the UPX unpacker.

Disclaimer: In the following, decompiled code from Bitdefender's core engine is presented. The naming of variables, fields, and macros is heavily inspired by the original UPX. For some snippets, a reference to the original function is added for comparison.
It is likely that some types are incorrect.

After the UPX loader has been detected, the Bitdefender engine tries to detect whether the loader applies a specific kind of deobfuscation to the compressed data payload before extracting it. If this deobfuscation is detected, the engine iterates through the corresponding instructions of the loader and parses them together with their operands, so that it can deobfuscate the data as well. Observe how the bound check on the index variable i against the limit 16 is performed. In particular, we can increase i from 15 to 17, after which we can overwrite the stack with completely arbitrary data. The debug break is due to the stack canary, which we have overwritten. If we continue, we see that the return fails because the stack is corrupted. Obviously, this offset must be checked before writing to it.

Both checks test against the field dword10.
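The post does not reproduce the check itself, so the following C program is an added example (not Bitdefender's code, and not the real UPX loader format) of the failure mode just described. It assumes a termination test for equality with 16 that is made once per instruction, plus a toy instruction form that consumes two table slots; that is enough to reproduce the jump of i from 15 to 17, after which the test never fires again. The frame is modelled as a flat array so the out-of-bounds slots can be inspected instead of corrupting the real stack, and the sample instruction bytes are constructed. parse_fixed shows the check that belongs before every write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 16                  /* operand table in the parser's stack frame */
#define FRAME_SLOTS (NSLOTS + 8)   /* slots kept after the table so the model stays in bounds */
#define CANARY 0xDEADBEEFu

/* Flat model of the stack frame: mem[0..15] is the operand table, mem[16] stands in
 * for the stack canary, mem[17..] for saved registers and the return address. */
typedef struct { uint32_t mem[FRAME_SLOTS]; } frame_t;

void frame_init(frame_t *f) { memset(f, 0, sizeof *f); f->mem[NSLOTS] = CANARY; }
int canary_intact(const frame_t *f) { return f->mem[NSLOTS] == CANARY; }

/* Toy loader encoding, assumed for this example only (not the real UPX loader):
 *   0x01 b      one operand, occupies one table slot
 *   0x02 b b    two operands, occupies two table slots
 * Returns the number of operands, 0 at end of input, -1 on a malformed byte. */
static int decode(const uint8_t *code, size_t len, size_t pc, uint32_t ops[2]) {
    if (pc >= len) return 0;
    if (code[pc] == 0x01 && pc + 2 <= len) { ops[0] = code[pc + 1]; return 1; }
    if (code[pc] == 0x02 && pc + 3 <= len) { ops[0] = code[pc + 1]; ops[1] = code[pc + 2]; return 2; }
    return -1;
}

/* Vulnerable variant (assumed shape): the only bound test is for equality with NSLOTS,
 * made once per instruction instead of once per slot. At i == 15 a two-operand
 * instruction passes the test, writes slots 15 and 16, and leaves i == 17; from then
 * on the test never fires again. Returns the number of slots written. */
int parse_vulnerable(frame_t *f, const uint8_t *code, size_t len) {
    size_t i = 0, pc = 0;
    int written = 0, n;
    uint32_t ops[2];
    while ((n = decode(code, len, pc, ops)) > 0) {
        if (i == NSLOTS) break;                      /* equality test only */
        for (int k = 0; k < n; k++, i++)
            if (i < FRAME_SLOTS) { f->mem[i] = ops[k]; written++; }   /* guard exists only in the model */
        pc += 1 + (size_t)n;
    }
    return written;
}

/* Fixed variant: refuse the instruction before any of its slots is written. */
int parse_fixed(frame_t *f, const uint8_t *code, size_t len) {
    size_t i = 0, pc = 0;
    int written = 0, n;
    uint32_t ops[2];
    while ((n = decode(code, len, pc, ops)) > 0) {
        if (i + (size_t)n > NSLOTS) return -1;       /* would not fit: stop before writing */
        for (int k = 0; k < n; k++, i++) { f->mem[i] = ops[k]; written++; }
        pc += 1 + (size_t)n;
    }
    return written;
}

/* Constructed sample: fifteen one-operand instructions bring i to 15, then a
 * two-operand instruction, then two more one-operand instructions. */
static const uint8_t SAMPLE_CODE[] = {
    0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA,
    0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA,
    0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA, 0x01, 0xAA,
    0x02, 0x41, 0x42,
    0x01, 0x43,
    0x01, 0x44,
};

int main(void) {
    frame_t f;
    frame_init(&f);
    int w = parse_vulnerable(&f, SAMPLE_CODE, sizeof SAMPLE_CODE);
    printf("vulnerable: %d slots written, canary %s (mem[16] = 0x%02x)\n",
           w, canary_intact(&f) ? "intact" : "clobbered", (unsigned)f.mem[NSLOTS]);
    frame_init(&f);
    w = parse_fixed(&f, SAMPLE_CODE, sizeof SAMPLE_CODE);
    printf("fixed: result %d, canary %s\n", w, canary_intact(&f) ? "intact" : "clobbered");
    return 0;
}
```

With the sample input the vulnerable parser writes 19 slots and leaves 0x42 where the canary was; the fixed parser rejects the two-operand instruction at i == 15 and the canary survives.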
The field dword10, sitting on the calling function's stack frame, is never initialized. This makes the bound check useless and introduces a fully attacker-controlled heap buffer overflow.

After the extraction, the engine attempts to deobfuscate the extracted data with a static XOR key. The bound check is completely wrong. It should check against the size of the extracted data buffer. Instead, it checks against a value that was previously set to the raw data size of the section we extracted the data from. Those two sizes have nothing to do with each other; in particular, either one can be much smaller than the other. Since the function does not return after the first deobfuscation run, the memory corruption can be triggered up to 0x300 times in a row. This allows us to bypass the limitation that in a single deobfuscation run we always XOR with the same byte. Overall, we then have XORed with C0 C0 C1 C1 C1 C2 C2 for completely arbitrary C0, C1, and C2.
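To make the composition of runs concrete, here is an added C example (mine, not code from the post or from Bitdefender's engine). It assumes that every run XORs a prefix of the buffer with one key byte and that the attacker can choose the length of each run; under that assumption the net effect on a byte is the XOR of the keys of all runs that reach it, which is how a pattern such as C0 C0 C1 C1 C1 C2 C2 arises from single-byte runs. xor_deobfuscate_checked carries the size comparison the engine is missing, and plan_runs solves the inverse problem of picking run lengths and keys for a wanted per-byte pattern. The wanted pattern in main is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_RUNS 0x300    /* upper bound on deobfuscation runs per call, as given in the post */

typedef struct { size_t len; uint8_t key; } xor_run_t;   /* one run: XOR buf[0..len) with key */

/* One deobfuscation run with the check the engine lacks. The buggy code takes `bound`
 * from the section's raw size and never compares it with the extracted buffer's size;
 * the comparison has to happen before the loop touches memory. Returns -1 if the run
 * would write past the buffer. */
int xor_deobfuscate_checked(uint8_t *buf, size_t buf_len, size_t bound, uint8_t key) {
    if (bound > buf_len) return -1;
    for (size_t i = 0; i < bound; i++) buf[i] ^= key;
    return 0;
}

/* Net effect of a sequence of runs on each byte, computed without touching any buffer:
 * byte p is XORed with the key of every run whose length exceeds p, so runs of
 * different lengths overlap into a per-byte pattern. */
void compose_mask(const xor_run_t *runs, size_t nruns, uint8_t *mask, size_t mask_len) {
    memset(mask, 0, mask_len);
    for (size_t r = 0; r < nruns; r++)
        for (size_t p = 0; p < runs[r].len && p < mask_len; p++)
            mask[p] ^= runs[r].key;
}

/* Inverse problem: which runs produce a wanted per-byte mask? Walk from the end; at each
 * position where the wanted byte differs from its right neighbour (0 past the end) one
 * run must end, with key equal to the XOR of the two neighbouring bytes. Returns the
 * number of runs, or -1 if more than max_runs (or MAX_RUNS) would be needed. */
int plan_runs(const uint8_t *want, size_t n, xor_run_t *runs, size_t max_runs) {
    size_t count = 0;
    for (size_t p = n; p-- > 0; ) {
        uint8_t right = (p + 1 < n) ? want[p + 1] : 0;
        if (want[p] != right) {
            if (count >= max_runs || count >= MAX_RUNS) return -1;
            runs[count].len = p + 1;
            runs[count].key = (uint8_t)(want[p] ^ right);
            count++;
        }
    }
    return (int)count;
}

/* Apply planned runs to a real buffer through the checked primitive. */
int apply_runs(uint8_t *buf, size_t buf_len, const xor_run_t *runs, size_t nruns) {
    for (size_t r = 0; r < nruns; r++)
        if (xor_deobfuscate_checked(buf, buf_len, runs[r].len, runs[r].key) < 0) return -1;
    return 0;
}

int main(void) {
    /* Constructed target: the C0 C0 C1 C1 C1 C2 C2 shape with C0=0x11, C1=0x22, C2=0x33 */
    const uint8_t want[7] = { 0x11, 0x11, 0x22, 0x22, 0x22, 0x33, 0x33 };
    xor_run_t runs[8];
    int n = plan_runs(want, sizeof want, runs, 8);
    for (int r = 0; r < n; r++)
        printf("run %d: len=%zu key=0x%02x\n", r, runs[r].len, runs[r].key);
    uint8_t buf[7] = { 0 };
    apply_runs(buf, sizeof buf, runs, (size_t)n);
    printf("resulting XOR pattern matches: %s\n", memcmp(buf, want, sizeof want) == 0 ? "yes" : "no");
    printf("run bounded by a larger section size is rejected: %d\n",
           xor_deobfuscate_checked(buf, sizeof buf, 9, 0x41));
    return 0;
}
```

Three runs (lengths 7, 5 and 2 with keys 0x33, 0x11 and 0x33) reproduce the seven-byte pattern; in general a pattern needs one run per change of value, which is where the 0x300 cap bites.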
We can essentially XOR with such a pattern of almost arbitrary length, switching the byte value at most 0x300 times. Needless to say, this vulnerability is a useful exploitation primitive because it allows very powerful memory corruptions: XORing lets us selectively modify only certain parts of the data, leaving other parts (for example heap metadata or important objects) untouched.

A filter is a simple transformation on binary code (say, x86-64 code) that is applied before compression, with the goal of making the code more compressible. After we have decompressed the data, we need to revert this filtering. Bitdefender supports about 15 different filters. Of these 15 filters, about eight seem to be affected by such a heap buffer overflow. I treated them all together as one bug (after all, it is not unlikely that they share code).

The next memory corruption occurs in a loop of the function PeFile::rebuildImports (cf.
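As an added example of what a filter and its inverse look like, and of where an unfilter can run past the decompressed buffer, here is a small call-trick filter in C. It is loosely modelled on the idea behind UPX's E8 filters but uses its own simplified encoding (a marker byte followed by a 24-bit big-endian target), and it is neither UPX's nor Bitdefender's code. The sample code bytes are constructed. The `i + 5 > len` test in ct_e8_unfilter is the check that a call opcode sitting within the last four bytes of the buffer would otherwise defeat.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_be24(const uint8_t *p) {
    return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | (uint32_t)p[2];
}
static void put_be24(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/* Filter: rewrite every CALL rel32 (opcode E8) whose target lies inside the buffer as
 * E8 <cto> <target as 24-bit big-endian>, so calls to the same function become
 * byte-identical and compress better. cto is a marker byte chosen so that no E8 in the
 * input is followed by it; that is what lets the unfilter tell converted calls from
 * untouched ones. Returns cto, or -1 if the buffer is too large or no marker is free. */
int ct_e8_filter(uint8_t *code, size_t len) {
    if (len >= (1u << 24)) return -1;
    uint8_t seen[256] = { 0 };
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == 0xE8) seen[code[i + 1]] = 1;
    int cto = -1;
    for (int b = 0; b < 256; b++) if (!seen[b]) { cto = b; break; }
    if (cto < 0) return -1;
    for (size_t i = 0; i + 5 <= len; ) {
        if (code[i] == 0xE8) {
            uint32_t target = (uint32_t)(i + 5) + get_le32(code + i + 1);  /* wraps like the CPU */
            if (target < len) {
                code[i + 1] = (uint8_t)cto;
                put_be24(code + i + 2, target);
                i += 5;
                continue;
            }
        }
        i++;
    }
    return cto;
}

/* Unfilter: restore rel32 operands. Every converted call carries four operand bytes after
 * the opcode, so an E8 <cto> with fewer than four bytes left is malformed input, and
 * reading or writing it would run past the end of the buffer. Returns the number of
 * calls restored, or -1 on such a truncated call. */
int ct_e8_unfilter(uint8_t *code, size_t len, uint8_t cto) {
    int restored = 0;
    size_t i = 0;
    while (i < len) {
        if (code[i] == 0xE8 && i + 1 < len && code[i + 1] == cto) {
            if (i + 5 > len) return -1;            /* marker present, operand truncated */
            uint32_t target = get_be24(code + i + 2);
            put_le32(code + i + 1, target - (uint32_t)(i + 5));
            i += 5;
            restored++;
        } else {
            i++;
        }
    }
    return restored;
}

/* Constructed sample: two calls to the same local function and one call that leaves the buffer. */
static const uint8_t SAMPLE_CODE[] = {
    0x55,                               /* 00: push ebp */
    0xE8, 0x05, 0x00, 0x00, 0x00,       /* 01: call +5   -> target 0x0B */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* 06: call +0   -> target 0x0B */
    0xC3,                               /* 0B: ret */
    0xE8, 0x10, 0x00, 0x00, 0x00,       /* 0C: call +16  -> target 0x21, outside the buffer */
    0xC3,                               /* 11: ret */
};

int main(void) {
    uint8_t buf[sizeof SAMPLE_CODE];
    memcpy(buf, SAMPLE_CODE, sizeof buf);
    int cto = ct_e8_filter(buf, sizeof buf);
    printf("marker byte 0x%02x; filtered calls identical: %s\n", cto,
           memcmp(buf + 1, buf + 6, 5) == 0 ? "yes" : "no");
    int restored = ct_e8_unfilter(buf, sizeof buf, (uint8_t)cto);
    printf("restored %d calls; round trip exact: %s\n", restored,
           memcmp(buf, SAMPLE_CODE, sizeof buf) == 0 ? "yes" : "no");
    uint8_t truncated[3] = { 0xE8, 0x01, 0x00 };      /* marker in the last bytes, no room for the operand */
    printf("truncated call rejected: %d\n", ct_e8_unfilter(truncated, 3, 1));
    return 0;
}
```

The two calls to 0x0B become the identical byte sequence E8 01 00 00 0B after filtering, the out-of-range call is left alone, and the unfilter reproduces the original bytes exactly; the truncated buffer is refused instead of being read past its end.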
