Comodo Antivirus includes a full x86 emulator that is used to unpack executables that are being scanned. Files read from disk or received over the network, including email, browser cache and so on, can all trigger emulation. The emulator itself uses a sequence of nested lookup tables to translate opcodes to the routines that emulate them. The xmm/ymm registers are used like a union in C. For example, the registers can be treated as 4 floats, 2 doubles, 2 dwords, 8 shorts and so on, whatever is appropriate. The Comodo emulator uses a union to represent these registers, and each emulated instruction then uses whichever union member matches its function. For example, PUNPCKLBW would use regs->words, PSRLQ would use regs->qwords and so on. The code for PSUBUSB uses the wrong union member (words instead of bytes), meaning it will clobber double the space allocated by CPU::MMX_OPCODE(). The fix for this vulnerability is to use the bytes member of the union instead.
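The union-member mix-up described above, as an added example that is not Comodo's code: a constructed 8-byte MMX register slot with a canary placed directly after it, and PSUBUSB emulated once through the correct byte lanes and once through the wrong 16-bit lanes, so that the overrun past the register becomes visible in the canary. The slot layout, lane values and canary pattern are all assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed register slot: the 8 bytes an MMX register occupies, followed
 * by a canary standing in for whatever the emulator allocates next. */
typedef struct {
    uint8_t reg[8];
    uint8_t canary[8];
} mmx_slot_t;

/* Correct PSUBUSB: 8 byte lanes, each an unsigned saturating subtract,
 * written through the "bytes" view of the register. */
static void psubusb_fixed(mmx_slot_t *dst, const uint8_t src[8]) {
    for (int i = 0; i < 8; i++)
        dst->reg[i] = dst->reg[i] > src[i] ? dst->reg[i] - src[i] : 0;
}

/* Bug pattern from the advisory: the same 8-lane loop, but indexed through
 * the 16-bit "words" view, so each lane is 2 bytes and the loop covers 16
 * bytes of an 8-byte register. memcpy keeps the overrun observable in the
 * canary rather than undefined behaviour on a fixed-size array. */
static void psubusb_buggy(mmx_slot_t *dst, const uint8_t src[8]) {
    uint8_t *base = (uint8_t *)dst;
    for (int i = 0; i < 8; i++) {
        uint16_t lane;
        memcpy(&lane, base + i * sizeof lane, sizeof lane);
        lane = lane > src[i] ? (uint16_t)(lane - src[i]) : 0;
        memcpy(base + i * sizeof lane, &lane, sizeof lane);
    }
}

/* Runs one PSUBUSB through the chosen implementation on a constructed
 * register (all lanes 0x05, canary 0xAA, src alternating 3/9); copies the
 * resulting lanes to out_reg and returns 1 if the canary is untouched. */
int psubusb_demo(int use_buggy, uint8_t out_reg[8]) {
    mmx_slot_t s;
    const uint8_t src[8] = {3, 9, 3, 9, 3, 9, 3, 9};
    memset(s.reg, 0x05, sizeof s.reg);
    memset(s.canary, 0xAA, sizeof s.canary);
    if (use_buggy) psubusb_buggy(&s, src); else psubusb_fixed(&s, src);
    memcpy(out_reg, s.reg, 8);
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0xAA) return 0;
    return 1;
}

int main(void) {
    uint8_t r[8];
    printf("fixed: canary %s\n", psubusb_demo(0, r) ? "intact" : "clobbered");
    printf("buggy: canary %s\n", psubusb_demo(1, r) ? "intact" : "clobbered");
    return 0;
}
```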
Monthly Archives: March 2016
Wireshark dissect_ber_integer Static Out-Of-Bounds Write
Wireshark suffers from a crash vulnerability due to a static memory out-of-bounds write that can be observed in an ASAN build of Wireshark.
Comodo Antivirus Win32 Emulation Integer / Heap Overflow
A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc.). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM. These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker-controlled code. Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.
DSA-3526 libmatroska – security update
It was discovered that libmatroska, an extensible open standard audio/video container format, incorrectly processed EBML lacing. By providing maliciously crafted input, an attacker could use this flaw to force some leakage of information located in the process heap memory.
DSA-3529 redmine – security update
Multiple vulnerabilities have been found in Redmine, a project management web application, which may result in information disclosure.
DSA-3528 pidgin-otr – security update
Stefan Sperling discovered that pidgin-otr, a Pidgin plugin implementing Off-The-Record messaging, contained a use-after-free bug. This could be used by a malicious remote user to intentionally crash the application, thus causing a denial-of-service.
Joomla Easy Youtube Gallery 1.0.2 SQL Injection
Joomla Easy Youtube Gallery version 1.0.2 suffers from a remote SQL injection vulnerability.
Comodo Antivirus LZX Decompression Heap Overflow
Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It is possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write has completed.
Joomla iCagenda 3.5.15 Cross Site Scripting
Joomla iCagenda versions 3.5.5 through 3.5.15 suffer from a cross site scripting vulnerability.
OS X Kernel AppleUSBPipe::Abort Missing Bounds Checking
Mac OS X kernel suffers from a code execution vulnerability due to a lack of bounds checking in AppleUSBPipe::Abort.