Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters. This assumption is obviously incorrect; names can be any length, resulting in a very clean heap overflow.
4ee204b77a45094748b81a74a8091d2a517ab376bd6d2bf0dafe5788af13c366
Symantec Antivirus suffers from multiple remote memory corruption issues when unpacking MSPACK archives.
e9d8e37d67b1b78a70b6ba1087bb9ad488f89ea7270258280a0c162de1eee2f1
The Symantec dec2lha library is the library responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow.
7a45122b3424d74bb5da649ff1caa2ecb47dc7b5c6a0d4f9cfd4d9d854735409
Symantec Antivirus version 5.3.11 suffers from multiple remote memory corruption vulnerabilities when unpacking RAR files.
9e44f967c750c035ba888192a2e531afb42978c1fb75803ba25499dfcaae8bc4
Symantec / Norton Antivirus suffers from a remote ring0 memory corruption vulnerability.
21cdf1867131c9fd3d343f392430fc0eb800cce0626266748dac5dd7851a01d4
TrendMicro suffers from multiple HTTP problems in CoreServiceShell.exe.
66cb00c146f952cc997388b5ddb1c0039e197d650c1e6a388b719ebecf1ec16f
Fuzzing packed executables with McAfee's LiveSafe version 14.0 on Windows found a signedness error parsing sections and relocations.
df3a3c638fb803483492e5595745c6b207dc5378a2e3150bc4c2f7d4306afa97
There is a remote debugger stub listening by default on a new install of TrendMicro Antivirus that can be exploited to launch executables.
191c3b9d20b797c02c3aeb399b9f99fed1f18221adf47c360e14714b35343f0c
The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root.
5b5d78147822a04ece55e3ad4dc78e4634f5ee4ab840d7ead31f0b0e6099d778
Comodo Antivirus includes an x86 emulator that is used to unpack and monitor obfuscated executables; this is common practice among antivirus products. The idea is that emulators can run the code safely for a short time, giving the sample enough time to unpack itself or do something that can be profiled. Needless to say, this is a very significant and complicated attack surface, as an attacker can trigger emulation simply by sending the victim an email or getting them to visit a website with zero user interaction. Multiple memory corruption issues have been found with the emulator.
cfbf0dd1caad664a8a36d0e11f52ccba899cbf069cf799a34ef08893acaf37b2
Packman is an obscure open-source executable packer that Comodo Antivirus attempts to unpack during scanning. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer. This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.
adf1b7ee75650e302c810380b477450604f08412c70d3784267cfd3c982dd3ea
The Comodo Antivirus LZMA decoder performs insufficient parameter checks, resulting in a heap overflow vulnerability.
80e8644d174a99b1386292c6a83033e7044613fa936d4b5dfafeec8f9086d5f4
In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow. This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM, the attached test cases should reproduce the problem reliably (this issue was found using trivial fuzzing). You can see this testcase has this->m_oleDocHeader.csectDif = 0x40000001, and so this->m_oleDocHeader.csectDif * this->diFATPerSect * 4 + 436 wraps to 0x3b0.
0d8944589584ffd6f19521f74f3b05e3ba9308f6e066d7502ae4420ba2f83b4c
Comodo Antivirus includes a full x86 emulator that is used to unpack executables that are being scanned. Files read from disk or received over the network, including email, browser cache and so on, can all trigger emulation. The emulator itself uses a sequence of nested lookup tables to translate opcodes to the routines that emulate them. The xmm/ymm registers are used like a union in C. For example, the registers can be treated as 4 floats, 2 doubles, 2 dwords, 8 shorts and so on, whatever is appropriate. The Comodo emulator uses a union to represent these registers, and then each emulated instruction uses whichever union member matches its function. For example, PUNPCKLBW would use regs->words, PSRLQ would use regs->qwords and so on. The code for PSUBUSB incorrectly uses the wrong union member (words instead of bytes), meaning it will clobber double the space allocated by CPU::MMX_OPCODE(). The fix for this vulnerability is to use the bytes member of the union instead.
65a2860985334c929241500c3eec6733661c6d157ba7ce5980acbe5b0395bc08
A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM. These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker controlled code. Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.
8d147c54c65aab4d2452bd4eb9517303915856455def848dcb10b51b25e3f9d5
Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It's possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.
839695e6d83e2e3da8e7895210ee30106fa6966de6fc5fbd59853d59883fab72
Avira suffers from a heap underflow vulnerability when parsing PE section headers.
ea61070846baddcbb28d0f5d8e2027b479bd9eb7b9a66c93cc181a9f30a48ac3
This archive includes a PE file that causes memory corruption in Avast and it looks related to authenticode parsing.
d27ccfd40a77226d4c5585eba95e9e09a9305de20bb80289d319a5fdf9d9225d
ESET NOD32 is affected by a heap overflow vulnerability while unpacking EPOC installation files. By creating a file record with type SIS_FILE_MULTILANG (meaning a different file is provided for every supported language), and then claiming to support a very large number of languages, a 16-bit calculation overflows. This leads to a nice clean heap overflow.
2ddb32b00ad827a94327941703ae9b58ae4291fd5a72a65024a689e350a62ff5
Comodo Internet Security installs GeekBuddy which installs a weakly secure exposed VNC server.
3d2e073c1d6d171f88727d9420abce1904c883acad79c0452fffab5ce7a41451
When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.
bdbaab613e70202de64329e92a0aa11a5a23b6198f82463ba4715fdd151dcb53
This one is complicated, but allows an attacker to read any file on the filesystem by clicking a link. You don't even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary authenticated HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on.
4bad7ddfedceb6f7b409d84aac5aa90382f66d898044ad874bda143180fe3992
MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack.
3db7f35f2173b8f4b93e582cd2e3ad38fac889bb0120b08617db5d68d39ac26b
Avast Sandbox/Autosandbox message filtering suffers from a flaw that allows for privilege escalation.
11123d8f04f7157f84cdc92816ac901eeb5aa4e1ff0b49448154baf59b27196c
When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup. This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
53073638c8c75e9a351656a4dcd7d53e7dbf2acdea0e8d44f29494b8f842d950