[TZO-2009-1] Avira Antivir - RAR - Division by Zero & Null Pointer Dereference

From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,bugtraq <bugtraq@securityfocus.com>,full-disclosure <full-disclosure@lists.grok.org.uk>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org
Subject: [TZO-2009-1] Avira Antivir - RAR - Division by Zero & Null Pointer Dereference


     Avira - RAR -Division by Zero & Null Pointer Dereference

Reference     : [TZO-2009-1]-Avira Antivir
Location      : http://blog.zoller.lu/2009/01/advisory-tzo-2009-1-avira-antivir-rar.html
Products      : Avira Antivr Free
                Avira AntiVir Premium
                Avira Premium Security Suite
                Avira AntiVir Professional
                Avira AntiVir for KEN! 4
                Avira AntiVir & AntiSpam for KEN! 4
                Avira WebProtector for KEN! 4
                Avira AntiVir SharePoint
                Avira AntiVir Virus Scan Adapter for SAP NetWeaver
                Avira AntiVir MailGate
                Avira MailGate Suite
                Avira AntiVir Exchange
                Avira AntiVir MIMEsweeper
                Avira AntiVir Domino
                Avira AntiVir WebGate
                Avira WebGate Suite
                Avira AntiVir ISA Server
                Avira AntiVir MIMEsweeper
                Avira AntiVir Mobile
                Avira SmallBusiness Suite
                Avira Business Bundle
                Avira AntiVir NetGate Bundle
                Avira AntiVir NetWork Bundle
                Avira AntiVir GateWay Bundle
                Avira AntiVir Campus (for Education)
Vendors and Products using the Avira Engine :
Important : The impact of this flaw on those devices  has  not  been
tested nor confirmed to exist, there is however  reason  to  believe
that    the    flaw    existed    in    this    products     aswell.


               AXIGEN Mail Server
               Clearswift Mimesweeper
               GeNUGate and GeNUGate Pro (optional addon)

Vendor        : http://www.avira.de

I. Background
Avira is a leading worldwide provider of  self-developed  protection
solutions for professional and private use. The company  belongs  to
the pioneers in this  sector  with  over  twenty  years  experience.

The protection experts have numerous  company  locations  throughout
Germany and cultivate partnerships in  Europe,   Asia  and  America.
Avira has more than 180 employees at their main office  in  Tettnang
near Lake Constance and is one  of  the  largest  employers  in  the
region.  There  are  around  250  people  employed  worldwide  whose
commitment is continually being confirmed by awards.  A  significant
contribution to protection is the Avira AntiVir  Personal  which  is
being  used  by   private    users    a    million    times    over.

AV-Comparatives e.V.  have  chosen  Avira  AntiVir  Premium  as  the
best anti-virus solution of 2008 

II. Description
By manipulating certain fields inside a  RAR  archive  and  attacker
might trigger division by zero and null point exceptions. The attack vector  should  be  rated as  remote  as  an  attachement  to    an    e-mail    is    enough.

*Anybody  else  noticed  that  the  amount  of  details   in    most
advisories have *become less than usefull ?*

III. Impact
In some cases the  impact  is  a  Denial  of  Service  condition  in
others to an invalid read size  of  4  bytes  which  again  in  some
cases lead to an null pointer dereference.

The RAR parser inside the  module  leads  to  various  errors  whose
exploitability index is rated "I don't have time for this now  -  so
let's say 'maybe'" also sometimes known as "I lack the  time  and/or
the skill to do so". 

0131cad9 8b10            mov     edx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
   ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000268
Attempt to read from address 00000268


PROCESS_NAME:  avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

READ_ADDRESS:  00000268 
LAST_CONTROL_TRANSFER:  from 0131cb8c to 0131cad9


0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

0131cad9 8b10            mov     edx,dword ptr [eax]

SYMBOL_NAME:  aepack!module_get_api+20ed9
IMAGE_NAME:  aepack.dll
STACK_COMMAND:  ~2s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api

IV. Disclosure Timeline
The    Vulnerability    notification    policy    i    adhere    to:

17/12/2008  :  Sent  notice   to    the    correct    mail    adress
security@avira. com

17/12/2008 : Avira achknowledges receipt 

17/12/2008 : Avira sends details of  the  root  cause  on  the  same
day "The  crash  occurs  in  a  heavily  corrupted,   generated  RAR
archive while extracting the contents of the 22nd  file.   We  can't
give  any  file  names  as  they  are  non-printable  characters.  "

13/01/2009 : Avira notifies me that the  issue  was  fixed  with  an
update that shipped with AVPack  on  the  09/01/2009

14/01/2009 : Avira states  that  all  products  have  been  affected
except  "Securityy  Management  Center"  and  the  "Internet  Update
Manager". "Das bedeutet im Prinzip wirklich alle  Produkte,   ausser
Produkte wie eben das Security Management Center oder  der  Internet
Update Manager"

14/01/2009 : Release of this advisory 

Thierry Zoller

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.