COMMAND
PAV
SYSTEMS AFFECTED
PAV prior to 6.23.00
PROBLEM
Vladimir Kraljevic found the following. PAV handles UPX exe-packer
information in an insecure way; this behavior occurs when PAV
scans a malformed UPX-packed exe file (in our case "loader.exe",
part of the sglue teflon-like packaging program). sglue is included
with this letter; please find it attached, the password is "panda".
PAV recognizes such an executable properly, but when the user tries
to perform an action, here is the table of behaviors:
- On rename - PAV crashes, but renames
- On move - PAV crashes, but moves the file
- On ignore - PAV crashes, but ignores :)
- On delete - PAV never crashes (not affected)
It is very likely that an attacker can tamper with an executable in
such a way that he/she can execute arbitrary code exactly where
he/she needs it. UPX shows a similar message when it tries to
process "loader.exe" as well.
A disassembly of PAVDLL follows; you will be able to find the line
in the source code by following the reference bytes in this
listing (the crash point is traced back to pavdll.dll at address
0x0005EA51 in the binary image). The crash point is marked with
">>>>>>>>>>>>>" in the listing file.
0174F421 55 push ebp
0174F422 8B EC mov ebp,esp
0174F424 53 push ebx
0174F425 56 push esi
0174F426 57 push edi
0174F427 33 F6 xor esi,esi
0174F429 8B 45 0C mov eax,dword ptr [ebp+0Ch]
0174F42C 8B 18 mov ebx,dword ptr [eax]
0174F42E EB 21 jmp 0174F451
0174F430 80 3B F0 cmp byte ptr [ebx],0F0h
0174F433 72 1A jb 0174F44F
0174F435 80 3B F0 cmp byte ptr [ebx],0F0h
0174F438 75 12 jne 0174F44C
0174F43A 8D 43 01 lea eax,[ebx+1]
0174F43D 50 push eax
0174F43E E8 69 EA FF FF call 0174DEAC
0174F443 59 pop ecx
0174F444 66 85 C0 test ax,ax
0174F447 75 03 jne 0174F44C
0174F449 83 C3 04 add ebx,4
0174F44C 83 C3 02 add ebx,2
0174F44F 43 inc ebx
0174F450 46 inc esi
PAVDLL>>>>>>>>>> 0174F451 80 3B 00 cmp byte ptr [ebx],0
(EBX here is an invalid address [0x5259A8D8] that caused an unhandled
access violation exception; for information about the other registers,
see the register dump at the bottom of the page)
0174F454 75 DA jne 0174F430
0174F456 6A 00 push 0
0174F458 C1 E6 02 shl esi,2
0174F45B 83 C6 04 add esi,4
0174F45E 56 push esi
0174F45F E8 BC 39 FA FF call 016F2E20
0174F464 83 C4 08 add esp,8
0174F467 8B 55 08 mov edx,dword ptr [ebp+8]
0174F46A 89 02 mov dword ptr [edx],eax
0174F46C 8B 4D 08 mov ecx,dword ptr [ebp+8]
0174F46F 83 39 00 cmp dword ptr [ecx],0
0174F472 75 07 jne 0174F47B
0174F474 33 C0 xor eax,eax
0174F476 E9 96 00 00 00 jmp 0174F511
0174F47B 8B 55 08 mov edx,dword ptr [ebp+8]
0174F47E 8B 3A mov edi,dword ptr [edx]
0174F480 BE FC FF FF FF mov esi,0FFFFFFFCh
0174F485 8B 45 0C mov eax,dword ptr [ebp+0Ch]
0174F488 8B 18 mov ebx,dword ptr [eax]
0174F48A EB 69 jmp 0174F4F5
0174F48C 80 3B F0 cmp byte ptr [ebx],0F0h
0174F48F 73 08 jae 0174F499
0174F491 33 C0 xor eax,eax
0174F493 8A 03 mov al,byte ptr [ebx]
0174F495 03 F0 add esi,eax
0174F497 EB 2F jmp 0174F4C8
0174F499 8D 53 01 lea edx,[ebx+1]
0174F49C 52 push edx
0174F49D E8 0A EA FF FF call 0174DEAC
0174F4A2 59 pop ecx
0174F4A3 0F B7 C0 movzx eax,ax
0174F4A6 33 D2 xor edx,edx
0174F4A8 8A 13 mov dl,byte ptr [ebx]
0174F4AA 83 E2 0F and edx,0Fh
0174F4AD C1 E2 10 shl edx,10h
0174F4B0 03 C2 add eax,edx
0174F4B2 83 C3 02 add ebx,2
0174F4B5 85 C0 test eax,eax
0174F4B7 75 0D jne 0174F4C6
0174F4B9 8D 4B 01 lea ecx,[ebx+1]
0174F4BC 51 push ecx
0174F4BD E8 25 EA FF FF call 0174DEE7
0174F4C2 59 pop ecx
0174F4C3 83 C3 04 add ebx,4
0174F4C6 03 F0 add esi,eax
0174F4C8 89 37 mov dword ptr [edi],esi
0174F4CA 83 C7 04 add edi,4
0174F4CD 83 7D 14 00 cmp dword ptr [ebp+14h],0
0174F4D1 74 21 je 0174F4F4
0174F4D3 83 7D 10 00 cmp dword ptr [ebp+10h],0
0174F4D7 74 1B je 0174F4F4
0174F4D9 8B 45 10 mov eax,dword ptr [ebp+10h]
0174F4DC 03 C6 add eax,esi
0174F4DE 50 push eax
0174F4DF E8 03 EA FF FF call 0174DEE7
0174F4E4 59 pop ecx
0174F4E5 50 push eax
0174F4E6 8B 55 10 mov edx,dword ptr [ebp+10h]
0174F4E9 03 D6 add edx,esi
0174F4EB 52 push edx
0174F4EC E8 6D EA FF FF call 0174DF5E
0174F4F1 83 C4 08 add esp,8
0174F4F4 43 inc ebx
0174F4F5 80 3B 00 cmp byte ptr [ebx],0
0174F4F8 75 92 jne 0174F48C
0174F4FA 43 inc ebx
0174F4FB 8B 45 0C mov eax,dword ptr [ebp+0Ch]
0174F4FE 89 18 mov dword ptr [eax],ebx
0174F500 8B 55 08 mov edx,dword ptr [ebp+8]
0174F503 8B C7 mov eax,edi
0174F505 2B 02 sub eax,dword ptr [edx]
0174F507 85 C0 test eax,eax
0174F509 79 03 jns 0174F50E
0174F50B 83 C0 03 add eax,3
0174F50E C1 F8 02 sar eax,2
0174F511 5F pop edi
0174F512 5E pop esi
0174F513 5B pop ebx
0174F514 5D pop ebp
0174F515 C3 ret
EAX = 068AB750 EBX = 5259A8D8 ECX = 01A0FB00 EDX = 068AB740 ESI = 00000000 EDI = 01A0FA89
EIP = 0174F451 ESP = 068AB6BC EBP = 068AB6C8 EFL = 00000246
MM0 = 00D4D0C800D4D0C8 MM1 = 0000000000000000 MM2 = 000000D300CF00C7 MM3 = 000000D300CF00C7
MM4 = 00D4D0C800D4D0C8 MM5 = 000000D400D000C8 MM6 = 0000000000000000 MM7 = 0080008000800080
XMM0 = 0013799000137E6000130C5877FCB1BE XMM1 = 00137D68008F2898002BDA9F00137D68
XMM2 = 544E4E49575C3A430000000000000001 XMM3 = 001379C801005C320013017800130178
XMM4 = 00130000000000100000000000130640 XMM5 = 00130168001384480013845000000158
XMM6 = 00000000002DD4540000001F002DD400 XMM7 = 000000000000001E017FFC5000406218
CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 003B GS = 0000 OV=0 UP=0 EI=1
PL=0 ZR=1 AC=0 PE=1 CY=0
5259A8D8 = ??
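The loop in the listing walks a delta-encoded relocation stream and stops only at a zero byte, and with ESI still 0 at the fault the very first pointer it was handed was already invalid. As an added illustration that is neither Panda's nor UPX's code, here is a bounds-checked decoder for the same stream format reconstructed from the listing (the stream layout is my reading of the disassembly, which matches UPX's packed relocation table; the function names and the offset-validating wrapper are my own), written to fail closed instead of reading from an invalid address.

```c
#include <stddef.h>
#include <stdint.h>

/* Stream format as reconstructed from the listing (assumed to be UPX's packed
 * relocation table): tag < 0xF0 is the delta itself; tag >= 0xF0 carries
 * ((tag & 0x0F) << 16) | u16le, and if that is zero a u32le delta follows;
 * a zero tag terminates. The running offset starts at -4 (mov esi,0FFFFFFFCh). */
static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* Bounds-checked decoder: each read is checked against len, so a stream that
 * lacks its terminator yields -1 instead of the fault seen at 0174F451. */
int decode_relocs(const uint8_t *in, size_t len, uint32_t *out, size_t max_out)
{
    uint32_t jc = (uint32_t)-4;
    size_t pos = 0, n = 0;
    for (;;) {
        if (pos >= len) return -1;              /* tag byte outside buffer */
        uint8_t tag = in[pos];
        if (tag == 0) return (int)n;            /* terminator reached */
        uint32_t dif;
        if (tag < 0xF0) {
            dif = tag; pos += 1;
        } else {
            if (len - pos < 3) return -1;       /* need tag + u16 */
            dif = ((uint32_t)(tag & 0x0F) << 16) | le16(in + pos + 1);
            pos += 3;
            if (dif == 0) {
                if (len - pos < 4) return -1;   /* need the u32 escape */
                dif = le32(in + pos); pos += 4;
            }
        }
        jc += dif;
        if (n == max_out) return -1;            /* output table full */
        out[n++] = jc;
    }
}

/* The header-derived stream offset must lie inside the image: ESI == 0 at the
 * crash means the listing faulted on its very first byte, i.e. the start
 * pointer itself (0x5259A8D8) was already bogus before any byte was parsed. */
int decode_relocs_at(const uint8_t *image, size_t image_len, size_t offset,
                     uint32_t *out, size_t max_out)
{
    if (offset >= image_len) return -1;
    return decode_relocs(image + offset, image_len - offset, out, max_out);
}
```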
SOLUTION
With the latest Platinum version (6.23.00) the problem is solved.
This version has been available since February 2001; registered
customers of Panda Software can upgrade to it.