Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ASProtect Windows Antivirus Parsing Flaw - 551

Tavis Ormandy - Project Zero (P0) Posted 4 Years Ago
  • Windows Defender Antivirus is the antivirus that runs on Windows by default. It parses large amounts of incoming input, such as files. Because it processes so much data and runs as SYSTEM, it is an attractive target for attackers.
  • One of the file formats it tries to unpack is ASProtected binaries. ASProtect is a complicated multi-stage exepacker designed to make reverse engineering very difficult. One of the unpacking stages involves executing bytecode embedded in the executable; to interpret that bytecode, the packer encrypts and embeds a DLL that contains the virtual machine.
  • Instead of trying to interpret and parse this weird file format, Microsoft uses a clever trick: they simply run the packed executable in an emulator and let it unpack itself. The parsing disappears, and the unpacked file can then be inspected.
  • The packer itself ships with the file, which is of course how the file can be unpacked. But what if the packer itself is malicious? While Microsoft treats the packed binary as malicious, they do not treat the packer/unpacker as malicious when running the emulation step.
  • Because of this oversight, the parsing of the ASProtect DLL (done to set up the emulator) has almost no sanity checks. The vulnerability occurs in the parsing of the file headers: the RelativeVirtualAddress (RVA) read from the header is trusted blindly and used as an offset into a buffer in the emulator.
  • This leads to a controlled value being written to a controlled relative offset of the binary. Using this, the author was able to overwrite RIP and control the flow of execution, but did not take it through to full exploitation. To make matters worse, the vulnerability occurs during startup of the emulator, so it results in the compromise of a SYSTEM process.
  • The author includes a POC, but makes sure to encrypt the zip file, knowing that Windows Defender would otherwise extract the zip and crash. To find weird exploits like this one, we need to think like a developer: what assumptions about security would the development team have made while building this product? That is where many weird attack scenarios come from.
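As an added illustration (not code from the Project Zero post or from Microsoft), here is the kind of bounds check the summary above says the emulator setup was missing: an RVA from a header is only accepted as a buffer offset if a section table entry backs the full range and the result stays inside the file buffer. The section layout and buffer size are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One entry of a (constructed) PE section table. */
typedef struct {
    uint32_t virtual_address; /* RVA where the section is mapped */
    uint32_t raw_offset;      /* where its bytes sit in the file buffer */
    uint32_t raw_size;        /* how many bytes are actually in the file */
} Section;

/* The unchecked pattern is simply buf + rva. The checked version below only
 * accepts an RVA if some section backs the whole [rva, rva + need) range with
 * file data and the resulting offset stays inside buf_len. 64-bit arithmetic
 * keeps rva + need from wrapping around. */
static bool rva_to_offset(const Section *secs, size_t nsecs, size_t buf_len,
                          uint32_t rva, uint32_t need, size_t *out) {
    uint64_t end = (uint64_t)rva + need;
    for (size_t i = 0; i < nsecs; i++) {
        const Section *s = &secs[i];
        uint64_t s_end = (uint64_t)s->virtual_address + s->raw_size;
        if (rva < s->virtual_address || end > s_end)
            continue;                  /* range not fully inside this section */
        uint64_t off = (uint64_t)s->raw_offset + (rva - s->virtual_address);
        if (off + need > buf_len)
            return false;              /* section table points past the file */
        *out = (size_t)off;
        return true;
    }
    return false;                      /* no section backs this RVA */
}

/* Constructed two-section layout over a 0x700-byte file buffer. */
static const Section kSecs[] = {
    { 0x1000, 0x400, 0x200 },   /* .text: RVA 0x1000-0x1200 -> file 0x400 */
    { 0x2000, 0x600, 0x100 },   /* .data: RVA 0x2000-0x2100 -> file 0x600 */
};
#define SAMPLE_LEN 0x700
/* Resolve against the sample layout; returns the file offset or -1. */
long sample_resolve(uint32_t rva, uint32_t need) {
    size_t off;
    return rva_to_offset(kSecs, 2, SAMPLE_LEN, rva, need, &off) ? (long)off : -1;
}

int main(void) {
    printf("0x1010 -> %ld, 0x11ff -> %ld\n", sample_resolve(0x1010, 4), sample_resolve(0x11ff, 4));
    return 0;
}
```

An RVA that lands outside every section, straddles a section end, or would wrap past 2^32 is rejected before it is ever used as an index.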