SmadAV: Null Pointer Dereference Vulnerability

We discovered that SmadAV antivirus 9.1 is susceptible to a null pointer dereference. The application does not properly validate the scanner input that is processed by smadengine.dll. Successful exploitation of this vulnerability results in a crash of the application, because the code dereferences a null pointer (EAX = 0000000).

The vulnerable function itself lies in the smadengine.dll file.

.text:100051B2 mov [ebp+var_414], ebx
.text:100051B8 cmp word ptr [ebp+var_3DC], 0
.text:100051C0 jbe loc_1000530D
.text:100051C6 call sub_100060C0
.text:100051CB push 4 ; ucb
.text:100051CD lea ecx, [ebp+var_3C8]
.text:100051D3 push ecx ; lp
.text:100051D4 call ds:IsBadReadPtr
.text:100051DA cmp eax, 1
.text:100051DD jz loc_1000530D
.text:100051E3 mov esi, [ebp+var_3C8]
.text:100051E9 mov eax, [esi+0Ch]
.text:100051EC cmp [ebp+var_404], eax
.text:100051F2 jb short loc_100051FF
.text:100051F4 mov ecx, eax
.text:100051F6 sub ecx, [esi+14h]
.text:100051F9 mov [ebp+var_3E8], ecx

Called by

.text:10005574 inc ebx
.text:10005575 add esi, 28h
.text:10005578 mov [ebp+var_3C8], esi
.text:1000557E add [ebp+var_3DC], 0FFFFh
.text:10005588 jmp loc_100051B2
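The listing above shows why the guard does not help: `lea ecx, [ebp+var_3C8]` passes the address of the local stack slot to IsBadReadPtr, so the call only confirms that the stack is readable, and the pointer stored in that slot is then loaded into ESI and dereferenced at `[esi+0Ch]` without any check of its own value. The following C model is an added example written for this page, not code from SmadAV or from the advisory author. It assumes a 0x28-byte record layout with fields at offsets 0x0C and 0x14 (taken from the listing) and uses a stand-in `is_bad_read_ptr` that only models the NULL case, since the real Win32 IsBadReadPtr is not available off Windows; the record values are constructed sample data.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record layout inferred from the disassembly: the loop reads [esi+0Ch] and
 * [esi+14h] from each record and advances ESI by 28h to reach the next one.
 * The field names are assumptions; only the offsets come from the listing. */
typedef struct {
    uint8_t  pad0[0x0C];
    uint32_t size;            /* [esi+0Ch] */
    uint8_t  pad1[0x04];
    uint32_t base;            /* [esi+14h] */
    uint8_t  pad2[0x28 - 0x18];
} scan_record_t;
_Static_assert(sizeof(scan_record_t) == 0x28, "record stride must match add esi, 28h");

/* Stand-in for Win32 IsBadReadPtr (assumption: returns true when the range
 * cannot be read). Only the NULL case is modelled here; the real API probes
 * page protections and is documented by Microsoft as obsolete. */
static bool is_bad_read_ptr(const void *p, size_t n) {
    (void)n;
    return p == NULL;
}

/* Mirrors 100051CB..100051E9: the guard receives &slot (a stack address that
 * is always readable), so it passes even when the pointer inside is NULL. */
bool vulnerable_guard_allows_deref(const scan_record_t *cur) {
    const scan_record_t *slot = cur;          /* [ebp+var_3C8] */
    if (is_bad_read_ptr(&slot, sizeof slot))  /* checks the slot, not its value */
        return false;
    return true;                              /* next: mov esi,[slot]; mov eax,[esi+0Ch] */
}

/* Hardened guard: validate the pointer value itself before [esi+0Ch] is read. */
bool hardened_guard_allows_deref(const scan_record_t *cur) {
    if (cur == NULL)
        return false;
    if (is_bad_read_ptr(cur, sizeof *cur))
        return false;
    return true;
}

/* Hardened record walk: for each of `count` records (the 16-bit counter kept
 * at var_3DC) compute size - base as the loop does at 100051F4..100051F9.
 * Returns the number of records processed, or -1 if a record pointer is
 * unreadable, instead of crashing on a NULL dereference. */
int walk_records(const scan_record_t *first, uint16_t count, int32_t *out) {
    const scan_record_t *cur = first;
    for (uint16_t i = 0; i < count; i++, cur++) {
        if (!hardened_guard_allows_deref(cur))
            return -1;
        out[i] = (int32_t)(cur->size - cur->base);
    }
    return (int)count;
}

/* Constructed sample: two records with size 0x100 / base 0x40 and
 * size 0x80 / base 0x10; returns the first computed offset. */
int32_t sample_first_offset(void) {
    scan_record_t recs[2] = {0};
    int32_t out[2] = {0};
    recs[0].size = 0x100; recs[0].base = 0x40;
    recs[1].size = 0x80;  recs[1].base = 0x10;
    if (walk_records(recs, 2, out) != 2)
        return -1;
    return out[0];                            /* 0x100 - 0x40 = 0xC0 */
}

int main(void) {
    printf("vulnerable guard lets NULL through: %s\n",
           vulnerable_guard_allows_deref(NULL) ? "yes" : "no");
    printf("hardened guard lets NULL through:   %s\n",
           hardened_guard_allows_deref(NULL) ? "yes" : "no");
    printf("first offset on sample input: 0x%x\n", (unsigned)sample_first_offset());
    return 0;
}
```

The fix is not to swap in a different probe but to check the value that is about to be dereferenced: `cur` (the contents of var_3C8), not `&cur`. Even then, IsBadReadPtr is a weak guard because it cannot tell a stale or attacker-controlled non-NULL pointer from a valid one; the record count and the record pointer should be validated against the size of the buffer the scanner actually parsed.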

Impact

The application will crash and be forced to close. It is possible for an attacker to craft a virus or other malware that crashes the antivirus, and once the application has been forced to close, the malware can infect the system.

Solution

No solution from vendor.

References

http://www.exploit-db.com/exploits/22653
