Talos Vulnerability Report

TALOS-2022-1682

ESTsoft Alyac NT header out of bounds read

February 2, 2023
CVE Number

CVE-2022-43665

SUMMARY

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially crafted PE file can cause the target process to be killed. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

ESTsoft Alyac 2.5.8.645

PRODUCT URLS

Alyac - https://www.estsecurity.com/public/product/alyac

CVSSv3 SCORE

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-823 - Use of Out-of-range Pointer Offset

DETAILS

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

When coen.aym receives a path to the file to scan, it determines what type of file it is and selects the appropriate scanning strategy.

In the case of the crashing file, it scans using DefaultScanStrategy.

While scanning, it calls the utility function esc::engine::FileTool::GetTextSectionRange(...), which, as the name suggests, tries to locate the .text section inside the PE file being scanned.

It internally calls sub_1800809b0, which checks the MZ magic value and locates the NT header by referencing the e_lfanew field in the DOS header.

1800809ce  b84d5a0000         mov     eax, 'MZ'
1800809d3  4c894150           mov     qword [rcx+0x50], r8
1800809d7  48895108           mov     qword [rcx+0x8], rdx
1800809db  663902             cmp     word [rdx], ax
1800809de  0f8503010000       jne     0x180080ae7

1800809e4  4863423c           movsxd  rax, dword [rdx+0x3c] ; e_lfanew
1800809e8  493bc0             cmp     rax, r8    ; check with file size
1800809eb  0f87f6000000       ja      0x180080ae7

1800809f1  488d0c10           lea     rcx, [rax+rdx]        ; oob
1800809f5  48894b10           mov     qword [rbx+0x10], rcx
1800809f9  813950450000       cmp     dword [rcx], 'PE'

However, it only checks whether e_lfanew is larger than the file size, which is not sufficient. An e_lfanew value equal to the file size passes the check, but the file is then not large enough to hold the NT header.

Therefore the code reads memory out of bounds when it tries to validate the NT headers, crashing the malware scanning process.
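
To make the boundary concrete, the following is an added example (not code from the advisory or from Alyac) that contrasts a check modelled on the disassembly above with one that also requires the NT headers to fit inside the buffer before they are read. The in-memory sample file, the function names and the 0x1000 size are constructed for illustration; the size is chosen to match rax == r8 == 0x1000 in the crash registers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offsets from the PE format: e_lfanew lives at 0x3c in the DOS header and
 * the NT headers start with the 4-byte 'PE\0\0' signature followed by the
 * 20-byte IMAGE_FILE_HEADER. The optional header is sized separately. */
#define E_LFANEW_OFFSET 0x3c
#define NT_MIN_SIZE     (4 + 20)
#define SAMPLE_SIZE     0x1000   /* constructed sample: matches rax == r8 == 0x1000 in the crash */

/* Weak check, modelled on the advisory's disassembly: reject only if
 * e_lfanew > size ('cmp rax, r8; ja'). Returns the offset it would
 * dereference, or -1 if rejected. e_lfanew == size slips through. */
static int64_t locate_nt_weak(const uint8_t *buf, size_t size)
{
    int32_t e_lfanew;
    if (size < E_LFANEW_OFFSET + 4 || memcmp(buf, "MZ", 2) != 0) return -1;
    memcpy(&e_lfanew, buf + E_LFANEW_OFFSET, 4);
    if ((uint64_t)(int64_t)e_lfanew > size) return -1;  /* movsxd + unsigned ja */
    return e_lfanew;   /* caller now reads 4 bytes at buf + e_lfanew: out of bounds */
}

/* Hardened check: the whole signature + file header must fit inside the
 * buffer before anything at e_lfanew is touched. Uses subtraction rather
 * than e_lfanew + NT_MIN_SIZE so the comparison cannot overflow. */
static int64_t locate_nt_hardened(const uint8_t *buf, size_t size)
{
    int32_t e_lfanew;
    if (size < E_LFANEW_OFFSET + 4 || memcmp(buf, "MZ", 2) != 0) return -1;
    memcpy(&e_lfanew, buf + E_LFANEW_OFFSET, 4);
    if (e_lfanew < 0 || (uint64_t)e_lfanew > size) return -1;
    if (size - (uint64_t)e_lfanew < NT_MIN_SIZE) return -1;   /* the missing check */
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return -1;   /* now safe to read */
    return e_lfanew;
}

/* Builds a constructed in-memory file ('MZ', chosen e_lfanew, optional 'PE'
 * signature at that offset) and runs one of the checks over it. */
static int64_t run_check(int64_t (*check)(const uint8_t *, size_t),
                         int32_t e_lfanew, int place_pe_sig)
{
    uint8_t file[SAMPLE_SIZE];
    memset(file, 0, sizeof file);
    memcpy(file, "MZ", 2);
    memcpy(file + E_LFANEW_OFFSET, &e_lfanew, 4);
    if (place_pe_sig && e_lfanew >= 0 && e_lfanew + 4 <= SAMPLE_SIZE)
        memcpy(file + e_lfanew, "PE\0\0", 4);
    return check(file, sizeof file);
}
```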

Crash Information

1:016> ub
coen!Coen_Clean+0x6ca47:
00007ff8`f9f709d7 48895108        mov     qword ptr [rcx+8],rdx
00007ff8`f9f709db 663902          cmp     word ptr [rdx],ax
00007ff8`f9f709de 0f8503010000    jne     coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
00007ff8`f9f709e4 4863423c        movsxd  rax,dword ptr [rdx+3Ch]
00007ff8`f9f709e8 493bc0          cmp     rax,r8
00007ff8`f9f709eb 0f87f6000000    ja      coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
00007ff8`f9f709f1 488d0c10        lea     rcx,[rax+rdx]
00007ff8`f9f709f5 48894b10        mov     qword ptr [rbx+10h],rcx
1:016> r
rax=0000000000001000 rbx=0000004babdfdf60 rcx=000001f8c9c51000
rdx=000001f8c9c50000 rsi=00007ff8fa266bb8 rdi=0000004babdfe1b0
rip=00007ff8f9f709f9 rsp=0000004babdfdef0 rbp=0000004babdfe020
r8=0000000000001000  r9=0000000000001000 r10=00007ff8fa2606c0
r11=000001f894f3ab20 r12=0000000000000000 r13=00007ff8fa306e68
r14=0000000000001000 r15=000001f8c9c50000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
coen!Coen_Clean+0x6ca69:
00007ff8`f9f709f9 813950450000    cmp     dword ptr [rcx],4550h ds:000001f8`c9c51000=????????
1:016> k
Child-SP          RetAddr               Call Site
0000004b`abdfdef0 00007ff8`f9f2fa5c     coen!Coen_Clean+0x6ca69
0000004b`abdfdf20 00007ff8`f9f6a577     coen!Coen_Clean+0x2bacc
0000004b`abdfe0f0 00007ff8`f9f69e96     coen!Coen_Clean+0x665e7
0000004b`abdfe3b0 00007ff8`f9f538c4     coen!Coen_Clean+0x65f06
0000004b`abdfe550 00007ff8`f9f09192     coen!Coen_Clean+0x4f934
0000004b`abdfe7f0 00007ff8`f9ef5f45     coen!Coen_Clean+0x5202
0000004b`abdfe970 00007ff8`f9f03c24     coen+0x5f45
0000004b`abdfead0 00000001`8006f6c1     coen!Coen_ScanSharedMemory+0xc4
0000004b`abdfeb40 00000001`800563a3     ecm!GetModuleConfigValue+0x8771
0000004b`abdfebf0 00000001`8008bf2e     ecm+0x563a3
0000004b`abdfedc0 00000001`800666b0     ecm!GetModuleConfigValue+0x24fde
0000004b`abdfeea0 00007ff7`d046de9e     ecm!ScanFile+0x40
0000004b`abdfeee0 00007ff7`d04707d0     AYCon+0x2de9e
0000004b`abdfefc0 00007ff9`3f1c6c0c     AYCon+0x307d0
0000004b`abdffab0 00007ff9`40c854e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
0000004b`abdffae0 00007ff9`41cc485b     KERNEL32!BaseThreadInitThunk+0x10
0000004b`abdffb10 00000000`00000000     ntdll!RtlUserThreadStart+0x2b

TIMELINE

2022-12-13 - Vendor Disclosure
2023-02-01 - Vendor Patch Release
2023-02-02 - Public Release

Credit

Discovered by Jaewon Min of Cisco Talos.