Flaw in antivirus web server creates overflow condition, leading to RCE

A vulnerability found in older versions of an antivirus product made by F-Secure could lead to remote code execution in the corporate networks where it is commonly deployed.

Researchers at Doyensec, a cybersecurity company with offices in San Francisco and Warsaw, posted recently (February 3) about the discovery of the bug, which affected the F-Secure Internet Gatekeeper product, versions 5.50 and below.

The issue stemmed from an overflow condition in the product’s web interface and was classified as ‘critical’ because an attacker could use it to gain access to the Internet Gatekeeper server.

A patch was published after researchers at Doyensec reported the bug to F-Secure through its Vulnerability Rewards Program, which can pay up to €15,000 ($16,500) depending on the type of bug disclosed. A bounty of €5,000 ($5,500) was awarded for the vulnerability.

In the technical blog post, Kevin Joensen from Doyensec explained that a coding oversight meant that an attacker could send a malicious HTTP request to the Internet Gatekeeper web server.

“When analyzing the input mutated by radamsa [a general-purpose fuzzer] we could quickly see that the root cause of the vulnerability revolved around the Content-length header,” Joensen said.

“The generated test that crashed the software had the following header value: Content-Length: 21487483844.

“This suggests an overflow due to incorrect integer math.”

The function responsible for the crash was pd_civetweb_callback_begin_request, Joensen said.

“This method is responsible for handling incoming connections and dispatching them to the relevant functions depending on which HTTP verbs, paths or cookies are used,” he added.

Memory corruption

Integer overflow vulnerabilities occur when an arithmetic operation in the program’s code produces a result that exceeds the range of the integer type chosen to store it. It is effectively a memory corruption bug: here it gives an attacker a scenario in which they can influence the size of a buffer and overwrite the server’s memory.
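The write-up does not spell out the exact arithmetic that went wrong, so the block below is an added illustration, not Doyensec’s or F-Secure’s code: it contrasts a narrowing store of the quoted Content-Length value (21487483844) with a parse that rejects it. MAX_BODY_BYTES is a hypothetical policy limit chosen for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest request body this server will buffer (hypothetical policy value). */
#define MAX_BODY_BYTES (64UL * 1024UL * 1024UL)

/* Unsafe pattern: the header is read into a wide type but then stored in a
 * 32-bit length field. 21487483844 silently wraps to 12647364, a size that no
 * longer matches the number of bytes the client is going to send. */
uint32_t content_length_truncated(const char *value)
{
    unsigned long long n = strtoull(value, NULL, 10);
    return (uint32_t)n; /* narrowing conversion discards the high bits */
}

/* Safe parse: digits only, no overflow of the wide type, explicit policy cap.
 * Stores the length and returns true only when every check passes. */
bool parse_content_length(const char *value, size_t *out)
{
    char *end = NULL;
    if (value == NULL || *value < '0' || *value > '9')
        return false;                  /* empty, signed or padded: reject */
    errno = 0;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return false;                  /* overflowed or non-digits present */
    if (n > MAX_BODY_BYTES)
        return false;                  /* more than the server will buffer */
    *out = (size_t)n;
    return true;
}

/* Convenience wrapper: accepted length, or 0 when the header is rejected. */
size_t parse_or_zero(const char *value)
{
    size_t len = 0;
    return parse_content_length(value, &len) ? len : 0;
}

int main(void)
{
    const char *hdr = "21487483844"; /* value quoted in the Doyensec write-up */
    printf("stored in 32 bits: %u\n", (unsigned)content_length_truncated(hdr));
    printf("safe parse accepted: %s\n", parse_or_zero(hdr) ? "yes" : "no");
    return 0;
}
```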

“For exploitation, this is a great primitive since we can stop writing bytes to the HTTP stream and the software will simply shut the connection and continue,” Joensen said.

“Under these circumstances, we have complete control over how many bytes we want to write.”

Joensen added: “Gaining RCE should definitely be possible as we can control the exact chunk size and overwrite as much data as we’d like on small chunks.

“Furthermore, the application uses multiple threads which can be leveraged to get into clean heap arenas and attempt exploitation multiple times.”

The fix has only been issued for versions 5.40-5.50 of the Internet Gatekeeper application.

F-Secure Internet Gatekeeper Virtual Application versions 5.50 and below were also affected by the vulnerability – a patch for versions 5.40 and 5.50 was released in July.

F-Secure noted that there had been no evidence of attacks occurring due to the vulnerability.