
CVE-2017-5005 PoC — Quick Heal Internet Security, Total Security and AntiVirus Pro on OS X buffer error vulnerability

Source
Associated Vulnerability
Title: Quick Heal Internet Security, Total Security and AntiVirus Pro on OS X buffer error vulnerability (CVE-2017-5005)
Description: Quick Heal Internet Security, Total Security and AntiVirus Pro on OS X are antivirus products for the OS X platform. A stack-based buffer overflow vulnerability exists in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X. A remote attacker could, by means of a specially crafted LC_UNIXTHREAD.cmdsize in a Mach-O file
Description
CVE-2017-5005 for Quick Heal Antivirus
Readme
QuickHeal
=========
CVE-2017-5005 for Quick Heal Antivirus


Advisory
--------
**Improper Restriction of Operations** within the **Bounds of a Memory Buffer** vulnerability.

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.


Vulnerability Description
-------------------------
We found that **Quick Heal Internet Security** is vulnerable to an **Out-of-Bounds Write on a Stack Buffer** due to improper validation of `LC_UNIXTHREAD.cmdsize` in **Mach-O** files.

This vulnerability can be exploited to gain **Remote Code Execution** as well as **Privilege Escalation**.
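The following is an added example, not code from this repository, from Quick Heal or from the author: a defensive Mach-O load-command walker in C that performs the validation the advisory says was missing. The header and load-command layouts and the `MH_MAGIC_64` / `LC_UNIXTHREAD` constants follow the public Mach-O format; the error codes, the `MAX_STATE_WORDS` limit and the sample images built by `build_sample` are constructed for the example. Every `cmdsize` is checked against the bytes that remain inside `sizeofcmds`, and an `LC_UNIXTHREAD` command's `count` is checked against both its own `cmdsize` and the fixed stack buffer before any thread state is copied, which is exactly the step whose absence turns an attacker-controlled `cmdsize` into a stack write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mach-O constants and layouts (public Mach-O format; no <mach-o/loader.h> needed) */
#define MH_MAGIC_64    0xfeedfacfU
#define LC_UNIXTHREAD  0x5U

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved;
};
struct load_command {
    uint32_t cmd, cmdsize;
};

/* Fixed stack buffer a scanner might keep the thread state in; 64 words is a constructed upper bound */
#define MAX_STATE_WORDS 64U

enum { MACHO_OK = 0, MACHO_BAD_HEADER = -1, MACHO_BAD_CMDSIZE = -2, MACHO_BAD_THREAD = -3 };

/* Walk the load commands of a 64-bit Mach-O image in memory. Every cmdsize is validated
 * against the bytes that remain, and LC_UNIXTHREAD's count against its cmdsize, before any
 * thread state is copied onto the stack. Returns MACHO_OK or a negative error code. */
int macho_walk(const uint8_t *buf, size_t len, unsigned *nthread)
{
    struct mach_header_64 hdr;
    size_t off, end;

    if (nthread) *nthread = 0;
    if (len < sizeof hdr) return MACHO_BAD_HEADER;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC_64) return MACHO_BAD_HEADER;
    if (hdr.sizeofcmds > len - sizeof hdr) return MACHO_BAD_HEADER;  /* commands must lie inside the file */

    off = sizeof hdr;
    end = off + hdr.sizeofcmds;
    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return MACHO_BAD_CMDSIZE;
        memcpy(&lc, buf + off, sizeof lc);
        /* cmdsize is attacker-controlled: it must cover at least the fixed part, never run
         * past sizeofcmds, and be 8-byte aligned in a 64-bit image */
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off || (lc.cmdsize & 7U))
            return MACHO_BAD_CMDSIZE;

        if (lc.cmd == LC_UNIXTHREAD) {
            uint32_t state[MAX_STATE_WORDS];
            uint32_t count;
            /* body: flavor (4 bytes), count (4 bytes), then count 32-bit words of register state */
            if (lc.cmdsize < sizeof lc + 8) return MACHO_BAD_THREAD;
            memcpy(&count, buf + off + sizeof lc + 4, sizeof count);
            if (count > (lc.cmdsize - sizeof lc - 8) / 4 || count > MAX_STATE_WORDS)
                return MACHO_BAD_THREAD;
            memcpy(state, buf + off + sizeof lc + 8, (size_t)count * 4);  /* bounded by both checks above */
            (void)state;
            if (nthread) (*nthread)++;
        }
        off += lc.cmdsize;
    }
    return MACHO_OK;
}

/* Constructed test image: header + one LC_UNIXTHREAD (flavor 4 = x86_THREAD_STATE64).
 * 'claimed' is the cmdsize written into the command; 'actual' is how many command bytes really exist. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t claimed, uint32_t actual, uint32_t count)
{
    struct mach_header_64 hdr = { MH_MAGIC_64, 0x01000007U /* CPU_TYPE_X86_64 */, 3U,
                                  2U /* MH_EXECUTE */, 1U, actual, 0U, 0U };
    uint32_t body[4] = { LC_UNIXTHREAD, claimed, 4U, count };
    size_t total = sizeof hdr + actual;
    if (actual < sizeof body || cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, body, sizeof body);
    return total;
}

/* Build a sample and validate it in one step; returns the macho_walk result */
int check_sample(uint32_t claimed, uint32_t actual, uint32_t count)
{
    static uint8_t buf[4096];
    unsigned nthread = 0;
    size_t len = build_sample(buf, sizeof buf, claimed, actual, count);
    if (len == 0) return MACHO_BAD_HEADER;
    return macho_walk(buf, len, &nthread);
}

int main(void)
{
    printf("well-formed (cmdsize 184, count 42): %d\n", check_sample(184, 184, 42));
    printf("cmdsize past end of commands:        %d\n", check_sample(0x1000, 184, 42));
    printf("count larger than cmdsize allows:    %d\n", check_sample(24, 24, 42));
    printf("cmdsize smaller than its header:     %d\n", check_sample(4, 16, 0));
    return 0;
}
```

The well-formed image uses the real x86_64 thread-state size (42 words, so cmdsize 8 + 8 + 168 = 184) and is accepted; the three malformed images are rejected at the specific check each one violates, rather than reaching the `memcpy` onto the stack. A scanner that parses untrusted Mach-O files should apply the same pattern to every load command type it reads beyond the fixed `load_command` header.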


Proof of Concept
----------------
[![Quick Heal Exploit Demo](https://img.youtube.com/vi/h9LOsv4XE00/0.jpg)](https://www.youtube.com/watch?v=h9LOsv4XE00)


Vendor
------
[http://www.quickheal.co.in/](http://www.quickheal.co.in/)


Products
--------
 * Quick Heal Internet Security 10.1.0.316 and prior
 * Quick Heal Total Security 10.1.0.316 and prior
 * Quick Heal AntiVirus Pro 10.1.0.316 and prior


Disclosure Timeline
-------------------
 * 09 June 2016 – Reported to vendor
 * 11 June 2016 – Received acknowledgement from vendor & Patch released


Author
------
> **Ashfaq Ansari**

> ashfaq[at]payatu[dot]com

> **[@HackSysTeam](https://twitter.com/HackSysTeam) | [Blog](http://hacksys.vfreaks.com/ "HackSys Team") | [null](http://null.co.in/profile/411-ashfaq-ansari)**

> ![Payatu Technologies](http://www.payatu.com/wp-content/uploads/2015/04/Payatu_Logo.png "Payatu Technologies Pvt. Ltd.")

> [http://www.payatu.com/](http://www.payatu.com/ "Payatu Technologies Pvt. Ltd.")


License
-------
Please see the file `LICENSE` for copying permission


------------------------------------------------------------------------
[http://hacksys.vfreaks.com](http://hacksys.vfreaks.com)

![HackSys Team](http://hacksys.vfreaks.com/wp-content/themes/Polished/images/logo.png)
File Snapshot

```
[4.0K] /data/pocs/9f6418004512d5def278a227449d3180a69fffba
├── [4.4K] CVE-2017-5005.mach
├── [ 34K] LICENSE
├── [ 16K] Non-ASLR-Modules.csv
├── [ 19M] Quick Heal Exploit Demo.avi
├── [ 50K] Quick Heal Exploit Demo.png
└── [1.9K] README.md

0 directories, 6 files
```