Disclosure date
===============

July 22, 2010

Summary
=======

Program: Zbot trojan
Vector: Network traffic
Type: Stack read/write overflow and heap read overflow
Impact: Critical (remote code execution)

Reporters
=========

Pongsin Poosankam
http://www.andrew.cmu.edu/user/juanca/

Edward Xuejun Wu
http://edwardxwu.com/

Juan Caballero
http://www.ece.cmu.edu/~juanca/

Pongsin Poosankam and Juan Caballero are Ph.D. students working with the BitBlaze group at UC Berkeley. Edward Xuejun Wu is an undergraduate researcher in the BitBlaze group.
http://bitblaze.cs.berkeley.edu/

Program description
===================

The program that contains the vulnerability is a Zbot trojan. Other aliases for this trojan are Zeus and Wsnpoem.

The vulnerability is present in multiple Zbot binaries. We have verified the vulnerability on the binaries below, but other bot binaries could also be affected.

Binary #1
MD5:    0bf2df853c4980cce4bcfb0859337f65
SHA1:   4ca194a629742f80d8fee61e1f21e6f28c7f518f
SHA256: 24734eb64c5e8652ab51a58a009bd87433c8c57d88a1ddb25484f42f70a4a8e2

Binary #2
MD5:    1c9d16db8fa7a1064aab88a14b0c7fc8
SHA1:   a0a2067a02a42504d52cb6b063e2ec119ec0e7d8
SHA256: 349cd42f10f41f3a476870af15431a295512683ca5fac4d3cff9bdabf9a0b7f4

Binary #3
MD5:    7a4b9ceb247aa0e82296f2fd60b777d6
SHA1:   d4b687a18282af74e9da8f267182c60400b29d79
SHA256: ccc243b9d4c961a918e29e0043ebce14f26e73c6d197902b59ff6e9cc6536d5a

Platforms affected
==================

The bug has been tested using the above binaries on a Windows XP SP3 platform.

Vulnerable function
===================

In process: svchost.exe
Function entry point: sub_0xe752af (the unpacked binary module starts at 0xe70000)

Impact
======

Critical (remote code execution)

Reproducible
============

The bug is reproducible. We have an input that exploits the process and hijacks execution when sent to the bot.

Vulnerability description
=========================

The vulnerability is a stack read/write overflow and a heap read overflow.

The network input message consists of a sequence of blocks. Each block has a header and a payload. One of the header flags determines whether the block payload is compressed. If the payload is compressed, the trojan calls the decompression function (sub_0xe752af) to process it. The decompression function returns only when it observes a specific trailing signature in the payload. It performs no check on the size of the compressed input or on the expected size of the decompressed output. The decompressed output is stored in a fixed-size buffer on the stack, so when the decompressed payload is large enough the decompression function overflows that buffer (stack write overflow). In addition, when the compressed input is ill-formed, the decompression function may not encounter the trailing signature before the end of the input buffer and will continue reading beyond it (heap read overflow).

Setup
=====

To exploit this vulnerability, the bot must connect to a server that hands it the malicious input (the bot initiates the connection, to target port tcp/80).

More information
================

More information on this malware bug finding project can be found at:
http://bitblaze.cs.berkeley.edu/bugfinding.html

More information about the Zbot trojan can be found at:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
http://blog.threatexpert.com/2009_09_01_archive.html
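The following is an added illustration of the bug class described above, not code from the trojan or from the BitBlaze reporters. The advisory does not document Zbot's actual compression encoding, so the block layout, the op codes, the 64-byte output buffer and the sample blocks are all constructed assumptions. It puts the vulnerable pattern (a decoder that stops only at a trailing signature and bounds neither its input reads nor its output writes into a fixed-size stack buffer) beside a hardened form that rejects an oversized decompressed payload, a payload that ends without the signature, and a header that declares more payload than was actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy block format (an assumption for illustration only; the
 * advisory does not describe the trojan's real encoding):
 *   block   = flags(1) | payload_len(1) | payload
 *   when FLAG_COMPRESSED is set, payload is a stream of ops:
 *     0x00..0x7F  literal run: copy the next (op+1) bytes
 *     0x80..0xFE  repeat run: emit the next byte (op-0x7F) times
 *     0xFF        trailing signature: stop
 */
#define FLAG_COMPRESSED 0x01
#define OP_END          0xFF
#define OUT_BUF         64   /* fixed-size stack buffer, as in the advisory */

/* The vulnerable pattern: the loop stops only at the trailing signature and
 * nothing bounds reads of `in` or writes to `out`. Shown for contrast; only
 * ever call it on well-formed input whose output fits in `out`. */
size_t decompress_unchecked(const uint8_t *in, uint8_t *out) {
    size_t o = 0;
    for (;;) {
        uint8_t op = *in++;
        if (op == OP_END) return o;
        if (op < 0x80) {
            size_t n = (size_t)op + 1;
            memcpy(out + o, in, n);   /* stack write overflow once o+n > OUT_BUF */
            in += n;                  /* reads past the input if no OP_END follows */
            o += n;
        } else {
            size_t n = (size_t)op - 0x7F;
            memset(out + o, *in++, n);
            o += n;
        }
    }
}

/* Hardened form: every read is checked against in_len and every write
 * against out_cap before it happens. Returns bytes produced, or -1 on any
 * violation, including an input that ends without the trailing signature. */
long decompress_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap) {
    size_t i = 0, o = 0;
    while (i < in_len) {
        uint8_t op = in[i++];
        if (op == OP_END) return (long)o;
        if (op < 0x80) {
            size_t n = (size_t)op + 1;
            if (n > in_len - i || n > out_cap - o) return -1;
            memcpy(out + o, in + i, n);
            i += n;
            o += n;
        } else {
            size_t n = (size_t)op - 0x7F;
            if (i >= in_len || n > out_cap - o) return -1;
            memset(out + o, in[i++], n);
            o += n;
        }
    }
    return -1;  /* ran off the end of the input without seeing OP_END */
}

/* Block handler with the same fixed stack buffer, but a bounded decoder and a
 * check that the declared payload length does not exceed what was received. */
long handle_block(const uint8_t *blk, size_t blk_len) {
    uint8_t buf[OUT_BUF];
    if (blk_len < 2) return -1;
    uint8_t flags = blk[0];
    size_t plen = blk[1];
    if (plen > blk_len - 2) return -1;       /* header lies about payload size */
    const uint8_t *payload = blk + 2;
    if (flags & FLAG_COMPRESSED)
        return decompress_checked(payload, plen, buf, sizeof buf);
    if (plen > sizeof buf) return -1;
    memcpy(buf, payload, plen);
    return (long)plen;
}

/* Constructed sample blocks. */
static const uint8_t kBlockGood[] = {
    FLAG_COMPRESSED, 7, 0x02, 'a', 'b', 'c', 0x82, 'x', OP_END }; /* "abcxxx" */
static const uint8_t kBlockOverflow[] = {
    FLAG_COMPRESSED, 3, 0xFE, 'A', OP_END };   /* 127 x 'A' into a 64-byte buffer */
static const uint8_t kBlockNoSig[] = {
    FLAG_COMPRESSED, 4, 0x02, 'a', 'b', 'c' };  /* no OP_END: unchecked decoder reads on */
static const uint8_t kBlockBadLen[] = {
    FLAG_COMPRESSED, 32, 0x02, 'a' };           /* declares more payload than sent */

/* Benign contrast: the unchecked decoder on input that fits. */
size_t run_unchecked_benign(void) {
    uint8_t buf[OUT_BUF];
    return decompress_unchecked(kBlockGood + 2, buf);
}

int main(void) {
    printf("good      %ld\n", handle_block(kBlockGood, sizeof kBlockGood));
    printf("overflow  %ld\n", handle_block(kBlockOverflow, sizeof kBlockOverflow));
    printf("no-sig    %ld\n", handle_block(kBlockNoSig, sizeof kBlockNoSig));
    printf("bad-len   %ld\n", handle_block(kBlockBadLen, sizeof kBlockBadLen));
    return 0;
}
```

The two checks that matter are the ones the advisory says are missing: the remaining input (`in_len - i`) is compared against each read and the remaining output capacity (`out_cap - o`) against each write, and reaching the end of the input without the signature is treated as an error rather than a reason to keep reading. The unchecked decoder is kept only to show how little separates the two; the test harness never feeds it the malformed blocks.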