Posts /

Panda Dome Antivirus - Heap-Based Buffer Overflow Vulnerability

Twitter Facebook Google+
08 Sep 2021


Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime. PANDA DOME brings together Panda’s best protection, privacy and performance features into a single solution. This high-end, cross-platform antivirus product allows you to enjoy all your devices with complete peace of mind. Panda Dome’s packages also have:

Panda Dome version prone to vulnerable with heap-based buffer overflow vulnerability. An exploitable heap corruption exists in the OLE2_DeleteStreamID function of psksys.dll version when parsing specially crafted 7zip file that leads to a heap corruption, resulting in direct code execution. This vulnerability was found via file format fuzzing. The vulnerability has been fixed by Panda Security Team with the release version 20.01.00.

Vulnerability Description

Specially crafted 7z files declare a specific number of substreams. However, when scanned by Panda Dome, more substreams than the declared ones are detected. This leads to a dynamic buffer overload that later causes a PSKSYS heap-based overflow when trying to free the heap that was previously corrupted. Here’s how the specially crafted 7zip file looks like :)


This vulnerability is present in the PSKSYS DLL, which is part of file format parsing. There is a vulnerability in the OLE2_DeleteStreamID function that used for parsing of the OLE2 stream. A specially crafted 7zip file can lead to a heap corruption and remote code execution. The vulnerability triggers even on the simplest operations performed on malformed 7z file because its related to file format parsing. Observation of stack trace:


The initial cause was happened at the function psksys!ANALYZER_Analyze. The function responsible to analyze each of the files it tries to processing and parsing. Each processed file will has its own pointer. Example:


Then it will call the other function psksys!ANALYZER_GetConfig to perform recognition of the file types / formats it tries to process. We can see EAX is responsible to store all of the valuable value (including pointers).


Screenshot above shows that [ebp+10h] pointer were stored in EAX and then it copy back to another register which is EBX. This operation is performed in the memory. The execution continue to the last path where the main root cause happened at the function psksys!OLE2_DeleteStreamID. This function is responsible to free the object store in the memory after parsing a file. The implementation of the stream deletion failed to free all of the object except for the EAX. This is where the heap corruption happened where it failed to free the object store in EBX. We can see this in the disassembly below:


The heap corruption can be observed using debugger and we can see the failed freed object. If we see the stack trace below, the main root cause psksys!OLE2_DeleteStreamID can help us to track down the heap value. We can tell the OLE2_DeleteStreamID didn’t perform a proper check of the file it parse.


Free heap from previously corrupted:


This situation leads to a fully controllable heap corruption, and can be turned into remote code execution by an attacker.

0:075> !analyze -v
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *


    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-PIDABN7

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 15

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 108

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 41291

    Key  : Timeline.Process.Start.DeltaSec
    Value: 5540

ExceptionAddress: 77180dec (ntdll!RtlReportCriticalFailure+0x0000004b)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000



ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.



ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

00000000 00000000 heap_corruption!PSANHost.exe+0x0

SYMBOL_NAME:  heap_corruption!PSANHost.exe

MODULE_NAME: heap_corruption

IMAGE_NAME:  heap_corruption

STACK_COMMAND:  !heap ; ** Pseudo Context ** ManagedPseudo ** Value: e1181f0 ** ; kb

FAILURE_BUCKET_ID:  BREAKPOINT_80000003_heap_corruption!PSANHost.exe

OS_VERSION:  10.0.17763.1

BUILDLAB_STR:  rs5_release


OSNAME:  Windows 10

FAILURE_ID_HASH:  {839ca667-cbd7-fe00-99bf-e10ad5bb35a1}

Followup:     MachineOwner

Disclosure timeline

The vulnerability was reported back in December 2019. Here’s the timeline of disclosure:

Twitter Facebook Google+