SmadAV 9.1 Null Pointer Dereference Vulnerability

SmadAV antivirus 9.1 is susceptible to a null pointer dereference. The application does not properly filter the scanner input that is processed by smadengine.dll. Successful exploitation of this vulnerability could crash the application, since it will reference a null pointer (EAX = 0000000).

The vulnerable function is located in smadengine.dll.

.text:100051B2 mov [ebp+var_414], ebx
.text:100051B8 cmp word ptr [ebp+var_3DC], 0
.text:100051C0 jbe loc_1000530D
.text:100051C6 call sub_100060C0
.text:100051CB push 4 ; ucb
.text:100051CD lea ecx, [ebp+var_3C8]
.text:100051D3 push ecx ; lp
.text:100051D4 call ds:IsBadReadPtr
.text:100051DA cmp eax, 1
.text:100051DD jz loc_1000530D
.text:100051E3 mov esi, [ebp+var_3C8]
.text:100051E9 mov eax, [esi+0Ch]
.text:100051EC cmp [ebp+var_404], eax
.text:100051F2 jb short loc_100051FF
.text:100051F4 mov ecx, eax
.text:100051F6 sub ecx, [esi+14h]
.text:100051F9 mov [ebp+var_3E8], ecx

This code is reached from the following block, which jumps back to loc_100051B2:

.text:10005574 inc ebx
.text:10005575 add esi, 28h
.text:10005578 mov [ebp+var_3C8], esi
.text:1000557E add [ebp+var_3DC], 0FFFFh
.text:10005588 jmp loc_100051B2
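
An added example, not from the original advisory or from SmadAV's code: in the listing, IsBadReadPtr receives the address of the stack slot var_3C8 (the lea), while the pointer stored in that slot is what gets dereferenced at [esi+0Ch]. The portable C code below walks the same kind of record table but validates the range the pointer will actually touch before any read. Only the 0x28 stride and the 0x0C/0x14 offsets come from the listing; the buffer layout, the names walk_records and SAMPLE, and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_SIZE  0x28u  /* stride, from "add esi, 28h" */
#define OFF_START 0x0Cu  /* field read by "mov eax, [esi+0Ch]" */
#define OFF_RAW   0x14u  /* field read by "sub ecx, [esi+14h]" */
enum { WALK_MALFORMED = -1, WALK_OK = 0, WALK_NOT_FOUND = 1 };

static uint32_t rd32le(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk `count` records at buf+table_off and store start-raw of the last record
   whose start <= target. No record is read unless the whole table fits in buf. */
int walk_records(const uint8_t *buf, size_t len, size_t table_off,
                 uint16_t count, uint32_t target, uint32_t *delta) {
    if (buf == NULL || delta == NULL) return WALK_MALFORMED;
    /* Validate the range the pointer targets, not the variable holding it.
       Using division keeps the check free of integer overflow. */
    if (table_off > len || (len - table_off) / REC_SIZE < count)
        return WALK_MALFORMED;
    int rc = WALK_NOT_FOUND;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + table_off + (size_t)i * REC_SIZE;
        uint32_t start = rd32le(rec + OFF_START);
        if (target >= start) {  /* same unsigned comparison as cmp/jb at 100051EC */
            *delta = start - rd32le(rec + OFF_RAW);
            rc = WALK_OK;
        }
    }
    return rc;
}

/* Constructed sample (assumption): two records at offset 0x10 with
   start/raw = 0x1000/0x400 and 0x2000/0x600, stored little-endian. */
static const uint8_t SAMPLE[0x60] = {
    [0x10 + OFF_START + 1] = 0x10, [0x10 + OFF_RAW + 1] = 0x04,
    [0x38 + OFF_START + 1] = 0x20, [0x38 + OFF_RAW + 1] = 0x06,
};

int main(void) {
    uint32_t d = 0;
    int ok  = walk_records(SAMPLE, sizeof SAMPLE, 0x10, 2, 0x2500, &d);
    int bad = walk_records(SAMPLE, sizeof SAMPLE, 0x10, 3, 0x2500, &d);
    printf("count=2 -> %d (delta 0x%X), count=3 -> %d\n", ok, (unsigned)d, bad);
    return 0;
}
```

A record count larger than the buffer can hold is rejected up front instead of letting the loop advance the pointer past the data.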


The application will crash and be forced to close. An attacker could create a virus or other malware that crashes the antivirus and, once the application has been forced to close, infects the system.


No solution from vendor.



About Spentera

We specialize in penetration testing, vulnerability assessment, computer forensics, as well as intrusion analysis and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use the Contact Our Team menu on the sidebar.