Message-ID: <4238054D.9020801@gmail.com>
From: bania.piotr at gmail.com (Piotr Bania)
Subject: ADVISORY: DataRescue Interactive Disassembler Pro Debugger Format String Vulnerability


      DataRescue Interactive Disassembler Pro Debugger Format String Vulnerability
      by Piotr Bania <bania.piotr@...il.com>
      http://pb.specialised.info

      Severity:          High / Medium - code execution.
      Versions affected: Probably all versions, however tested on 4.7.0.830.


      I. BACKGROUND

      "The IDA Pro Disassembler and Debugger is an interactive, programmable,
       extendible, multi-processor disassembler hosted on Windows or on Linux.
       IDA Pro has become the de-facto standard for the analysis of hostile code,
       vulnerability research and COTS validation (...) IDA supports debugging of
       x86 Windows PE files, AMD64 Windows PE files, and x86 Linux ELF files,
       either locally or remotely."

       MORE AT: http://www.datarescue.com


      II. DESCRIPTION

       The problem exists when the IDA Debugger tries to write information about
       a loaded dynamic link library (when a LOAD_DLL_DEBUG_EVENT or
       UNLOAD_DLL_DEBUG_EVENT occurs).

       Let's look at the following sample code to get a better view:

       -- snip --
       call a                   ; pushes the address of the string below as the "return address"
       db "KERNEL32.DLL",0      ; NUL-terminated library name, now the top-of-stack argument
       a:
       call LoadLibraryA        ; LoadLibraryA("KERNEL32.DLL"), base address returned in EAX
       int 3                    ; break into the debugger so the registers window shows EAX
       -- snip --

       The above code should return the KERNEL32.DLL base address in the EAX
       register. The IDA Debugger shows EAX as "EAX=77E60000 -> kernel32.dll:77E60000"
       (general registers window); this is one of the examples. However, when the
       loaded library name includes special format specifiers, the vulnerability
       takes place. Here is the vulnerable code:

       (disassembly of ida.wll)
       .text:012563F8                 mov     esi, [ebp+arg_0]
       .text:012563FB                 push    [ebp+arg_C]
       .text:012563FE                 push    dword_12A27C4
       .text:01256404                 push    0
       .text:01256406                 push    ebx             ; format string
       .text:01256407                 lea     eax, [ebp+arg_0]
       .text:0125640A                 push    eax
       .text:0125640B                 push    offset sub_12562C0
       .text:01256410                 call    sub_011D1C78    ; parser

       Here EBX holds the format string, i.e. the format specifiers supplied by the attacker.
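As an added illustration in C, not code from the advisory or from DataRescue: the registers-window line built the way the call above should have done it, with the DLL name passed as a %s argument rather than as the format string, plus a sanitising copy and a simple check a defender can log on. Function names, buffer sizes and the sample DLL names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bug class in the advisory: the module name read from the debuggee is used AS
 * the format string, so conversions inside the DLL name get interpreted:
 *     snprintf(out, outlen, dll_name);       // never do this
 * Below, the untrusted name is only ever a %s argument. */
/* Copy src to dst, replacing bytes outside printable ASCII with '?', so a hostile
 * name cannot push control characters into the debugger's text output either. */
static void sanitize_name(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    if (dstlen == 0) return;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c < 0x20 || c > 0x7e) ? '?' : (char)c;
    }
    dst[i] = '\0';
}

/* Render the registers-window line ("EAX=77E60000 -> kernel32.dll:77E60000").
 * Returns the snprintf length, so a caller can detect truncation (>= outlen). */
int describe_module(char *out, size_t outlen, const char *dll_name, uint32_t base)
{
    char safe[260];                         /* MAX_PATH-sized scratch copy */
    sanitize_name(safe, sizeof safe, dll_name);
    return snprintf(out, outlen, "EAX=%08X -> %s:%08X", base, safe, base);
}

const char *describe_module_static(const char *dll_name, uint32_t base)
{   /* wrapper returning a static buffer, handy for quick checks */
    static char line[320];
    describe_module(line, sizeof line, dll_name, base);
    return line;
}

/* Defender-side check: a '%' in a module name deserves a log entry, since a
 * legitimate DLL name has no business carrying a conversion specifier. */
int name_has_format_directives(const char *dll_name)
{
    return strchr(dll_name, '%') != NULL;
}
int main(void)
{   /* constructed sample names; the second mimics a hostile one */
    puts(describe_module_static("kernel32.dll", 0x77E60000u));
    puts(describe_module_static("evil%x%s.dll", 0x77E60000u));
    return 0;
}
```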


      III. IMPACT

      After successful exploitation this vulnerability can allow the
      attacker to run arbitrary code in the context of the current user.
      If the exploitation is not successful, the IDA Debugger will fault
      or IDA can freeze (100% CPU - database corruption).

      Note that a potential attacker can drop the "baddll" on the fly; there
      are a few variants.

      IV. POC CODE

      The POC code was released to the vendor.


-- 
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@...il.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33
--------------------------------------------------------------------
