| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1B8FD26E1137405FBD685ED3842F5750@W340>
Date: Mon, 6 Mar 2017 13:00:17 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are defective^WEVIL (case 2):
innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe
Hi @ll,
InnoSetup is BROKEN, it creates DEFECTIVE "portable executable"
image files, for example innosetup-5.5.9.exe itself.
JFTR: unfortunately Windows' module loader covers these bugs and
loads such defective PE image files.
DEFECTS:
~~~~~~~~
1. all (8) IMAGE_IMPORT_DESCRIPTOR entries in the IMPORT directory
are INVALID: their Characteristics/OriginalFirstThunk fields
contain 0 instead of the RVA of the import lookup table!
See the PE/COFF specification, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=19509>,
or <https://msdn.microsoft.com/en-us/magazine/ms809762.aspx>,
"Table 8. IMAGE_IMPORT_DESCRIPTOR":
| Offset Size Field Description
| 0 4 Import Lookup The RVA of the import lookup table.
| Table RVA This table contains a name or ordinal
| (Characteristics) for each import. (The name
| "Characteristics" is used in Winnt.h,
| but no longer describes this field.)
2. the IMPORT directory holds 2 IMAGE_IMPORT_DESCRIPTOR entries for
each of "kernel32.dll", "user32.dll" and "advapi32.dll", even with
duplicate names (WriteFile, ReadFile, VirtualAlloc for example).
It should but have only 1 IMAGE_IMPORT_DESCRIPTOR for each DLL!
From the PE/COFF specification (see above):
| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
3. The "DLL characteristics" 0x8140 in the IMAGE_OPTIONAL_HEADER
(see <https://msdn.microsoft.com/en-us/library/ms680339.aspx>)
specifies IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, but the image
file has no VALID relocation info:
3.a) both RVA and size of the IMAGE_DIRECTORY_ENTRY_BASERELOC
entry are 0!
3.b) a ".reloc" section is present with (virtual) size 0x091C,
but its file offset and size are both 0!
3.c) the "PE characteristics" 0x818F specifies "relocations
stripped"!
Minor bugs:
~~~~~~~~~~~
4. the ".rsrc" section contains 4 icons for language id 0x0413
"nl-NL", but the icon group specifies language id 0x0409 "en-US".
Icons and icon groups should but all have the language id 0x0000,
i.e. NEUTRAL!
Icons referenced in icon groups should have the same language id
as their icon group.
5. all STRING resources have the language id 0x0000, although the
strings are available in english only!
6. both the MANIFEST and the VERSIONINFO resource have language id
0x0409 "en-US".
Both should but have the language id 0x0000, i.e. NEUTRAL!
For VERSIONINFO resources, the language of its entries is
specified WITHIN the resource itself, not in its header!
The language id within the VERSIONINFO resource is 0x0000,
despite the english only strings
"This installation was built with Inno Setup." in "Comments",
"Inno Setup Setup" in "FileDescription" etc.
7. the timestamp in the PE header of innosetup-5.5.9.exe is
0x2A425E19, which is "Friday, 1992-06-19 22:22:17 UTC".
innosetup-5.5.9-unicode.exe has the defect 2 and the bugs 4, 5 and 6.
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2017-02-25 report sent to authors of InnoSetup
NO reply, not even an acknowledgement of receipt.
2017-03-06 report published
Evidence:
~~~~~~~~~
X:\>link.exe /dump /headers /imports innosetup-5.5.9.exe
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file innosetup-5.5.9.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
8 number of sections
2A425E19 time date stamp Sat Jun 20 00:22:17 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
818F characteristics
Relocations stripped
~~~~~~~~~~~~~~~~~~~~
Executable
Line numbers stripped
Symbols stripped
Bytes reversed
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
2.25 linker version
A200 size of code
4600 size of initialized data
0 size of uninitialized data
AA98 entry point (0040AA98)
1000 base of code
C000 base of data
400000 image base (00400000 to 00414FFF)
1000 section alignment
200 file alignment
1.00 operating system version
6.00 image version
4.00 subsystem version
0 Win32 version
15000 size of image
400 size of headers
1E9FB8 checksum
2 subsystem (Windows GUI)
8140 DLL characteristics
Dynamic base
~~~~~~~~~~~~
NX compatible
Terminal Server Aware
100000 size of stack reserve
4000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
E000 [ 97C] RVA [size] of Import Directory
12000 [ 2C00] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
1E1338 [ 2AA8] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
~~~~~~~~~~~~~~~~~
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
10000 [ 18] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
0 [ 0] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
CODE name
A1D0 virtual size
1000 virtual address (00401000 to 0040B1CF)
A200 size of raw data
400 file pointer to raw data (00000400 to 0000A5FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
DATA name
250 virtual size
C000 virtual address (0040C000 to 0040C24F)
400 size of raw data
A600 file pointer to raw data (0000A600 to 0000A9FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
SECTION HEADER #3
BSS name
E94 virtual size
D000 virtual address (0040D000 to 0040DE93)
0 size of raw data
AA00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000000 flags
Read Write
SECTION HEADER #4
.idata name
97C virtual size
E000 virtual address (0040E000 to 0040E97B)
A00 size of raw data
AA00 file pointer to raw data (0000AA00 to 0000B3FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
Section contains the following imports:
kernel32.dll
40E0B4 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 DeleteCriticalSection
0 LeaveCriticalSection
0 EnterCriticalSection
0 InitializeCriticalSection
0 VirtualFree
0 VirtualAlloc
0 LocalFree
0 LocalAlloc
0 WideCharToMultiByte
0 TlsSetValue
0 TlsGetValue
0 MultiByteToWideChar
0 GetModuleHandleA
0 GetLastError
0 GetCommandLineA
0 WriteFile
0 SetFilePointer
0 SetEndOfFile
0 RtlUnwind
0 ReadFile
0 RaiseException
0 GetStdHandle
0 GetFileSize
0 GetSystemTime
0 GetFileType
0 ExitProcess
0 CreateFileA
0 CloseHandle
user32.dll
40E128 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 MessageBoxA
oleaut32.dll
40E130 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 VariantChangeTypeEx
0 VariantCopyInd
0 VariantClear
0 SysStringLen
0 SysAllocStringLen
advapi32.dll
40E148 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 RegQueryValueExA
0 RegOpenKeyExA
0 RegCloseKey
0 OpenProcessToken
0 LookupPrivilegeValueA
kernel32.dll
~~~~~~~~~~~~
40E160 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 WriteFile
0 VirtualQuery
0 VirtualProtect
0 VirtualFree
0 VirtualAlloc
0 Sleep
0 SizeofResource
0 SetLastError
0 SetFilePointer
0 SetErrorMode
0 SetEndOfFile
0 RemoveDirectoryA
0 ReadFile
0 LockResource
0 LoadResource
0 LoadLibraryA
0 IsDBCSLeadByte
0 GetWindowsDirectoryA
0 GetVersionExA
0 GetVersion
0 GetUserDefaultLangID
0 GetSystemInfo
0 GetSystemDirectoryA
0 GetSystemDefaultLCID
0 GetProcAddress
0 GetModuleHandleA
0 GetModuleFileNameA
0 GetLocaleInfoA
0 GetLastError
0 GetFullPathNameA
0 GetFileSize
0 GetFileAttributesA
0 GetExitCodeProcess
0 GetEnvironmentVariableA
0 GetCurrentProcess
0 GetCommandLineA
0 GetACP
0 InterlockedExchange
0 FormatMessageA
0 FindResourceA
0 DeleteFileA
0 CreateProcessA
0 CreateFileA
0 CreateDirectoryA
0 CloseHandle
user32.dll
~~~~~~~~~~
40E218 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 TranslateMessage
0 SetWindowLongA
0 PeekMessageA
0 MsgWaitForMultipleObjects
0 MessageBoxA
0 LoadStringA
0 ExitWindowsEx
0 DispatchMessageA
0 DestroyWindow
0 CreateWindowExA
0 CallWindowProcA
0 CharPrevA
comctl32.dll
40E24C Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 InitCommonControls
advapi32.dll
~~~~~~~~~~~~
40E254 Import Address Table
0 Import Name Table
~~~~~~
0 time date stamp
0 Index of first forwarder reference
0 AdjustTokenPrivileges
SECTION HEADER #5
.tls name
8 virtual size
F000 virtual address (0040F000 to 0040F007)
0 size of raw data
B400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000000 flags
Read Write
SECTION HEADER #6
.rdata name
18 virtual size
10000 virtual address (00410000 to 00410017)
200 size of raw data
B400 file pointer to raw data (0000B400 to 0000B5FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
50000040 flags
Initialized Data
Shared
Read Only
SECTION HEADER #7
.reloc name
91C virtual size
11000 virtual address (00411000 to 0041191B)
0 size of raw data
~~~~~
0 file pointer to raw data
~~~~~
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
50000040 flags
Initialized Data
Shared
Read Only
SECTION HEADER #8
.rsrc name
2C00 virtual size
12000 virtual address (00412000 to 00414BFF)
2C00 size of raw data
B600 file pointer to raw data (0000B600 to 0000E1FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
50000040 flags
Initialized Data
Shared
Read Only
Summary
1000 .idata
1000 .rdata
1000 .reloc
3000 .rsrc
1000 .tls
1000 BSS
B000 CODE
1000 DATA
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists