Message-ID: <693d4751-99cb-6b3f-ef3f-ee9bef5912a8@rofl.cat>
Date: Mon, 6 Mar 2017 20:07:27 +0100
From: fulldisclosure@...l.cat
To: fulldisclosure@...lists.org
Subject: Re: [FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe

Hi,

does this actually result in any vulnerability? If not, I feel like this
is the wrong place for posting "bug reports". If this leads to security
issues, some sort of PoC would be interesting.

You also might consider publishing a *generic* advisory for your
innosetup related findings. I do not see any additional information for
the specific targets. It seems to be the very same finding for each
advisory.

This feels more like a personal crusade/rant/nameithoweveryouwant against
innosetup than actual security research. Your dll-sideloading vulns are
valid findings for sure - but a generic advisory would have been enough.

What do you think?

Kind regards,
Matthias

On 03/06/2017 01:00 PM, Stefan Kanthak wrote:
> Hi @ll,
>
> InnoSetup is BROKEN, it creates DEFECTIVE "portable executable"
> image files, for example innosetup-5.5.9.exe itself.
>
> JFTR: unfortunately Windows' module loader covers these bugs and
> loads such defective PE image files.
>
> DEFECTS:
> ~~~~~~~~
>
> 1. all (8) IMAGE_IMPORT_DESCRIPTOR entries in the IMPORT directory
>    are INVALID: their Characteristics/OriginalFirstThunk fields
>    contain 0 instead of the RVA of the import lookup table!
>
>    See the PE/COFF specification, available via
>    <https://www.microsoft.com/en-us/download/details.aspx?id=19509>,
>    or <https://msdn.microsoft.com/en-us/magazine/ms809762.aspx>,
>    "Table 8. IMAGE_IMPORT_DESCRIPTOR":
>
>    | Offset  Size  Field              Description
>    | 0       4     Import Lookup      The RVA of the import lookup table.
>    |               Table RVA          This table contains a name or ordinal
>    |               (Characteristics)  for each import. (The name
>    |                                  "Characteristics" is used in Winnt.h,
>    |                                  but no longer describes this field.)
>
>
> 2. the IMPORT directory holds 2 IMAGE_IMPORT_DESCRIPTOR entries for
>    each of "kernel32.dll", "user32.dll" and "advapi32.dll", even with
>    duplicate names (WriteFile, ReadFile, VirtualAlloc for example).
>
>    It should but have only 1 IMAGE_IMPORT_DESCRIPTOR for each DLL!
>
>    From the PE/COFF specification (see above):
>
>    | Import Directory Table
>    ...
>    | The import directory table consists of an array of import directory
>    | entries, one entry for each DLL to which the image refers.
>
>
> 3. The "DLL characteristics" 0x8140 in the IMAGE_OPTIONAL_HEADER
>    (see <https://msdn.microsoft.com/en-us/library/ms680339.aspx>)
>    specifies IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, but the image
>    file has no VALID relocation info:
>
>    3.a) both RVA and size of the IMAGE_DIRECTORY_ENTRY_BASERELOC
>         entry are 0!
>
>    3.b) a ".reloc" section is present with (virtual) size 0x091C,
>         but its file offset and size are both 0!
>
>    3.c) the "PE characteristics" 0x818F specifies "relocations
>         stripped"!
>
>
> Minor bugs:
> ~~~~~~~~~~~
>
> 4. the ".rsrc" section contains 4 icons for language id 0x0413
>    "nl-NL", but the icon group specifies language id 0x0409 "en-US".
>
>    Icons and icon groups should but all have the language id 0x0000,
>    i.e. NEUTRAL!
>    Icons referenced in icon groups should have the same language id
>    as their icon group.
>
>
> 5. all STRING resources have the language id 0x0000, although the
>    strings are available in english only!
>
>
> 6. both the MANIFEST and the VERSIONINFO resource have language id
>    0x0409 "en-US".
>
>    Both should but have the language id 0x0000, i.e. NEUTRAL!
>
>    For VERSIONINFO resources, the language of its entries is
>    specified WITHIN the resource itself, not in its header!
>
>    The language id within the VERSIONINFO resource is 0x0000,
>    despite the english only strings
>    "This installation was built with Inno Setup." in "Comments",
>    "Inno Setup Setup" in "FileDescription" etc.
>
>
> 7. the timestamp in the PE header of innosetup-5.5.9.exe is
>    0x2A425E19, which is "Friday, 1992-06-19 22:22:17 UTC".
>
>
> innosetup-5.5.9-unicode.exe has the defect 2 and the bugs 4, 5 and 6.
>
>
> stay tuned
> Stefan Kanthak
>
>
> Timeline:
> ~~~~~~~~~
>
> 2017-02-25    report sent to authors of InnoSetup
>
>               NO reply, not even an acknowledgement of receipt.
>
> 2017-03-06    report published
>
>
> Evidence:
> ~~~~~~~~~
>
> X:\>link.exe /dump /headers /imports innosetup-5.5.9.exe
>
> Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
> Copyright (C) Microsoft Corporation.  All rights reserved.
>
>
> Dump of file innosetup-5.5.9.exe
>
> PE signature found
>
> File Type: EXECUTABLE IMAGE
>
> FILE HEADER VALUES
>              14C machine (x86)
>                8 number of sections
>         2A425E19 time date stamp Sat Jun 20 00:22:17 1992
>         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>                0 file pointer to symbol table
>                0 number of symbols
>               E0 size of optional header
>             818F characteristics
>                    Relocations stripped
>                    ~~~~~~~~~~~~~~~~~~~~
>                    Executable
>                    Line numbers stripped
>                    Symbols stripped
>                    Bytes reversed
>                    32 bit word machine
>
> OPTIONAL HEADER VALUES
>              10B magic # (PE32)
>             2.25 linker version
>             A200 size of code
>             4600 size of initialized data
>                0 size of uninitialized data
>             AA98 entry point (0040AA98)
>             1000 base of code
>             C000 base of data
>           400000 image base (00400000 to 00414FFF)
>             1000 section alignment
>              200 file alignment
>             1.00 operating system version
>             6.00 image version
>             4.00 subsystem version
>                0 Win32 version
>            15000 size of image
>              400 size of headers
>           1E9FB8 checksum
>                2 subsystem (Windows GUI)
>             8140 DLL characteristics
>                    Dynamic base
>                    ~~~~~~~~~~~~
>                    NX compatible
>                    Terminal Server Aware
>           100000 size of stack reserve
>             4000 size of stack commit
>           100000 size of heap reserve
>             1000 size of heap commit
>                0 loader flags
>               10 number of directories
>                0 [       0] RVA [size] of Export Directory
>             E000 [     97C] RVA [size] of Import Directory
>            12000 [    2C00] RVA [size] of Resource Directory
>                0 [       0] RVA [size] of Exception Directory
>           1E1338 [    2AA8] RVA [size] of Certificates Directory
>                0 [       0] RVA [size] of Base Relocation Directory
>                  ~~~~~~~~~~~~~~~~~
>                0 [       0] RVA [size] of Debug Directory
>                0 [       0] RVA [size] of Architecture Directory
>                0 [       0] RVA [size] of Global Pointer Directory
>            10000 [      18] RVA [size] of Thread Storage Directory
>                0 [       0] RVA [size] of Load Configuration Directory
>                0 [       0] RVA [size] of Bound Import Directory
>                0 [       0] RVA [size] of Import Address Table Directory
>                0 [       0] RVA [size] of Delay Import Directory
>                0 [       0] RVA [size] of COM Descriptor Directory
>                0 [       0] RVA [size] of Reserved Directory
>
>
> SECTION HEADER #1
>     CODE name
>     A1D0 virtual size
>     1000 virtual address (00401000 to 0040B1CF)
>     A200 size of raw data
>      400 file pointer to raw data (00000400 to 0000A5FF)
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> 60000020 flags
>          Code
>          Execute Read
>
> SECTION HEADER #2
>     DATA name
>      250 virtual size
>     C000 virtual address (0040C000 to 0040C24F)
>      400 size of raw data
>     A600 file pointer to raw data (0000A600 to 0000A9FF)
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> C0000040 flags
>          Initialized Data
>          Read Write
>
> SECTION HEADER #3
>      BSS name
>      E94 virtual size
>     D000 virtual address (0040D000 to 0040DE93)
>        0 size of raw data
>     AA00 file pointer to raw data
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> C0000000 flags
>          Read Write
>
> SECTION HEADER #4
>   .idata name
>      97C virtual size
>     E000 virtual address (0040E000 to 0040E97B)
>      A00 size of raw data
>     AA00 file pointer to raw data (0000AA00 to 0000B3FF)
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> C0000040 flags
>          Initialized Data
>          Read Write
>
>   Section contains the following imports:
>
>     kernel32.dll
>               40E0B4 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 DeleteCriticalSection
>                    0 LeaveCriticalSection
>                    0 EnterCriticalSection
>                    0 InitializeCriticalSection
>                    0 VirtualFree
>                    0 VirtualAlloc
>                    0 LocalFree
>                    0 LocalAlloc
>                    0 WideCharToMultiByte
>                    0 TlsSetValue
>                    0 TlsGetValue
>                    0 MultiByteToWideChar
>                    0 GetModuleHandleA
>                    0 GetLastError
>                    0 GetCommandLineA
>                    0 WriteFile
>                    0 SetFilePointer
>                    0 SetEndOfFile
>                    0 RtlUnwind
>                    0 ReadFile
>                    0 RaiseException
>                    0 GetStdHandle
>                    0 GetFileSize
>                    0 GetSystemTime
>                    0 GetFileType
>                    0 ExitProcess
>                    0 CreateFileA
>                    0 CloseHandle
>
>     user32.dll
>               40E128 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 MessageBoxA
>
>     oleaut32.dll
>               40E130 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 VariantChangeTypeEx
>                    0 VariantCopyInd
>                    0 VariantClear
>                    0 SysStringLen
>                    0 SysAllocStringLen
>
>     advapi32.dll
>               40E148 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 RegQueryValueExA
>                    0 RegOpenKeyExA
>                    0 RegCloseKey
>                    0 OpenProcessToken
>                    0 LookupPrivilegeValueA
>
>     kernel32.dll
>     ~~~~~~~~~~~~
>               40E160 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 WriteFile
>                    0 VirtualQuery
>                    0 VirtualProtect
>                    0 VirtualFree
>                    0 VirtualAlloc
>                    0 Sleep
>                    0 SizeofResource
>                    0 SetLastError
>                    0 SetFilePointer
>                    0 SetErrorMode
>                    0 SetEndOfFile
>                    0 RemoveDirectoryA
>                    0 ReadFile
>                    0 LockResource
>                    0 LoadResource
>                    0 LoadLibraryA
>                    0 IsDBCSLeadByte
>                    0 GetWindowsDirectoryA
>                    0 GetVersionExA
>                    0 GetVersion
>                    0 GetUserDefaultLangID
>                    0 GetSystemInfo
>                    0 GetSystemDirectoryA
>                    0 GetSystemDefaultLCID
>                    0 GetProcAddress
>                    0 GetModuleHandleA
>                    0 GetModuleFileNameA
>                    0 GetLocaleInfoA
>                    0 GetLastError
>                    0 GetFullPathNameA
>                    0 GetFileSize
>                    0 GetFileAttributesA
>                    0 GetExitCodeProcess
>                    0 GetEnvironmentVariableA
>                    0 GetCurrentProcess
>                    0 GetCommandLineA
>                    0 GetACP
>                    0 InterlockedExchange
>                    0 FormatMessageA
>                    0 FindResourceA
>                    0 DeleteFileA
>                    0 CreateProcessA
>                    0 CreateFileA
>                    0 CreateDirectoryA
>                    0 CloseHandle
>
>     user32.dll
>     ~~~~~~~~~~
>               40E218 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 TranslateMessage
>                    0 SetWindowLongA
>                    0 PeekMessageA
>                    0 MsgWaitForMultipleObjects
>                    0 MessageBoxA
>                    0 LoadStringA
>                    0 ExitWindowsEx
>                    0 DispatchMessageA
>                    0 DestroyWindow
>                    0 CreateWindowExA
>                    0 CallWindowProcA
>                    0 CharPrevA
>
>     comctl32.dll
>               40E24C Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 InitCommonControls
>
>     advapi32.dll
>     ~~~~~~~~~~~~
>               40E254 Import Address Table
>                    0 Import Name Table
>                    ~~~~~~
>                    0 time date stamp
>                    0 Index of first forwarder reference
>
>                    0 AdjustTokenPrivileges
>
> SECTION HEADER #5
>     .tls name
>        8 virtual size
>     F000 virtual address (0040F000 to 0040F007)
>        0 size of raw data
>     B400 file pointer to raw data
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> C0000000 flags
>          Read Write
>
> SECTION HEADER #6
>   .rdata name
>       18 virtual size
>    10000 virtual address (00410000 to 00410017)
>      200 size of raw data
>     B400 file pointer to raw data (0000B400 to 0000B5FF)
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> 50000040 flags
>          Initialized Data
>          Shared
>          Read Only
>
> SECTION HEADER #7
>   .reloc name
>      91C virtual size
>    11000 virtual address (00411000 to 0041191B)
>        0 size of raw data
>        ~~~~~
>        0 file pointer to raw data
>        ~~~~~
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> 50000040 flags
>          Initialized Data
>          Shared
>          Read Only
>
> SECTION HEADER #8
>    .rsrc name
>     2C00 virtual size
>    12000 virtual address (00412000 to 00414BFF)
>     2C00 size of raw data
>     B600 file pointer to raw data (0000B600 to 0000E1FF)
>        0 file pointer to relocation table
>        0 file pointer to line numbers
>        0 number of relocations
>        0 number of line numbers
> 50000040 flags
>          Initialized Data
>          Shared
>          Read Only
>
>   Summary
>
>         1000 .idata
>         1000 .rdata
>         1000 .reloc
>         3000 .rsrc
>         1000 .tls
>         1000 BSS
>         B000 CODE
>         1000 DATA
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
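The three major defects in the quoted report (zeroed OriginalFirstThunk fields, duplicate IMAGE_IMPORT_DESCRIPTOR entries per DLL, and DYNAMIC_BASE set without relocation data) are all mechanically checkable from the PE headers, which is how a build pipeline or a triage script would catch them before the Windows loader silently tolerates them. The script below is an added example, not code from the thread or from the InnoSetup project; it parses the headers with only the Python standard library (no `pefile`). Because innosetup-5.5.9.exe is not on this page, `build_sample_pe` constructs a minimal PE32 image in memory (constructed test data, not the real installer) that reproduces the three defects, and a well-formed variant for comparison; section layout, RVAs and the single `WriteFile` import in it are assumptions chosen for the example.

```python
"""Lint a PE32/PE32+ image for the import and relocation defects from the report:
zeroed OriginalFirstThunk fields, more than one IMAGE_IMPORT_DESCRIPTOR per DLL,
and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE without usable relocation data."""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if unmapped."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None


def check_pe(data):
    """Return a list of findings (empty if none) for the PE image bytes `data`."""
    findings = []
    pe, = struct.unpack_from("<I", data, 0x3C)                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return ["not a PE image"]
    _m, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    oh = pe + 24                                                # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, oh)
    dllchars, = struct.unpack_from("<H", data, oh + 70)
    ndirs_off = oh + (92 if magic == 0x10B else 108)            # PE32 vs PE32+
    ndirs, = struct.unpack_from("<I", data, ndirs_off)
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        n, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, oh + opt_size + 40 * i)
        sections.append((n.rstrip(b"\0"), va, vsize, rawptr, rawsize))

    # Defect 3: image claims to be relocatable but carries no relocation info.
    if dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        reloc_rva, reloc_size = dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] if ndirs > 5 else (0, 0)
        if reloc_rva == 0 or reloc_size == 0:
            findings.append("DYNAMIC_BASE set but Base Relocation Directory is empty")
        if chars & IMAGE_FILE_RELOCS_STRIPPED:
            findings.append("DYNAMIC_BASE set together with IMAGE_FILE_RELOCS_STRIPPED")

    # Defects 1 and 2: walk the IMAGE_IMPORT_DESCRIPTOR array up to its null entry.
    imp_rva = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0] if ndirs > 1 else 0
    off = rva_to_offset(sections, imp_rva) if imp_rva else None
    seen = {}
    while off is not None:
        desc = struct.unpack_from("<IIIII", data, off)          # OFT, stamp, fwd, Name, FT
        if not any(desc):
            break
        oft, _stamp, _fwd, name_rva, _ft = desc
        name_off = rva_to_offset(sections, name_rva)
        name = data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace").lower()
        if oft == 0:
            findings.append(f"{name}: OriginalFirstThunk (import lookup table RVA) is 0")
        seen[name] = seen.get(name, 0) + 1
        off += 20
    findings += [f"{n}: {c} IMAGE_IMPORT_DESCRIPTOR entries, expected 1"
                 for n, c in seen.items() if c > 1]
    return findings


def build_sample_pe(defective=True):
    """Constructed minimal PE32 image (test data, not innosetup-5.5.9.exe).
    defective=True reproduces defects 1-3 from the report; False is well-formed."""
    dlls = [b"kernel32.dll", b"user32.dll"] + ([b"kernel32.dll"] if defective else [])
    body_rva = 0x1000 + (len(dlls) + 1) * 20                    # .idata: descriptors, then body
    body, descs = bytearray(), b""
    for dll in dlls:
        hint_name_rva = body_rva + len(body)
        body += struct.pack("<H", 0) + b"WriteFile\0"
        body += b"\0" * (-len(body) % 4)                        # keep thunk tables aligned
        ilt_rva = body_rva + len(body)
        body += struct.pack("<II", hint_name_rva, 0)            # import lookup table
        iat_rva = body_rva + len(body)
        body += struct.pack("<II", hint_name_rva, 0)            # import address table
        name_rva = body_rva + len(body)
        body += dll + b"\0"
        descs += struct.pack("<IIIII", 0 if defective else ilt_rva, 0, 0, name_rva, iat_rva)
    descs += bytes(20)                                          # terminating null descriptor
    payload = (descs + bytes(body)).ljust(0x200, b"\0")
    sections = [(b".idata", 0x1000, len(descs) + len(body), 0x200, 0xC0000040)]
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x1000, len(descs))
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if defective:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    else:                                                       # one empty relocation block
        payload += struct.pack("<II", 0x1000, 8).ljust(0x200, b"\0")
        sections.append((b".reloc", 0x2000, 8, 0x400, 0x42000040))
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x2000, 8)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, chars)
    opt_hdr = struct.pack("<HBB9I6H4I2H6I", 0x10B, 2, 25,
                          0x200, 0x200, 0, 0x1000, 0x1000, 0x1000, 0x400000, 0x1000, 0x200,
                          4, 0, 0, 0, 4, 0, 0, 0x1000 * (len(sections) + 1), 0x200, 0, 2,
                          IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                          0x100000, 0x4000, 0x100000, 0x1000, 0, 16)
    opt_hdr += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0x200, ptr, 0, 0, 0, 0, fl)
                        for n, va, vs, ptr, fl in sections)
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + sec_hdrs).ljust(0x200, b"\0") + payload


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("\n".join(check_pe(data)) or "no findings")
```

Run it with a path to check a real binary, or without arguments to lint the constructed defective sample. The check for defect 3 mirrors the report's 3.a and 3.c (empty base relocation directory and IMAGE_FILE_RELOCS_STRIPPED); the report's 3.b, a `.reloc` section with zero raw size, would need a section-table rule in addition, and the minor resource-language bugs need a resource-directory walk that this example does not attempt.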