
Re: iDEFENSE Security Advisory 01.24.05: DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability



A fixed version of PEiD has been released.
http://peid.tk/

On Mon, 24 Jan 2005 15:13:39 -0500, iDefense Customer Service
<customerservice@xxxxxxxxxxxx> wrote:
> DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability
> 
> iDEFENSE Security Advisory 01.24.05
> www.idefense.com/application/poi/display?id=189&type=vulnerabilities
> January 24, 2005
> 
> I. BACKGROUND
> 
> DataRescue Inc.'s IDA Pro is a Windows or Linux hosted multi-processor
> disassembler and debugger providing a multitude of features. More
> information is available at:
> 
>     http://www.datarescue.com/idabase/
> 
> II. DESCRIPTION
> 
> Exploitation of a buffer overflow vulnerability in DataRescue Inc.'s
> Interactive Disassembler Pro (IDA Pro) allows attackers to execute
> arbitrary code under the context of the logged on user.
> 
> The problem specifically exists in the code responsible for parsing the
> Portable Executable import directory. The import directory lists all the
> symbols imported by the PE file and is stored as an array of data
> structures. Each data structure contains the name of the imported
> library and a list of function pointers, known as the Import Address
> Table. A stack-based buffer overflow occurs when parsing long import
> library names in the following snippet of assembly from ida.wll
> (IDA Pro v4.7):
> 
>     0x100838BB LEA EDX, [EBP-30C]
>     0x100838C1 PUSH DWORD PTR [EBP+8]
>     0x100838C4 PUSH EDX
>     0x100838C5 CALL ida.#835
> 
> "EBP+8" from above represents the attacker-supplied source buffer and
> "EBP-30C" represents the static stack-based destination buffer of
> approximately 800 bytes. The "ida_835" procedure performs an unchecked
> string copy overwriting a stored return address and allowing an attacker
> to redirect CPU flow to eventually execute arbitrary code.
> 
> III. ANALYSIS
> 
> Exploitation of the described vulnerability allows attackers to execute
> arbitrary code under the context of the logged in user. Exploitation
> requires that an attacker convince a target user to open a malicious
> Portable Executable file with a vulnerable version of IDA Pro. IDA Pro
> is the primary disassembler used by many security researchers. As such,
> the severity of this issue is exacerbated when considering the impact of
> a fast spreading worm combined with an exploit for this vulnerability.
> 
> Although simple modification of an import library name is sufficient to
> exploit this vulnerability, the Windows loader will fail to recognize it
> as a valid PE file. This will result in a non-executable malicious
> binary. iDEFENSE has discovered a method for exploiting this
> vulnerability in a fashion that is undetectable via PE import table
> entry analysis, and that is effective against IDA Pro and will load and
> execute as a regular binary without error.
> 
> It should be noted that other applications designed to analyze PE
> executables may also be vulnerable. PEiD is a freely available PE
> analysis tool and is also susceptible to attack.
> 
> IV. DETECTION
> 
> iDEFENSE has confirmed the existence of this vulnerability in IDA Pro
> versions 4.6 Service Pack 1 and 4.7 on both the Microsoft Windows and
> Linux platforms. It is suspected that earlier versions are also
> affected.
> 
> V. WORKAROUND
> 
> Prior to opening unknown files with vulnerable versions of IDA Pro,
> examine the PE import table entries for long or abnormal strings. There
> are a number of tools available for analyzing the PE file format. It is
> important to note that this method will not catch all exploit vectors.
> 
> VI. VENDOR RESPONSE
> 
> "A temporary fix is available here
> 
>    http://www.datarescue.com/cgi-local/ultimatebb.cgi?/forum/2.html
> 
> A more generic fix will be available in the next IDA Pro release."
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2005-0115 to this issue. This is a candidate for inclusion
> in the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 01/12/2005      Initial vendor notification
> 01/12/2005      Initial vendor response
> 01/24/2005      Coordinated public disclosure
> 
> IX. CREDIT
> 
> Lord Yup is credited with this discovery.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2005 iDEFENSE, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> 
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
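The workaround in section V of the quoted advisory (inspect the PE import table for long or abnormal library names before opening an unknown file in a vulnerable analysis tool) can be automated with a small bounded parser. The following is an added example written for this thread; it is not code from the original post, from iDEFENSE, or from DataRescue. It walks the PE32/PE32+ import directory the way the advisory describes it (an array of descriptors, each holding an RVA to a NUL-terminated library name), maps each RVA to a file offset through the section table, and reports any name longer than a hypothetical threshold (`MAX_DLL_NAME`, 64 bytes here; a chosen value, not one from the advisory). Every read is bounded by the file length and a hard cap, so the scanner itself does not depend on an unchecked string copy. `build_sample_pe` constructs a minimal, non-executable PE image in memory purely as test input.

```python
import struct
from collections import namedtuple

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
MAX_DLL_NAME = 64        # hypothetical threshold: flag library names longer than this
MAX_DESCRIPTORS = 1024   # hard cap on descriptors walked, in case the terminator is missing
MAX_STRING_READ = 4096   # hard cap on bytes read for a single name

ImportEntry = namedtuple("ImportEntry", "name length suspicious")


def _rva_to_offset(rva, sections):
    """Map an RVA to a raw file offset using the section table, or None if unmapped."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def _read_cstring(data, off, limit):
    """Read at most `limit` bytes starting at off, stopping at NUL. Returns (bytes, truncated)."""
    chunk = data[off:off + limit]
    end = chunk.find(b"\0")
    if end == -1:
        return chunk, True
    return chunk[:end], False


def scan_pe_imports(data, max_name=MAX_DLL_NAME):
    """Return one ImportEntry per import descriptor; suspicious=True marks long or unreadable names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)  # DataDirectory offset for PE32 / PE32+
    if dir_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return []
    imp_rva, _imp_size = struct.unpack_from("<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    sec_base = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_base + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return []
    desc_off = _rva_to_offset(imp_rva, sections)
    if desc_off is None:
        return [ImportEntry("<import directory RVA outside any section>", 0, True)]
    findings = []
    for i in range(MAX_DESCRIPTORS):
        off = desc_off + 20 * i
        if off + 20 > len(data):
            break
        fields = struct.unpack_from("<IIIII", data, off)  # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        if not any(fields):
            break  # all-zero descriptor terminates the array
        name_off = _rva_to_offset(fields[3], sections)
        if name_off is None or name_off >= len(data):
            findings.append(ImportEntry("<name RVA outside any section>", 0, True))
            continue
        name, truncated = _read_cstring(data, name_off, MAX_STRING_READ)
        findings.append(ImportEntry(name.decode("latin-1"), len(name), truncated or len(name) > max_name))
    return findings


def build_sample_pe(dll_names):
    """Construct a minimal PE32 image whose only content is an import directory (constructed test input)."""
    SEC_RVA, SEC_RAW, SEC_SIZE = 0x1000, 0x200, 0x1000
    names_start = 20 * (len(dll_names) + 1)
    descriptors, strings = bytearray(), bytearray()
    for name in dll_names:
        descriptors += struct.pack("<IIIII", 0, 0, 0, SEC_RVA + names_start + len(strings), 0)
        strings += name + b"\0"
    body = descriptors + b"\0" * 20 + strings
    body += b"\0" * (SEC_SIZE - len(body))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SEC_RVA, names_start)
    sec = bytearray(40)
    sec[:8] = b".idata\0\0"
    struct.pack_into("<IIII", sec, 8, SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_RAW)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers + b"\0" * (SEC_RAW - len(headers)) + body)


if __name__ == "__main__":
    sample = build_sample_pe([b"KERNEL32.dll", b"A" * 900])  # second name mimics an oversized library name
    for entry in scan_pe_imports(sample):
        print("%-8s %4d  %s" % ("SUSPECT" if entry.suspicious else "ok", entry.length, entry.name[:40]))
```

To use it on a real file, read the bytes with `open(path, "rb").read()` and pass them to `scan_pe_imports`; any entry marked suspicious is a reason to inspect the file with a bounded tool before loading it into a disassembler. As the advisory notes, the name-length check only covers the import-table vector it describes.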