ADVISORY: DataRescue Interactive Disassembler Pro Debugger Format String Vulnerability
DataRescue Interactive Disassembler Pro Debugger Format String
Vulnerability
by Piotr Bania <bania.piotr@xxxxxxxxx>
http://pb.specialised.info
Severity: High / Medium - code execution.
Versions affected: Probably all versions, however tested on
4.7.0.830.
I. BACKGROUND
"The IDA Pro Disassembler and Debugger is an interactive,
programmable, extendible,
muti-processor disassembler hosted on Windows or on Linux. IDA
Pro has become the
de-facto standard for the analysis of hostile code, vulnerability
research and COTS
validation (...) IDA supports debugging of x86 Windows PE files,
AMD64 Windows PE
files, and x86 Linux ELF files, either locally or remotely."
MORE AT: http://www.datarescue.com
II. DESCRIPTION
The problem exist when IDA Debugger tries to write informations about
loaded dynamic link library (when LOAD_DLL_DEBUG_EVENT /
UNLOAD_DLL_DEBUG_EVENT
occurs)
Lets look at following sample code to get a better view:
-- snip --
call a
db "KERNEL32.DLL",0
a:
call LoadLibraryA
int 3
-- snip --
Following code should return KERNEL32.DLL base stored in EAX
register.
IDA Debugger shows EAX as: "EAX=77E60000 -> kernel32.dll:77E60000"
(general registers window) - this is one of the examples.
However when loaded library name includes special format
specifiers the
vulnerability takes place, here is the vulnerable code:
(disassembly of ida.wll)
.text:012563F8 mov esi, [ebp+arg_0]
.text:012563FB push [ebp+arg_C]
.text:012563FE push dword_12A27C4
.text:01256404 push 0
.text:01256406 push ebx ; format
string
.text:01256407 lea eax, [ebp+arg_0]
.text:0125640A push eax
.text:0125640B push offset sub_12562C0
.text:01256410 call sub_011D1C78 ; parser
Where EBX contains format specifier supplied by attacker.
III. IMPACT
This vulnerability after successful exploitation can allow the
attacker to run arbitrary code in context of current user.
Of course if the exploitation was not successful IDA Debugger
will fault or IDA can freeze (100% cpu - database corruption).
Note that potencial attacker can drop "baddll" on the fly, there
are few variants.
IV. POC CODE
The POC code was released for vendor.
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@xxxxxxxxx> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------