[NEWS] IDA Pro Format String Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/05
To: list@securiteam.com Date: 17 Mar 2005 10:34:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IDA Pro Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
"The IDA Pro Disassembler and Debugger is an interactive, programmable,
extensible, multi-processor disassembler hosted on Windows or on Linux"
(http://www.datarescue.com/). The IDA Pro debugger is vulnerable to a format
string vulnerability when it formats the name of a loaded DLL.
DETAILS
Vulnerable Systems:
* IDA Pro version 4.7.0.830
The problem exists when the IDA Debugger writes information about a loaded
dynamic link library (when a LOAD_DLL_DEBUG_EVENT or UNLOAD_DLL_DEBUG_EVENT
occurs).
Let's look at the following sample code to get a better view:
call a                  ; pushes the address of the string below as the "return address"
db "KERNEL32.DLL",0     ; that address becomes LoadLibraryA's lpLibFileName argument
a:
call LoadLibraryA       ; EAX = base address of KERNEL32.DLL
int 3                   ; break into the debugger, which then reports the loaded module
The code above returns the base address of KERNEL32.DLL in the EAX register.
The IDA Debugger shows EAX as "EAX=77E60000 -> kernel32.dll:77E60000" in the
general registers window; this is one of the places where the module name is
printed. However, when the loaded library's name includes format specifiers,
the vulnerability is triggered. Here is the vulnerable code:
(disassembly of ida.wll)
.text:012563F8 mov esi, [ebp+arg_0]
.text:012563FB push [ebp+arg_C]
.text:012563FE push dword_12A27C4
.text:01256404 push 0
.text:01256406 push ebx ; format string
.text:01256407 lea eax, [ebp+arg_0]
.text:0125640A push eax
.text:0125640B push offset sub_12562C0
.text:01256410 call sub_011D1C78 ; parser
Here EBX contains the format string, i.e. the DLL name supplied by the attacker.
After successful exploitation this vulnerability can allow the attacker to
run arbitrary code in the context of the current user. If exploitation is
not successful, the IDA Debugger will fault or IDA can freeze (100% CPU,
database corruption). Note that an attacker can drop the "baddll" on the fly;
there are a few variants.
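The bug class described above, as an added illustration that is not part of the advisory and not IDA's code: a constructed printf-style message sink (dbg_msg, standing in for the advisory's "parser") is fed an untrusted module name as its format, beside the hardened call, a boundary check, and an escaping fallback. The function names and the sample module names are assumptions; the 77E60000 base is the value quoted in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the debugger's message sink (the advisory's "parser"): a
 * printf-style routine that interprets whatever arrives as its format. */
static int dbg_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the module name read from the debuggee is passed where
 * the format belongs. A name containing '%' directives makes vsnprintf read
 * arguments that were never supplied, which is the fault the advisory describes. */
int log_module_vulnerable(char *out, size_t outsz, const char *dll_name)
{
    return dbg_msg(out, outsz, dll_name);          /* BUG: untrusted format */
}

/* Hardened pattern: the format is a literal and the name is only a %s argument,
 * producing the "name:base" form the registers window shows. */
int log_module_safe(char *out, size_t outsz, const char *dll_name, unsigned base)
{
    return dbg_msg(out, outsz, "%s:%08X", dll_name, base);
}

/* Detection at the trust boundary: does the name carry any printf directive? */
int name_has_format_directive(const char *dll_name)
{
    return strchr(dll_name, '%') != NULL;
}

/* Fallback when the sink cannot be changed: escape '%' as "%%" so the sink
 * prints the name literally. Returns 0 on success, -1 if dst is too small. */
int escape_module_name(char *dst, size_t dstsz, const char *src)
{
    size_t j = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (j + need >= dstsz) return -1;
        if (*src == '%') dst[j++] = '%';
        dst[j++] = *src;
    }
    dst[j] = '\0';
    return 0;
}
```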
Proof of Concept:
Proof of concept code for this vulnerability can be found at:
http://pb.specialised.info/all/adv/POC/IdaPOC.zip
ADDITIONAL INFORMATION
The information has been provided by Piotr Bania (bania.piotr@gmail.com).
The original article can be found at:
http://pb.specialised.info/all/adv/ida-debugger-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.