[NEWS] IDA Pro Format String Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/05
- Previous message: SecuriTeam: "[NT] GoodTech Telnet Server Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 17 Mar 2005 10:34:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IDA Pro Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
"The <http://www.datarescue.com/> IDA Pro Disassembler and Debugger is an
interactive, programmable, extensible, muti-processor disassembler hosted
on Windows or on Linux". IDA Pro is vulnerable to format string
vulnerability parsing a loaded DLL name.
DETAILS
Vulnerable Systems:
* IDA Pro version 4.7.0.830
The problem exist when IDA Debugger tries to write informations about
loaded dynamic link library (when LOAD_DLL_DEBUG_EVENT /
UNLOAD_DLL_DEBUG_EVENT occurs)
Lets look at following sample code to get a better view:
call a
db "KERNEL32.DLL",0
a:
call LoadLibraryA
int 3
The code above should return KERNEL32.DLL base stored in EAX register. IDA
Debugger shows EAX as: "EAX=77E60000 -> kernel32.dll:77E60000" (general
registers window) - this is one of the examples. However when loaded
library name includes special format specifiers the vulnerability takes
place, here is the vulnerable code:
(disassembly of ida.wll)
.text:012563F8 mov esi, [ebp+arg_0]
.text:012563FB push [ebp+arg_C]
.text:012563FE push dword_12A27C4
.text:01256404 push 0
.text:01256406 push ebx ; format string
.text:01256407 lea eax, [ebp+arg_0]
.text:0125640A push eax
.text:0125640B push offset sub_12562C0
.text:01256410 call sub_011D1C78 ; parser
Where EBX contains format specifier supplied by attacker.
This vulnerability after successful exploitation can allow the attacker to
run arbitrary code in context of current user. Of course if the
exploitation was not successful IDA Debugger will fault or IDA can freeze
(100% CPU - database corruption).Note that an attacker can drop "baddll"
on the fly, there are few variants.
Proof of Concept:
A proof of concept code for this vulnerability can be found at
<http://pb.specialised.info/all/adv/POC/IdaPOC.zip>
http://pb.specialised.info/all/adv/POC/IdaPOC.zip.
ADDITIONAL INFORMATION
The information has been provided by <mailto:bania.piotr@gmail.com> Piotr
Bania.
The original article can be found at:
<http://pb.specialised.info/all/adv/ida-debugger-adv.txt>
http://pb.specialised.info/all/adv/ida-debugger-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] GoodTech Telnet Server Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
