Vulnerabilities in Portable Executable (PE) File Format For Win32 Architecture

From: Exurity Inc. (
Date: 04/09/03

  • Next message: Over_G: "Admin access in GuestBook r4"
    From: "Exurity Inc." <>
    To: <>
    Date: Wed, 9 Apr 2003 09:51:36 -0400

    Hi, Everyone on this list:

    Please find a research paper on
    the vulnerabilities of PE File Format For Win32 Architecture (especially
    x86). These vulnerabilities are probably well known. Some might have been
    used or exploited by many. The main concept of this research article is
    about the fact that the free virtual space between sections is the hiding
    place for embedded code and a launching pad for bigger mobile code, let's
    not forget to mention, and security risks. Actually, for more sophisticated
    embedded code, it is possible in theory to shift code around within an
    executable to embed even without the free virtual space reported in this

    In summary, this paper addresses a few vulnerabilities in Win32 architecture
    (x86 in particular) as follows:

    * The explicit linking of Dynamic Link Library executables into a process,
    especially the GetProcAddress and LoadLibrary API functions, has far more
    consequences than it facilitates normal program developers the flexibility
    in linking to their libraries dynamically. These two API functions make the
    exploit code, embedded code, and other highly mobile code possible.
    * The intact PE header information, including import and export library
    info, left in RAM for a process provides the strong "vines" to be followed
    up for GetProcAddress and Kernel32ModuleBase from many climbing points.
    * The virtual address gap between two sequential sections of one executable,
    either .exe or .dll, is wide enough to harbor a few "mice that carry
    elephants with them through the gap".
    * Lack of checking, or weak checking mechanism, for the integrity of
    executables on the operating system (and/or anti-virus programs) during the
    preparation for launching executables enables the modification of executable
    files and execution of new mobile code relatively easy. It seems a lot of
    components fail to detect the modification of executables at all.
    * Executables, once compiled, linked and delivered, are prone to be modified
    by other programs and most of them do not have run-time self-protection
    mechanism implemented. This weakness is not only limited to Win32
    application programs. Many executable files for other operating systems fail
    to check on themselves during the run-time as well. But the dynamic linking
    functionalities provided on Win32 make the embedding of mobile code
    especially dangerous.

    Microsoft and CERT were submitted with this report before. Since these
    vulnerabilities are quite fundamental, it probably will take a while to get
    things fixed.
    However, these vulnerabilities are probably not that new and are not
    first-layer vulnerabilities as buffer overflow ones. Therefore, we release
    this report as background research paper and warn the public about the
    security risks. For your convenience, the EmbedMe.c source file is attached
    as well.

    Peter Huang


  • Next message: Over_G: "Admin access in GuestBook r4"