Re: iDEFENSE Security Advisory 01.24.05: DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability

From: dila (dilabox_at_gmail.com)
Date: 01/31/05

    Date: Mon, 31 Jan 2005 00:07:29 +0000
    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    
    

    A fixed version of PEiD has been released.
    http://peid.tk/

    On Mon, 24 Jan 2005 15:13:39 -0500, iDefense Customer Service
    <customerservice@idefense.com> wrote:
    > DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability
    >
    > iDEFENSE Security Advisory 01.24.05
    > www.idefense.com/application/poi/display?id=189&type=vulnerabilities
    > January 24, 2005
    >
    > I. BACKGROUND
    >
    > DataRescue Inc.'s IDA Pro is a Windows or Linux hosted multi-processor
    > disassembler and debugger providing a multitude of features. More
    > information is available at:
    >
    > http://www.datarescue.com/idabase/
    >
    > II. DESCRIPTION
    >
    > Exploitation of a buffer overflow vulnerability in DataRescue Inc.'s
    > Interactive Disassembler Pro (IDA Pro) allows attackers to execute
    > arbitrary code under the context of the logged on user.
    >
    > The problem specifically exists in the code responsible for parsing the
    > Portable Executable import directory. The import directory lists all the
    > symbols imported by the PE file and is stored as an array of data
    > structures. Each data structure contains the name of the imported
    > library and a list of function pointers, known as the Import Address
    > Table. A stack-based buffer overflow occurs when parsing long import
    > library names in the following snippet of assembly from ida.wll
    > (IDA Pro v4.7):
    >
    > 0x100838BB LEA EDX, [EBP-30C]
    > 0x100838C1 PUSH DWORD PTR [EBP+8]
    > 0x100838C4 PUSH EDX
    > 0x100838C5 CALL ida.#835
    >
    > "EBP+8" from above represents the attacker-supplied source buffer and
    > "EBP-30C" represents the static stack-based destination buffer of
    > approximately 800 bytes. The "ida_835" procedure performs an unchecked
    > string copy overwriting a stored return address and allowing an attacker
    > to redirect CPU flow to eventually execute arbitrary code.
    >
    > III. ANALYSIS
    >
    > Exploitation of the described vulnerability allows attackers to execute
    > arbitrary code under the context of the logged in user. Exploitation
    > requires that an attacker convince a target user to open a malicious
    > Portable Executable file with a vulnerable version of IDA Pro. IDA Pro
    > is the primary disassembler used by many security researchers. As such,
    > the severity of this issue is exacerbated when considering the impact of
    > a fast spreading worm combined with an exploit for this vulnerability.
    >
    > Although simple modification of an import library name is sufficient to
    > exploit this vulnerability, the Windows loader will fail to recognize it
    > as a valid PE file. This will result in a non-executable malicious
    > binary. iDEFENSE has discovered a method for exploiting this
    > vulnerability in a fashion that is undetectable via PE import table
    > entry analysis, and that is effective against IDA Pro and will load and
    > execute as a regular binary without error.
    >
    > It should be noted that other applications designed to analyze PE
    > executables may also be vulnerable. PEiD is a freely available PE
    > analysis tool and is also susceptible to attack.
    >
    > IV. DETECTION
    >
    > iDEFENSE has confirmed the existence of this vulnerability in IDA Pro
    > versions 4.6 Service Pack 1 and 4.7 on both the Microsoft Windows and
    > Linux platforms. It is suspected that earlier versions are also
    > affected.
    >
    > V. WORKAROUND
    >
    > Prior to opening unknown files with vulnerable versions of IDA Pro,
    > examine the PE import table entries for long or abnormal strings. There
    > are a number of tools available for analyzing the PE file format. It is
    > important to note that this method will not catch all exploit vectors.
    >
    > VI. VENDOR RESPONSE
    >
    > "A temporary fix is available here
    >
    > http://www.datarescue.com/cgi-local/ultimatebb.cgi?/forum/2.html
    >
    > A more generic fix will be available in the next IDA Pro release."
    >
    > VII. CVE INFORMATION
    >
    > The Common Vulnerabilities and Exposures (CVE) project has assigned the
    > names CAN-2005-0115 to these issues. This is a candidate for inclusion
    > in the CVE list (http://cve.mitre.org), which standardizes names for
    > security problems.
    >
    > VIII. DISCLOSURE TIMELINE
    >
    > 01/12/2005 Initial vendor notification
    > 01/12/2005 Initial vendor response
    > 01/24/2005 Coordinated public disclosure
    >
    > IX. CREDIT
    >
    > Lord Yup is credited with this discovery.
    >
    > Get paid for vulnerability research
    > http://www.idefense.com/poi/teams/vcp.jsp
    >
    > X. LEGAL NOTICES
    >
    > Copyright (c) 2005 iDEFENSE, Inc.
    >
    > Permission is granted for the redistribution of this alert
    > electronically. It may not be edited in any way without the express
    > written consent of iDEFENSE. If you wish to reprint the whole or any
    > part of this alert in any other medium other than electronically, please
    > email customerservice@idefense.com for permission.
    >
    > Disclaimer: The information in the advisory is believed to be accurate
    > at the time of publishing based on currently available information. Use
    > of the information constitutes acceptance for use in an AS IS condition.
    >
    > There are no warranties with regard to this information. Neither the
    > author nor the publisher accepts any liability for any direct, indirect,
    > or consequential loss or damage arising from use of, or reliance on,
    > this information.
    >

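As an added example (not part of dila's post or the iDEFENSE advisory), here is a Python scanner implementing the advisory's section V workaround: walk the PE import directory and flag import library names that are over-long or otherwise abnormal before a file is opened in a PE analysis tool. It builds its own minimal, constructed PE32 image as input; the 256-byte threshold, the PE32-only handling and the `build_sample_pe` helper are this example's assumptions, not anything from the advisory.

```python
import struct

# Constructed minimal PE32 image (not a real binary): DOS stub, PE/COFF header, optional
# header, one section whose RVA equals its file offset, then the import descriptors and names.
def build_sample_pe(dll_names, sec_off=0x200):
    descs, names = b"", b""
    name_base = sec_off + 20 * (len(dll_names) + 1)
    for n in dll_names:                       # IMAGE_IMPORT_DESCRIPTOR is 20 bytes:
        name_rva = name_base + len(names)     # OFT, TimeDateStamp, ForwarderChain, Name RVA, FirstThunk
        names += n.encode("latin-1") + b"\0"
        descs += struct.pack("<5I", 0, 0, 0, name_rva, 0)
    descs += b"\0" * 20                       # all-zero descriptor terminates the array
    section = descs + names
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_off, len(descs))         # DataDirectory[1] = imports
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_off, len(section), sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + bytes(opt) + sec
    return hdr + b"\0" * (sec_off - len(hdr)) + section

def scan_import_names(data, max_len=256):
    # Returns one (dll_name, length, abnormal) tuple per import descriptor.
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]
    sec_tbl = opt + struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    secs = [struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8) for i in range(nsec)]
    def rva_to_off(rva):                       # map an RVA through the section table
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA %#x lies outside every section" % rva)
    out, off = [], rva_to_off(imp_rva)
    while off + 20 <= len(data) and any(struct.unpack_from("<5I", data, off)):  # stop at null descriptor
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        start = rva_to_off(name_rva)
        end = data.find(b"\0", start)
        name = data[start:end if end >= 0 else len(data)]
        # Flag what the workaround looks for: over-long, unterminated, or non-printable DLL names.
        abnormal = end < 0 or len(name) > max_len or not name.isascii() or any(c < 0x20 for c in name)
        out.append((name.decode("latin-1"), len(name), abnormal))
        off += 20
    return out
```

The scan reads only the import directory, so as the advisory notes it will not catch every exploit vector; it is a cheap pre-check, not a substitute for the vendor fix.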
