A fixed version of PEiD has been released.

http://peid.tk/

On Mon, 24 Jan 2005 15:13:39 -0500, iDefense Customer Service <customerservice@xxxxxxxxxxxx> wrote:
> DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability
>
> iDEFENSE Security Advisory 01.24.05
> www.idefense.com/application/poi/display?id=189&type=vulnerabilities
> January 24, 2005
>
> I. BACKGROUND
>
> DataRescue Inc.'s IDA Pro is a Windows or Linux hosted multi-processor
> disassembler and debugger providing a multitude of features. More
> information is available at:
>
> http://www.datarescue.com/idabase/
>
> II. DESCRIPTION
>
> Exploitation of a buffer overflow vulnerability in DataRescue Inc.'s
> Interactive Disassembler Pro (IDA Pro) allows attackers to execute
> arbitrary code under the context of the logged on user.
>
> The problem specifically exists in the code responsible for parsing the
> Portable Executable import directory. The import directory lists all the
> symbols imported by the PE file and is stored as an array of data
> structures. Each data structure contains the name of the imported
> library and a list of function pointers, known as the Import Address
> Table. A stack-based buffer overflow occurs when parsing long import
> library names in the following snippet of assembly from ida.wll
> (IDA Pro v4.7):
>
> 0x100838BB LEA EDX, [EBP-30C]
> 0x100838C1 PUSH DWORD PTR [EBP+8]
> 0x100838C4 PUSH EDX
> 0x100838C5 CALL ida.#835
>
> "EBP+8" from above represents the attacker-supplied source buffer and
> "EBP-30C" represents the static stack-based destination buffer of
> approximately 800 bytes. The "ida_835" procedure performs an unchecked
> string copy overwriting a stored return address and allowing an attacker
> to redirect CPU flow to eventually execute arbitrary code.
>
> III. ANALYSIS
>
> Exploitation of the described vulnerability allows attackers to execute
> arbitrary code under the context of the logged in user. Exploitation
> requires that an attacker convince a target user to open a malicious
> Portable Executable file with a vulnerable version of IDA Pro. IDA Pro
> is the primary disassembler used by many security researchers. As such,
> the severity of this issue is exacerbated when considering the impact of
> a fast spreading worm combined with an exploit for this vulnerability.
>
> Although simple modification of an import library name is sufficient to
> exploit this vulnerability, the Windows loader will fail to recognize it
> as a valid PE file. This will result in a non-executable malicious
> binary. iDEFENSE has discovered a method for exploiting this
> vulnerability in a fashion that is undetectable via PE import table
> entry analysis, and that is effective against IDA Pro and will load and
> execute as a regular binary without error.
>
> It should be noted that other applications designed to analyze PE
> executables may also be vulnerable. PEiD is a freely available PE
> analysis tool and is also susceptible to attack.
>
> IV. DETECTION
>
> iDEFENSE has confirmed the existence of this vulnerability in IDA Pro
> versions 4.6 Service Pack 1 and 4.7 on both the Microsoft Windows and
> Linux platforms. It is suspected that earlier versions are also
> affected.
>
> V. WORKAROUND
>
> Prior to opening unknown files with vulnerable versions of IDA Pro,
> examine the PE import table entries for long or abnormal strings. There
> are a number of tools available for analyzing the PE file format. It is
> important to note that this method will not catch all exploit vectors.
>
> VI. VENDOR RESPONSE
>
> "A temporary fix is available here
>
> http://www.datarescue.com/cgi-local/ultimatebb.cgi?/forum/2.html
>
> A more generic fix will be available in the next IDA Pro release."
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> names CAN-2005-0115 to these issues. This is a candidate for inclusion
> in the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 01/12/2005 Initial vendor notification
> 01/12/2005 Initial vendor response
> 01/24/2005 Coordinated public disclosure
>
> IX. CREDIT
>
> Lord Yup is credited with this discovery.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright (c) 2005 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
>
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
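Section V of the quoted advisory recommends checking the PE import table for long or abnormal library names before opening an unknown file in a vulnerable analysis tool, and section II describes that table as an array of structures, each carrying the name of an imported library and its Import Address Table. The Python check below is an added example written for this thread; it is not iDEFENSE, DataRescue or PEiD code. It walks the standard IMAGE_IMPORT_DESCRIPTOR array (20-byte entries terminated by an all-zero entry, Name field at offset 12) using only the section table to map RVAs to file offsets, and reports every library name longer than a configurable limit or not NUL-terminated. The 260-byte limit (MAX_PATH) is an assumption chosen because legitimate DLL names are far shorter than the roughly 800-byte destination buffer the advisory describes; the `build_sample_pe` helper fabricates a minimal PE32 image purely as constructed test input. As the advisory itself notes, such a string-length check does not catch every exploit vector.

```python
import struct

# Assumed threshold for an "abnormal" import library name (MAX_PATH).
# Real DLL names are a few dozen bytes; anything near the ~800-byte stack
# buffer described in the advisory is far beyond any legitimate value.
MAX_DLL_NAME = 260


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not mapped by any section" % rva)


def _read_cstring(data, offset, hard_cap=4096):
    """Read a NUL-terminated string; returns (bytes, unterminated_flag).

    Scanning is bounded by hard_cap so a name without a terminator cannot
    drag the parser through the rest of the file.
    """
    end = data.find(b"\x00", offset, offset + hard_cap)
    if end == -1:
        return data[offset:offset + hard_cap], True
    return data[offset:end], False


def check_import_names(data, max_len=MAX_DLL_NAME):
    """Walk the import directory; return [(name, length, flagged), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); imports are entry 1.
    dd_base = opt + (96 if magic == 0x10B else 112)
    import_rva = struct.unpack_from("<I", data, dd_base + 8)[0]
    # Section headers (40 bytes each) follow the optional header.
    sec_base = opt + opt_size
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_base + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    results = []
    if import_rva == 0:
        return results  # no imports at all
    desc = _rva_to_offset(import_rva, sections)
    while desc + 20 <= len(data):
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the array
        name, unterminated = _read_cstring(data, _rva_to_offset(name_rva, sections))
        flagged = unterminated or len(name) > max_len
        results.append((name.decode("latin-1"), len(name), flagged))
        desc += 20
    return results


def suspicious_imports(data, max_len=MAX_DLL_NAME):
    """Names a defender should look at before opening the file in a PE analyzer."""
    return [name for name, _length, flagged in check_import_names(data, max_len) if flagged]


def build_sample_pe(dll_names):
    """Constructed minimal PE32 image with the given import library names (test input only)."""
    SEC_RVA, SEC_OFF, SEC_SIZE = 0x1000, 0x200, 0x1000
    section = bytearray(SEC_SIZE)
    table_len = 20 * (len(dll_names) + 1)
    cursor = table_len
    descriptors = b""
    for name in dll_names:
        section[cursor:cursor + len(name) + 1] = name + b"\x00"
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descriptors += struct.pack("<IIIII", 0, 0, 0, SEC_RVA + cursor, SEC_RVA + SEC_SIZE - 8)
        cursor += len(name) + 1
    section[:table_len] = descriptors + b"\x00" * 20
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, SEC_RVA, table_len)  # import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_OFF, 0, 0, 0, 0, 0x40000040)
    header = dos + b"PE\x00\x00" + coff + opt + sec_hdr
    header += b"\x00" * (SEC_OFF - len(header))
    return bytes(header + section)


if __name__ == "__main__":
    sample = build_sample_pe([b"KERNEL32.dll", b"A" * 300])
    for name, length, flagged in check_import_names(sample):
        print("%-4s %4d  %s" % ("BAD" if flagged else "ok", length, name[:40]))
```

Run against a real file with `check_import_names(open(path, "rb").read())`; an empty list from `suspicious_imports` only means no oversized or unterminated library name was found, which is the single vector the workaround covers.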