VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Crash on Authenticode X509 certificate's ASN.1 integer set for cert_info->version #1365

Open d3v1l401 opened 3 years ago

d3v1l401 commented 3 years ago

If we scan a Microsoft PE file with an Authenticode signature, YARA crashes when setting the cert_info->version integer field from the X509 certificate; specifically, on this line (I expanded the code out of the macros manually, as you can see):

    void _parse_pkcs7(PE* pe, PKCS7* pkcs7, int* counter)
    {
        // [...]
        set_string(buffer, pe->object, "signatures[%i].subject", *counter);

        // Original code:
        //set_integer(
        //    X509_get_version(cert) + 1, // Versions are zero based, so add one.
        //    pe->object,
        //    "signatures[%i].version", *counter);

        // Manually expanded version of the same call:
        long inter = ASN1_INTEGER_get((cert)->cert_info->version) + 1; // <---- here it crashes
        yr_object_set_integer(inter, pe->object, "signatures[%i].version", *counter);
        // [...]
    }

Here are the crash details: Exception thrown at 0x00007FF6C64CFE4C in yara64.exe: 0xC0000005: Access violation reading location 0x0000000200000005.

Here is the dump of the X509 content: [image]

Yara version:

yara -v 
4.0.2

This is happening only with a specific Microsoft library that I found in Rockstar's launcher: api-ms-win-core-processenvironment-l1-1-0.dll

I don't know exactly how you can find this file, but I attached it to this report: api-ms-win-core-processenvironment-l1-1-0.zip
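The value the crashing call above reads, ASN1_INTEGER_get(cert_info->version), is the version field at the very start of the certificate's tbsCertificate, and the +1 exists because the wire encoding is zero-based (v1 = 0, v2 = 1, v3 = 2). The following is an added example of my own, not YARA's or OpenSSL's code, that reads that field straight from DER bytes with every length checked against the buffer, returning -1 instead of reading out of bounds when the input is truncated, malformed, or carries a version outside the defined range. The function names and the sample byte strings are constructed for the example; the inputs are only the leading bytes of a certificate, enough to reach the version. In OpenSSL 1.1.x the X509 struct is opaque and X509_get_version() is a function rather than a macro, so the commented-out accessor call is the supported way to get this value from a parsed certificate.

```c
/* Bounds-checked reader for the X.509 version field in DER (added example). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one DER tag/length header at p. Returns 0 on success, -1 on a wrong
 * tag, a truncated header, or a content length that does not fit in avail.
 * *hdr receives the header size, *len the content length. */
static int der_header(const uint8_t *p, size_t avail, uint8_t expect_tag,
                      size_t *hdr, size_t *len)
{
    if (avail < 2 || p[0] != expect_tag)
        return -1;
    if (p[1] < 0x80) {                 /* short-form length */
        *hdr = 2;
        *len = p[1];
    } else {                           /* long-form length: 0x81..0x84 */
        size_t n = p[1] & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n)
            return -1;
        *len = 0;
        for (size_t i = 0; i < n; i++)
            *len = (*len << 8) | p[2 + i];
        *hdr = 2 + n;
    }
    if (*len > avail - *hdr)           /* content must lie inside the buffer */
        return -1;
    return 0;
}

/* Returns the one-based X.509 version (1, 2 or 3) of a DER certificate
 * prefix, or -1 if the input is malformed, truncated, or out of range. */
int x509_version(const uint8_t *der, size_t len)
{
    size_t hdr, clen;

    /* Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, ... } */
    if (der_header(der, len, 0x30, &hdr, &clen) != 0)
        return -1;
    der += hdr; len = clen;

    /* TBSCertificate ::= SEQUENCE { version [0] EXPLICIT DEFAULT v1, ... } */
    if (der_header(der, len, 0x30, &hdr, &clen) != 0)
        return -1;
    der += hdr; len = clen;

    if (len == 0)
        return -1;                     /* empty tbsCertificate is malformed */
    if (der[0] != 0xa0)
        return 1;                      /* [0] absent: DEFAULT v1 */

    if (der_header(der, len, 0xa0, &hdr, &clen) != 0)
        return -1;
    der += hdr; len = clen;

    /* Version ::= INTEGER { v1(0), v2(1), v3(2) }: exactly one content byte
     * that fills the [0] wrapper completely. */
    if (der_header(der, len, 0x02, &hdr, &clen) != 0 || clen != 1 ||
        hdr + clen != len)
        return -1;
    uint8_t v = der[hdr];
    if (v > 2)
        return -1;
    return (int)v + 1;                 /* zero-based on the wire, one-based as YARA reports */
}

int main(void)
{
    /* Constructed sample: Certificate { TBS { [0]{INTEGER 2}, INTEGER 1 } } */
    const uint8_t v3[] = {0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02, 0x01,
                          0x02, 0x02, 0x01, 0x01};
    /* Constructed sample with the version omitted (DEFAULT v1) */
    const uint8_t v1[] = {0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01};
    /* Constructed sample cut off inside the outer SEQUENCE */
    const uint8_t cut[] = {0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02};

    printf("v3 sample  -> %d\n", x509_version(v3, sizeof v3));
    printf("v1 sample  -> %d\n", x509_version(v1, sizeof v1));
    printf("truncated  -> %d\n", x509_version(cut, sizeof cut));
    return 0;
}
```

The check that matters for the crash discussed in this thread is the one in der_header(): a length claimed by the input is never trusted until it has been compared with the bytes actually available, so a malformed or truncated certificate produces an error value rather than a read past the buffer.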

wxsBSD commented 3 years ago

I’ll take a look at this tonight.

wxsBSD commented 3 years ago

I can't replicate this crash on MacOS with latest master, nor on Windows with 4.0.2.

wxsBSD commented 3 years ago

The fact that some of the values in the struct are 0xfdfdfdfd is interesting (although possibly a red herring). Isn't that the value MSFT uses for guard pages in a debug build? Can you replicate the bug in a release build?

d3v1l401 commented 3 years ago

I tried to replicate it in Release mode and it doesn't happen.

I attach here the compiled binary rules and the text ones, so that you can perhaps replicate the problem if it comes from the rules.

Release.zip

wxsBSD commented 3 years ago

The compiled binary rules or the source for the rules is not going to make a difference. The crash you observed indicates it is in the OpenSSL code, but only when built for Windows and only when in debug mode. I know nothing about how the Windows build for YARA works, so I can't really debug further here. I can try and get a build environment set up on Windows, but it might take me some time...

A minimal repro would be a debug build on Windows and this rule:

    import "pe"
    rule a { condition: false }

plusvic commented 3 years ago

I tried to replicate this issue without success. I built YARA with Visual Studio 2015 for both 64 and 32 bits in debug mode and it didn't crash. The pre-built binaries for version 4.0.2 also work fine. Can you provide more information about how you built the binaries that you're using?

d3v1l401 commented 3 years ago

I built it using the Visual Studio 2019 toolset (v142) and converted the project to ISO C++17 instead of C.

My modifications to the program did not change the core functionality of YARA; I simply added C++ code (a class) to download compiled binary rules from a remote host via HTTPS with cURL.

If the problem lies in OpenSSL, then I can tell you I downloaded the OpenSSL NuGet package embedded within the VS project in the %YARA%\windows\vs2017\ directory after conversion to a 2019 project solution:

YARA.OpenSSL.x64 (1.1.1)

I really don't know what else it could be; let me know if I can give you more information.