avast / authenticode-parser

Authenticode-parser is a simple C library for Authenticode format parsing using OpenSSL.
MIT License

Crash when parsing malformed PE file #2

Closed. retpoline closed this issue 2 years ago.

retpoline commented 2 years ago

Hi folks,

A crash was found while fuzz testing the authenticode_dumper binary; it can be triggered via a malformed PE file. Although this malformed file only crashes the program as-is, it could potentially be crafted further to create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.

crash.exe debug log

Repro file: https://ufile.io/6qwkgvkm

$ authenticode_dumper crash.exe
Segmentation fault (core dumped)

(gdb) r crash.exe
Starting program: authenticode_dumper crash.exe
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555559b2b in parse_authenticode ()

(gdb) i r
rax            0x555556563490      93825009071248
rbx            0x55555555c660      93824992265824
rcx            0x1                 1
rdx            0x1000000           16777216
rsi            0xe5                229
rdi            0x555555563490      93824992294032
rbp            0x7fffffffe2d0      0x7fffffffe2d0
rsp            0x7fffffffe270      0x7fffffffe270
r8             0x0                 0
r9             0x7c                124
r10            0x0                 0
r11            0x202               514
r12            0x555555557e20      93824992247328
r13            0x7fffffffe410      140737488348176
r14            0x0                 0
r15            0x0                 0
rip            0x555555559b2b      0x555555559b2b <parse_authenticode+277>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) x/i $rip
=> 0x555555559b2b <parse_authenticode+277>: mov    (%rax),%eax

(gdb) bt
#0  0x0000555555559b2b in parse_authenticode ()
#1  0x00005555555586e6 in main ()

(gdb) exploitable
Description: Access violation on source operand
Short description: SourceAv (19/22)
Hash: 78e41302c7e8e2098689aa57462889e0.78e41302c7e8e2098689aa57462889e0
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
Other tags: AccessViolation (21/22)
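Editor's note on the dump above: the faulting instruction is `mov (%rax),%eax`, and rax (0x555556563490) is exactly rdi (0x555555563490) plus rdx (0x1000000), i.e. a pointer 16 MiB past a base address, which is consistent with a size or offset field read from the file being used to form a pointer without a bounds check. The following is an added example of the hardening the report asks for. It is written for this page and is not code from authenticode-parser; it does not reproduce the library's parsing path or the specific defect fixed in #3. It walks a PE image to the Authenticode security directory (data directory entry 4, whose VirtualAddress is a raw file offset) and validates every file-supplied offset and length against the buffer length before using it, so a hostile value such as 0x1000000 yields an error code rather than a wild read. The function names, error codes, `demo` helpers and the 336-byte sample image are all the editor's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes: TRUNCATED = a header field lies past the buffer, MAGIC = bad MZ/PE/optional
 * magic, RANGE = directory or dwLength points outside the file, NO_SIGNATURE = unsigned. */
enum { PE_OK = 0, PE_ERR_TRUNCATED = -1, PE_ERR_MAGIC = -2, PE_ERR_RANGE = -3, PE_ERR_NO_SIGNATURE = -4 };

/* Little-endian read of n (1..4) bytes at off, refused unless [off, off+n) lies inside buf.
 * "off > len || n > len - off" is the overflow-safe form of "off + n > len". */
static int rd_le(const uint8_t *buf, size_t len, size_t off, size_t n, uint32_t *out)
{
    if (off > len || n > len - off) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)buf[off + i] << (8 * i);
    *out = v;
    return 1;
}

static void put_le(uint8_t *buf, size_t off, size_t n, uint32_t v)
{
    for (size_t i = 0; i < n; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
}

/* Locate the WIN_CERTIFICATE blob referenced by IMAGE_DIRECTORY_ENTRY_SECURITY (index 4).
 * For this directory VirtualAddress is a raw file offset, not an RVA. Every offset taken
 * from the file is checked against len before use, so a hostile value becomes an error
 * code instead of a wild pointer. sig_off/sig_len may be NULL. (Editor's illustration.) */
int pe_find_authenticode(const uint8_t *buf, size_t len, size_t *sig_off, size_t *sig_len)
{
    uint32_t mz, e_lfanew, pe_sig, opt_size, magic, ndirs, cert_off, cert_size, dw_length;
    size_t ndirs_off, dirs_off;

    if (!rd_le(buf, len, 0, 2, &mz) || !rd_le(buf, len, 0x3c, 4, &e_lfanew)) return PE_ERR_TRUNCATED;
    if (mz != 0x5a4d) return PE_ERR_MAGIC;                         /* "MZ" */
    /* "PE\0\0" then the 20-byte COFF header; SizeOfOptionalHeader is at e_lfanew + 20 */
    if (!rd_le(buf, len, e_lfanew, 4, &pe_sig) ||
        !rd_le(buf, len, (size_t)e_lfanew + 20, 2, &opt_size)) return PE_ERR_TRUNCATED;
    if (pe_sig != 0x00004550) return PE_ERR_MAGIC;                 /* "PE\0\0" */

    size_t opt = (size_t)e_lfanew + 24;                            /* optional header start */
    if (!rd_le(buf, len, opt, 2, &magic)) return PE_ERR_TRUNCATED;
    if (magic == 0x10b)      { ndirs_off = 92;  dirs_off = 96;  }  /* PE32  */
    else if (magic == 0x20b) { ndirs_off = 108; dirs_off = 112; }  /* PE32+ */
    else return PE_ERR_MAGIC;

    size_t sec_entry = dirs_off + 4 * 8;                           /* entry 4 within the optional header */
    if (opt_size < sec_entry + 8) return PE_ERR_NO_SIGNATURE;      /* declared header too short for it */
    if (!rd_le(buf, len, opt + ndirs_off, 4, &ndirs)) return PE_ERR_TRUNCATED;
    if (ndirs <= 4) return PE_ERR_NO_SIGNATURE;
    if (!rd_le(buf, len, opt + sec_entry, 4, &cert_off) ||
        !rd_le(buf, len, opt + sec_entry + 4, 4, &cert_size)) return PE_ERR_TRUNCATED;
    if (cert_off == 0 || cert_size == 0) return PE_ERR_NO_SIGNATURE;

    /* The blob must fit in the file and hold the 8-byte WIN_CERTIFICATE header, and its own
     * dwLength must stay within the directory size, or a later PKCS#7 parse reads past it. */
    if (cert_size < 8 || cert_off > len || cert_size > len - cert_off) return PE_ERR_RANGE;
    if (!rd_le(buf, len, cert_off, 4, &dw_length)) return PE_ERR_TRUNCATED;
    if (dw_length < 8 || dw_length > cert_size) return PE_ERR_RANGE;
    if (sig_off) *sig_off = cert_off;
    if (sig_len) *sig_len = dw_length;
    return PE_OK;
}

/* Constructed sample (not a real executable): a 336-byte PE32 skeleton whose security
 * directory points at cert_off with size 16; a 16-byte WIN_CERTIFICATE sits at offset 320. */
enum { SAMPLE_LEN = 336 };
static void build_sample(uint8_t *out, uint32_t cert_off)
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    put_le(out, 0x3c, 4, 64);            /* e_lfanew: PE header at 64 */
    memcpy(out + 64, "PE\0\0", 4);
    put_le(out, 84, 2, 224);             /* SizeOfOptionalHeader (PE32) */
    put_le(out, 88, 2, 0x10b);           /* optional header magic: PE32 */
    put_le(out, 180, 4, 16);             /* NumberOfRvaAndSizes */
    put_le(out, 216, 4, cert_off);       /* security directory VirtualAddress (file offset) */
    put_le(out, 220, 4, 16);             /* security directory Size */
    put_le(out, 320, 4, 16);             /* WIN_CERTIFICATE.dwLength */
    put_le(out, 324, 2, 0x0200);         /* wRevision */
    put_le(out, 326, 2, 0x0002);         /* wCertificateType = PKCS#7 SignedData */
}

/* Parse the sample with a chosen directory offset; file_len < SAMPLE_LEN simulates truncation. */
int demo(uint32_t cert_off, size_t file_len, size_t *off, size_t *n)
{
    uint8_t f[SAMPLE_LEN];
    build_sample(f, cert_off);
    return pe_find_authenticode(f, file_len < (size_t)SAMPLE_LEN ? file_len : (size_t)SAMPLE_LEN, off, n);
}

/* Length of the blob found for a given directory offset, 0 when parsing fails. */
size_t demo_blob_len(uint32_t cert_off)
{
    size_t n = 0;
    return demo(cert_off, SAMPLE_LEN, NULL, &n) == PE_OK ? n : 0;
}
```

`demo(320, SAMPLE_LEN, ...)` succeeds and reports a 16-byte blob at offset 320; `demo(0x1000000, SAMPLE_LEN, ...)`, the same 16 MiB offset seen in rdx above, returns PE_ERR_RANGE without touching memory outside the buffer; `demo(320, 200, ...)` returns PE_ERR_TRUNCATED because the directory entry lies past the shortened file. The design point is that the only primitive that touches the buffer is `rd_le`, which refuses any range outside `[0, len)`, so adding a new header field cannot reintroduce an unchecked dereference.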
HoundThe commented 2 years ago

Thank you for the report! The issue is now fixed within #3