mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

Fixed infinite loop when parsing dotnet TypeRef table #2045

Closed x9090 closed 3 months ago

x9090 commented 6 months ago

There was a TypeRef table infinite loop issue when the dotnet parser parsed a crafted dotnet sample with ref indices that refer to each other:

[screenshot: problematic-dotnet]

Let me know if you need the sample for testing; I could upload it here.

Checklist
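The failure mode in the description above is a walk along TypeRef rows that never reaches a root because the rows reference each other. As an added illustration (not capa's or dnfile's code, and not the fix in this PR), the resolver below models a TypeRef row as a constructed `TypeRefRow` whose `enclosing` field stands in for a ResolutionScope that points at another TypeRef, and terminates on both a two-row cycle and a self-referencing row; the row model, function names and sample tables are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TypeRefRow:
    """Constructed stand-in for an ECMA-335 TypeRef row (assumption, not dnfile's class)."""
    namespace: str
    name: str
    enclosing: Optional[int]  # row index of the enclosing TypeRef, or None for assembly/module scope

class CyclicTypeRef(ValueError):
    """Raised when TypeRef ResolutionScope indices form a loop."""

def resolve_typeref_name(table: List[TypeRefRow], index: int, max_depth: int = 64) -> str:
    """Return 'Namespace.Outer/Inner' for row `index` by walking the enclosing chain to its root."""
    chain: List[TypeRefRow] = []
    seen: set = set()
    cur: Optional[int] = index
    while cur is not None:
        # A naive walk loops forever when rows point at each other; refuse revisits and absurd depth.
        if cur in seen:
            raise CyclicTypeRef(f"TypeRef row {cur} is already on the chain {sorted(seen)}")
        if len(seen) >= max_depth:
            raise CyclicTypeRef(f"TypeRef chain deeper than {max_depth} rows")
        if not 0 <= cur < len(table):
            raise IndexError(f"TypeRef row {cur} out of range")
        seen.add(cur)
        chain.append(table[cur])
        cur = table[cur].enclosing
    root, *nested = reversed(chain)  # outermost type first
    full = f"{root.namespace}.{root.name}" if root.namespace else root.name
    return "/".join([full] + [row.name for row in nested])

def typeref_chain_is_cyclic(table: List[TypeRefRow], index: int) -> bool:
    """True when resolving row `index` would loop, i.e. the crafted case this PR guards against."""
    try:
        resolve_typeref_name(table, index)
    except CyclicTypeRef:
        return True
    return False

# Constructed samples: a normal nested type, and a crafted pair whose rows reference each other.
WELL_FORMED = [
    TypeRefRow("System.Collections.Generic", "List`1", None),  # row 0: top-level type
    TypeRefRow("", "Enumerator", 0),                            # row 1: nested in row 0
]
CRAFTED = [TypeRefRow("Evil", "A", 1), TypeRefRow("", "B", 0)]  # row 0 -> row 1 -> row 0
```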

google-cla[bot] commented 6 months ago

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

mike-hunhoff commented 5 months ago

Checklist

  • [x] No CHANGELOG update needed
  • [x] No new tests needed
  • [x] No documentation update needed

Hi @x9090, thank you for the find and suggested fix - apologies for not getting back to you sooner! Please upload the sample for testing and review the CLA requirements so we can move this PR forward.

williballenthin commented 4 months ago

@x9090 would you please sign the CLA so that we can merge this PR into capa? We'd love to get it in as part of the v7.1 release soon.

mr-tz commented 3 months ago

friendly bump, @x9090

williballenthin commented 3 months ago

Without the CLA signed, we cannot merge this PR.

I haven't been able to find the file shown in the screenshot on VT, so I can't reproduce this nor reimplement it.

Perhaps we should close this PR until @x9090 returns?

mr-tz commented 3 months ago

yes, let's wait for that or other people raising this issue

r0ny123 commented 3 months ago

I haven't been able to find the file shown in the screenshot on VT, so I can't reproduce this nor reimplement it.

Can we hunt for it on VT using a YARA rule? :)

williballenthin commented 3 months ago

I did some VTGrep searches for the random looking strings in the screenshot and didn't come up with anything. Have you had any luck?

r0ny123 commented 3 months ago

I mean crafting a YARA for that specific behaviour mentioned. Possible?

williballenthin commented 3 months ago

maybe by using the Yara .NET extension.

It might be easier to manually craft a file by hand: just tweak two bytes (the table references).