Fatal Error Internal CLR Error when Calling Get Authenticode on ARM binaries

[gfs]

When attempting to fetch authenticode info from the attached ARM binary (a native runtime of System.Data.Sqlite) causes an unrecoverable crash.

Here's the file that causes the crash: e_sqlite3.dll.zip.

Here's the stack trace

Fatal error. Internal CLR error. (0x80131506)
   at System.Buffer._Memmove(Byte ByRef, Byte ByRef, UInt64)
   at System.Buffer.Memmove(Byte ByRef, Byte ByRef, UInt64)
   at System.Span`1[[System.Byte, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].ToArray()
   at PeNet.Header.Authenticode.ContentInfo..ctor(System.Span`1<Byte>)
   at PeNet.Header.Authenticode.AuthenticodeInfo..ctor(PeNet.PeFile)
   at PeNet.HeaderParser.Authenticode.AuthenticodeParser.ParseTarget()
   at PeNet.PeFile.get_Authenticode()
   at AttackSurfaceAnalyzer.Collectors.WindowsFileSystemUtils.GetSignatureStatus(System.String)

Here's GetSignatureStatus https://github.com/microsoft/AttackSurfaceAnalyzer/blob/7e77e4d81a344f26ee474155bedcd57330046441/Lib/Collectors/WindowsFileSystemUtils.cs#L20

public static Signature? GetSignatureStatus(string Path)
{
    if (Path is null || !NeedsSignature(Path))
    {
        return null;
    }
    try
    {
        if (PeFile.IsPeFile(Path))
        {
            using var mmf = new PeNet.FileParser.MMFile(Path);
            var peHeader = new PeFile(mmf);
            if (peHeader.Authenticode is AuthenticodeInfo ai)
            {
                var sig = new Signature(ai);
                return sig;
            }
        }
    }
    catch (Exception)
    {
        Log.Debug("Failed to get signature for {0}.",Path);
    }
    return null;
}

[secana]

Hi @gfs! That's an interesting case. I'll have a look at it, thx for reporting the bug.

[secana]

Release a fix in v2.2.1 Should be available soon on NuGet. It not detects that there is no signature information without crashing.

[gfs]

Thanks for the quick fix!