While reading one of Peter Ferrie's wonderful papers, i came across an interesting OllyDbg bug. It is so interesting that i decided to analyze and write a proof of concept for it.
The bug is triggered when parsing the export table of debuggees. First, the NumberOfFunctions member of the IMAGE_EXPORT_DIRECTORY structure is extracted.
This value is then left shifted by two bits (multiplied by 0x4). So, if this value is 0x40000000, it will be truncated to zero. Finally, heap memory of this size is allocated.
Now, it is clear that an overflow will definitely occur when it comes to copying RVAs into the newly allocated memory since 0x40000000 bytes will be copied to memory of size Zero.
A POC can be found here.
You can follow me on Twitter @waleedassar
The bug is triggered when parsing the export table of debuggees. First, the NumberOfFunctions member of the IMAGE_EXPORT_DIRECTORY structure is extracted.
This value is then left shifted by two bits (multiplied by 0x4). So, if this value is 0x40000000, it will be truncated to zero. Finally, heap memory of this size is allocated.
Now, it is clear that an overflow will definitely occur when it comes to copying RVAs into the newly allocated memory since 0x40000000 bytes will be copied to memory of size Zero.
A POC can be found here.
You can follow me on Twitter @waleedassar
Interesting! I thought this was the same old bug rehashed again, but it isn't. This is the third publicly disclosed security vulnerability affecting OllyDbg.
ReplyDeleteOdd. there must be extra conditions, as I wasn't able to trigger the crash, yet I believe I used the same export structure as you did.
ReplyDeletemy (incorrect) PoC: http://xchg.info/corkami/ollyexp.exe (.asm available)
Fix the export table such that:
Delete1) It has a smaller size e.g. 0x140.
2) The "Base" in the IMAGE_EXPORT_DIRECTORY structure is set to 1.
3) The RVAs of "AddressOfNames", "AddressOfFunctions", and "AddressOfNameOrdinals" are set to reasonable values.
Here is a modified version of your PoC
http://ollytlscatch.googlecode.com/files/ollyexp.exe
thanks - I guess I should have tried just a little harder - in the end, all that was required was setting a smaller but non null export size.
Deletehttp://code.google.com/p/corkami/source/browse/trunk/asm/tricks/ollyexp.asm
Interesting one!
ReplyDeleteHow can I implement this trick in a C code?..Can you explain me more about this?
ReplyDeleteUse a PE Editor.
DeletePersonally, i prefer Stud_PE.
If you are designing a packer or protector, then you can use C-Code.
All you have to do is play with the "NumberOfFunctions" field of the "_IMAGE_EXPORT_DIRECTORY" structure of the generated file's export table.