waliedassar Posted June 22, 2012 In this post I will share something that may be considered as a bug in IDA. The bug is as follows: If we manipulate the value of the "NumberOfSymbols" field in the "IMAGE_COFF_SYMBOLS_HEADER" structure, we can force IDA to abort processing the whole PE and quickly terminate. When manipulating this field, just make sure to set a compatible value for the "SizeOfData" field in the "IMAGE_DEBUG_DIRECTORY" structure and also have a compatible file size by appending null bytes to the file end. When calculating the required memory size for symbol entries using the spoofed value, IDA detects an overflow. After clicking the OK button in the image above, IDA quickly terminates. You can find a demo here. It has the "NumberOfSymbols" field set to 0xE38EEDB5 and the "SizeOfData" field set to 0xFFFFF. It has been tested on IDA 6.2 Demo version and IDA 6.3. A quick workaround is to temporarily disable the "loaders\dbg.ldw" module. Any comments or ideas are very welcome. You can follow me @waleedassar
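For anyone writing or auditing a PE loader, here is the check that this bug boils down to, as an added example (not code from the post above and not Hex-Rays' code). It parses one IMAGE_DEBUG_DIRECTORY entry of type COFF, reads the IMAGE_COFF_SYMBOLS_HEADER it points at, and computes NumberOfSymbols * sizeof(IMAGE_SYMBOL) with unbounded integers, so the 32-bit overflow a native parser would run into is detected and reported instead of being trusted. The structure layouts are the documented winnt.h ones; `build_sample` and all field values in it are constructed test input rather than a real PE file, with the 0xE38EEDB5 / 0xFFFFF pair taken from the values the post quotes.

```python
import struct

# Layouts from winnt.h / the PE-COFF spec; little-endian, no padding.
IMAGE_DEBUG_DIRECTORY = struct.Struct("<IIHHIIII")      # 28 bytes
IMAGE_COFF_SYMBOLS_HEADER = struct.Struct("<IIIIIIII")  # 32 bytes
IMAGE_DEBUG_TYPE_COFF = 1
IMAGE_SYMBOL_SIZE = 18          # sizeof(IMAGE_SYMBOL)
UINT32_MAX = 0xFFFFFFFF


def check_coff_debug_entry(entry, image):
    """Validate one COFF debug directory entry against the file image.

    entry -- the raw 28-byte IMAGE_DEBUG_DIRECTORY entry
    image -- the raw file bytes; PointerToRawData is a file offset into it
    Returns a dict with ok, reasons, overflow32 and the derived sizes.
    """
    (_chars, _stamp, _major, _minor, dbg_type,
     size_of_data, _addr_raw, ptr_raw) = IMAGE_DEBUG_DIRECTORY.unpack(entry)
    result = {"ok": True, "reasons": [], "overflow32": False,
              "number_of_symbols": None, "symbol_table_bytes": None}

    def fail(msg):
        result["ok"] = False
        result["reasons"].append(msg)

    if dbg_type != IMAGE_DEBUG_TYPE_COFF:
        result["reasons"].append("not a COFF debug entry; nothing to check")
        return result

    # 1. The debug data block must lie inside the file. Python ints do not
    #    wrap, so ptr_raw + size_of_data cannot silently overflow here.
    if ptr_raw + size_of_data > len(image):
        fail("SizeOfData runs past the end of the file")
        return result
    if size_of_data < IMAGE_COFF_SYMBOLS_HEADER.size:
        fail("SizeOfData is smaller than IMAGE_COFF_SYMBOLS_HEADER")
        return result

    (num_symbols, lva_first_symbol, _num_lines, _lva_first_line,
     *_rvas) = IMAGE_COFF_SYMBOLS_HEADER.unpack_from(image, ptr_raw)
    result["number_of_symbols"] = num_symbols

    # 2. Symbol table size, computed exactly and then compared with the
    #    32-bit range a native parser would allocate in. 0xE38EEDB5 * 18
    #    does not fit in 32 bits: that is the overflow the post describes.
    symtab_bytes = num_symbols * IMAGE_SYMBOL_SIZE
    result["symbol_table_bytes"] = symtab_bytes
    if symtab_bytes > UINT32_MAX:
        result["overflow32"] = True
        fail("NumberOfSymbols * sizeof(IMAGE_SYMBOL) overflows 32 bits")

    # 3. Even without overflow, the table must fit inside the debug data.
    if lva_first_symbol + symtab_bytes > size_of_data:
        fail("symbol table exceeds SizeOfData")
    return result


def build_sample(num_symbols, size_of_data, ptr_raw=0x200):
    """Constructed input, not a real PE: zero padding, a COFF symbols header
    at ptr_raw, and the image padded out to ptr_raw + size_of_data (the
    'append null bytes to the file end' step from the post)."""
    coff_hdr = IMAGE_COFF_SYMBOLS_HEADER.pack(
        num_symbols, IMAGE_COFF_SYMBOLS_HEADER.size, 0, 0, 0, 0, 0, 0)
    image = bytearray(ptr_raw + size_of_data)
    image[ptr_raw:ptr_raw + len(coff_hdr)] = coff_hdr
    entry = IMAGE_DEBUG_DIRECTORY.pack(
        0, 0, 0, 0, IMAGE_DEBUG_TYPE_COFF, size_of_data, 0, ptr_raw)
    return entry, bytes(image)


if __name__ == "__main__":
    samples = {"benign": (3, 32 + 3 * IMAGE_SYMBOL_SIZE),
               "demo-like": (0xE38EEDB5, 0xFFFFF),
               "oversized": (1000, 100)}
    for label, args in samples.items():
        entry, image = build_sample(*args)
        print(label, check_coff_debug_entry(entry, image))
```

The point of doing the multiplication with exact integers first is that the loader can refuse the entry before any allocation is attempted; a parser that only checks the product after it has already wrapped has nothing left to compare against.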
deepzero Posted June 22, 2012 Nice, and I really like your blog! Keep it up. BTW, IIRC Hex-Rays offers a bounty program for vulnerabilities in IDA... this may not be one, just a general note.
waliedassar (Author) Posted June 22, 2012 Thanks, deepzero. Nice note, I did not know that.