Jump to content
Tuts 4 You

IDA Pro COFF Debug Info Parsing Bug


waliedassar

Recommended Posts

waliedassar

In this post i will share something that may be considered as a bug in IDA. The bug is as follows:

If we manipulate the value of the "NumberOfSymbols" field in the "IMAGE_COFF_SYMBOLS_HEADER" structure, we can force IDA to abort processing the whole PE and quickly terminate.

1.jpg

When manipulating this field, just make sure to set a compatible value for the "SizeOfData" field in the "IMAGE_DEBUG_DIRECTORY" structure and also have a compatible file size by appending null bytes to the file end.

2.jpg

When calculating the required memory size for symbol entries using the spoofed value, IDA detects an overflow.

3.jpg
4.jpg
5.jpg

After clicking the ok button in the image above, IDA quickly terminates.

You can find a demo

here. It has the "NumberOfSymbols" field set to 0xE38EEDB5 and the "SizeOfData" fied set to 0xFFFFF. It has been tested on IDA 6.2 Demo version and IDA 6.3.

A quick workaround is to temporarily disable the "loaders\dbg.ldw" module.

Any comments or ideas are very welcome.

You can follow me @waleedassar

Link to comment

nice, and i really like your blog! :) keep it up.

btw, iirc hexrays offers a bounty program for vulnerabilities in IDA...this may not be one, just a general note. ;)

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...