Tuts 4 You

IDA Pro CodeView Parsing Bug


waliedassar


In this post I will share with you another bug that I have found in IDA. This one is different from the previous one in that:

1) It is in code responsible for parsing CodeView debug info.

2) It crashes the current IDA instance with a minidump.

While trying to figure out how IDA reads various debug info, I found that old CodeView formats are also supported by IDA (also by the demo version). So, I decided to give it a shot and try to find anything useful inside. Understanding the CodeView format was also kept in mind.

Code responsible for reading various debug info lies within dbg.ldw, a dynamic link library that resides in the "loaders" directory.

Since the CodeView format is not clearly documented, I tried to define the structures myself. If you know any good reference, please let me know.

The CodeView debug info starts with a 4-character string referring to the CodeView version, e.g. "NB10", "RSDS", "NB02", "NB11", etc.

NB10 and RSDS formats are handled by loading the IDA "pdb" plugin.

NB02, NB05, NB08, NB09, and NB11 are handled by dbg.ldw.

[image: 1dbg.jpg]
[image: 1src.jpg]

Here, I will take the format starting with "NB02". Debugging dbg.ldw, I could understand a bit about the CodeView format. In the image below, you will see some of my understanding of this format (still dirty, I know).

[image: struct.jpg]

I will divide the image above into 2 structures. The first one (still incomplete) is as follows:

1) The first 4 bytes denote the CodeView signature or version. In this case, it is "NB02".

2) The second dword is the offset to the second structure.

The second structure is as follows:

1) At offset zero, 0x10 is always found.

2) At offset 0x2 is the size of the "CV_INFO2" structure. I refer to it as "Incrementer".

3) At offset 0x4 is the number of CV_INFO2 structures. I refer to it as "NumberOfXX".

4) At offset 0x10 is an array of CV_INFO2 structures.

At 0x6000520C, dbg.ldw tries to make sure that the offset to the second structure is less than the size of the whole CodeView debug info (as found in the "IMAGE_DEBUG_DIRECTORY" structure).

[image: check.jpg]

If the check succeeds, dbg.ldw continues parsing the CodeView debug info and reads members of the second structure, e.g. it makes sure that the first word of the structure is 0x10.

I have noticed that the code is vulnerable to "read beyond boundary" errors when reading members of the second structure. You can try this demo.

[image: 4444.jpg]

At 0x60005240, dbg.ldw has a loop that iterates through a number of CV_INFO2 structures equal to the "NumberOfXX" value. Each time, it increments the pointer to the current CV_INFO2 structure by the "Incrementer" value. It looks something like this in C code:

[image: 5555.jpg]

You can easily conclude from the two images above that if we set the "NumberOfXX" field to e.g. 0xFFFFFFFF and the "Incrementer" field to e.g. 0xFFFF, we can cause IDA to access violate.

[image: studsS.jpg]
[image: err.jpg]

Here you can find a demo tested on IDA 6.2 demo.

Any ideas or comments are very welcome.

You can follow me on Twitter @waleedassar
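The two missing checks the post describes (the 0x10-byte second structure is only required to start inside the blob, and the NumberOfXX/Incrementer loop is never bounded) as a defensive validator. This is an added example, not code from the post or from IDA; field offsets follow the post, while little-endian byte order, a 2-byte Incrementer and a 4-byte NumberOfXX are assumptions, and the sample blobs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum cv_status { CV_OK = 0, CV_BAD_SIG, CV_TRUNCATED, CV_BAD_MAGIC, CV_BAD_ARRAY };

/* Little-endian readers (assumption: CodeView fields are little-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Validate an "NB02" blob of len bytes (len as given by IMAGE_DEBUG_DIRECTORY)
 * before walking its CV_INFO2 array. Offsets follow the post; widths are assumed. */
enum cv_status cv_nb02_check(const uint8_t *buf, size_t len)
{
    if (len < 8 || memcmp(buf, "NB02", 4) != 0) return CV_BAD_SIG;
    uint64_t hdr_off = rd32(buf + 4);            /* second dword: offset of 2nd structure */
    /* The check at 0x6000520C only needs hdr_off < len; the whole 0x10-byte header
     * must fit, otherwise reading its members already runs past the buffer. */
    if (hdr_off + 0x10 > len) return CV_TRUNCATED;
    const uint8_t *hdr = buf + hdr_off;
    if (rd16(hdr) != 0x10) return CV_BAD_MAGIC;  /* word at offset 0 is always 0x10 */
    uint16_t incr = rd16(hdr + 2);               /* "Incrementer" = sizeof(CV_INFO2) */
    uint32_t n = rd32(hdr + 4);                  /* "NumberOfXX" = element count */
    /* The loop at 0x60005240 advances n times by incr with no bound. Do the product
     * in 64 bits so 0xFFFFFFFF * 0xFFFF cannot wrap to a small value; incr == 0 is
     * rejected as a defensive choice (it would never advance). */
    if (incr == 0 || hdr_off + 0x10 + (uint64_t)n * incr > len) return CV_BAD_ARRAY;
    return CV_OK;
}

/* Constructed sample blobs (not real debug info): first structure is 8 bytes,
 * second structure at offset 8, CV_INFO2 array at offset 0x18; unlisted bytes are 0. */
static const uint8_t cv_good[40] = {
    'N','B','0','2', 8,0,0,0,                            /* signature, hdr_off = 8 */
    0x10,0x00, 0x08,0x00, 0x02,0,0,0,                    /* magic, incr 8, n 2 (+16 bytes payload) */
};
static const uint8_t cv_bomb[40] = {
    'N','B','0','2', 8,0,0,0,
    0x10,0x00, 0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF,           /* incr 0xFFFF, n 0xFFFFFFFF */
};
static const uint8_t cv_short[12] = { 'N','B','0','2', 8,0,0,0, 0x10,0x00, 8,0 }; /* header cut off */

int main(void)
{
    printf("good=%d bomb=%d short=%d\n", cv_nb02_check(cv_good, sizeof cv_good),
           cv_nb02_check(cv_bomb, sizeof cv_bomb), cv_nb02_check(cv_short, sizeof cv_short));
    return 0;
}
```

Both rejected blobs pass the offset check the post shows in check.jpg, which is exactly why the original parser proceeds into an out-of-bounds read.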
