Jump to content
Tuts 4 You

IDA Pro CodeView Parsing Bug


waliedassar

Recommended Posts

waliedassar

In this post i will share with you another bug that i have found in IDA. This one is different from the previous one in that:

1) It is in code responsible for parsing CodeView debug info.

2) It crashes the current IDA instance with a minidump.

While trying to figure out how IDA reads various debug info, i found that old CodeView formats are also supported by IDA (Also, the demo version). So, i decided to give it a shot and try to find anything useful inside. Understanding the CodeView format was also kept in mind.

Code responsible for reading various debug info lies within dbg.ldw, a dynamic link library that resides in the "loaders" directory.

Since the CodeView format is not clearly documented, i tried to define structures myself. If you know any good reference, please let me know.

The CodeView debug info starts with a 4-character string referring to the CodeView version e.g. "NB10", "RSDS", "NB02", "NB11", etc..

NB10 and RSDS formats are handled by loading the IDA "pdb" plugin.

NB02, NB05, NB08, NB09, and NB11 are handled by dbg.ldw.

1dbg.jpg
1src.jpg

Here, i will take the format starting with "NB02". Debugging dbg.ldw, i could understand abit about CodeView format. In the image below, you will see some of my understanding of this format (still dirty, i know).

struct.jpg

I will divide the image above into 2 structures. The first one (still incomplete) is as follows:

1) The first 4 bytes denote the CodeView signature or version. In this case, it is "NB02".

2) The second dword is the offset to the second structure.

The second structure is as follows:

1) At offset Zero, 0x10 is always found.

2) At offset 0x2 is the size of the "CV_INFO2" structure. I refer to it as "Incrementer".

3) At offset 0x4, is the number of CV_INFO2 structures. I refer to it as "NumberOfXX".

4) At offset 0x10 is an array of CV_INFO2 structures.

At 0x6000520C, dbg.ldw tries to make sure that the offset to the second structure is less than the size of the whole CodeView debug info (as found in the "IMAGE_DEBUG_DIRECTORY" structure).

check.jpg

If the check succeeds, dbg.ldw continues parsing CodeView debug info and reads members of the second structure e.g. it makes sure that the first word of the structure is 0x10.

I have noticed that code is vulnerable to "read beyond boundary" errors when reading members of the second structure. You can try this demo.

4444.jpg

At 0x60005240, dbg.ldw has a loop that iterates through a number of CV_INFO2 structures equal to the "NumberOfXX" value. Each time, it increments the pointer to the current CV_INFO2 structure by the "Incrementer" value. It looks something like this in C code:

5555.jpg

You can easily conclude from the two images above that if we set the "NumberOfXX" field to e.g. 0xFFFFFFFF and the "Incrementer" field to e.g. 0xFFFF, we can cause IDA to access violate.

studsS.jpg
err.jpg

Here you can find a demo tested on IDA 6.2 demo.

Any ideas or comments are very welcome.

You can follow me on Twitter @waleedassar

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...