[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: Re: [FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe
- From: fulldisclosure@xxxxxxxx
- Date: Mon, 6 Mar 2017 20:07:27 +0100
Hi,
does this actually result in any vulnerability? If not, I feel like this
is the wrong place for posting "bug reports". If this leads to security
issues, some sort of PoC would be interesting.
You also might consider to publish a *generic* advisory for your
innosetup related findings. I do not see any additional information for
the specific targets. It seems to be the very same finding for each
advisory.
This feels more like a personal crusade/rant/nameithoweveryouwant
against innosetup than actual security research. Your dll-sideloading
vulns are valid findings for sure - but a generic advisory would have
been enough.
What do you think?
Kind regards,
Matthias
On 03/06/2017 01:00 PM, Stefan Kanthak wrote:
> Hi @ll,
>
> InnoSetup is BROKEN, it creates DEFECTIVE "portable executable"
> image files, for example innosetup-5.5.9.exe itself.
>
> JFTR: unfortunately Windows' module loader covers these bugs and
> loads such defective PE image files.
>
> DEFECTS:
> ~~~~~~~~
>
> 1. all (8) IMAGE_IMPORT_DESCRIPTOR entries in the IMPORT directory
> are INVALID: their Characteristics/OriginalFirstThunk fields
> contain 0 instead of the RVA of the import lookup table!
>
> See the PE/COFF specification, available via
> <https://www.microsoft.com/en-us/download/details.aspx?id=19509>,
> or <https://msdn.microsoft.com/en-us/magazine/ms809762.aspx>,
> "Table 8. IMAGE_IMPORT_DESCRIPTOR":
>
> | Offset Size Field Description
> | 0 4 Import Lookup The RVA of the import lookup table.
> | Table RVA This table contains a name or ordinal
> | (Characteristics) for each import. (The name
> | "Characteristics" is used in Winnt.h,
> | but no longer describes this field.)
>
>
> 2. the IMPORT directory holds 2 IMAGE_IMPORT_DESCRIPTOR entries for
> each of "kernel32.dll", "user32.dll" and "advapi32.dll", even with
> duplicate names (WriteFile, ReadFile, VirtualAlloc for example).
>
> It should but have only 1 IMAGE_IMPORT_DESCRIPTOR for each DLL!
>
> From the PE/COFF specification (see above):
>
> | Import Directory Table
> ...
> | The import directory table consists of an array of import directory
> | entries, one entry for each DLL to which the image refers.
>
>
> 3. The "DLL characteristics" 0x8140 in the IMAGE_OPTIONAL_HEADER
> (see <https://msdn.microsoft.com/en-us/library/ms680339.aspx>)
> specifies IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, but the image
> file has no VALID relocation info:
>
> 3.a) both RVA and size of the IMAGE_DIRECTORY_ENTRY_BASERELOC
> entry are 0!
>
> 3.b) a ".reloc" section is present with (virtual) size 0x091C,
> but its file offset and size are both 0!
>
> 3.c) the "PE characteristics" 0x818F specifies "relocations
> stripped"!
>
>
> Minor bugs:
> ~~~~~~~~~~~
>
> 4. the ".rsrc" section contains 4 icons for language id 0x0413
> "nl-NL", but the icon group specifies language id 0x0409 "en-US".
>
> Icons and icon groups should but all have the language id 0x0000,
> i.e. NEUTRAL!
> Icons referenced in icon groups should have the same language id
> as their icon group.
>
>
> 5. all STRING resources have the language id 0x0000, although the
> strings are available in english only!
>
>
> 6. both the MANIFEST and the VERSIONINFO resource have language id
> 0x0409 "en-US".
>
> Both should but have the language id 0x0000, i.e. NEUTRAL!
>
> For VERSIONINFO resources, the language of its entries is
> specified WITHIN the resource itself, not in its header!
>
> The language id within the VERSIONINFO resource is 0x0000,
> despite the english only strings
> "This installation was built with Inno Setup." in "Comments",
> "Inno Setup Setup" in "FileDescription" etc.
>
>
> 7. the timestamp in the PE header of innosetup-5.5.9.exe is
> 0x2A425E19, which is "Friday, 1992-06-19 22:22:17 UTC".
>
>
> innosetup-5.5.9-unicode.exe has the defect 2 and the bugs 4, 5 and 6.
>
>
> stay tuned
> Stefan Kanthak
>
>
> Timeline:
> ~~~~~~~~~
>
> 2017-02-25 report sent to authors of InnoSetup
>
> NO reply, not even an acknowledgement of receipt.
>
> 2017-03-06 report published
>
>
> Evidence:
> ~~~~~~~~~
>
> X:\>link.exe /dump /headers /imports innosetup-5.5.9.exe
>
> Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
> Copyright (C) Microsoft Corporation. All rights reserved.
>
>
> Dump of file innosetup-5.5.9.exe
>
> PE signature found
>
> File Type: EXECUTABLE IMAGE
>
> FILE HEADER VALUES
> 14C machine (x86)
> 8 number of sections
> 2A425E19 time date stamp Sat Jun 20 00:22:17 1992
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 0 file pointer to symbol table
> 0 number of symbols
> E0 size of optional header
> 818F characteristics
> Relocations stripped
> ~~~~~~~~~~~~~~~~~~~~
> Executable
> Line numbers stripped
> Symbols stripped
> Bytes reversed
> 32 bit word machine
>
> OPTIONAL HEADER VALUES
> 10B magic # (PE32)
> 2.25 linker version
> A200 size of code
> 4600 size of initialized data
> 0 size of uninitialized data
> AA98 entry point (0040AA98)
> 1000 base of code
> C000 base of data
> 400000 image base (00400000 to 00414FFF)
> 1000 section alignment
> 200 file alignment
> 1.00 operating system version
> 6.00 image version
> 4.00 subsystem version
> 0 Win32 version
> 15000 size of image
> 400 size of headers
> 1E9FB8 checksum
> 2 subsystem (Windows GUI)
> 8140 DLL characteristics
> Dynamic base
> ~~~~~~~~~~~~
> NX compatible
> Terminal Server Aware
> 100000 size of stack reserve
> 4000 size of stack commit
> 100000 size of heap reserve
> 1000 size of heap commit
> 0 loader flags
> 10 number of directories
> 0 [ 0] RVA [size] of Export Directory
> E000 [ 97C] RVA [size] of Import Directory
> 12000 [ 2C00] RVA [size] of Resource Directory
> 0 [ 0] RVA [size] of Exception Directory
> 1E1338 [ 2AA8] RVA [size] of Certificates Directory
> 0 [ 0] RVA [size] of Base Relocation Directory
> ~~~~~~~~~~~~~~~~~
> 0 [ 0] RVA [size] of Debug Directory
> 0 [ 0] RVA [size] of Architecture Directory
> 0 [ 0] RVA [size] of Global Pointer Directory
> 10000 [ 18] RVA [size] of Thread Storage Directory
> 0 [ 0] RVA [size] of Load Configuration Directory
> 0 [ 0] RVA [size] of Bound Import Directory
> 0 [ 0] RVA [size] of Import Address Table Directory
> 0 [ 0] RVA [size] of Delay Import Directory
> 0 [ 0] RVA [size] of COM Descriptor Directory
> 0 [ 0] RVA [size] of Reserved Directory
>
>
> SECTION HEADER #1
> CODE name
> A1D0 virtual size
> 1000 virtual address (00401000 to 0040B1CF)
> A200 size of raw data
> 400 file pointer to raw data (00000400 to 0000A5FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> 60000020 flags
> Code
> Execute Read
>
> SECTION HEADER #2
> DATA name
> 250 virtual size
> C000 virtual address (0040C000 to 0040C24F)
> 400 size of raw data
> A600 file pointer to raw data (0000A600 to 0000A9FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> C0000040 flags
> Initialized Data
> Read Write
>
> SECTION HEADER #3
> BSS name
> E94 virtual size
> D000 virtual address (0040D000 to 0040DE93)
> 0 size of raw data
> AA00 file pointer to raw data
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> C0000000 flags
> Read Write
>
> SECTION HEADER #4
> .idata name
> 97C virtual size
> E000 virtual address (0040E000 to 0040E97B)
> A00 size of raw data
> AA00 file pointer to raw data (0000AA00 to 0000B3FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> C0000040 flags
> Initialized Data
> Read Write
>
> Section contains the following imports:
>
> kernel32.dll
> 40E0B4 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 DeleteCriticalSection
> 0 LeaveCriticalSection
> 0 EnterCriticalSection
> 0 InitializeCriticalSection
> 0 VirtualFree
> 0 VirtualAlloc
> 0 LocalFree
> 0 LocalAlloc
> 0 WideCharToMultiByte
> 0 TlsSetValue
> 0 TlsGetValue
> 0 MultiByteToWideChar
> 0 GetModuleHandleA
> 0 GetLastError
> 0 GetCommandLineA
> 0 WriteFile
> 0 SetFilePointer
> 0 SetEndOfFile
> 0 RtlUnwind
> 0 ReadFile
> 0 RaiseException
> 0 GetStdHandle
> 0 GetFileSize
> 0 GetSystemTime
> 0 GetFileType
> 0 ExitProcess
> 0 CreateFileA
> 0 CloseHandle
>
> user32.dll
> 40E128 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 MessageBoxA
>
> oleaut32.dll
> 40E130 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 VariantChangeTypeEx
> 0 VariantCopyInd
> 0 VariantClear
> 0 SysStringLen
> 0 SysAllocStringLen
>
> advapi32.dll
> 40E148 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 RegQueryValueExA
> 0 RegOpenKeyExA
> 0 RegCloseKey
> 0 OpenProcessToken
> 0 LookupPrivilegeValueA
>
> kernel32.dll
> ~~~~~~~~~~~~
> 40E160 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 WriteFile
> 0 VirtualQuery
> 0 VirtualProtect
> 0 VirtualFree
> 0 VirtualAlloc
> 0 Sleep
> 0 SizeofResource
> 0 SetLastError
> 0 SetFilePointer
> 0 SetErrorMode
> 0 SetEndOfFile
> 0 RemoveDirectoryA
> 0 ReadFile
> 0 LockResource
> 0 LoadResource
> 0 LoadLibraryA
> 0 IsDBCSLeadByte
> 0 GetWindowsDirectoryA
> 0 GetVersionExA
> 0 GetVersion
> 0 GetUserDefaultLangID
> 0 GetSystemInfo
> 0 GetSystemDirectoryA
> 0 GetSystemDefaultLCID
> 0 GetProcAddress
> 0 GetModuleHandleA
> 0 GetModuleFileNameA
> 0 GetLocaleInfoA
> 0 GetLastError
> 0 GetFullPathNameA
> 0 GetFileSize
> 0 GetFileAttributesA
> 0 GetExitCodeProcess
> 0 GetEnvironmentVariableA
> 0 GetCurrentProcess
> 0 GetCommandLineA
> 0 GetACP
> 0 InterlockedExchange
> 0 FormatMessageA
> 0 FindResourceA
> 0 DeleteFileA
> 0 CreateProcessA
> 0 CreateFileA
> 0 CreateDirectoryA
> 0 CloseHandle
>
> user32.dll
> ~~~~~~~~~~
> 40E218 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 TranslateMessage
> 0 SetWindowLongA
> 0 PeekMessageA
> 0 MsgWaitForMultipleObjects
> 0 MessageBoxA
> 0 LoadStringA
> 0 ExitWindowsEx
> 0 DispatchMessageA
> 0 DestroyWindow
> 0 CreateWindowExA
> 0 CallWindowProcA
> 0 CharPrevA
>
> comctl32.dll
> 40E24C Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 InitCommonControls
>
> advapi32.dll
> ~~~~~~~~~~~~
> 40E254 Import Address Table
> 0 Import Name Table
> ~~~~~~
> 0 time date stamp
> 0 Index of first forwarder reference
>
> 0 AdjustTokenPrivileges
>
> SECTION HEADER #5
> .tls name
> 8 virtual size
> F000 virtual address (0040F000 to 0040F007)
> 0 size of raw data
> B400 file pointer to raw data
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> C0000000 flags
> Read Write
>
> SECTION HEADER #6
> .rdata name
> 18 virtual size
> 10000 virtual address (00410000 to 00410017)
> 200 size of raw data
> B400 file pointer to raw data (0000B400 to 0000B5FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> 50000040 flags
> Initialized Data
> Shared
> Read Only
>
> SECTION HEADER #7
> .reloc name
> 91C virtual size
> 11000 virtual address (00411000 to 0041191B)
> 0 size of raw data
> ~~~~~
> 0 file pointer to raw data
> ~~~~~
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> 50000040 flags
> Initialized Data
> Shared
> Read Only
>
> SECTION HEADER #8
> .rsrc name
> 2C00 virtual size
> 12000 virtual address (00412000 to 00414BFF)
> 2C00 size of raw data
> B600 file pointer to raw data (0000B600 to 0000E1FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> 50000040 flags
> Initialized Data
> Shared
> Read Only
>
> Summary
>
> 1000 .idata
> 1000 .rdata
> 1000 .reloc
> 3000 .rsrc
> 1000 .tls
> 1000 BSS
> B000 CODE
> 1000 DATA
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/