Hi, Everyone on this list: Please find http://members.rogers.com/exurity/pdf/PE.pdf a research paper on the vulnerabilities of PE File Format For Win32 Architecture (especially x86). These vulnerabilities are probably well known. Some might have been used or exploited by many. The main concept of this research article is about the fact that the free virtual space between sections is the hiding place for embedded code and a launching pad for bigger mobile code, let's not forget to mention, and security risks. Actually, for more sophisticated embedded code, it is possible in theory to shift code around within an executable to embed even without the free virtual space reported in this paper. In summary, this paper addresses a few vulnerabilities in Win32 architecture (x86 in particular) as follows: * The explicit linking of Dynamic Link Library executables into a process, especially the GetProcAddress and LoadLibrary API functions, has far more consequences than it facilitates normal program developers the flexibility in linking to their libraries dynamically. These two API functions make the exploit code, embedded code, and other highly mobile code possible. * The intact PE header information, including import and export library info, left in RAM for a process provides the strong "vines" to be followed up for GetProcAddress and Kernel32ModuleBase from many climbing points. * The virtual address gap between two sequential sections of one executable, either .exe or .dll, is wide enough to harbor a few "mice that carry elephants with them through the gap". * Lack of checking, or weak checking mechanism, for the integrity of executables on the operating system (and/or anti-virus programs) during the preparation for launching executables enables the modification of executable files and execution of new mobile code relatively easy. It seems a lot of components fail to detect the modification of executables at all. * Executables, once compiled, linked and delivered, are prone to be modified by other programs and most of them do not have run-time self-protection mechanism implemented. This weakness is not only limited to Win32 application programs. Many executable files for other operating systems fail to check on themselves during the run-time as well. But the dynamic linking functionalities provided on Win32 make the embedding of mobile code especially dangerous. Microsoft and CERT were submitted with this report before. Since these vulnerabilities are quite fundamental, it probably will take a while to get things fixed. However, these vulnerabilities are probably not that new and are not first-layer vulnerabilities as buffer overflow ones. Therefore, we release this report as background research paper and warn the public about the security risks. For your convenience, the EmbedMe.c source file is attached as well. Peter Huang
This archive was generated by hypermail 2b30 : Wed Apr 09 2003 - 22:21:13 PDT