DataRescue IDA Pro Remote Debugger Server Authentication Bypass Vulnerability iDefense Security Advisory 03.23.07 http://labs.idefense.com/intelligence/vulnerabilities/ Mar 23, 2007 I. BACKGROUND DataRescue Inc.'s IDA Pro is a disassembler and debugger for Windows, Linux, or Macintosh. It supports multiple binary formats as well as many processor architectures. For more information about IDA Pro, visit the vendor's website at the following URL. http://www.datarescue.com/idabase/index.htm II. DESCRIPTION Remote exploitation of a password bypass vulnerability in DataRescue Inc.'s IDA Pro Remote Debugger Server allows attackers to execute arbitrary code under the context of the user who is running the remote debugger server. Since version 4.8, IDA Pro supports remote debugging of x86/AMD64 Windows PE applications and Linux ELF applications over TCP/IP networks. The IDA distribution ships with a debugger server for Windows, Linux, and (as of version 5.1) MacOS X. The IDA Pro debugger server allows a user to specify a password for authentication by supplying the -P parameter. The vulnerability specifically exists in the the processor_request() function. This function is used for the initial packet exchange as well as subsequent requests. This function did not ensure that the remote user has authenticated prior to calling the perform_request() function. As such, attacker requests sent prior to authenticating would be processed normally. III. ANALYSIS Exploitation of the described vulnerability allows attackers to execute arbitrary code under the context of the user who starts the remote debugger server. It should be noted that the debugger server does not run as a service. It must be manually executed. Additionally, the remote debugger server can only handle one debugger session at a time. As such, this vulnerability can not be exploited while the debugger server is in use. IV. DETECTION iDefense has confirmed the existence of this vulnerability in the remote debugger server for Windows and Linux from IDA Pro versions 5.0 and 5.1. It is suspected that the MacOS X version and earlier versions are also affected. V. WORKAROUND In order to reduce exposure to this vulnerability, the remote debugger server should not be left running when it is not in use. Additionally, access to the port used by the remote debugger server could be blocked with the use of a firewall. VI. VENDOR RESPONSE "Since this vulnerability is in the open part of IDA, we provide the corrected source code for the modified files." DataRescue Inc. has made the fix available at the following URL. http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 03/20/2007 Initial vendor notification 03/20/2007 Initial vendor response 03/23/2007 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by enhalos. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@private for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
This archive was generated by hypermail 2.1.3 : Wed Mar 28 2007 - 19:40:40 PST