#1
Another vuln, this time it's PEiD.
Possible code execution vulnerability.
http://secunia.com/advisories/13984/
I have said it before, be careful with which binaries you crack / debug.
Cheers ghalen

#2
Code:
TITLE: PEiD Import Library Name Handling Buffer Overflow
SECUNIA ADVISORY ID: SA13984
RELEASE DATE: 2005-01-28
VERIFY ADVISORY: http://secunia.com/advisories/13984/
CRITICAL: Moderately critical
WHERE: From remote
IMPACT: System access
SOFTWARE: PEiD 0.x
DESCRIPTION: A vulnerability has been reported in PEiD, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the parsing of the PE (Portable Executable) import directory. This can be exploited to cause a buffer overflow via a specially crafted PE file containing overly long import library names. Successful exploitation may allow execution of arbitrary code when a malicious PE file is opened.
SOLUTION: Use another product. Do not process untrusted files unless in a test environment.
REPORTED BY CREDITS: Lord Yup
ORIGINAL ADVISORY: iDEFENSE: http://idefense.com/application/...?id=189&type=vulnerabilities

#3
Can it be used for crashing my system when a proggie is scanned with PEiD?

#4
Yes, it is possible to crash your system, even run arbitrary code.
But only if you debug a specially crafted binary.
Cheers ghalen

#5
Well, an exploit can make it crash your system, or if their intentions are malicious they can install backdoors, own your system, make your system a denial of service bot, make it a server, whatever. It all depends on the code that is executed once the vulnerability yields control to malicious code. For example, you open an exe that is crafted maliciously in any of the vulnerable apps. An exe calls Dothis Function(), looking like this in assembly:

0x401000 call 0x401028
0x401005 test eax,eax

Now in the stack you will see a pointer to the return value, viz. return to 401005 from 401000. Now if they change the 401005 to 401278, where the malicious code exists, the app will return to 401278, not 401005, and will execute the code that is there at 401278. Now what one codes there is up to the weirdest dreams and imagination of the coder. I hope I made it a little clear.

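Editor's note, added to this thread: the boundary error the Secunia advisory in #2 describes and the return-address overwrite #5 sketches both come down to the same defect, an import library name of attacker-chosen length copied into a fixed-size buffer. The C below is an added example, not PEiD's code (its source is not on this page), showing that unsafe copy next to a bounded reader. The buffer size, function names and the sample bytes are assumptions constructed for the example; the sample is not a real PE image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination, the kind of buffer a PE tool might keep
   for one DLL name. The size is an assumption made for this example. */
#define NAME_BUF_SIZE 64

/* Unsafe pattern, the class of defect the advisory describes: the copy stops
   only at a NUL byte, so a name longer than `out` overruns it and clobbers
   whatever sits after the buffer (on the stack: saved registers and the
   return address #5 talks about). Shown for contrast only; never called. */
void read_import_name_unchecked(const uint8_t *image, size_t off, char *out)
{
    strcpy(out, (const char *)image + off);
}

/* Hardened form. Reads the NUL-terminated name at `off` in an untrusted image
   of `image_len` bytes into `out` (capacity `out_len`). Returns the name
   length, or -1 when the offset is outside the image, the name is not
   terminated inside the image, or the name plus its NUL would not fit. */
int read_import_name(const uint8_t *image, size_t image_len, size_t off,
                     char *out, size_t out_len)
{
    if (image == NULL || out == NULL || out_len == 0 || off >= image_len)
        return -1;
    size_t avail = image_len - off;
    /* memchr is bounded by `avail`, so the scan never reads past the image. */
    const uint8_t *nul = memchr(image + off, 0, avail);
    if (nul == NULL)
        return -1;               /* unterminated: treat the file as malformed */
    size_t n = (size_t)(nul - (image + off));
    if (n + 1 > out_len)
        return -1;               /* too long: reject rather than overflow */
    memcpy(out, image + off, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample "image" (not a real PE): a normal name at offset 0,
   a 100-byte name terminated at offset 113, then filler with no NUL. */
#define SAMPLE_LEN 160
size_t build_sample_image(uint8_t *buf, size_t buf_len)
{
    if (buf_len < SAMPLE_LEN)
        return 0;
    memset(buf, 'A', SAMPLE_LEN);
    memcpy(buf, "KERNEL32.dll", 13);   /* 12 characters plus NUL at offset 12 */
    buf[113] = '\0';                    /* ends the 100-byte name at offset 13 */
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t img[SAMPLE_LEN];
    char name[NAME_BUF_SIZE];
    size_t offsets[] = { 0, 13, 114, SAMPLE_LEN };
    build_sample_image(img, sizeof img);
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int n = read_import_name(img, SAMPLE_LEN, offsets[i], name, sizeof name);
        if (n < 0)
            printf("offset %zu: rejected\n", offsets[i]);
        else
            printf("offset %zu: \"%s\" (%d bytes)\n", offsets[i], name, n);
    }
    return 0;
}
```

The hardened reader rejects rather than truncates: a name that does not fit, or that runs off the end of the file, is a malformed input, and a tool that silently shortens it would still be trusting the file to describe its own length. With a 64-byte destination the 100-byte name is refused; give the same function a 128-byte destination and it is accepted, so the check is about fit, not a magic constant.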
#6
Sure it can, but you can't implement this as a protection because the exploit would make the PE file invalid.

#7
Already fixed, along with another undocumented vuln: PEiD v0.93
h**p://www.secretashell.com/PEiD/viewtopic.php?t=150
h**p://www.secretashell.com/codomain/peid/files/PEiD-0.93-20050130.zip

#8
cobi, I dunno if you read the iDefense advisory or not. They have stated that they have crafted a PE which exploits this vulnerability without ending up as an invalid PE in IDA, and the great ppl of IDA have issued a patch, so I would assume that they are not bullshitting, and Ilfak Guilfanov wouldn't be so lame as to accede to any of that bullshit if it were bullshit, which obviously would have punctured the egos, and issue a patch which purportedly would patch this vulnerability. Or, as marc posted, snaker, jibz and the others who are behind PEiD won't issue the patch unless, I assume, they saw that it was working, or bengaly wouldn't revise the PVDasm edition. Anyway, there is no offense in the above comment; it is only a viewpoint, and I neither use IDA nor wdsam. If I require a packer version I use the Kaspersky online scan, which offers more info on packers than PEiD would, and I don't have to execute malicious binaries on my system.

#9
Whoops, sorry, I've just read the iDefense statement.
Quote: