-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Out-of-bounds read, write in yr_execute_code #891
Comments
@bnbdr I have a question. In your write-up you say:
But you later don't explain why those validations are buggy. I guess your point is that YARA relies on the value in |
@plusvic basically, yeah. Might be nitpicking but the version check I didn't elaborate on this since It felt like bashing the code and the write-up was extremely long as is. |
The reason for not checking the actual file size is that That doesn't mean a security issue by itself, except perhaps for a denial of service by memory exhaustion. If YARA is able to allocate the size specified in the header then it's safe to read that much data from the file, if not, it will fail without reading. But a denial of service will be always possible by corrupting some pointer that make the process crash, so protecting from that is unfeasible and out-of-scope. The only secure solution for that is digitally signing the compiled rules data in order to make sure that no one has tampered with it. Regarding the version check, the full snippet is:
Which is the intended behavior because changes in the structure of compiled rules are neither forward nor backward-compatible. The error message can be misleading certainly, as it could be quite the opposite and the rules could have been compiled with an older version of YARA. |
Regarding the size in the header- maybe check the value doesn't exceed some hard-coded allocation limit? Both of these are more quality of life improvements in error reporting and validation rather than security issues. |
In #893 I introduced checks before accessing the scratch memory and some others pointed out by @jbremer. You also propose:
The first one is actually a good idea, but I don't want to introduce backward incompatible changes that could break people's scripts out there, at least not for a minor version change. So, that's something for version 4.0 probably. The second one is already done in: https://github.com/VirusTotal/yara/blob/master/libyara/arena.c#L978 It doesn't exactly check that the relocated address is within the file, but within the buffer allocated to hold the compiled rules. The fourth one is unfeasible, the compiled rules has some empty slots that are filled during scanning and must remain writable. |
You misunderstood. YARA indeed only relocates offset within the loaded buffer, however, |
Ok, now I get what you meant. I have a commit ready for fixing that too. |
I've merged this PR in the master branch. Besides the changes aimed to fix the issues reported by @bnbdr, additional measures has been taking for mitigating other attack scenarios suggested by @jbremer and involving OP_CALL, could you guy review the changes? I haven't assessed the performance impact of these changes but they are probably negligible, however they can't be easily switched-off by setting Still it's highly discouraged to accept compiled rules from un-trusty third-parties, as they can always hand-craft a rule that can crash YARA. |
This fixes issues CVE-2018-12034 & CVE-2018-12035. They are OOB read & write issues of the internal VM. Details can be retrieved at [1] & [2]. [1] VirusTotal/yara#891 [2] https://bnbdr.github.io/posts/swisscheese/
yr_execute_code
has several bugs in the implementation of the virtual machine. Two of which prove to be security issues that allow code execution by running a specially crafted binary rule:These issues have been assigned the CVE-ID's
CVE-2018-12034
andCVE-2018-12035
, respectively.Obvious ways to mitigate this:
While this might not be as critical as say, a vulnerability that can be exploited by a rule in source form, YARA will run a binary rule without explicitly being told to do so. This means any service/third-party who doesn't properly validate the user-supplied rule is susceptible.
I suggest you reject rules in binary form unless explicitly being allowed to do so.
For the ones interested, I've written a (very long) write-up and made the PoC exploit available here
The text was updated successfully, but these errors were encountered: