Compiled rules can execute malicious code regardless of PARANOID_EXEC #999
Comments
A more detailed explanation of your exploit would be helpful. I guess your idea is using
Yes. My PoC uses a fake function object and then executes code using
I have written a technical write-up that delves into the VM architecture and explains said PoC. I can publish it shortly.
@plusvic |
Very good job in finding and explaining this issue. You have done an impressive job in understanding YARA's internals. This commit should solve the problem with OP_COUNT: 6acc08d Regarding the initialization of
Thanks.
Yeah, among other things. |
* Add additional check in OP_COUNT for making sure that the string pointer is not a fake one.
* Initialize scratch memory in order to avoid maliciously crafted YARA rules from reading values left in the stack.
A malicious compiled rule file could escape YARA's virtual machine and execute arbitrary code despite the added checks introduced by PARANOID_EXEC. This is possible due to the design of the virtual machine, which stores and operates on pointers to YR_OBJECTs from the virtual stack, as well as the following bugs:

OP_COUNT can be used to read a DWORD from any arbitrary address.

These were assigned the following IDs, respectively:
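The two mitigations named in the fix commit (reject a string pointer that the VM did not itself create before OP_COUNT dereferences it, and zero scratch memory so a rule cannot read stale values) are illustrated below with a toy VM. This is an added example, not YARA's code: the `toy_vm`, `toy_string_obj`, `toy_op_count` and related names, the registry-based validation, and the forged stack value are all assumptions made for the illustration.

```c
/* Added illustration (not YARA's code): a toy VM whose data stack holds
 * host pointers, showing the two mitigations from the fix commit:
 *  1. validate a popped object pointer against a registry of objects the
 *     VM created itself before dereferencing it;
 *  2. zero all scratch memory at init so a rule cannot read stale values.
 * All names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 16
#define STACK_SIZE 8

/* Hypothetical "string object": a match count plus an identifier. */
typedef struct {
    int32_t count;
    char name[16];
} toy_string_obj;

typedef struct {
    toy_string_obj *registry[MAX_OBJECTS]; /* pointers the VM itself created */
    size_t nobjects;
    intptr_t stack[STACK_SIZE];             /* mixed integers and pointers */
    size_t sp;
    unsigned char scratch[64];              /* scratch memory rules may read */
} toy_vm;

enum { VM_OK = 0, VM_ERR_FAKE_POINTER = -1, VM_ERR_STACK = -2 };

/* Mitigation 2: zero every byte of VM state, scratch memory included. */
void toy_vm_init(toy_vm *vm) { memset(vm, 0, sizeof(*vm)); }

/* Only pointers returned by this function are legitimate string objects. */
toy_string_obj *toy_vm_new_string(toy_vm *vm, const char *name, int32_t count) {
    if (vm->nobjects >= MAX_OBJECTS) return NULL;
    toy_string_obj *obj = calloc(1, sizeof(*obj));
    if (!obj) return NULL;
    obj->count = count;
    strncpy(obj->name, name, sizeof(obj->name) - 1);
    vm->registry[vm->nobjects++] = obj;
    return obj;
}

int toy_vm_push(toy_vm *vm, intptr_t v) {
    if (vm->sp >= STACK_SIZE) return VM_ERR_STACK;
    vm->stack[vm->sp++] = v;
    return VM_OK;
}

/* Mitigation 1: is this value exactly one of the pointers the VM handed out? */
static int is_registered(const toy_vm *vm, intptr_t p) {
    for (size_t i = 0; i < vm->nobjects; i++)
        if ((intptr_t)vm->registry[i] == p) return 1;
    return 0;
}

/* Hardened OP_COUNT analogue: pop a slot, refuse to dereference it unless
 * it is a registered object, then push the object's count. */
int toy_op_count(toy_vm *vm) {
    if (vm->sp == 0) return VM_ERR_STACK;
    intptr_t p = vm->stack[--vm->sp];
    if (!is_registered(vm, p)) return VM_ERR_FAKE_POINTER;
    return toy_vm_push(vm, ((toy_string_obj *)p)->count);
}

void toy_vm_free(toy_vm *vm) {
    for (size_t i = 0; i < vm->nobjects; i++) free(vm->registry[i]);
    vm->nobjects = 0;
}

/* Demonstration: returns 1 when a genuine pointer yields its count, a
 * constructed non-object value is rejected, and scratch memory is zeroed. */
int toy_demo(void) {
    toy_vm vm;
    toy_vm_init(&vm);
    toy_string_obj *s = toy_vm_new_string(&vm, "$a", 3);
    if (!s) return 0;

    /* Legitimate: the object pointer the VM itself produced. */
    toy_vm_push(&vm, (intptr_t)s);
    int r1 = toy_op_count(&vm);
    intptr_t count = vm.stack[vm.sp - 1];

    /* Forged (constructed value): an integer on the stack that is not an object. */
    toy_vm_push(&vm, (intptr_t)12345);
    int r2 = toy_op_count(&vm);

    int ok = (r1 == VM_OK && count == 3 &&
              r2 == VM_ERR_FAKE_POINTER && vm.scratch[0] == 0);
    toy_vm_free(&vm);
    return ok;
}
```

The registry check is the simplest form of the idea; a VM that keeps host pointers on its data stack at all remains fragile, and the more robust design is to push opaque indices or handles and resolve them through a table the bytecode cannot forge.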