Compiled rules can execute malicious code regardless of PARANOID_EXEC #999
Comments
A more detailed explanation of your exploit would be helpful. I guess your idea is using
Yes. My PoC uses a fake function object and then executes code using
I have written a technical write-up that delves into the VM architecture and explains said PoC. I can publish it shortly.
@plusvic
Very good job in finding and explaining this issue. You have done an impressive job in understanding YARA's internals. This commit should solve the problem with `OP_COUNT`: 6acc08d. Regarding the initialization of
Thanks.
Yeah, among other things.
A malicious compiled rule file could escape YARA's virtual machine and execute arbitrary code despite the added checks introduced by `PARANOID_EXEC`. This is possible due to the design of the virtual machine, which stores and operates on pointers to `YR_OBJECT`s from the virtual stack, as well as the following bugs:

- `OP_COUNT` can be used to read a DWORD from any arbitrary address.

These were assigned the following IDs, respectively:
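As an added illustration (not YARA's code and not the reporter's PoC), the following hypothetical stack VM shows the defensive alternative to the design described in the report: the virtual stack holds only integer handles into an object table, so an `OP_COUNT`-style instruction bounds-checks the handle against that table instead of treating a stack value as a pointer to read through. The `vm_object_t`, `vm_t`, opcode names and `run_sample` are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical object table entry (not YARA's YR_OBJECT): the VM refers to
 * objects only by index into this table, never by raw pointer. */
typedef struct { const char *name; uint32_t count; } vm_object_t;
typedef struct {
    const vm_object_t *objects; /* the only memory OP_COUNT may read */
    size_t n_objects;
    int64_t stack[16];          /* handles and integers, never pointers */
    size_t sp;
} vm_t;
enum { OP_PUSH = 1, OP_COUNT = 2, OP_HALT = 3 };
enum { VM_OK = 0, VM_ERR_STACK = -1, VM_ERR_BAD_HANDLE = -2 };
/* Pop a handle, push that object's element count. An out-of-table handle is
 * rejected rather than dereferenced. */
static int op_count(vm_t *vm) {
    if (vm->sp == 0) return VM_ERR_STACK;
    int64_t h = vm->stack[--vm->sp];
    if (h < 0 || (uint64_t)h >= vm->n_objects) return VM_ERR_BAD_HANDLE;
    vm->stack[vm->sp++] = vm->objects[h].count;
    return VM_OK;
}

/* Run a code buffer; on VM_OK, *result is the value on top of the stack. */
int vm_run(vm_t *vm, const int64_t *code, size_t len, int64_t *result) {
    for (size_t pc = 0; pc < len; pc++) {
        switch (code[pc]) {
        case OP_PUSH:
            if (++pc >= len || vm->sp >= 16) return VM_ERR_STACK;
            vm->stack[vm->sp++] = code[pc];
            break;
        case OP_COUNT: { int rc = op_count(vm); if (rc != VM_OK) return rc; break; }
        case OP_HALT:
            if (vm->sp == 0) return VM_ERR_STACK;
            *result = vm->stack[vm->sp - 1];
            return VM_OK;
        default: return VM_ERR_STACK; /* unknown opcode in untrusted input */
        }
    }
    return VM_ERR_STACK; /* ran off the end without OP_HALT */
}

/* Constructed sample: a two-entry table and a program pushing one handle. */
static const vm_object_t sample_objects[] = { {"sections", 3}, {"imports", 42} };

int run_sample(int64_t handle, int64_t *result) {
    vm_t vm = { sample_objects, 2, {0}, 0 };
    const int64_t code[] = { OP_PUSH, handle, OP_COUNT, OP_HALT };
    return vm_run(&vm, code, 4, result);
}
```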