Work environment
Expected behavior
radare2 test_crash.exe opens the file in radare2 and displays the r2 shell to the user.
Actual behavior
Steps to reproduce the behavior
Architect (@CitadelArcho) and I discovered this bug and dug a bit into it.
It is caused by a malformed IMAGE_DIRECTORY_ENTRY_SECURITY containing an OID whose tag is different from 0x6.
The cause of this bug is this function (in radare2/libr/util/x509.c):
If the following condition isn't satisfied:

```c
if (object->list.objects[0] && object->list.objects[0]->klass == CLASS_UNIVERSAL && object->list.objects[0]->tag == TAG_OID)
```

(in our example object->list.objects[0]->tag != TAG_OID, with TAG_OID equal to 0x6), then ai->algorithm is still NULL, which is why

```c
char *hashtype = strdup (bin->spcinfo->messageDigest.digestAlgorithm.algorithm->string);
```

in the function Pe32_bin_pe_compute_authentihash segfaults.
So we wrote a small PoC script which turns any PE into a binary which makes radare2 crash.
Additional Logs, screenshots, source-code, configuration dump, ...