Vulnerabilities in Portable Executable (PE) File Format For Win32 Architecture

["Exurity Inc." <exurity () rogers com>]

Hi, Everyone on this list:

Please find http://members.rogers.com/exurity/pdf/PE.pdf a research paper on
the vulnerabilities of PE File Format For Win32 Architecture (especially
x86). These vulnerabilities are probably well known. Some might have been
used or exploited by many. The main concept of this research article is
about the fact that the free virtual space between sections is the hiding
place for embedded code and a launching pad for bigger mobile code, let's
not forget to mention, and security risks. Actually, for more sophisticated
embedded code, it is possible in theory to shift code around within an
executable to embed even without the free virtual space reported in this
paper.

In summary, this paper addresses a few vulnerabilities in Win32 architecture
(x86 in particular) as follows:

* The explicit linking of Dynamic Link Library executables into a process,
especially the GetProcAddress and LoadLibrary API functions, has far more
consequences than it facilitates normal program developers the flexibility
in linking to their libraries dynamically. These two API functions make the
exploit code, embedded code, and other highly mobile code possible.
* The intact PE header information, including import and export library
info, left in RAM for a process provides the strong "vines" to be followed
up for GetProcAddress and Kernel32ModuleBase from many climbing points.
* The virtual address gap between two sequential sections of one executable,
either .exe or .dll, is wide enough to harbor a few "mice that carry
elephants with them through the gap".
* Lack of checking, or weak checking mechanism, for the integrity of
executables on the operating system (and/or anti-virus programs) during the
preparation for launching executables enables the modification of executable
files and execution of new mobile code relatively easy. It seems a lot of
components fail to detect the modification of executables at all.
* Executables, once compiled, linked and delivered, are prone to be modified
by other programs and most of them do not have run-time self-protection
mechanism implemented. This weakness is not only limited to Win32
application programs. Many executable files for other operating systems fail
to check on themselves during the run-time as well. But the dynamic linking
functionalities provided on Win32 make the embedding of mobile code
especially dangerous.

Microsoft and CERT were submitted with this report before. Since these
vulnerabilities are quite fundamental, it probably will take a while to get
things fixed.
However, these vulnerabilities are probably not that new and are not
first-layer vulnerabilities as buffer overflow ones. Therefore, we release
this report as background research paper and warn the public about the
security risks. For your convenience, the EmbedMe.c source file is attached
as well.

Peter Huang

Attachment: EmbedMe.c
Description: