NEWS
X41 D-Sec GmbH Security Advisory: X41-2021-001 - Multiple Vulnerabilities in YARA
Highest Severity Rating: Medium
Confirmed Affected Versions: YARA v4.0.3 and earlier
Confirmed Patched Versions: YARA v4.0.4
Vendor: VirusTotal (Google Inc.)
Vendor URL: https://virustotal.github.io/yara
Credit: X41 D-Sec GmbH, Luis Merino
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2021-001-yara
Summary and Impact
An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker to either cause denial of service or information disclosure via a malicious Mach-O file.
Product Description
According to the official project description:
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and
classify malware samples. With YARA you can create descriptions of malware families
(or whatever you want to describe) based on textual or binary patterns. Each description,
a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic.
Integer overflow in macho_parse_fat_file()
Severity Rating: Medium
Vector: Mach-O file sample
CVE: Pending
CWE: 190
Analysis
An integer overflow in macho_parse_fat_file()
while processing the fat Mach-O file header can lead to arbitrary read.
When the arch.offset
+ arch.size
result does not fit in the uint64_t type the result will wraparound and might allow to bypass the size
< arch.offset
+ arch.size
sanity check. Afterwards, macho_parse_file()
will be called with buffer
and size
values that could be invalid, resulting in an arbitrary read and plausible infoleak or denial of service.
Proof of Concept
Parse the https://github.com/x41sec/advisories/tree/master/X41-2021-001/yara-reproducers/int-overflow-macho-parse-fat-file sample via yr_rules_scan_mem().
Out-of-bounds reads in macho_parse_file() and others
Severity Rating: Medium
Vector: Mach-O file sample
CVE: Pending
CWE: 125
Analysis
Two for-loops iterate over input buffer data
to extract and process segments and other commands. Incorrect sanity checks lead to out of bounds reads in several places.
It is also recommended to perform a sanity check on command_struct.cmdsize
, discarding those values where command_struct.cmdsize
< sizeof(yr_load_command_t)
.
Please note this needs to be patched in the two similar for-loops.
Proof of Concept
Parse the https://github.com/x41sec/advisories/tree/master/X41-2021-001/yara-reproducers/oob-macho-parse-file sample via yr_rules_scan_mem().
Out-of-bounds reads in macho_handle_segment_64() and others
Severity Rating: Medium
Vector: Mach-O file sample
CVE: Pending
CWE: 125
Analysis
macho_handle_segment_64()
reads sizeof(yr_segment_command_64_t)
bytes from command
without checking if the buffer is big enough.
This results in an out of bounds read when command
is not big enough. Infoleak or denial of service could be a plausible outcome.
It is recommended to check at least sizeof(yr_segment_command_64_t)
bytes are available in command before calling
macho_handle_segment_64()`.
The same issue occurs when calling macho_handle_segment()
, macho_handle_unixthread()
and macho_handle_main()
.
Please note that we rely here on cmdsize
having a safe value, which is checked in the fix proposed for the previous finding.
Proof of Concept
Parse the https://github.com/x41sec/advisories/tree/master/X41-2021-001/yara-reproducers/oob-macho-handle-segment, [https://github.com/x41sec/advisories/tree/master/X41-2021-001/yara-reproducers/oob-macho-handle-segment-64 samples via yr_rules_scan_mem().
Several out-of-bounds reads in macho_handle_unixthread()
Severity Rating: Medium
Vector: Mach-O file sample
CVE: Pending
CWE: 125
Analysis
macho_handle_unixthread()
reads from command
buffer without checking if the buffer is big enough.
Firstly, sizeof(yr_thread_command_t)
bytes are skipped in command
,
which could result in command
pointing out of bounds and triggering invalid
reads in subsequent command
dereferences. It is recommended to check at least
sizeof(yr_thread_command_t)
bytes are available before calling
macho_handle_unixthread()
.
Secondly, when reading the entry point for the different archs, it is assumed the buffer is big enough to read the corresponding yr_*_thread_state_t
object. A not big enough buffer would lead to out of bounds reads and maybe denial of service or infoleaks. It is recommended to check at least enough bytes are available.
Please note that we rely here on cmdsize
having a safe value, which is checked in one of the fixes proposed above.
Proof of Concept
Parse the https://github.com/x41sec/advisories/tree/master/X41-2021-001/yara-reproducers/oob-macho-handle-unixthread sample via yr_rules_scan_mem().
Out-of-bounds read in macho_is_32()
Severity Rating: Medium
Vector: Mach-O file sample
CVE: Pending
CWE: 125
Analysis
macho_parse_file()
calls macho_is_32(data)
without checking that size
is at least 4 bytes. An out-of-bounds read happens when size
< 4. Depending on the initial parsed file size, data
buffer could come from a mmaped region and the OOB read could lead to a denial of service.
It is recommended to return from the function when size
< 4.
Proof of Concept
Parse the https://github.com/x41sec/advisories/tree/master/X41-2021-001/yara-reproducers/oob-macho-is-32.v2 sample via yr_rules_scan_mem().
Timeline
2021-01-16 Issues found
2021-01-20 Issues and patches reported to the vendor
2021-01-21 Vendor reply with acknowledge and final patches
2021-01-22 CVEs request (pending)
2021-01-27 Fixed release (v4.0.4)
2021-01-28 Advisory published
About X41 D-SEC GmbH
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.