Version Affected: 3.70 Build 1747
1) A minor security issue when parsing .res files.
Demo:
http://www.4shared.com/file/yRtP77bP/Off_by_two.html
2) The size of the "IMAGE_OPTIONAL_HEADER" structure is assumed to be SizeOf(IMAGE_OPTIONAL_HEADER), 0xE0 in hex, while it can even be greater. Having the size to be of a greater value causes Restorator to discard the whole PE file.
Demo:
http://code.google.com/p/ollytlscatch/d ... x15DDs.exe
3) Restorator uses the "NumberOfRvaAndSizes" field, which can easily be forged to 0xFFFFFFFF. This causes Restorator to discard the whole PE file.
Demo:
http://code.google.com/p/ollytlscatch/d ... FFFFFF.exe
4) The section name can easily be changed from ".rsrc" to anything else. This causes Restorator to discard the whole PE.
Demo:
http://code.google.com/p/ollytlscatch/d ... o.rsrc.exe
5) Sections with the "Characteristics" field set to IMAGE_SCN_CNT_UNINITIALIZED_DATA among other characteristics are discarded by Restorator while parsed normally by the PE loader.
Demo:
http://code.google.com/p/ollytlscatch/d ... IniSec.exe
N.B. Demo executables above are seen by Windows as valid ones.
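As an added example (not part of the original post and not Restorator's code), here is a sketch of resource lookup that tolerates the header variations in items 2 to 5: it finds the section table through SizeOfOptionalHeader, caps the directory count at 16, and locates resources through data directory entry 2 instead of the section name or flags. The function names and the header-only sample image are constructed for illustration; the sample is a test fixture, not a loadable executable.

```python
import struct

MAX_DIRS, RESOURCE_DIR = 16, 2   # IMAGE_NUMBEROF_DIRECTORY_ENTRIES, IMAGE_DIRECTORY_ENTRY_RESOURCE

def find_resource_directory(pe: bytes):
    """Return (section_name, file_offset, size) of the resource directory, or None."""
    nt, = struct.unpack_from("<I", pe, 0x3C)                  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", pe, nt + 6)             # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)         # SizeOfOptionalHeader
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)                 # DataDirectory offset (PE32 / PE32+)
    if dirs is None:
        raise ValueError("unknown optional header magic")
    count, = struct.unpack_from("<I", pe, opt + dirs - 4)     # NumberOfRvaAndSizes
    # Cap the untrusted count at the fixed array size and at what the header can hold.
    count = min(count, MAX_DIRS, max(0, (opt_size - dirs) // 8))
    if count <= RESOURCE_DIR:
        return None
    rva, size = struct.unpack_from("<II", pe, opt + dirs + 8 * RESOURCE_DIR)
    if rva == 0:
        return None
    table = opt + opt_size       # section table follows the declared size, not a fixed 0xE0
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        # Match by RVA only: the section name and Characteristics are not consulted.
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return name.rstrip(b"\0").decode("latin-1"), rawptr + (rva - vaddr), size
    return None

def build_sample() -> bytes:
    """Constructed header-only image combining the header variations in items 2-5."""
    pe, nt, opt, opt_size = bytearray(0x400), 0x40, 0x58, 0xE0 + 0x10
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, nt)
    pe[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", pe, nt + 4, 0x14C, 1)             # Machine, NumberOfSections
    struct.pack_into("<H", pe, nt + 20, opt_size)             # larger than 0xE0
    struct.pack_into("<H", pe, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", pe, opt + 92, 0xFFFFFFFF)          # oversized NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 96 + 8 * RESOURCE_DIR, 0x1000, 0x80)
    table = opt + opt_size
    struct.pack_into("<8sIIII", pe, table, b".foo", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", pe, table + 36, 0x40000080)        # includes UNINITIALIZED_DATA
    return bytes(pe)

if __name__ == "__main__":
    print(find_resource_directory(build_sample()))
```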
Some Restorator Bugs
Moderator: florian
- florian
- Bome Software: Founder
- Posts: 2436
- Joined: Thu Apr 28, 2005 10:09 pm
- Location: Munich, Germany
Re: Some Restorator Bugs
Hi, thank you very much! Interesting test cases, though I'm not sure you'll see many such exe files "in the wild". I'll see about fixing those issues for the next version.
Regards,
Florian
PS: I have trouble downloading the .res file (issue 1). Could you attach it to this forum? Thanks.
-
- New User
- Posts: 2
- Joined: Thu May 31, 2012 10:51 am
Re: Some Restorator Bugs
There you go.
- Attachments
-
- Off_by_two.rar
- POC .res file.
- (124 Bytes) Downloaded 1080 times