
Some Restorator Bugs

General discussion about using Restorator.

Moderator: florian

waliedassar
New User
Posts: 2
Joined: Thu May 31, 2012 10:51 am

Some Restorator Bugs

Post by waliedassar » Thu May 31, 2012 11:40 pm

Version Affected: 3.70 Build 1747

1) A minor security issue when parsing .res files.

Demo:
http://www.4shared.com/file/yRtP77bP/Off_by_two.html

2) The size of the "IMAGE_OPTIONAL_HEADER" structure is assumed to be SizeOf(IMAGE_OPTIONAL_HEADER), 0xE0 in hex, while it can even be greater. Setting the size to a greater value causes Restorator to discard the whole PE file.

Demo:
http://code.google.com/p/ollytlscatch/d ... x15DDs.exe

3) Restorator uses the "NumberOfRvaAndSizes" field, which can easily be forged to 0xFFFFFFFF. This causes Restorator to discard the whole PE file.

Demo:
http://code.google.com/p/ollytlscatch/d ... FFFFFF.exe

4) The section name can easily be changed from ".rsrc" to anything else. This causes Restorator to discard the whole PE.

Demo:
http://code.google.com/p/ollytlscatch/d ... o.rsrc.exe

5) Sections with the "Characteristics" field set to IMAGE_SCN_CNT_UNINITIALIZED_DATA among other characteristics are discarded by Restorator while being parsed normally by the PE loader.

Demo:
http://code.google.com/p/ollytlscatch/d ... IniSec.exe

N.B. Demo executables above are seen by Windows as valid ones.
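
Added example, not part of the original posts and not Restorator's code: a resource-section lookup in Python that tolerates the header variations in items 2 to 5 of the post above. The function names, the sample builder and its header values are constructed for this example, and clamping NumberOfRvaAndSizes to 16 is this example's choice of handling.

```python
import struct

MAX_DIRS = 16          # IMAGE_NUMBEROF_DIRECTORY_ENTRIES
RESOURCE_DIR = 2       # IMAGE_DIRECTORY_ENTRY_RESOURCE
UNINITIALIZED = 0x80   # IMAGE_SCN_CNT_UNINITIALIZED_DATA

def find_resource_section(pe):
    """Return (section name, file offset of resource directory) or None."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at nt+6, SizeOfOptionalHeader at nt+20 (12 bytes skipped).
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+
    if dir_off is None:
        raise ValueError("unknown optional header magic")
    # Issue 3: NumberOfRvaAndSizes is untrusted input; clamp it instead of rejecting.
    n_dirs = min(struct.unpack_from("<I", pe, opt + dir_off - 4)[0], MAX_DIRS)
    if n_dirs <= RESOURCE_DIR:
        return None
    rva, size = struct.unpack_from("<II", pe, opt + dir_off + 8 * RESOURCE_DIR)
    if rva == 0 or size == 0:
        return None
    # Issue 2: the section table follows SizeOfOptionalHeader bytes, not a fixed 0xE0.
    table = opt + opt_size
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        # Issues 4 and 5: match on the RVA range; ignore Name and Characteristics.
        if va <= rva < va + max(vsize, raw_size):
            return name.rstrip(b"\0").decode("latin-1"), raw_ptr + (rva - va)
    return None

def build_sample(opt_size=0xE0, n_dirs=16, name=b".rsrc", chars=0x40000040):
    """Constructed PE32 headers only (not loadable): one section at RVA 0x1000."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, n_dirs)
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_DIR, 0x1000, 0x100)
    sec = struct.pack("<8sIIIIIIHHI", name, 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec

if __name__ == "__main__":
    for kw in ({}, {"opt_size": 0xF0}, {"n_dirs": 0xFFFFFFFF}, {"name": b"anything"}, {"chars": 0x40000040 | UNINITIALIZED}):
        print(kw, find_resource_section(build_sample(**kw)))
```

Each variant resolves to the same resource directory offset because the lookup is driven by the data directory RVA and SizeOfOptionalHeader rather than by fixed sizes, the section name or its flags.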

florian
Bome Software: Founder
Posts: 2435
Joined: Thu Apr 28, 2005 10:09 pm
Location: Munich, Germany

Re: Some Restorator Bugs

Post by florian » Fri Jun 01, 2012 12:42 pm

Hi, thank you very much! Interesting test cases, though I'm not sure you'll see many such exe files "in the wild". I'll see to fixing those issues for the next version.

Regards,
Florian

PS: I have trouble downloading the .res file (issue 1). Could you attach it to this forum? Thanks.

waliedassar
New User
Posts: 2
Joined: Thu May 31, 2012 10:51 am

Re: Some Restorator Bugs

Post by waliedassar » Fri Jun 01, 2012 1:00 pm

There you go.
Attachments
Off_by_two.rar
POC .res file.
(124 Bytes) Downloaded 1015 times
