Big Batch of Bugs Fixed in Various Versions of IDA

The makers of the popular IDA disassembler and debugger have fixed more than a dozen security vulnerabilities across several versions of the product. Some of the bugs were reported as far back as 2011, and patches are provided for versions from 6.1 up through 6.6.

IDA is a tool used by malware analysts, security researchers and many others to dig into the innards of binaries and see how they work. It maps out the execution paths of a binary and helps expose hidden and potentially malicious behavior. The tool also includes a debugger that can step through code, including code running in virtualized environments.

On Friday, the makers of IDA announced a major set of security updates for numerous versions of the product that repair a series of potentially critical flaws. One of the flaws is a vulnerability in the IDA kernel.

“Vulnerability in the kernel triggered by a specially malformed database. The TIL part of the malformed database could be used to trigger the vulnerability,” the IDA advisory says.

That vulnerability was patched in versions 6.5 and 6.6. There is also a vulnerability in the Mach-O loader, triggered by a specially crafted input file, that is fixed in IDA 6.4. The oldest vulnerability is a flaw in the WinDbg debugger module that was reported in April 2011, and a potential vulnerability in qrealloc() and qrealloc_or_throw() is fixed in version 6.1. Most of the bugs are triggered by a malformed IDA database (.idb) or by a malformed input file in one of the loaders, so the practical exposure is to analysts who open databases or samples from untrusted sources, which is exactly what a malware analyst does all day.

Here’s the full list of fixes in IDA:

  1. Vulnerability in the WinDbg debugger module, reported by –undisclosed– on 2011-04-10 at 01:58. A specially crafted idb file could lead to launching the debugger on any file. This affects early copies of 6.1 running on MS Windows.
  2. Potential vulnerability in qrealloc() and qrealloc_or_throw(), reported by Masaaki Chida on 2011-04-20 at 17:58. We provide a fix for v6.1.
  3. Vulnerability in idapython, reported by Greg MacManus on 2012-03-19 at 19:50. IDA could load some scripts with predetermined names from the directory with the input file. We provide fixes for both 6.1 and 6.2
  4. Vulnerability in the btree database engine triggered by a specially malformed database. We do not have POC code and it is not very likely that the vulnerability is exploitable, but we publish this fix anyway. The vulnerability was reported by Corey Kallenberg on 2012-04-09 at 18:44. We provide fixes for all versions >= 6.1 (we updated this fix on 2013-05-29; it would erroneously complain about some databases)
  5. Vulnerability in the .net processor module triggered by a specially crafted database. The vulnerability was reported by Masaaki Chida on 2013-07-07 at 01:33. We provide a fix for v6.3 and v6.4
  6. Vulnerability in the windbg plugin triggered by a specially crafted database. The vulnerability was reported by Masaaki Chida on 2013-07-15 at 19:14. We provide a fix for v6.4
  7. Vulnerability in the hint calculation triggered by a specially crafted database. The vulnerability was reported by Masaaki Chida on 2013-07-21 at 11:13. We provide a fix for v6.4
  8. Vulnerability in the mach-o loader triggered by a specially crafted input file. The vulnerability was reported by George Hotz on 2014-01-05 at 01:07. We provide a fix for IDA version v6.4. IDA v6.5 build 140115 includes the fix, so there is no need for a separate fix for it.
  9. Vulnerability in the kernel triggered by a specially malformed database. The TIL part of the malformed database could be used to trigger the vulnerability. The vulnerability was reported by Tadashi Kobayashi on 2014-06-09 at 17:52. We provide a fix for v6.5 and v6.6.
  10. qrealloc() could manage to allocate 0xDEADBEEF bytes on Linux64. This value was used to force a std::bad_alloc exception, and a successful memory allocation was not what other parts of IDA were expecting. The bug was reported by Mateusz Jurczyk on 2014-09-06 at 12:54. We provide a fix for v6.5 and v6.6.
  11. COFF: a maliciously truncated symbol table could lead to memory corruption. The bug was reported by Mateusz Jurczyk on 2014-09-06 at 12:54. We provide a fix for v6.5 and v6.6.
  12. EPOC: a specially crafted input file could lead to memory corruption. The bug was reported by Mateusz Jurczyk on 2014-09-06 at 12:54. We provide a fix for v6.5 and v6.6.
  13. DEX: a specially crafted input file could lead to memory corruption. The bug was reported by Mateusz Jurczyk on 2014-09-06 at 12:54. We provide a fix for v6.5 and v6.6.
  14. PEF: a specially crafted input file could lead to memory corruption. The bug was reported by Mateusz Jurczyk on 2014-09-06 at 12:54. We provide a fix for v6.5 and v6.6.
  15. Also the archive includes fixes for other bugs (not necessarily security bugs) discovered and fixed so far.
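The COFF entry above (a truncated symbol table leading to memory corruption) is the classic loader mistake: trusting a size field from the file header and reading that many records without checking that the bytes exist. The following is an added illustration, not Hex-Rays code and not the IDA fix, of what such a check looks like in a COFF loader. It uses the real IMAGE_FILE_HEADER layout (PointerToSymbolTable at offset 8, NumberOfSymbols at offset 12, 18-byte symbol records) on a constructed sample buffer; the function names and the sample are assumptions for the example. It shows the naive 32-bit check being defeated by a NumberOfSymbols value whose product wraps, beside a version that compares in 64 bits against the bytes actually present.

```c
/* Added example (not Hex-Rays code): bounds-checking a COFF symbol table
 * before walking it. Sample data is constructed inline for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COFF_HEADER_SIZE   20   /* IMAGE_FILE_HEADER */
#define COFF_SYMBOL_SIZE   18   /* IMAGE_SYMBOL, packed */
#define SYM_CLASS_EXTERNAL  2   /* IMAGE_SYM_CLASS_EXTERNAL */
#define SYM_CLASS_STATIC    3   /* IMAGE_SYM_CLASS_STATIC */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The unsafe shape: 32-bit arithmetic that a hostile NumberOfSymbols can wrap.
 * Returns 1 if the table "fits" according to this broken test. */
int symtab_fits_naive(const uint8_t *buf, size_t len)
{
    if (len < COFF_HEADER_SIZE) return 0;
    uint32_t off   = rd32(buf + 8);                    /* PointerToSymbolTable */
    uint32_t nsyms = rd32(buf + 12);                   /* NumberOfSymbols */
    uint32_t end   = off + nsyms * COFF_SYMBOL_SIZE;   /* wraps for large nsyms */
    return end <= len;
}

/* Hardened check: multiply and add in 64 bits and compare against the bytes
 * actually present. Returns the symbol count, or -1 if the table would extend
 * past the end of the buffer (a truncated or malicious file). */
long symtab_check(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < COFF_HEADER_SIZE) return -1;
    uint32_t off   = rd32(buf + 8);
    uint32_t nsyms = rd32(buf + 12);
    if (nsyms == 0) return 0;                          /* no table, nothing to read */
    if (off > len) return -1;
    uint64_t need = (uint64_t)nsyms * COFF_SYMBOL_SIZE;
    if (need > (uint64_t)(len - off)) return -1;       /* truncated */
    return (long)nsyms;
}

/* Walk the table only after the check passed; count external symbols. */
long count_external_symbols(const uint8_t *buf, size_t len)
{
    long nsyms = symtab_check(buf, len);
    if (nsyms < 0) return -1;
    const uint8_t *sym = buf + rd32(buf + 8);
    long ext = 0;
    for (long i = 0; i < nsyms; i++, sym += COFF_SYMBOL_SIZE)
        if (sym[16] == SYM_CLASS_EXTERNAL) ext++;      /* StorageClass byte */
    return ext;
}

/* Constructed sample: a header followed by two real symbol records (one
 * external, one static); the NumberOfSymbols field is whatever the caller says. */
#define SAMPLE_LEN (COFF_HEADER_SIZE + 2 * COFF_SYMBOL_SIZE)

static void build_sample(uint8_t out[SAMPLE_LEN], uint32_t nsyms_field)
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 0x4c; out[1] = 0x01;                      /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr32(out + 8, COFF_HEADER_SIZE);                   /* symbol table right after the header */
    wr32(out + 12, nsyms_field);
    out[COFF_HEADER_SIZE + 16] = SYM_CLASS_EXTERNAL;
    out[COFF_HEADER_SIZE + COFF_SYMBOL_SIZE + 16] = SYM_CLASS_STATIC;
}

long scenario_consistent(void)   { uint8_t b[SAMPLE_LEN]; build_sample(b, 2); return count_external_symbols(b, SAMPLE_LEN); }
long scenario_truncated(void)    { uint8_t b[SAMPLE_LEN]; build_sample(b, 3); return count_external_symbols(b, SAMPLE_LEN); }
/* 238609295 * 18 = 0x10000000E, which wraps to 14 in 32-bit arithmetic */
int  scenario_wrap_naive(void)   { uint8_t b[SAMPLE_LEN]; build_sample(b, 238609295u); return symtab_fits_naive(b, SAMPLE_LEN); }
long scenario_wrap_checked(void) { uint8_t b[SAMPLE_LEN]; build_sample(b, 238609295u); return count_external_symbols(b, SAMPLE_LEN); }

int main(void)
{
    printf("consistent file: %ld external symbol(s)\n", scenario_consistent());
    printf("truncated file: %ld (rejected)\n", scenario_truncated());
    printf("wrapped count: naive says fits=%d, checked says %ld\n",
           scenario_wrap_naive(), scenario_wrap_checked());
    return 0;
}
```

The same pattern applies to the other loader entries in the list (EPOC, DEX, PEF, Mach-O): any count or offset read from the file is attacker-controlled, so the arithmetic that turns it into a byte range has to be done in a width that cannot wrap and compared against the bytes that were actually read, not against what the header claims.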
