Vendor: Immunity Debugger
Author: Arsyntex
CVSS: 7.5 (HIGH)
Category: Crash
CWE: 476 (NULL Pointer Dereference)
Product Name: Immunity Debugger
Affected Version From: v1.85
Affected Version To: v1.85
Patch Exists: NO
Related CWE:
CPE: cpe:2.3:a:immunity:immunity_debugger:1.85:*:*:*:*:*:*:*
Metasploit:
Other Scripts:
Platforms Tested: Windows 8.1 Pro
Year: 2015

Immunity Debugger – Crash

The vulnerability exists in Immunity Debugger v1.85 and is caused by incorrect path/file extension parsing. Creating a folder named .exe.exe and placing any program inside it, or attempting to debug an executable named test.exe.exe or lib.exe.dll, triggers a crash. The root cause is that the 'OpenEXEfile' function does not check whether the return value of strchr() is zero (NULL) before passing it to strlen(), which then dereferences the NULL pointer.

Mitigation:

The vendor should update Immunity Debugger to properly handle path/file extension parsing and validate return values from functions like strchr(). Users should also ensure they are using the latest version of Immunity Debugger and exercise caution when debugging executable files with unusual names.
Source (Exploit-DB raw data):

# Title: Immunity Debugger - Crash
# Date: 08/07/2015
# Author: Arsyntex
# Vendor Homepage: http://www.immunityinc.com/products/debugger/
# Version: v1.85
# Tested on: Windows 8.1 Pro

Incorrect path/file EXtEnsion parsing.

-Create a folder with the name: .exe.exe, put any program inside and try to debug it.
-Try to debug an executable with the name: test.exe.exe or lib.exe.dll

The "OpenEXEfile" function does not check if the return value of strchr() is zero.
----------------------------------------------------------------------------------
 loc_4B8182:

      mov     [esp+10h+var_10], edi
      add     edi, 4
      mov     [esp+10h+var_C], 20h
      mov     [esp+10h+arg_24], eax
      call    strchr                 ; return EAX= 0
      mov     [esp+10h+var_10], eax
      mov     [esp+10h+arg_28], eax  ; (!)
      call    strlen                 ; ntdll.strlen(s)

---------------------------------------------------------------------
ntdll.strlen(s) - NULL parameter
---------------------------------------------------------------------
ntdll_strlen:

      mov     ecx, [esp+4]           ; [esp+4] = 0  NULL pointer
      test    ecx, 3                 ; ...
      jz      short loc_77C77510     ; jump
      ...

 loc_77C77510:

      mov     eax, [ecx]             ; Access Violation
---------------------------------------------------------------------
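The following is an added example, not code from Immunity Debugger or the advisory author. It models the pattern visible in the disassembly above, strchr(buf, 20h) (a space) followed by strlen() on the result, and places the unchecked shape beside a checked one. Treating the buffer as a command line split into program path and arguments is an assumption made for illustration; the advisory does not say what the search in OpenEXEfile is for, and the function names here are hypothetical.

```c
/* Added example, not Immunity Debugger's code. The command-line split is an
 * assumed reading of strchr(buf, ' ') followed by strlen() in the disassembly. */
#include <stddef.h>
#include <string.h>

/* Vulnerable shape: the result of strchr() goes straight into strlen().
 * When the buffer contains no space, strchr() returns NULL and strlen(NULL)
 * reads address 0, the access violation shown in ntdll.strlen above. */
size_t args_len_unchecked(const char *cmdline)
{
    const char *args = strchr(cmdline, ' ');
    return strlen(args);              /* faults when args == NULL */
}

/* Hardened shape: a NULL from strchr() is an ordinary "not found" result and
 * is handled before any dereference. Returns 1 when arguments follow the
 * program path, 0 when there are none; *args_out and *len_out describe them. */
int split_cmdline(const char *cmdline, const char **args_out, size_t *len_out)
{
    const char *sep;

    *args_out = NULL;
    *len_out = 0;
    if (cmdline == NULL)
        return 0;
    sep = strchr(cmdline, ' ');
    if (sep == NULL)                  /* the check the advisory says is missing */
        return 0;
    *args_out = sep + 1;              /* arguments start after the separator */
    *len_out = strlen(sep + 1);
    return 1;
}
```

The unchecked function is safe only while the input happens to contain a space; the checked one returns 0 for the space-free names the advisory lists (for example a path ending in test.exe.exe) instead of faulting.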