
PE: Possible invalid value for security_cookie

Open Wenzel opened this issue 4 years ago • 3 comments

Describe the bug

Requesting load_configuration.security_cookie can return an invalid value.

To Reproduce

Steps to reproduce the behavior:

  • download cmd.zip and uncompress it to get cmd.exe (winxp executable)
  • load it with lief in python
  • get the security cookie

In [1]: import lief

In [2]: pe = lief.parse("/home/wenzel/local/cmd.exe")
Unable to find the section associated with BOUND_IMPORT

In [3]: pe.load_configuration.security_cookie
Out[3]: 1255357304

Expected behavior

The issue is that winchecksec is telling me that cmd.exe doesn't have a stack cookie:

$ winchecksec cmd.exe
Dynamic Base    : "NotPresent"
ASLR            : "NotPresent"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "NotPresent"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "NotPresent"
GS              : "NotPresent"
Authenticode    : "NotPresent"
.NET            : "NotPresent"

And winchecksec GS check is implemented here, by verifying that the security cookie is != 0. So, assuming that winchecksec is correct, lief should return 0 and not 1255357304

Environment (please complete the following information):

  • System and Version : Ubuntu 20.04
  • Target format: PE
  • LIEF commit version: 0.11.0-f58605f but also reproducible with 0.10.0

Thanks !

Wenzel avatar Jan 26 '21 16:01 Wenzel

I looked at this issue. I used pefile as a reference since I have used it in the past

In [1]: import pefile

In [2]: pe = pefile.PE("/tmp/cmd.exe")

In [3]: hex(pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie)
Out[3]: '0x4ad33b78'

pestudio says the file had

image

Looking at this, I looked at other implementations and libraries I have looked at in the past. https://github.com/saferwall/pe/blob/main/loadconfig.go#L118 matches the size 0x48 identified by pestudio and has a SecurityCookie field, and building a sample program like the following also prints the same cookie:

package main

import (
        "log"

        peparser "github.com/saferwall/pe"
)

func main() {
        filename := "/tmp/cmd.exe"
        pe, err := peparser.New(filename, nil)
        if err != nil {
                log.Fatalf("Error while opening file: %s, reason: %v", filename, err)
        }

        err = pe.Parse()
        if err != nil {
                log.Fatalf("Error while parsing file: %s, reason: %v", filename, err)
        }

        log.Printf("%x\n", pe.LoadConfig.LoadCfgStruct.(peparser.ImageLoadConfigDirectory32v2).SecurityCookie)
}
(test3) [petest] ./petest
2021/11/30 13:52:50 4ad33b78

I don't know what to use as a source of truth. Maybe @Wenzel can help?

sudhackar avatar Nov 30 '21 08:11 sudhackar

Also are you sure you ran winchecksec with this attached file?

[build] ./winchecksec -j /tmp/cmd.exe | jq -r ".[].mitigations.gs.presence"
Present
[build] ./winchecksec /tmp/cmd.exe
Results for: /tmp/cmd.exe
Dynamic Base    : "NotPresent"
ASLR            : "NotPresent"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "NotPresent"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "Present"
GS              : "Present"
Authenticode    : "NotPresent"
.NET            : "NotPresent"
[build] md5sum /tmp/cmd.exe
eeb024f2c81f0d55936fb825d21a91d6  /tmp/cmd.exe

sudhackar avatar Nov 30 '21 09:11 sudhackar

This is what IDA thinks as well image image

sudhackar avatar Nov 30 '21 15:11 sudhackar

I guess this is fixed now.

romainthomas avatar Jun 04 '23 08:06 romainthomas
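
Added example (not part of the thread, and not LIEF, pefile, saferwall or winchecksec code): a standard-library Python reader for the field discussed above, the SecurityCookie member at offset 0x3C of the 32-bit load configuration structure, with the `!= 0` GS check the issue describes. The image produced by `build_sample` is constructed for the demo; the cookie value reuses the number from the reports, which is the same in decimal (1255357304) and hex (0x4ad33b78).

```python
import struct

LOAD_CONFIG_INDEX = 10   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
COOKIE_OFFSET = 0x3C     # SecurityCookie in IMAGE_LOAD_CONFIG_DIRECTORY32

def security_cookie(data):
    """Return the SecurityCookie field of a PE32 image, or None if it is absent.
    The field holds the virtual address of the cookie, not the cookie value."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24                                         # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    if struct.unpack_from("<I", data, opt + 92)[0] <= LOAD_CONFIG_INDEX:
        return None                                           # directory table too short
    rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)[0]
    if rva == 0:
        return None                                           # no load configuration
    for i in range(nsect):                                    # map RVA to file offset
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            cfg = raw + (rva - va)
            break
    else:
        raise ValueError("load config RVA is outside every section")
    size = struct.unpack_from("<I", data, cfg)[0]             # structure's own Size
    if size < COOKIE_OFFSET + 4:
        return None                                           # too short to hold the field
    return struct.unpack_from("<I", data, cfg + COOKIE_OFFSET)[0]

def gs_present(data):
    """GS heuristic as described in the issue: SecurityCookie != 0."""
    return bool(security_cookie(data))

def build_sample(cookie_va, cfg_size=0x48):
    """Constructed, minimal PE32 byte string for the demo (not a loadable program)."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<H12xH", img, 0x46, 1, 0xE0)            # 1 section, opt header size
    struct.pack_into("<H", img, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + 80, 0x1000, 0x48)  # load config entry
    struct.pack_into("<IIII", img, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section header
    struct.pack_into("<I", img, 0x200, cfg_size)              # load config Size
    struct.pack_into("<I", img, 0x200 + COOKIE_OFFSET, cookie_va)
    return bytes(img)
```

A structure whose Size stops before offset 0x40 has no SecurityCookie member at all, which the reader reports as `None` rather than as a zero cookie.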