
Fixed infinite loop when parsing dotnet TypeRef table

Open x9090 opened this issue 10 months ago • 2 comments

There was a TypeRef table infinite loop issue when the dotnet parser parsed a crafted dotnet sample with ref indexes referring to each other:

(screenshot: problematic-dotnet) Let me know if you need the sample for testing; I could upload it here.

Checklist

  • [x] No CHANGELOG update needed
  • [x] No new tests needed
  • [x] No documentation update needed

x9090, Apr 02 '24 08:04
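As an added example (not capa's or dnfile's code) of the failure the PR describes: a constructed model of the TypeRef table in which two rows scope to each other, walked by a nested-name resolver that detects the cycle instead of looping. The row layout, the `Outer/Inner` separator and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class TypeRefRow:
    """ECMA-335 TypeRef row (constructed model, not dnfile's); only TypeRef/AssemblyRef scopes modelled."""
    name: str
    namespace: str
    scope_typeref: Optional[int] = None   # 1-based TypeRef row index if the type is nested
    scope_assembly: Optional[str] = None  # AssemblyRef name if the type is top-level

def resolve_nested_name(table: Dict[int, TypeRefRow], index: int) -> str:
    """Walk the ResolutionScope chain outward to build 'ns.Outer/Inner' (IL-style separator,
    an assumption). A resolver that just loops 'while the scope is a TypeRef' spins forever
    when row A scopes to row B and B back to A; `seen` turns that into a ValueError."""
    names: List[str] = []
    seen = set()
    cur = index
    while True:
        if cur in seen:
            raise ValueError(f"ResolutionScope cycle through TypeRef rows {sorted(seen)}")
        seen.add(cur)
        row = table.get(cur)
        if row is None:
            raise ValueError(f"ResolutionScope points at missing TypeRef row {cur}")
        names.insert(0, row.name)
        if row.scope_typeref is None:
            break  # outermost type reached; its namespace covers the whole chain
        cur = row.scope_typeref
    return (f"{row.namespace}." if row.namespace else "") + "/".join(names)

def resolve_all(table: Dict[int, TypeRefRow]) -> Dict[int, str]:
    """Resolve every row; a malformed chain yields an 'ERROR: ...' entry, not a hang."""
    out: Dict[int, str] = {}
    for idx in sorted(table):
        try:
            out[idx] = resolve_nested_name(table, idx)
        except ValueError as e:
            out[idx] = f"ERROR: {e}"
    return out

# Constructed TypeRef table: rows 1-2 are well formed, rows 3-6 are crafted.
CRAFTED_TABLE: Dict[int, TypeRefRow] = {
    1: TypeRefRow("Dictionary`2", "System.Collections.Generic", scope_assembly="mscorlib"),
    2: TypeRefRow("Enumerator", "", scope_typeref=1),  # legitimately nested in row 1
    3: TypeRefRow("A", "", scope_typeref=4),           # 3 -> 4 -> 3: the reported loop
    4: TypeRefRow("B", "", scope_typeref=3),
    5: TypeRefRow("Self", "", scope_typeref=5),        # row scoped to itself
    6: TypeRefRow("Dangling", "", scope_typeref=99),   # index past the end of the table
}
```

Running `resolve_all(CRAFTED_TABLE)` resolves rows 1 and 2 normally and reports rows 3 to 6 as errors, so one crafted pair of indexes no longer stalls the whole extraction.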

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot], Apr 02 '24 08:04

Hi @x9090 , thank you for the find and suggested fix - apologies for not getting back to you sooner! Please update the sample for testing and review the CLA requirements so we can move this PR forward.

mike-hunhoff, Apr 15 '24 16:04

@x9090 would you please sign the CLA so that we can merge this PR into capa? We'd love to get it in as part of the v7.1 release soon.

williballenthin, Jun 07 '24 08:06

friendly bump, @x9090

mr-tz, Jun 11 '24 12:06

Without the CLA signed, we cannot merge this PR.

I haven't been able to find the file shown in the screenshot on VT, so I can't reproduce this nor reimplement it.

Perhaps we should close this PR until @x9090 returns?

williballenthin, Jun 13 '24 08:06

yes, let's wait for that or other people raising this issue

mr-tz, Jun 13 '24 09:06

I haven't been able to find the file shown in the screenshot on VT, so I can't reproduce this nor reimplement it.

Can we hunt for it on VT using a YARA rule? :)

r0ny123, Jun 13 '24 09:06

I did some VTGrep searches for the random looking strings in the screenshot and didn't come up with anything. Have you had any luck?

williballenthin, Jun 13 '24 09:06

I mean crafting a YARA for that specific behaviour mentioned. Possible?

r0ny123, Jun 13 '24 09:06

Maybe by using the YARA .NET extension.

It might be easier to manually craft a file by hand: just tweak two bytes (the table references).

williballenthin, Jun 13 '24 11:06