Hi @ll,

although puTTY finally offers MSI packages as primary installers on
<http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html>, they
still provide an executable installer putty-0.68-installer.exe (see
<http://seclists.org/fulldisclosure/2016/Mar/12>), still created with
InnoSetup.

putty-0.68-installer.exe is a DEFECTIVE "portable executable" image
(see DUMPBIN output below)!

JFTR: unfortunately Windows' module loader covers these bugs and loads
such defective PE image files.

DEFECTS:
~~~~~~~~

1. all (here: 8) IMAGE_IMPORT_DESCRIPTOR entries in the IMPORT directory
   are INVALID: their Characteristics/OriginalFirstThunk fields contain 0
   instead of the RVA of the import lookup table!

   From the PE/COFF specification, available via
   <https://www.microsoft.com/en-us/download/details.aspx?id=19509>, or
   <https://msdn.microsoft.com/en-us/magazine/ms809762.aspx>,
   "Table 8. IMAGE_IMPORT_DESCRIPTOR":

   | Offset  Size  Field              Description
   | 0       4     Import Lookup      The RVA of the import lookup table.
   |               Table RVA          This table contains a name or ordinal
   |               (Characteristics)  for each import. (The name
   |                                  "Characteristics" is used in Winnt.h,
   |                                  but no longer describes this field.)

2. the IMPORT directory holds 2 IMAGE_IMPORT_DESCRIPTOR entries for each
   of "kernel32.dll", "user32.dll" and "advapi32.dll", even with duplicate
   names (WriteFile, ReadFile, VirtualAlloc for example).
   It should have only 1 IMAGE_IMPORT_DESCRIPTOR for each DLL!

   From the PE/COFF specification (see above):

   | Import Directory Table
   | ...
   | The import directory table consists of an array of import directory
   | entries, one entry for each DLL to which the image refers.

3. The "DLL characteristics" 0x8140 in the IMAGE_OPTIONAL_HEADER (see
   <https://msdn.microsoft.com/en-us/library/ms680339.aspx>) specifies
   IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, but the image file has no VALID
   relocation info:

   3.a) both RVA and size of the IMAGE_DIRECTORY_ENTRY_BASERELOC entry
        are 0!
   3.b) a ".reloc" section is present with (virtual) size 0x091C, but its
        file offset and size are both 0!
   3.c) the "PE characteristics" 0x818F specifies "relocations stripped"!

Minor bugs:
~~~~~~~~~~~

4. the ".rsrc" section contains different icons for language id 0x0409
   "en-US" and 0x0413 "nl-NL", but only for the icons 1 to 4, not for the
   icons 5 to 9.
   All icons should have the language id 0x0000, i.e. NEUTRAL!

5. all STRING resources have the language id 0x0000, although the strings
   are available in english only!

6. both the MANIFEST and the VERSIONINFO resource have language id 0x0409
   "en-US". Both should have the language id 0x0000, i.e. NEUTRAL!
   For VERSIONINFO resources, the language of its entries is specified
   WITHIN the resource itself, not in its header!
   The language id within the VERSIONINFO resource of
   putty-0.68-installer.exe is 0x0000, despite the english only strings
   "This installation was built with Inno Setup." in "Comments",
   "PuTTY Setup" in "FileDescription" and "Release 0.68" in "FileVersion".

7. the timestamp in the PE header of putty-0.68-installer.exe is
   0x2A425E19, which is "Friday, 1992-06-19 22:22:17 UTC".

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-02-24    report sent to authors of puTTY and InnoSetup
2017-02-25    reply from puTTY: "Unfortunately we have no interest in your
              intemperate tirade. Please bother InnoSetup's author about it
              rather than us."
              NO reply from InnoSetup, not even an acknowledgement of receipt.
2017-03-04    report published

Evidence:
~~~~~~~~~

X:\>link.exe /dump /headers /imports putty-0.68-installer.exe
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file putty-0.68-installer.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               8 number of sections
        2A425E19 time date stamp Sat Jun 20 00:22:17 1992
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
            818F characteristics
                   Relocations stripped
                   ~~~~~~~~~~~~~~~~~~~~
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   Bytes reversed
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            2.25 linker version
            A200 size of code
            6A00 size of initialized data
               0 size of uninitialized data
            AA98 entry point (0040AA98)
            1000 base of code
            C000 base of data
          400000 image base (00400000 to 00417FFF)
            1000 section alignment
             200 file alignment
            1.00 operating system version
            6.00 image version
            4.00 subsystem version
               0 Win32 version
           18000 size of image
             400 size of headers
          241218 checksum
               2 subsystem (Windows GUI)
            8140 DLL characteristics
                   Dynamic base
                   ~~~~~~~~~~~~
                   NX compatible
                   Terminal Server Aware
          100000 size of stack reserve
            4000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            E000 [     97C] RVA [size] of Import Directory
           12000 [    5970] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
          237760 [    37A0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
                                                 ~~~~~~~~~~~~
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
           10000 [      18] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
    CODE name
    A1D0 virtual size
    1000 virtual address (00401000 to 0040B1CF)
    A200 size of raw data
     400 file pointer to raw data (00000400 to 0000A5FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
    DATA name
     250 virtual size
    C000 virtual address (0040C000 to 0040C24F)
     400 size of raw data
    A600 file pointer to raw data (0000A600 to 0000A9FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #3
     BSS name
     E94 virtual size
    D000 virtual address (0040D000 to 0040DE93)
       0 size of raw data
    AA00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000000 flags
         Read Write

SECTION HEADER #4
  .idata name
     97C virtual size
    E000 virtual address (0040E000 to 0040E97B)
     A00 size of raw data
    AA00 file pointer to raw data (0000AA00 to 0000B3FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

  Section contains the following imports:

    kernel32.dll
    ~~~~~~~~~~~~
              40E0B4 Import Address Table
                   0 Import Name Table
                   ~~~~~~
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 DeleteCriticalSection
                   0 LeaveCriticalSection
                   0 EnterCriticalSection
                   0 InitializeCriticalSection
                   0 VirtualFree
                   0 VirtualAlloc
                   0 LocalFree
                   0 LocalAlloc
                   0 WideCharToMultiByte
                   0 TlsSetValue
                   0 TlsGetValue
                   0 MultiByteToWideChar
                   0 GetModuleHandleA
                   0 GetLastError
                   0 GetCommandLineA
                   0 WriteFile
                   0 SetFilePointer
                   0 SetEndOfFile
                   0 RtlUnwind
                   0 ReadFile
                   0 RaiseException
                   0 GetStdHandle
                   0 GetFileSize
                   0 GetSystemTime
                   0 GetFileType
                   0 ExitProcess
                   0 CreateFileA
                   0 CloseHandle

    user32.dll
    ~~~~~~~~~~
              40E128 Import Address Table
                   0 Import Name Table
                   ~~~~~~
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 MessageBoxA

    oleaut32.dll
              40E130 Import Address Table
                   0 Import Name Table
                   ~~~~~~
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 VariantChangeTypeEx
                   0 VariantCopyInd
                   0 VariantClear
                   0 SysStringLen
                   0 SysAllocStringLen

    advapi32.dll
    ~~~~~~~~~~~~
              40E148 Import Address Table
                   0 Import Name Table
                   ~~~~~~
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 RegQueryValueExA
                   0 RegOpenKeyExA
                   0 RegCloseKey
                   0 OpenProcessToken
                   0 LookupPrivilegeValueA

    kernel32.dll
    ~~~~~~~~~~~~
              40E160 Import Address Table
                   0 Import Name Table
                   ~~~~~~
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 WriteFile
                   0 VirtualQuery
                   0 VirtualProtect
                   0 VirtualFree
                   0 VirtualAlloc
                   0 Sleep
                   0 SizeofResource
                   0 SetLastError
                   0 SetFilePointer
                   0 SetErrorMode
                   0 SetEndOfFile
                   0 RemoveDirectoryA
                   0 ReadFile
                   0 LockResource
                   0 LoadResource
                   0 LoadLibraryA
                   0 IsDBCSLeadByte
                   0 GetWindowsDirectoryA
                   0 GetVersionExA
                   0 GetVersion
                   0 GetUserDefaultLangID
                   0 GetSystemInfo
                   0 GetSystemDirectoryA
                   0 GetSystemDefaultLCID
                   0 GetProcAddress
                   0 GetModuleHandleA
                   0 GetModuleFileNameA
                   0 GetLocaleInfoA
                   0 GetLastError
                   0 GetFullPathNameA
                   0 GetFileSize
                   0 GetFileAttributesA
                   0 GetExitCodeProcess
                   0 GetEnvironmentVariableA
                   0 GetCurrentProcess
                   0 GetCommandLineA
                   0 GetACP
                   0 InterlockedExchange
                   0 FormatMessageA
                   0 FindResourceA
                   0 DeleteFileA
                   0 CreateProcessA
                   0 CreateFileA
                   0 CreateDirectoryA
                   0 CloseHandle

    user32.dll
    ~~~~~~~~~~
              40E218 Import Address Table
                   0 Import Name Table
                   ~~~~~~
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 TranslateMessage
                   0 SetWindowLongA
                   0 PeekMessageA
                   0 MsgWaitForMultipleObjects
                   0 MessageBoxA
                   0 LoadStringA
                   0 ExitWindowsEx
                   0 DispatchMessageA
                   0 DestroyWindow
                   0 CreateWindowExA
                   0 CallWindowProcA
                   0 CharPrevA

    comctl32.dll
              40E24C Import Address Table
                   0 Import Name Table
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 InitCommonControls

    advapi32.dll
    ~~~~~~~~~~~~
              40E254 Import Address Table
                   0 Import Name Table
                   0 time date stamp
                   0 Index of first forwarder reference

                   0 AdjustTokenPrivileges

SECTION HEADER #5
    .tls name
       8 virtual size
    F000 virtual address (0040F000 to 0040F007)
       0 size of raw data
    B400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000000 flags
         Read Write

SECTION HEADER #6
  .rdata name
      18 virtual size
   10000 virtual address (00410000 to 00410017)
     200 size of raw data
    B400 file pointer to raw data (0000B400 to 0000B5FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
50000040 flags
         Initialized Data
         Shared
         Read Only

SECTION HEADER #7
  .reloc name
  ~~~~~~
     91C virtual size
   11000 virtual address (00411000 to 0041191B)
       0 size of raw data
  ~~~~~~
       0 file pointer to raw data
  ~~~~~~
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
50000040 flags
         Initialized Data
         Shared
         Read Only

SECTION HEADER #8
   .rsrc name
    6000 virtual size
   12000 virtual address (00412000 to 00417FFF)
    5A00 size of raw data
    B600 file pointer to raw data (0000B600 to 00010FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
50000040 flags
         Initialized Data
         Shared
         Read Only

  Summary

        1000 .idata
        1000 .rdata
        1000 .reloc
        6000 .rsrc
        1000 .tls
        1000 BSS
        B000 CODE
        1000 DATA

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
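As an added example (not part of Stefan Kanthak's report, and not code from the puTTY or InnoSetup projects), the following Python script parses the headers of a PE32 image with the standard library only and flags the three header defects enumerated in the report: IMAGE_IMPORT_DESCRIPTOR entries whose OriginalFirstThunk is 0, more than one descriptor per DLL, and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE set while relocation data is unusable (empty base relocation directory, IMAGE_FILE_RELOCS_STRIPPED set, or a .reloc section without raw data). It also decodes the header timestamp. So that it runs offline, build_sample_pe() constructs a minimal PE32 in memory that reproduces those defects (and a clean counterpart); the structure offsets follow the PE/COFF specification, all sample values are constructed, and the DLL and function names are merely borrowed from the dump above. audit_pe() accepts the bytes of any real PE32 file as well.

```python
"""Audit a PE32 image for the import-descriptor and relocation defects
described in the report. Constructed example, not Stefan Kanthak's tooling."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
DIR_IMPORT, DIR_BASERELOC = 1, 5          # IMAGE_DIRECTORY_ENTRY_* indices


def parse_headers(data):
    """Return file header fields, data directories and section headers of a PE32 image."""
    pe = struct.unpack_from('<I', data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    _, nsect, stamp, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', data, pe + 4)
    opt = pe + 24                                                 # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 images are handled here')
    dllchar = struct.unpack_from('<H', data, opt + 70)[0]         # DllCharacteristics
    ndirs = struct.unpack_from('<I', data, opt + 92)[0]           # NumberOfRvaAndSizes
    dirs = [struct.unpack_from('<II', data, opt + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))
    raw = [struct.unpack_from('<8sIIII', data, opt + opt_size + 40 * i) for i in range(nsect)]
    sections = [(n.rstrip(b'\0').decode(), vs, va, rs, rp) for n, vs, va, rs, rp in raw]
    return {'stamp': stamp, 'chars': chars, 'dllchar': dllchar, 'dirs': dirs, 'sections': sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section that contains it."""
    for _, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError('RVA %#x is not backed by any section' % rva)


def audit_pe(data):
    """Walk the import directory and relocation metadata; return DLL list and findings."""
    hdr = parse_headers(data)
    secs, findings, dlls = hdr['sections'], [], []
    imp_rva = hdr['dirs'][DIR_IMPORT][0]
    off = rva_to_offset(secs, imp_rva) if imp_rva else None
    while off is not None:                                        # one IMAGE_IMPORT_DESCRIPTOR per turn
        oft, stamp, fwd, name_rva, ft = struct.unpack_from('<5I', data, off)
        if not (oft or stamp or fwd or name_rva or ft):
            break                                                 # all-zero terminator entry
        noff = rva_to_offset(secs, name_rva)
        dll = data[noff:data.index(b'\0', noff)].decode('ascii')
        if oft == 0:                                              # defect 1 of the report
            findings.append('import descriptor for %s has OriginalFirstThunk == 0' % dll)
        if dll.lower() in dlls:                                   # defect 2
            findings.append('duplicate import descriptor for %s' % dll)
        dlls.append(dll.lower())
        off += 20
    if hdr['dllchar'] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:   # defect 3 (a, c, b)
        if 0 in hdr['dirs'][DIR_BASERELOC]:
            findings.append('DYNAMIC_BASE set but base relocation directory is empty')
        if hdr['chars'] & IMAGE_FILE_RELOCS_STRIPPED:
            findings.append('DYNAMIC_BASE set but IMAGE_FILE_RELOCS_STRIPPED is also set')
        for name, _, _, rawsize, rawptr in secs:
            if name == '.reloc' and (rawsize == 0 or rawptr == 0):
                findings.append('.reloc section has no raw data (size %#x, offset %#x)' % (rawsize, rawptr))
    stamp = datetime.fromtimestamp(hdr['stamp'], timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')
    return {'timestamp': stamp, 'dlls': dlls, 'findings': findings}


def build_sample_pe(defective):
    """Construct a minimal PE32 in memory (constructed test data, not a real installer).
    defective=True reproduces the report's header defects; False builds a clean image."""
    FA, idata_rva, idata_raw, reloc_rva = 0x200, 0x1000, 0x200, 0x2000
    entries = ([('kernel32.dll', ['WriteFile']), ('user32.dll', ['MessageBoxA']),
                ('kernel32.dll', ['ReadFile', 'WriteFile'])] if defective else
               [('kernel32.dll', ['WriteFile', 'ReadFile']), ('user32.dll', ['MessageBoxA'])])
    blob = bytearray(20 * (len(entries) + 1))                     # descriptor slots + terminator

    def append(b):                                                # append to .idata, return its RVA
        rva = idata_rva + len(blob)
        blob.extend(b)
        return rva
    for i, (dll, names) in enumerate(entries):
        hints = []
        for fn in names:
            if len(blob) % 2:                                     # hint/name entries are word aligned
                blob.append(0)
            hints.append(append(b'\0\0' + fn.encode() + b'\0'))
        table = struct.pack('<%dI' % (len(hints) + 1), *hints, 0)
        ilt, iat, name = append(table), append(table), append(dll.encode() + b'\0')
        struct.pack_into('<5I', blob, 20 * i, 0 if defective else ilt, 0, 0, name, iat)
    raw_size = -(-len(blob) // FA) * FA
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (idata_rva, 20 * (len(entries) + 1))
    dirs[DIR_BASERELOC] = (0, 0) if defective else (reloc_rva, 0x10)
    opt = struct.pack('<HBB' + 'I' * 9 + 'H' * 6 + 'I' * 4 + 'HH' + 'I' * 6,
                      0x10B, 2, 25, 0, len(blob), 0, 0, 0, idata_rva, 0x400000, 0x1000, FA,
                      1, 0, 6, 0, 4, 0, 0, 0x3000, FA, 0, 2, 0x8140,
                      0x100000, 0x4000, 0x100000, 0x1000, 0, 16)
    opt += b''.join(struct.pack('<II', *d) for d in dirs)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 2, 0x2A425E19, 0, 0, len(opt),
                           0x818F if defective else 0x010E)       # 0x010E: RELOCS_STRIPPED clear
    sec = '<8sIIIIIIHHI'
    idata = struct.pack(sec, b'.idata', len(blob), idata_rva, raw_size, idata_raw, 0, 0, 0, 0, 0xC0000040)
    reloc = (struct.pack(sec, b'.reloc', 0x91C, reloc_rva, 0, 0, 0, 0, 0, 0, 0x50000040) if defective else
             struct.pack(sec, b'.reloc', 0x10, reloc_rva, FA, idata_raw + raw_size, 0, 0, 0, 0, 0x50000040))
    hdrs = b'MZ' + b'\0' * 0x3A + struct.pack('<I', 0x40) + b'PE\0\0' + file_hdr + opt + idata + reloc
    return hdrs.ljust(idata_raw, b'\0') + bytes(blob).ljust(raw_size, b'\0') + b'\0' * FA


if __name__ == '__main__':
    for label in ('defective', 'clean'):
        rep = audit_pe(build_sample_pe(label == 'defective'))
        print(label, rep['timestamp'], rep['dlls'], *rep['findings'], sep='\n  ')
```

The checks deliberately stay at the header level, which is exactly where the loader is lenient: a descriptor with OriginalFirstThunk == 0 still loads because Windows falls back to the FirstThunk (IAT) array, and an image with DYNAMIC_BASE but no relocations simply loads at its preferred base, so none of these defects surface at run time unless a tool like this inspects the file.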