DataRescue Interactive Disassembler Pro Debugger Format String Vulnerability
     by Piotr Bania <bania.piotr@gmail.com>
     http://pb.specialised.info 
    
	
     Severity: 		 High / Medium - code execution.
     Versions affected:  Probably all versions, however tested on 4.7.0.830.


     I. BACKGROUND

     "The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, 
      muti-processor disassembler hosted on Windows or on Linux. IDA Pro has become the 
      de-facto standard for the analysis of hostile code, vulnerability research and COTS 
      validation (...) IDA supports debugging of x86 Windows PE files, AMD64 Windows PE 
      files, and x86 Linux ELF files, either locally or remotely."

      MORE AT: http://www.datarescue.com


     II. DESCRIPTION

      The problem exist when IDA Debugger tries to write informations about
      loaded dynamic link library (when LOAD_DLL_DEBUG_EVENT / UNLOAD_DLL_DEBUG_EVENT
      occurs)

      Lets look at following sample code to get a better view:

      -- snip --
      call a
      db "KERNEL32.DLL",0
      a: 
      call LoadLibraryA
      int 3
      -- snip -- 

      Following code should return KERNEL32.DLL base stored in EAX register.
      IDA Debugger shows EAX as: "EAX=77E60000 -> kernel32.dll:77E60000"
      (general registers window) - this is one of the examples. 
      However when loaded library name includes special format specifiers the
      vulnerability takes place, here is the vulnerable code:

      (disassembly of ida.wll)
      .text:012563F8                 mov     esi, [ebp+arg_0]
      .text:012563FB                 push    [ebp+arg_C]    
      .text:012563FE                 push    dword_12A27C4   
      .text:01256404                 push    0
      .text:01256406                 push    ebx             ; format string
      .text:01256407                 lea     eax, [ebp+arg_0]
      .text:0125640A                 push    eax             
      .text:0125640B                 push    offset sub_12562C0
      .text:01256410                 call    sub_011D1C78    ; parser 

      Where EBX contains format specifier supplied by attacker. 

      
     III. IMPACT

     This vulnerability after successful exploitation can allow the 
     attacker to run arbitrary code in context of current user.
     Of course if the exploitation was not successful IDA Debugger
     will fault or IDA can freeze (100% cpu - database corruption).

     Note that potencial attacker can drop "baddll" on the fly, there
     are few variants.

     IV. POC CODE

     The POC code was released for vendor.