osslsigncode Integer Underflow Vulnerability Leading to Out-of-Bounds Read

Vulnerability

A memory corruption vulnerability has been identified in osslsigncode versions prior to 2.13. The issue arises from an integer underflow in the PE page-hash computation function, pe_page_hash_calc(). When processing a PE file, the function subtracts the header size from the page size without validating that the page size is greater than or equal to the header size. This oversight allows a malicious PE file to cause the subtraction to underflow, resulting in a large unsigned length. Consequently, the code allocates a buffer of the (underflowed) page size, hashes a portion of it, and inadvertently reads beyond the allocated memory, leading to a heap-based out-of-bounds read that can crash the application.
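
The following is an added example, not osslsigncode's own code: it shows the unchecked subtraction wrapping next to a header-page hash that validates the sizes first. The function names, the FNV-1a stand-in for the real digest, and the sample sizes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PH_OK = 0, PH_BAD_SIZES = -1, PH_NOMEM = -2 };

/* Unchecked form: unsigned subtraction wraps when hdrsize > pagesize. */
static uint32_t pad_len_unchecked(uint32_t pagesize, uint32_t hdrsize)
{
    return pagesize - hdrsize;
}

/* FNV-1a, a dependency-free stand-in for the real digest (assumption). */
static uint32_t fnv1a(uint32_t h, const unsigned char *p, size_t n)
{
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Hash the header page: hdrsize bytes of file data, then zero padding up to pagesize. */
static int hash_header_page(const unsigned char *file, size_t filesize,
                            uint32_t hdrsize, uint32_t pagesize, uint32_t *digest)
{
    unsigned char *zeroes;
    uint32_t pad, h = 2166136261u;

    /* Validate file-controlled sizes before any arithmetic on them. */
    if (pagesize == 0 || hdrsize > pagesize || hdrsize > filesize)
        return PH_BAD_SIZES;
    pad = pagesize - hdrsize;          /* cannot wrap: hdrsize <= pagesize */
    zeroes = calloc(pagesize, 1);
    if (zeroes == NULL)
        return PH_NOMEM;
    h = fnv1a(h, file, hdrsize);
    h = fnv1a(h, zeroes, pad);         /* pad <= pagesize: read stays in the buffer */
    free(zeroes);
    *digest = h;
    return PH_OK;
}

int main(void)
{
    unsigned char file[0x400];         /* constructed sample input */
    uint32_t d = 0;
    memset(file, 0x41, sizeof file);
    printf("unchecked pad length: %u\n", (unsigned)pad_len_unchecked(0x200, 0x400));
    printf("checked result: %d\n", hash_header_page(file, sizeof file, 0x400, 0x200, &d));
    return 0;
}
```

With a header size of 0x400 and a page size of 0x200, the unchecked length is 4294966784 bytes, far larger than the 0x200-byte zero buffer, while the checked path rejects the file before allocating.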

Impact

Exploitation of this vulnerability causes the application to crash while processing the page hash of a PE file, creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by signing a malicious PE file with page hashing enabled, or by verifying a signed PE file that already contains page hashes. Verification does not require passing the page hashing option.

Remediation

Users are advised to upgrade to osslsigncode version 2.13, where this vulnerability has been fixed.

Added: Apr 9, 2026, 5:56 PM
Updated: Apr 9, 2026, 5:56 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.3
remediation: 7.7
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.