osslsigncode Out-of-Bounds Read Vulnerability in PE Page Hash Calculation

A vulnerability allowing out-of-bounds read has been identified in osslsigncode versions prior to 2.13. The issue arises in the PE page-hash computation function, which processes section headers without validating that the referenced data is within the bounds of the mapped file. This flaw can be exploited by crafting a PE file with section headers that point beyond the file's end. When osslsigncode hashes the pages of such a file, it may read from an invalid memory region, leading to a process crash. This vulnerability can be triggered while signing a malicious PE file with page hashing enabled or while verifying a signed PE file that already contains page hashes, without the need to pass the page hashing option during verification.

Impact

Exploitation of this vulnerability causes the application to crash, creating a denial-of-service condition.

Reproduction

To reproduce this vulnerability, use osslsigncode version 2.12 or earlier to sign a PE file with crafted section headers that point beyond the file's end. Enable page hashing during the signing process. Alternatively, verify a signed PE file that contains page hashes, without passing the page hashing option.

Remediation

Users are advised to upgrade to osslsigncode version 2.13, which addresses this vulnerability by validating section table bounds before reading section headers, thereby preventing the out-of-bounds read.