fixer

[Bug] CryptCATAdminEnumCatalogFromHash and infinite loop
« on: May 29, 2017, 12:29:11 pm »
I already hear some of you say "infinite loop in Windows API, are you serious?". Well, unfortunately I am. As I later found out, it's already discussed here: http://mnin.blogspot.ru/2013/06/how-to-dos-authenticode-signature.html. But I'll give a brief description anyway.

As you probably know, there are 2 types of digital signatures: embedded into the file and detached in a separate CAT-file. Most standard Windows files are signed with a detached signature. And CryptCATAdminEnumCatalogFromHash is the only API that can get the corresponding CAT-file, so no easy workaround here. This function searches the C:\Windows\System32\catroot2 directory by mask {????????????????????????????????????}. It may find files and folders. It checks attributes to distinguish between these two. And... here comes the interesting part... if it's a file, it gets into an infinite loop checking its attributes forever, hanging the thread and eating CPU. Ahhhmmm, okay... According to the article I gave above, this issue has been reported, but they didn't consider it a security threat, so it's still there (as you can see, for 4 years already). Partially I agree: it takes administrator access rights to write a file in that folder. On the other hand, there are lots of detached-signed files, it's the only API available, it eats CPU and hangs the thread forever, lots of security and forensic software falls victim to this. Come on, guys, how hard can it be to fix one check?

Meanwhile keep this issue in mind and execute it in a separate thread waiting for a timeout and killing it if you suspect things went south. Ugly, but I don't see any nice options here.

This issue was found several months ago; it wasn't fixed then. And according to the article, it's been there for over 4 years already. I haven't checked it since, but I suspect it will remain broken for many years to come.
« Last Edit: June 19, 2017, 12:06:03 pm by fixer »
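As an added example (not code from the post or its author), here is a PowerShell wrapper that does what the post suggests: it runs the catalog lookup for a file in a child process and kills that process if CryptCATAdminEnumCatalogFromHash has not returned within a timeout, since a thread stuck inside the native call cannot be stopped cleanly in-process. It assumes a Windows host with wintrust.dll; the function name Find-CatalogForFile, the CatAdmin P/Invoke wrapper class, the -Worker switch and the 10-second timeout are my own choices.

```powershell
param([string]$Path, [switch]$Worker, [int]$TimeoutSec = 10)   # timeout value is an assumption
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CATALOG_INFO { public uint cbStruct; [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string wszCatalogFile; }
public static class CatAdmin {   // hypothetical wrapper class; the extern declarations mirror wintrust.dll
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminAcquireContext(out IntPtr phCatAdmin, IntPtr pgSubsystem, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminCalcHashFromFileHandle(IntPtr hFile, ref uint pcbHash, byte[] pbHash, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern IntPtr CryptCATAdminEnumCatalogFromHash(IntPtr hCatAdmin, byte[] pbHash, uint cbHash, uint dwFlags, ref IntPtr phPrevCatInfo);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATCatalogInfoFromContext(IntPtr hCatInfo, ref CATALOG_INFO psCatInfo, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminReleaseCatalogContext(IntPtr hCatAdmin, IntPtr hCatInfo, uint dwFlags);
    [DllImport("wintrust.dll", SetLastError = true)] public static extern bool CryptCATAdminReleaseContext(IntPtr hCatAdmin, uint dwFlags);
}
'@

function Find-CatalogForFile([string]$File) {
    $hCatAdmin = [IntPtr]::Zero
    if (-not [CatAdmin]::CryptCATAdminAcquireContext([ref]$hCatAdmin, [IntPtr]::Zero, 0)) { throw "CryptCATAdminAcquireContext failed" }
    $fs = [System.IO.File]::OpenRead($File)
    try {
        $hFile = $fs.SafeFileHandle.DangerousGetHandle()
        $cb = [uint32]0                                          # first call only asks for the hash size
        [void][CatAdmin]::CryptCATAdminCalcHashFromFileHandle($hFile, [ref]$cb, $null, 0)
        $hash = New-Object byte[] $cb
        if (-not [CatAdmin]::CryptCATAdminCalcHashFromFileHandle($hFile, [ref]$cb, $hash, 0)) { throw "CryptCATAdminCalcHashFromFileHandle failed" }
        $prev = [IntPtr]::Zero
        # This is the call the post describes: it walks catroot2 and can spin forever on a stray file there.
        $hCatInfo = [CatAdmin]::CryptCATAdminEnumCatalogFromHash($hCatAdmin, $hash, $cb, 0, [ref]$prev)
        if ($hCatInfo -eq [IntPtr]::Zero) { return $null }       # no catalog for this hash (not catalog-signed)
        $info = New-Object CATALOG_INFO
        $info.cbStruct = [System.Runtime.InteropServices.Marshal]::SizeOf($info)
        [void][CatAdmin]::CryptCATCatalogInfoFromContext($hCatInfo, [ref]$info, 0)
        [void][CatAdmin]::CryptCATAdminReleaseCatalogContext($hCatAdmin, $hCatInfo, 0)
        return $info.wszCatalogFile
    } finally { $fs.Dispose(); [void][CatAdmin]::CryptCATAdminReleaseContext($hCatAdmin, 0) }
}

if ($Worker) { Find-CatalogForFile $Path; exit 0 }          # child mode: make the risky call, print the result

# Parent mode: run the lookup in a child process, so a hung lookup can be killed outright
# instead of being left spinning inside the caller's own address space.
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = (Get-Process -Id $PID).Path                  # same PowerShell binary as the parent
$psi.Arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Worker -Path `"$Path`""
$psi.UseShellExecute = $false; $psi.RedirectStandardOutput = $true
$proc = [System.Diagnostics.Process]::Start($psi)
if (-not $proc.WaitForExit($TimeoutSec * 1000)) { $proc.Kill(); Write-Warning "CryptCATAdminEnumCatalogFromHash did not return within ${TimeoutSec}s; worker killed. Check catroot2 for stray files."; return $null }
$proc.StandardOutput.ReadToEnd().Trim()                      # catalog path, or empty when none was found
```

Save it as a .ps1 and call it as `.\Find-Catalog.ps1 -Path C:\Windows\System32\kernel32.dll`; a timeout is reported as a warning and the script returns nothing rather than hanging the calling tool.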