This repository has been archived by the owner on Jun 12, 2024. It is now read-only.

Fix bug with multiple signatures. (VirusTotal#940)
* Fix bug with multiple signatures.

* Don't use BIO interface, use d2i instead. Fix some other small bugs and don't recurse forever when parsing nested signatures.

* Walk the X509 attributes looking for nested signatures.

* Move variable declarations out of loop.

* Move nested signature checking out of the loop.

Move the nested signature checking out of the main certificate parsing loop. The
nested signatures are on the PKCS7 structure, not the certificate. Also, make
the loop better by not processing the same attribute over and over.

These were suggested by Andrew Williams.

* If the nested signature is NULL, break early.

If the nested signature is ever NULL, break early because it will always be
NULL. Also, tighten up the checks for MAX_PE_CERTS. We aren't likely to ever
see a PE that hits the case where it has multiple certs in a single PKCS7 blob,
but it can't hurt to check in the loop too.
wxsBSD authored Feb 17, 2020
1 parent d68fbac commit 970e4d0
Showing 2 changed files with 215 additions and 164 deletions.
4 changes: 4 additions & 0 deletions libyara/include/yara/pe.h
Expand Up @@ -464,6 +464,8 @@ typedef struct _VERSION_INFO {
} VERSION_INFO, *PVERSION_INFO;


#define MAX_PE_CERTS 16

#define WIN_CERT_REVISION_1_0 0x0100
#define WIN_CERT_REVISION_2_0 0x0200
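Review bot: `#define MAX_PE_CERTS 16` is added here without a comment saying what it limits. The commit message says the limit is checked in the certificate parsing loop, so the header should state that it caps how many certificates are parsed from one PE, whether certificates reached through nested signatures count against the same cap, and what happens to certificates beyond it. Without that, someone writing rules against signature fields cannot tell from the header that a file with more than 16 certificates may be only partly represented.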

Expand All @@ -481,6 +483,8 @@ typedef struct _WIN_CERTIFICATE {
BYTE Certificate[0];
} WIN_CERTIFICATE, *PWIN_CERTIFICATE;

#define SPC_NESTED_SIGNATURE_OBJID "1.3.6.1.4.1.311.2.4.1"


//
// Rich signature.
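Review bot: `SPC_NESTED_SIGNATURE_OBJID` is placed directly after the `WIN_CERTIFICATE` typedef with no comment explaining the value `"1.3.6.1.4.1.311.2.4.1"`. Suggest a short comment saying this is the dotted-decimal OID of the attribute that carries a nested signature, and that, per the commit message, it is looked up on the PKCS7 structure rather than on the certificate. Consider also grouping it with the `WIN_CERT_REVISION_*` defines so the signature-related constants sit together instead of being split around the struct.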