SQ14142
Detected Windows executable files with sections that map header information to their own address space, which may lead to misuse of header information.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 4 | hardening: fail Reason: critical code linking issues |
About the issueโ
Windows executable files are mapped in memory as a sequence of allocated pages backed by its physical content. Programming language toolchains typically order these sections linearly both on disk and in memory. Starting executable file memory regions are reserved for the Portable Executable (PE) header. The operating system uses this information to correctly map the executable file in memory. Overlapping the header, its fields and tables with the rest of the executable is not recommended. Depending on the extent of the data overlap, this may lead to exposing critical security data to overwrites, tampering, and complete bypasses of vulnerability mitigations. This issue is typically reported when a software publisher uses a low quality executable packing solution.
How to resolve the issueโ
- You should deprecate the use of runtime packers or enforce digital rights management via less intrusive ways that preserve compatibility with vulnerability mitigation options.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- A brief introduction to PE format (External resource - Medium)