CVE-2021-45423
📋 TL;DR
A buffer overflow vulnerability in Pev 0.81 allows arbitrary code execution when processing malicious PE files. The vulnerability occurs due to improper bounds checking in the pe_exports function, where an array allocated based on NumberOfFunctions is accessed using NumberOfNames as the iteration limit. This affects any system or application using the vulnerable libpe library to parse Portable Executable files.
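The bounds check this class of flaw calls for, as an added example (not libpe's code and not taken from the advisory): a table sized by NumberOfFunctions is filled in a loop bounded by NumberOfNames, with every index validated before the write. The struct, `bind_export_names`, `avail`, `MAX_EXPORTS`, the per-name index array and the sample data are hypothetical and simplified.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption): only the two counts the advisory names. */
typedef struct {
    uint32_t NumberOfFunctions; /* sizes the allocation */
    uint32_t NumberOfNames;     /* name/ordinal pairs claimed by the file */
} export_dir_t;
#define MAX_EXPORTS 65536u /* hypothetical sanity cap for untrusted counts */

/* Bind names[i] to slot ordinals[i] of a table sized by NumberOfFunctions.
 * avail = pairs the caller has verified are really present in the file.
 * Returns the number of names bound, or -1 if the header is rejected. */
int bind_export_names(const export_dir_t *d, const uint16_t *ordinals,
                      const char *const *names, uint32_t avail,
                      const char ***table_out)
{
    *table_out = NULL;
    if (d->NumberOfFunctions == 0 || d->NumberOfFunctions > MAX_EXPORTS)
        return -1;
    if (d->NumberOfNames > avail) /* claims more pairs than exist */
        return -1;
    const char **table = calloc(d->NumberOfFunctions, sizeof *table);
    if (table == NULL) return -1;
    int bound = 0;
    for (uint32_t i = 0; i < d->NumberOfNames; i++) {
        /* Loop limit is NumberOfNames; check the index against the allocation. */
        if (ordinals[i] >= d->NumberOfFunctions)
            continue; /* out-of-range slot: skip, never write */
        table[ordinals[i]] = names[i];
        bound++;
    }
    *table_out = table;
    return bound;
}

/* Constructed sample: 2 function slots but 4 names, a mismatched header. */
int demo_mismatched_counts(void)
{
    const export_dir_t d = { 2, 4 };
    const uint16_t ord[4] = { 0, 1, 2, 3 };
    const char *const nm[4] = { "a", "b", "c", "d" };
    const char **t;
    int n = bind_export_names(&d, ord, nm, 4, &t);
    free(t);
    return n;
}
int main(void) { printf("bound=%d\n", demo_mismatched_counts()); return 0; }
```

Without the index check, the third and fourth iterations would write past the two-slot allocation; with it, only the two in-range names are bound.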
💻 Affected Systems
- Pev
- Applications using libpe library
📦 What is this software?
Pev by Pev Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the process parsing the malicious PE file, potentially leading to full system compromise.
Likely Case
Local privilege escalation or denial of service when users or automated systems process untrusted PE files.
If Mitigated
Denial of service or application crash if memory protections like ASLR are enabled, preventing reliable code execution.
🎯 Exploit Status
The vulnerability is straightforward to exploit with a crafted PE file. Public proof-of-concept exists in the GitHub issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libpe versions after the fix in commit 6b5c5a5
Vendor Advisory: https://github.com/merces/libpe/issues/35
Restart Required: No
Instructions:
1. Update libpe to a patched version.
2. Recompile any applications using libpe.
3. Update Pev to a version built with patched libpe.
🔧 Temporary Workarounds
Disable PE file processing
all: Prevent applications from processing untrusted PE files
Use memory protection controls
linux: Enable ASLR, DEP, and other memory protections to reduce exploit reliability
echo 2 > /proc/sys/kernel/randomize_va_space
sysctl -w kernel.randomize_va_space=2
🧯 If You Can't Patch
- Restrict access to Pev and applications using libpe to trusted users only
- Implement strict file upload validation to block potentially malicious PE files
🔍 How to Verify
Check if Vulnerable:
Check Pev version with 'pev --version' or examine libpe version in applications
Check Version:
pev --version
Verify Fix Applied:
Verify libpe version includes commit 6b5c5a5 or test with proof-of-concept PE file
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing PE files
- Unusual process spawning from Pev or related applications
Network Indicators:
- Unusual file transfers of PE files to systems running vulnerable software
SIEM Query:
Process:pev AND (EventID:1000 OR EventID:1001) OR ProcessCreation WHERE Image LIKE '%pev%' AND ParentImage NOT IN (trusted_processes)