Thursday, May 17, 2012

Resource Hacker Heap Overflow Vulnerability

I have discovered a vulnerability in Resource Hacker 3.6.0.92. The vulnerability occurs due to an improper way of reading strings from RT_STRING resources.

In the images below, you can see what the string table looks like.

At address 0x457C6F, there is a loop that goes through strings in the string table one by one.

The "readStringIntoBuffer" function converts the Unicode string into its ASCII form. The new ASCII string is stored in a heap-based memory block. After the "readStringIntoBuffer" function returns, the "parseIndiv_string" function is called to parse and format the strings in order to display them properly.

N.B. I have assigned the names readStringIntoBuffer and parseIndiv_string to the functions at 0x45FAE4 and 0x451C00 for the sake of simplicity.

We have to go a bit deeper and look at the "parseIndiv_string" function, since it is the vulnerable one.

The "parseIndiv_string" function allocates a new heap-based memory block whose size is equal to the ASCII string length plus 0x32. A question arises here: why 0x32?
After the new block is allocated, a loop is entered. Inside this loop, the ASCII string is copied to the new block byte by byte. But if a TAB character (0x09) or a line feed character (0x0A) is found, the two-character sequence "\t" (for 0x09) or "\n" (for 0x0A) is copied to the new block instead, so each such byte expands to two bytes in the output.

So, if we have a string with more than 0x19 (0x32/2) TABs (or line feeds), we will have a heap overflow.
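The root cause is an output buffer sized from the input length plus a fixed slack, while the escaping loop can grow the output by one byte per TAB or LF. The C program below is an added illustration written for this post; it is not Resource Hacker's code, and the function names (escaped_length, fixed_slack_overflows, escape_string_exact) and the sample strings are my own constructions. It computes the exact size the escaped form needs, compares that against the fixed-slack allocation described above to flag inputs that would not fit, and shows the usual fix: measure first, then allocate exactly what the escaped output needs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed slack added to the input length by the allocation described in the post. */
#define FIXED_SLACK 0x32

/* Bytes the escaped form of `s` needs, including the NUL terminator.
   TAB (0x09) and LF (0x0A) each expand to two bytes ("\t" / "\n"). */
size_t escaped_length(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        n += (*s == '\t' || *s == '\n') ? 2 : 1;
    return n + 1;
}

/* Size the fixed-slack scheme described above would allocate for `s`. */
size_t fixed_slack_alloc_size(const char *s)
{
    return strlen(s) + FIXED_SLACK;
}

/* 1 if the escaped form would not fit the fixed-slack allocation
   (the overflow condition), 0 otherwise. Nothing is written here;
   this is the check a fuzzer harness or a code review would apply. */
int fixed_slack_overflows(const char *s)
{
    return escaped_length(s) > fixed_slack_alloc_size(s);
}

/* Hardened variant: measure first, then allocate exactly what the escaped
   form needs. Caller frees the result. Returns NULL on allocation failure. */
char *escape_string_exact(const char *s)
{
    size_t need = escaped_length(s);
    char *out = malloc(need);
    if (!out) return NULL;
    char *p = out;
    for (; *s; s++) {
        if (*s == '\t')      { *p++ = '\\'; *p++ = 't'; }
        else if (*s == '\n') { *p++ = '\\'; *p++ = 'n'; }
        else                 *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Constructed sample input: a string table entry consisting only of TABs. */
char *make_tab_run(size_t tabs)
{
    char *s = malloc(tabs + 1);
    if (!s) return NULL;
    memset(s, '\t', tabs);
    s[tabs] = '\0';
    return s;
}

int main(void)
{
    const char *small = "Name:\tValue\n";   /* constructed: one TAB, one LF */
    char *big = make_tab_run(60);            /* constructed: 60 TABs */
    if (!big) return 1;

    printf("small: escaped needs %zu bytes, fixed-slack scheme allocates %zu -> %s\n",
           escaped_length(small), fixed_slack_alloc_size(small),
           fixed_slack_overflows(small) ? "OVERFLOW" : "fits");
    printf("60 TABs: escaped needs %zu bytes, fixed-slack scheme allocates %zu -> %s\n",
           escaped_length(big), fixed_slack_alloc_size(big),
           fixed_slack_overflows(big) ? "OVERFLOW" : "fits");

    char *e = escape_string_exact(small);
    if (e) { printf("exact-size escape: %s\n", e); free(e); }
    free(big);
    return 0;
}
```

The design point is that the allocation size must be derived from the same rule the copy loop applies (two bytes per TAB or LF), not from the input length plus a constant; any constant slack can be exceeded by an input with enough expandable bytes.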

A POC can be found here.

You can follow me on Twitter @waleedassar
