Forensics Bugs (#2 rifitui)

rifitui is a tool to recover Windows recycle bins.

  int currrecoff;
  int recordsize;

...

  pread( info2_file, fourbytes, 4, 0x0C );
  recordsize = bah_to_i( fourbytes, 4 );

  record = malloc( recordsize );

...

  while (eof == 0) {
    res = pread( info2_file, record, recordsize, currrecoff );
    if (res < recordsize) {
      eof = 1;
    } else {
      filename = record + 0x04;
      index = bah_to_i( record+0x108, 4 );
      drive = bah_to_i( record+0x10C, 4 );

      deltime = win_time_to_unix( record+0x110 );
      deltm = localtime( &deltime );
      year = deltm->tm_year + 1900;
      mon = deltm->tm_mon + 1;
      sprintf( ascdeltime, "%02d/%02d/%02d %02d:%02d:%02d", mon, deltm->tm_mday, year, deltm->tm_hour, deltm->tm_min, deltm->tm_sec );

      filesize = bah_to_i( record+0x118, 4 );

      printf( "%d%s%s%s%d%s%s%s%d\n", index, delim, ascdeltime, delim, drive, delim, filename, delim, filesize );
    }
    currrecoff = currrecoff + recordsize;

It's not a big bug, but file offsets should probably be 64bit off_t and not int types. There is potential for integer overflows and other issues.

Comments

Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

Linux Kernel Infoleaks

InfoSect's Month of Pointless Bugs (#1, #2)