InfoSect's Month of Pointless Bonus Bugs (#34)
InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.
Bonus Bug #34
Another bios decompression bug. This time in awardeco.
typedef struct
{
    byte HeadLen;
    byte HeadCrc;
    byte Method[5];
    dword PackLen;
    dword RealLen;
    dword TStamp;
    byte Attr;
    byte Level;
    byte FilenameLen;      /* one byte, read straight from the BIOS image */
    byte FileName[12];     /* fixed 12-byte name field */
    word CRC16;
    byte DOS;
    word Empty;
} LZHHead;

/*---------------------------------
XtractAwd
----------------------------------*/
byte XtractAwd(FILE *ptx, byte Action, dword DecoOff, dword FirstOff, byte isASUS)
{
    FILE *pto;
    interfacing interface;
    byte PartTotal=0, CntMods = 0;
    NewLZHHead head;       /* header type presumably declared elsewhere in awardeco */
    byte Buf[32], Buf2[128], Len = 0xFF;   /* Buf2: 128-byte stack buffer */
    dword i, k, CurPos = 0;
    byte SkipMech = 0;
    ...
    case Xtract:
        /* Xtracting Part */
        printf("\n %2.2i (%24.24s): ", CntMods++, head.FileName );
        /* note: the lone '%' before the comma is as in the original; '%%' prints a literal percent */
        printf(" %5.5X => %6.6X, %2.2i%, ID: %8.8X",
               head.PackLen,
               head.RealLen,
               ( 100 * head.PackLen / head.RealLen),
               head.TStamp);
        /* FilenameLen is used unchecked as the copy length into Buf2 */
        memcpy(Buf2,head.FileName,head.FilenameLen);
        Buf2[head.FilenameLen] = '\x0';
There is no input validation on FilenameLen. It's only one byte, but the code doesn't check the sign or bound it, so a value of up to 255 overflows the 128-byte Buf2 buffer on the stack.
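As an added example (not awardeco's code), here is the FileName copy with the missing bounds check. The struct mirrors the quoted LZHHead layout using stdint types, and the header contents are constructed; a real parser would also need explicit struct packing for on-disk data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not awardeco's code. Mirrors the LZHHead layout quoted
 * above (stdint types, unpacked; on-disk parsing would need packing). */
typedef struct {
    uint8_t  HeadLen, HeadCrc, Method[5];
    uint32_t PackLen, RealLen, TStamp;
    uint8_t  Attr, Level, FilenameLen, FileName[12];
    uint16_t CRC16;
    uint8_t  DOS;
    uint16_t Empty;
} LZHHead;

/* Bounds-checked replacement for the memcpy(Buf2, ...) in XtractAwd.
 * Returns 0 and a NUL-terminated name on success, -1 when FilenameLen
 * exceeds the 12-byte source field or leaves no room in the destination. */
int copy_filename(const LZHHead *h, char *out, size_t outlen)
{
    size_t n = h->FilenameLen;             /* 0..255, read from the file */
    if (n > sizeof h->FileName) return -1; /* would read past FileName[] */
    if (n >= outlen) return -1;            /* would overflow out / lose NUL */
    memcpy(out, h->FileName, n);
    out[n] = '\0';
    return 0;
}

/* Constructed header for testing: fixed sample name, caller-chosen FilenameLen. */
LZHHead make_header(uint8_t filename_len)
{
    LZHHead h;
    memset(&h, 0, sizeof h);
    memcpy(h.FileName, "SAMPLE01.ROM", sizeof h.FileName);
    h.FilenameLen = filename_len;
    return h;
}

int main(void)
{
    char buf2[128];
    LZHHead ok = make_header(12), bad = make_header(255);
    printf("len 12:  %d (%s)\n", copy_filename(&ok, buf2, sizeof buf2), buf2);
    printf("len 255: %d\n", copy_filename(&bad, buf2, sizeof buf2));
    return 0;
}
```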