InfoSect's Month of Pointless Bonus Bugs (#34)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bonus Bug #34

Another bios decompression bug. This time in awardeco.

typedef struct
                byte    HeadLen;
                byte    HeadCrc;
                byte    Method[5];
                dword   PackLen;
                dword   RealLen;
                dword   TStamp;
                byte    Attr;
                byte    Level;
                byte    FilenameLen;
                byte    FileName[12];
                word    CRC16;
                byte    DOS;
                word    Empty;

        } LZHHead;


byte XtractAwd(FILE *ptx, byte Action, dword DecoOff, dword FirstOff, byte i

        FILE *pto;
        interfacing interface;
        byte PartTotal=0, CntMods = 0;
        NewLZHHead head;
        byte Buf[32], Buf2[128], Len = 0xFF;
        dword i, k, CurPos = 0;

        byte SkipMech = 0;


              case Xtract:
                /*      Xtracting Part  */

                printf("\n  %2.2i (%24.24s): ", CntMods++, head.FileName );
                printf(" %5.5X => %6.6X, %2.2i%, ID: %8.8X",            
                            ( 100 * head.PackLen / head.RealLen),           


                Buf2[head.FilenameLen] = '\x0';

No input validation on FilenameLen. It's only 1 byte, but it doesn't check for the sign, so you can overflow the 128 byte buffer on the stack with up to 255 bytes. 

Popular posts from this blog

Pointer Compression in V8

C++ Memory Corruption (std::string) - part 4

C++ Memory Corruption (std::vector) - part 2