InfoSect: InfoSect's Month of Pointless Bonus Bugs (#34)

Saturday, 24 February 2018

InfoSect's Month of Pointless Bonus Bugs (#34)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bonus Bug #34

Another bios decompression bug. This time in awardeco.

typedef struct
{
byte HeadLen;
byte HeadCrc;
byte Method[5];
dword PackLen;
dword RealLen;
dword TStamp;
byte Attr;
byte Level;
byte FilenameLen;
byte FileName[12];
word CRC16;
byte DOS;
word Empty;

} LZHHead;

...

/*---------------------------------
XtractAwd
----------------------------------*/
byte XtractAwd(FILE *ptx, byte Action, dword DecoOff, dword FirstOff, byte i
sASUS)
{

FILE *pto;
interfacing interface;
byte PartTotal=0, CntMods = 0;
NewLZHHead head;
byte Buf[32], Buf2[128], Len = 0xFF;
dword i, k, CurPos = 0;

byte SkipMech = 0;

...

case Xtract:
/* Xtracting Part */

printf("\n %2.2i (%24.24s): ", CntMods++, head.FileName );
printf(" %5.5X => %6.6X, %2.2i%, ID: %8.8X",
head.PackLen,

head.RealLen,
( 100 * head.PackLen / head.RealLen),

head.TStamp);




memcpy(Buf2,head.FileName,head.FilenameLen);

Buf2[head.FilenameLen] = '\x0';

No input validation on FilenameLen. It's only 1 byte, but it doesn't check for the sign, so you can overflow the 128 byte buffer on the stack with up to 255 bytes.

InfoSect

Saturday, 24 February 2018

InfoSect's Month of Pointless Bonus Bugs (#34)

Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland

Contributors