Forensics Bugs (#2 rifitui)

rifitui is a tool to recover Windows recycle bins.

  int currrecoff;
  int recordsize;

...

  pread( info2_file, fourbytes, 4, 0x0C );
  recordsize = bah_to_i( fourbytes, 4 );

  record = malloc( recordsize );

...

  while (eof == 0) {
    res = pread( info2_file, record, recordsize, currrecoff );
    if (res < recordsize) {
      eof = 1;
    } else {
      filename = record + 0x04;
      index = bah_to_i( record+0x108, 4 );
      drive = bah_to_i( record+0x10C, 4 );

      deltime = win_time_to_unix( record+0x110 );
      deltm = localtime( &deltime );
      year = deltm->tm_year + 1900;
      mon = deltm->tm_mon + 1;
      sprintf( ascdeltime, "%02d/%02d/%02d %02d:%02d:%02d", mon, deltm->tm_mday, year, deltm->tm_hour, deltm->tm_min, deltm->tm_sec );

      filesize = bah_to_i( record+0x118, 4 );

      printf( "%d%s%s%s%d%s%s%s%d\n", index, delim, ascdeltime, delim, drive, delim, filename, delim, filesize );
    }
    currrecoff = currrecoff + recordsize;

It's not a big bug, but file offsets should probably be 64bit off_t and not int types. There is potential for integer overflows and other issues.

Comments

Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1