Tuesday, 13 March 2018

Forensics Bugs (#2 rifiuti)

rifiuti is a tool for recovering the contents of Windows Recycle Bins.

  int currrecoff;
  int recordsize;

...

  pread( info2_file, fourbytes, 4, 0x0C );
  recordsize = bah_to_i( fourbytes, 4 );

  record = malloc( recordsize );

...

  while (eof == 0) {
    res = pread( info2_file, record, recordsize, currrecoff );
    if (res < recordsize) {
      eof = 1;
    } else {
      filename = record + 0x04;
      index = bah_to_i( record+0x108, 4 );
      drive = bah_to_i( record+0x10C, 4 );

      deltime = win_time_to_unix( record+0x110 );
      deltm = localtime( &deltime );
      year = deltm->tm_year + 1900;
      mon = deltm->tm_mon + 1;
      sprintf( ascdeltime, "%02d/%02d/%02d %02d:%02d:%02d", mon, deltm->tm_mday, year, deltm->tm_hour, deltm->tm_min, deltm->tm_sec );

      filesize = bah_to_i( record+0x118, 4 );

      printf( "%d%s%s%s%d%s%s%s%d\n", index, delim, ascdeltime, delim, drive, delim, filename, delim, filesize );
    }
    currrecoff = currrecoff + recordsize;
  }

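It's not a big bug, but the file offset currrecoff should probably be a 64-bit off_t and not an int. It is advanced by recordsize on every pass through the loop and then handed to pread(), so there is potential for integer overflows and other issues.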
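The same record walk with a 64-bit off_t offset that refuses to wrap, as an added example that is not rifiuti's own code. It goes slightly beyond the text by also bounds-checking the record size read from 0x0C against the fields the excerpt parses; le32, next_offset, count_records, demo_count, the MAX_RECORD cap and the 0x10 start offset of the constructed sample file are assumptions.

```c
#define _POSIX_C_SOURCE 200809L /* pread(), fileno() */
#define _FILE_OFFSET_BITS 64    /* 64-bit off_t even on 32-bit builds */
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#define OFF_T_MAX ((off_t)((((uintmax_t)1) << (sizeof(off_t) * 8 - 1)) - 1))
#define MIN_RECORD 0x11C  /* the excerpt reads 4 bytes at record+0x118 */
#define MAX_RECORD 0x1000 /* assumed sanity cap, not from the page */

/* Little-endian 32-bit read; hypothetical stand-in for bah_to_i(). */
static uint32_t le32(const unsigned char *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Advance a file offset by one record; return -1 rather than wrap. */
int next_offset(off_t cur, uint32_t step, off_t *out) {
    if (cur < 0 || (uintmax_t)step > (uintmax_t)(OFF_T_MAX - cur)) return -1;
    *out = cur + (off_t)step;
    return 0;
}

/* Count complete records; -1 on a bad record size or offset overflow. */
long count_records(int fd, off_t first) {
    unsigned char hdr[4], rec[MAX_RECORD];
    long n = 0;
    if (pread(fd, hdr, 4, 0x0C) != 4) return -1;
    uint32_t recordsize = le32(hdr);
    if (recordsize < MIN_RECORD || recordsize > MAX_RECORD) return -1;
    for (off_t off = first;;) {
        if (pread(fd, rec, recordsize, off) != (ssize_t)recordsize) break;
        n++; /* rec+0x04 .. rec+0x118 can now be parsed in bounds */
        if (next_offset(off, recordsize, &off) != 0) return -1;
    }
    return n;
}

/* Constructed sample: 0x10-byte header (recordsize 0x320, little-endian,
   at 0x0C) followed by three zero-filled 0x320-byte records. */
long demo_count(void) {
    unsigned char hdr[0x10] = {[0x0C] = 0x20, [0x0D] = 0x03}, rec[0x320] = {0};
    FILE *f = tmpfile();
    if (!f) return -2;
    fwrite(hdr, 1, sizeof hdr, f);
    for (int i = 0; i < 3; i++) fwrite(rec, 1, sizeof rec, f);
    fflush(f);
    long n = count_records(fileno(f), 0x10);
    fclose(f);
    return n;
}
int main(void) { printf("%ld records\n", demo_count()); return 0; }
```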
