In this post, I will discuss two vulnerabilities that I have found in ResEdit 1.5.11-win32, a known resource editor. Since they are very similar, I will discuss them as if they were a single vulnerability.
It is a buffer overflow, but what is different about this vulnerability is that the buffer is located in the .data section of ResEdit.exe. It is neither a stack-based nor a heap-based buffer.
The vulnerability occurs when ResEdit tries to copy names of named resource entries to an inadequate buffer.
In the image below, you can see what a normal named entry looks like.
You can see that the length field holds 0xC, which is the number of Unicode characters in the string "KNOWNRESTYPE" (no null terminators are used).
By placing a higher value in the length field and extending the string to the matching length, we get a buffer overflow. In the image below, I have used 0xF63 as the malicious length field.
Let's have a look at the code in OllyDbg.
As you can see in the image above, there is a loop at 0x46A93F. In this loop, named entries are processed and each name is copied in an unsafe manner to the buffer at 0x4EB118 by calling the "_wcsncpy" function with the "count" parameter set to the value of the length field.
N.B. The second vulnerability exists at 0x46A5CD.
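The missing check, written out as an added example (this is not ResEdit's code and not code from the original post): a copy routine that validates the length field against both the destination capacity and the bytes remaining in the file before copying. The function names, the 260-character capacity and the 16-bit little-endian length field are assumptions made for illustration; the sample entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NAME_BUF_CHARS 260  /* assumed capacity; the post does not give the real size */
static uint16_t g_name_buf[NAME_BUF_CHARS];  /* fixed global buffer, as in .data */

/* Unsafe pattern from the post, for contrast (not compiled):
 *     wcsncpy(global_buf, name, length_field);    count comes from the file
 * Hardened copy of one named entry (uint16 LE length, then UTF-16LE chars,
 * no terminator) at offset `off`. Returns chars copied, or -1 if rejected. */
int copy_resource_name(const uint8_t *data, size_t size, size_t off)
{
    if (off > size || size - off < 2)
        return -1;                          /* length field is out of bounds */
    size_t len = (size_t)data[off] | ((size_t)data[off + 1] << 8);
    if (len >= NAME_BUF_CHARS)
        return -1;                          /* no room for name plus terminator */
    if ((size - off - 2) / 2 < len)
        return -1;                          /* name runs past the end of the file */
    const uint8_t *p = data + off + 2;
    for (size_t i = 0; i < len; i++)
        g_name_buf[i] = (uint16_t)(p[2 * i] | (p[2 * i + 1] << 8));
    g_name_buf[len] = 0;                    /* terminate: the format does not */
    return (int)len;
}

/* Build a constructed entry: `length_field`, then `chars` UTF-16LE 'A's. */
size_t make_entry(uint8_t *out, size_t cap, uint16_t length_field, size_t chars)
{
    if (cap < 2 + chars * 2)
        return 0;
    out[0] = (uint8_t)(length_field & 0xFF);
    out[1] = (uint8_t)(length_field >> 8);
    for (size_t i = 0; i < chars; i++) { out[2 + 2 * i] = 'A'; out[3 + 2 * i] = 0; }
    return 2 + chars * 2;
}

int main(void)
{
    static uint8_t file[2 + 0xF63 * 2];     /* constructed input, not a real PE */
    size_t n = make_entry(file, sizeof file, 0xC, 0xC);
    printf("length 0xC   -> %d\n", copy_resource_name(file, n, 0));
    n = make_entry(file, sizeof file, 0xF63, 0xF63);
    printf("length 0xF63 -> %d\n", copy_resource_name(file, n, 0));
    return 0;
}
```

The third check matters independently of the second: a length field that fits the buffer but exceeds the data actually present would otherwise cause an out-of-bounds read of the input.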
POC for the first vulnerability can be found here.
POC for the second vulnerability can be found here.
You can follow me on Twitter @waleedassar