0xrawsec / golang-evtx

GNU General Public License v3.0

panic: runtime error: makeslice: len out of range on ValueBinary Parse if vd.Size < 0 #3

Closed fishboy25uk closed 6 years ago

fishboy25uk commented 6 years ago

I came across the following crash when trying to parse a System hive, which occurred on both my own parser application and evtxdump. Panic occurs if the `*ValueBinary` `Parse` function (in `values.go`) attempts to make a slice if the Value (from `ParseValueReader` in `parser.go`) is of type Binary and the size is less than zero. I hacked it just by setting `vd.Size` to 0 if it was originally less than zero, but I guess there is a better solution?

Dump:

```
panic: runtime error: makeslice: len out of range

goroutine 24 [running]:
github.com/0xrawsec/golang-evtx/evtx.(*ValueBinary).Parse(0xc4201d1a40, 0x5d8460, 0xc4203f8d20, 0x7, 0x0)
	/src/github.com/0xrawsec/golang-evtx/evtx/values.go:618 +0x44
github.com/0xrawsec/golang-evtx/evtx.ParseValueReader(0xec828, 0x5d8460, 0xc4203f8d20, 0x5d7d20, 0xc4202999d0, 0x0, 0x0)
	/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:253 +0x9f3
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstanceData).Parse(0xc4201a15a8, 0x5d8460, 0xc4203f8d20, 0x0, 0x0)
	/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:796 +0x26e
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstance).Parse(0xc4201a1550, 0x5d8460, 0xc4203f8d20, 0x604, 0x0)
	/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:660 +0x114
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0x0, 0xc4203f8d01, 0x5d76e0, 0xc420460600, 0x0, 0x4945f4)
	/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:139 +0xa0a
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0x0, 0x1, 0x0, 0x5db960, 0x5283c0, 0x5283c0)
	/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:64 +0x1148
github.com/0xrawsec/golang-evtx/evtx.ParseValueReader(0x21c93f, 0x5d8460, 0xc4203f8d20, 0x5d7b20, 0xc420298ecc, 0x0, 0x0)
	/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:285 +0x530
github.com/0xrawsec/golang-evtx/evtx.(*TemplateInstanceData).Parse(0xc4201a14f8, 0x5d8460, 0xc4203f8d20, 0x5d7320, 0xc4203f8d20)
	/src/github.com/0xrawsec/golang-evtx/evtx/structs.go:796 +0x26e
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0xc4200d2480, 0xc4203f8d00, 0x5d76e0, 0xc4204605a0, 0xc4200d2480, 0x16)
	/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:131 +0xd17
github.com/0xrawsec/golang-evtx/evtx.Parse(0x5d8460, 0xc4203f8d20, 0xc4200d2480, 0xc420041f00, 0x4dfdcc, 0x5d72e0, 0xc4203f8930, 0x514780)
	/src/github.com/0xrawsec/golang-evtx/evtx/parser.go:64 +0x1148
github.com/0xrawsec/golang-evtx/evtx.Event.GoEvtxMap(0x200, 0xcd4800002a2a, 0x69200, 0x1d37864a7bb2980, 0xc4200d2480, 0x1d37864a7bb2980, 0x0, 0x0)
	/src/github.com/0xrawsec/golang-evtx/evtx/event.go:65 +0x114
github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events.func1(0xc4204e0530, 0xc4200d2480)
	/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:249 +0x11d
created by github.com/0xrawsec/golang-evtx/evtx.(*Chunk).Events
	/src/github.com/0xrawsec/golang-evtx/evtx/chunk.go:244 +0x97
```

qjerome commented 6 years ago

Thank you very much for reporting the issue and sorry for the delay, I was quite busy these days. I have made a cleaner fix, which is reporting an error when the binary value size is less than 0, which should not happen if an EVTX file is properly formatted. Since you got the issue in both your tool and evtxdump, are you sure your file is properly formatted? Were you getting this error while using the carving mode?
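
The failure discussed above is a length field read from the file being handed straight to `make()`. As an added illustration, not code from golang-evtx, here is a stripped-down Go parser for a length-prefixed binary value in both forms: the naive one, which panics on a negative size exactly as in the report, and a checked one that returns an error for a negative size (the behaviour the fix describes) and additionally refuses a size larger than the bytes remaining in the reader, so a corrupted but positive length cannot force a huge allocation either. The record layout (`int32` size followed by payload), the `ValueDescriptor` type, `ErrBadSize` and the sample records are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrBadSize is returned when a binary value's size field cannot be honoured.
var ErrBadSize = errors.New("evtx: invalid binary value size")

// ValueDescriptor stands in for the vd of the thread: a size read from the
// file. Hypothetical type for this example, not the library's own.
type ValueDescriptor struct {
	Size int32
}

// readDescriptor pulls a little-endian int32 size off the stream. The
// record layout ([int32 size][payload]) is constructed for the example.
func readDescriptor(r io.Reader) (ValueDescriptor, error) {
	var vd ValueDescriptor
	err := binary.Read(r, binary.LittleEndian, &vd.Size)
	return vd, err
}

// parseBinaryNaive reproduces the crashing pattern: the size is trusted
// and handed straight to make(). A negative size panics with
// "makeslice: len out of range"; a huge positive one may exhaust memory.
func parseBinaryNaive(r io.Reader, vd ValueDescriptor) ([]byte, error) {
	buf := make([]byte, vd.Size)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// parseBinaryChecked rejects a negative size with an error and also refuses
// a size larger than the bytes left in the reader before allocating.
func parseBinaryChecked(r io.ReadSeeker, vd ValueDescriptor) ([]byte, error) {
	if vd.Size < 0 {
		return nil, fmt.Errorf("%w: %d", ErrBadSize, vd.Size)
	}
	cur, err := r.Seek(0, io.SeekCurrent)
	if err != nil {
		return nil, err
	}
	end, err := r.Seek(0, io.SeekEnd)
	if err != nil {
		return nil, err
	}
	if _, err = r.Seek(cur, io.SeekStart); err != nil {
		return nil, err
	}
	if remaining := end - cur; int64(vd.Size) > remaining {
		return nil, fmt.Errorf("%w: %d bytes requested, %d remaining", ErrBadSize, vd.Size, remaining)
	}
	buf := make([]byte, vd.Size)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// ParseRecordChecked parses one constructed record with the checked path.
func ParseRecordChecked(data []byte) ([]byte, error) {
	r := bytes.NewReader(data)
	vd, err := readDescriptor(r)
	if err != nil {
		return nil, err
	}
	return parseBinaryChecked(r, vd)
}

// NaivePanics runs the naive path on a record and reports whether it panicked.
func NaivePanics(data []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	r := bytes.NewReader(data)
	vd, err := readDescriptor(r)
	if err != nil {
		return false
	}
	_, _ = parseBinaryNaive(r, vd)
	return false
}

// mkRecord builds a constructed sample record: int32 size, then payload.
func mkRecord(size int32, payload string) []byte {
	b := make([]byte, 4, 4+len(payload))
	binary.LittleEndian.PutUint32(b, uint32(size))
	return append(b, payload...)
}

// Constructed inputs: a well-formed value, the negative size from the
// report, and a positive size far beyond the bytes actually present.
var (
	GoodRecord      = mkRecord(4, "ABCD")
	NegativeRecord  = mkRecord(-16857474, "ABCD")
	OversizedRecord = mkRecord(1<<30, "AB")
)

func main() {
	fmt.Println("naive path panics on negative size:", NaivePanics(NegativeRecord))
	for _, rec := range [][]byte{GoodRecord, NegativeRecord, OversizedRecord} {
		out, err := ParseRecordChecked(rec)
		fmt.Printf("checked: value=%q err=%v\n", out, err)
	}
}
```

The trace in the report ends in `created by ... (*Chunk).Events`, so the value parser runs inside a goroutine spawned per chunk; an unrecovered panic there takes the whole process down, whereas an error return lets the caller skip the damaged record and continue with the rest of the log. Bounding the size against the remaining input matters for the same corrupted-file scenario: a garbage length that happens to be positive passes a plain `< 0` check but can still request gigabytes.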

fishboy25uk commented 6 years ago

Hi,

The log was from a virtual machine image which I think was just suspended, so it is likely the log was corrupted (the value was -16857474 or something). I wasn't carving, just a normal file.

I was also wondering whether you could expose more log properties? I manually added in functions to expose EventRecordID and UserID (this is not always present in all logs so error handling needed).

Thanks for your work!

Ewan

qjerome commented 6 years ago

Hi,

Thank you for your feedback. EventRecordID has already been there for a few commits, and the last commit contains the UserID one (which also returns a bool to check whether UserID was found or not).

If you have any other feature request, let me know, I will do my best to make it available asap.

Quentin