Closed sydurand closed 4 years ago
Hi Sylvain,
First thank you for reporting this. While I work to fix the underlying issue, I do not understand why you say there is no size check and a risk of overflow. I personally do not see that in the code.
However, as previously said, I will lift the MAX_COMPUTER_NAME_LENGTH limitation as it is outdated. Thank you for reporting this!
Jean
Hi Jean,
I just wanted to say, the lack of size check on strComputerName (maybe I'm wrong) causes a corruption in the ComputerName csv field.
If you want to reproduce this behaviour, launch "DFIR-ORC (Embedded)" with a /Computer or /ComputerFull parameter greater than 16 characters and it causes a corruption of the ComputerName field in the NTFSInfo csv output.
I suggest you close this PR.
Thank you.
Sylvain.
Hi Sylvain,
I was not able to reproduce the behavior you describe. The command line: dfir-orc.exe ntfsinfo /Computer=tototototototototototototititututatatytytltl /config=C:\temp\dump\NTFSINFO_LITTLE_CONFIG.XML /out=c:\temp\test.csv
produces the expected result:
But maybe I do not have the repro scenario right?
Anyway, I will push a fix where the computer name could be truncated to 20 chars in some scenarios.
Thank you for your interest in NTFSInfo & DFIR-Orc :-)
Jean
Hi Jean,
The issue is in wolflauncher argument handling.
Please find the DFIR-ORC build here or the config files here
The command line : DFIR-Orc.exe /Computer=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFf or DFIR-Orc.exe /FullComputer=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFf
Thank you for the fix and the tools :-)
Sylvain.
Hello,
There was no size check on strComputerName and no ComputerName extraction from strComputerNameFull. A ComputerName longer than MAX_COMPUTER_NAME_LENGTH characters causes an overflow and an error in the csv column ComputerName. This is due to the szComputerName and szOrcComputerName size being MAX_COMPUTER_NAME_LENGTH and strComputerName or strComputerNameFull being copied without a check.
Regards,
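The kind of length check the description above asks for, written as an added example and not taken from the DFIR-ORC code base. The helper names are hypothetical, narrow `char` stands in for whatever string type the project uses, `MAX_COMPUTER_NAME_LENGTH` is defined locally with its Windows SDK value of 15, and taking the text before the first `.` as the short name is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Windows SDK value, defined locally so the example builds on any platform. */
#define MAX_COMPUTER_NAME_LENGTH 15

typedef enum { NAME_INVALID = -1, NAME_OK = 0, NAME_TRUNCATED = 1 } name_status;

/* Hypothetical helper: copy at most dst_size-1 bytes of src (len bytes long)
 * into dst, always NUL-terminate, and report truncation instead of hiding it. */
name_status copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    name_status st = NAME_OK;
    if (dst == NULL || dst_size == 0 || src == NULL)
        return NAME_INVALID;
    if (len >= dst_size) {
        len = dst_size - 1;
        st = NAME_TRUNCATED;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return st;
}

/* Hypothetical helper: short name from a full name. Assumption: the short
 * name is the text before the first '.', which may not be the project's rule. */
name_status short_name_from_full(char *dst, size_t dst_size, const char *full)
{
    if (full == NULL || full[0] == '.' || full[0] == '\0')
        return NAME_INVALID;
    return copy_bounded(dst, dst_size, full, strcspn(full, "."));
}

int main(void)
{
    /* Constructed inputs: the over-long value mirrors the thread's repro. */
    const char *inputs[] = { "WORKSTATION01", "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFf",
                             "host01.corp.example" };
    char name[MAX_COMPUTER_NAME_LENGTH + 1];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        name_status st = short_name_from_full(name, sizeof name, inputs[i]);
        printf("%-40s -> %-16s status=%d\n", inputs[i], name, (int)st);
    }
    return 0;
}
```

Returning a distinct truncation status lets the caller decide whether to log, reject or accept the shortened name, rather than writing a silently altered value into the output.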