alexchwoj / samp-rce-fix

This repository provides a fix for the RCE vulnerability found in previous versions of the SA-MP R5 client.

This may not be effective #1

Open fj600 opened 4 months ago

fj600 commented 4 months ago

Hi. I think the bug occurs because the function at .text:03C5B090 is expecting a null-terminated string, and if you give a non-null-terminated string for the dialog body, a buffer of 132 bytes is written out of bounds, which leads to the RCE.

I don't think it is related to the caption length passed by the server. Here you can see a PoC:

https://gist.github.com/fj600/11d375293f93c209c8f213ba7ee6d966

I checked the memory client side and the value received for captionLength is 4 as expected, so I don't think rejecting RPC calls with captionLength greater than 64 can avoid the RCE.

I'm still not sure about what conditions trigger the bug. I will research it further when I have more time and see how we can patch this.

Thanks for your contribution!

markski1 commented 4 months ago

Hi. To confirm, as I cannot test it right now, have you been able to make this RCE (either the PoC or any variant) work when this patch is installed?

fj600 commented 4 months ago

Yes, I can confirm. If captionLength is > 64, you will get an "Invalid caption length" message and the RPC will be ignored. But when running the PoC, the message box will show anyway. The RPC is not filtered because captionLength is > 0 and < 64.
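The gap the thread describes, as an added illustration that is not code from this repository or from either commenter: a caption-length bound alone lets through a dialog whose body has no terminator inside the received bytes, while a check that also requires a NUL within each field's declared length rejects it. The `struct dialog_rpc` layout, the field names and the sample payloads are assumptions made for the example, not the real SA-MP wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CAPTION_LEN 64  /* the bound the existing patch enforces */

/* Assumed, simplified shape of a received dialog RPC: two length-prefixed
 * fields. This is NOT the real SA-MP wire format; it exists only so the two
 * validation policies can be compared on the same input. */
struct dialog_rpc {
    const uint8_t *caption; size_t caption_len;
    const uint8_t *body;    size_t body_len;
};

/* Policy 1: what the current patch checks (caption length only). */
bool caption_len_ok(const struct dialog_rpc *r) {
    return r->caption_len > 0 && r->caption_len <= MAX_CAPTION_LEN;
}

/* A field is only safe to hand to code that expects a C string if a NUL
 * byte occurs inside the bytes that were actually received. */
static bool nul_terminated(const uint8_t *p, size_t len) {
    return p != NULL && memchr(p, '\0', len) != NULL;
}

/* Policy 2: caption bound AND both fields NUL-terminated within their
 * declared lengths, so a string consumer cannot run past the buffer. */
bool dialog_rpc_safe(const struct dialog_rpc *r) {
    return caption_len_ok(r)
        && nul_terminated(r->caption, r->caption_len)
        && nul_terminated(r->body, r->body_len);
}

/* Constructed samples. sizeof on a string literal includes its NUL. */
static const uint8_t cap[] = "Info";
static const uint8_t body_ok[] = "Welcome";
static const uint8_t body_bad[8] = { 'A','A','A','A','A','A','A','A' };  /* no NUL */

static const struct dialog_rpc rpc_ok  = { cap, sizeof cap, body_ok,  sizeof body_ok };
static const struct dialog_rpc rpc_bad = { cap, sizeof cap, body_bad, sizeof body_bad };

bool patch_accepts_well_formed(void)   { return caption_len_ok(&rpc_ok); }
bool strict_accepts_well_formed(void)  { return dialog_rpc_safe(&rpc_ok); }
bool patch_accepts_unterminated(void)  { return caption_len_ok(&rpc_bad); }   /* true: the gap */
bool strict_accepts_unterminated(void) { return dialog_rpc_safe(&rpc_bad); }  /* false */
```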