silverf0x / RpcView

RpcView is a free tool to explore and decompile Microsoft RPC interfaces
GNU General Public License v3.0

UAF in InterfacesWidget_C::InterfaceSelected(const QModelIndex& Index) results in empty interface properties #36

Closed masthoon closed 4 years ago

masthoon commented 4 years ago

In `InterfacesWidget_C::InterfaceSelected`, the QByteArray object returned by `QString::toLatin1()` is released immediately after the `QByteArray::data()` call (it goes out of scope: https://doc.qt.io/qt-5/qbytearray.html#data), causing a Use-After-Free in `UuidFromStringA` when accessing `pUuidStringA`.

https://github.com/silverf0x/RpcView/blob/c108da277be48accb3c6aaeb4af752a2028069bf/RpcView/InterfacesWidget.cpp#L47-L55

This issue can cause RpcCoreGetInterfaceInfo to fail to retrieve the interface information (race condition overwriting UUID resulting in empty window for interface properties and procedure list).

Repro: Enable page heap, select one interface -> access violation

Tested Fix:

```cpp
QByteArray          UuidStringARef;   // named object: keeps the Latin-1 buffer alive for the whole scope
RPC_IF_ID           RpcIfId;
UCHAR*              pUuidStringA;

QString PidString = pProxyModel->data( pProxyModel->index(Index.row(), Column_Pid) ).toString();
// Bind the temporary QByteArray to UuidStringARef instead of calling data() on it directly,
// so the pointer below stays valid until UuidFromStringA has used it.
UuidStringARef = pProxyModel->data( pProxyModel->index(Index.row(), Column_Uuid) ).toString().toLatin1();
pUuidStringA = (UCHAR*)UuidStringARef.data();
```

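The lifetime rule behind this fix, as an added example that is not part of the issue or of RpcView's code and does not need Qt: `Latin1Bytes` stands in for `QByteArray`, `toLatin1()` for `QString::toLatin1()`, and `parseUuidA()` for `UuidFromStringA()`; the `UuidA` layout mirrors the Windows `UUID` struct. All of these names are hypothetical. `resolveSelectedUuid()` applies the same pattern as the tested fix: the by-value result is bound to a named local, so the pointer obtained from `data()` outlives the parse.

```cpp
// Added example (not RpcView's code): models the QByteArray temporary-lifetime
// bug from the issue without Qt. Names below are hypothetical stand-ins.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>

// Windows-style UUID layout (Data1..Data4), assumed for illustration.
struct UuidA {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
};

// Minimal owning byte buffer with a QByteArray-like data(); freed in the destructor.
class Latin1Bytes {
public:
    explicit Latin1Bytes(const std::string& s) : len_(s.size()) {
        buf_ = static_cast<char*>(std::malloc(len_ + 1));
        std::memcpy(buf_, s.data(), len_);
        buf_[len_] = '\0';
    }
    Latin1Bytes(const Latin1Bytes&) = delete;
    Latin1Bytes& operator=(const Latin1Bytes&) = delete;
    Latin1Bytes(Latin1Bytes&& o) noexcept : buf_(o.buf_), len_(o.len_) { o.buf_ = nullptr; o.len_ = 0; }
    ~Latin1Bytes() { std::free(buf_); }   // any pointer from data() dangles after this runs
    char* data() { return buf_; }
private:
    char* buf_;
    size_t len_;
};

// Stand-in for QString::toLatin1(): returns a temporary by value.
Latin1Bytes toLatin1(const std::string& s) { return Latin1Bytes(s); }

static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Stand-in for UuidFromStringA: parses the 36-character 8-4-4-4-12 form.
// Returns false on wrong length, non-hex digits, or a misplaced '-'.
bool parseUuidA(const char* s, UuidA* out) {
    if (!s || !out || std::strlen(s) != 36) return false;
    uint8_t bytes[16];
    size_t bi = 0;
    for (size_t i = 0; i < 36; ) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return false;
            ++i;
            continue;
        }
        int hi = hexVal(s[i]), lo = hexVal(s[i + 1]);
        if (hi < 0 || lo < 0) return false;
        bytes[bi++] = static_cast<uint8_t>((hi << 4) | lo);
        i += 2;
    }
    out->Data1 = ((uint32_t)bytes[0] << 24) | ((uint32_t)bytes[1] << 16) |
                 ((uint32_t)bytes[2] << 8)  | (uint32_t)bytes[3];
    out->Data2 = (uint16_t)((bytes[4] << 8) | bytes[5]);
    out->Data3 = (uint16_t)((bytes[6] << 8) | bytes[7]);
    std::memcpy(out->Data4, bytes + 8, 8);
    return true;
}

// The fixed pattern from the issue: bind the temporary to a named object so the
// buffer stays alive until the parser has finished reading it.
bool resolveSelectedUuid(const std::string& cellText, UuidA* out) {
    Latin1Bytes uuidStringRef = toLatin1(cellText);   // lives to the end of this scope
    char* pUuidStringA = uuidStringRef.data();
    return parseUuidA(pUuidStringA, out);
}
// Buggy shape (the original code): char* p = toLatin1(cellText).data();
// The temporary Latin1Bytes is destroyed at the end of that full-expression,
// so p already dangles when it reaches the parser. Page heap turns that read
// into an immediate access violation instead of a silently stale UUID.
```

The same reasoning applies to any by-value return whose accessor hands out an interior pointer (`std::string::c_str()`, `QByteArray::constData()`): the pointer is only valid while the owning object is, and a temporary is gone once the statement that produced it completes.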
silverf0x commented 4 years ago

Thanks for the fix.