trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Leak in _adcs_get_CertificateTemplateExtendedKeyUsages() of bstFriendlyName #52

Closed JohnLaTwC closed 3 years ago

JohnLaTwC commented 3 years ago

This BSTR for bstFriendlyName is not deallocated. Needs a call to SysFreeString.

HRESULT _adcs_get_CertificateTemplateExtendedKeyUsages(VARIANT* lpvarExtendedKeyUsages)
{
...
    BSTR bstFriendlyName = NULL;
...
    while(SUCCEEDED(hr) && lFetch > 0)
    {
        if (lFetch == 1)
        {
            pDisp = V_DISPATCH(&var);
            pDisp->lpVtbl->QueryInterface(pDisp, &IID_IObjectId, (void**)&pObjectId); 
            SAFE_RELEASE(pDisp);

            hr = pObjectId->lpVtbl->get_FriendlyName(
                pObjectId, 
                &bstFriendlyName
            );
            if (FAILED(hr)) { internal_printf("      N/A\n"); }
            else { 
                internal_printf("      %S\n", bstFriendlyName); 
+               SAFE_FREE(bstFriendlyName);
            }

            SAFE_RELEASE(pObjectId);
        }
        OLEAUT32$VariantClear(&var);

        hr = pEnum->lpVtbl->Next(pEnum, 1, &var, &lFetch);
    } // end loop through IObjectIds via enumerator
    SAFE_RELEASE(pObjectId);

    hr = S_OK;

    //internal_printf("\n _adcs_get_CertificateTemplateExtendedKeyUsages SUCCESS.\n");

fail:

    OLEAUT32$VariantClear(&var);

    return hr;
} // end _adcs_get_CertificateTemplateExtendedKeyUsages
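Review bot: the added `SAFE_FREE(bstFriendlyName);` in the `else` branch does not match the issue text, which asks for `SysFreeString`, and the macro's definition is not visible here. A BSTR returned by `get_FriendlyName` has to be released with `SysFreeString`, not a heap free, so confirm that `SAFE_FREE` in this file expands to `OLEAUT32$SysFreeString` and resets the pointer to NULL, because `bstFriendlyName` is reused on every loop iteration. Consider moving the free to just after the `if`/`else` so it runs on both paths; `SysFreeString(NULL)` is a no-op. Separately, the return value of `QueryInterface` is not checked before `pObjectId->lpVtbl->get_FriendlyName` is called, so a failed query would dereference a NULL `pObjectId`.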

https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/04bed3d78799ef643376354ab85e806cc218f157/src/SA/adcs_enum_com2/adcs_enum_com2.c#L911

freefirex commented 3 years ago

Thanks!