silverf0x / RpcView

RpcView is a free tool to explore and decompile Microsoft RPC interfaces


UAF in InterfacesWidget_C::InterfaceSelected(const QModelIndex& Index) results in empty interface properties

masthoon opened this issue · comments

In InterfacesWidget_C::InterfaceSelected, the QByteArray object returned by QString::toLatin1() is released immediately after the QByteArray::data() call (it goes out of scope: https://doc.qt.io/qt-5/qbytearray.html#data), causing a use-after-free in UuidFromStringA when accessing pUuidStringA.

void InterfacesWidget_C::InterfaceSelected(const QModelIndex& Index)
{
    QStringList PidStringList;
    QStringList VersionStringList;
    RPC_IF_ID   RpcIfId;
    UCHAR*      pUuidStringA;

    QString PidString = pProxyModel->data( pProxyModel->index(Index.row(), Column_Pid) ).toString();
    // BUG: toLatin1() returns a QByteArray temporary; data() points into its buffer,
    // and the temporary is destroyed at the end of this full expression, so
    // pUuidStringA is dangling as soon as the assignment completes.
    pUuidStringA = (UCHAR*)pProxyModel->data( pProxyModel->index(Index.row(), Column_Uuid) ).toString().toLatin1().data();
    // ... pUuidStringA is later passed to UuidFromStringA (use-after-free)

This issue can cause RpcCoreGetInterfaceInfo to fail to retrieve the interface information (race condition overwriting UUID resulting in empty window for interface properties and procedure list).

Repro: Enable page heap, select one interface -> access violation
Tested Fix:

    QByteArray  UuidStringARef;
    RPC_IF_ID   RpcIfId;
    UCHAR*      pUuidStringA;

    QString PidString = pProxyModel->data( pProxyModel->index(Index.row(), Column_Pid) ).toString();
    UuidStringARef = pProxyModel->data( pProxyModel->index(Index.row(), Column_Uuid) ).toString().toLatin1();
    pUuidStringA = (UCHAR*)UuidStringARef.data();
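The lifetime bug and the fix, modelled without Qt as an added example (this is not RpcView code and not the reporter's patch). `UiString` stands in for QString, `Latin1Bytes` for QByteArray, and `looks_like_uuid` for the string check UuidFromStringA performs; all three names, the fixed-slot arena that replaces the heap (so that reading a "freed" block is defined behaviour here), and the sample UUID are assumptions made for the example. The arena poisons a freed block with 0xDD and hands it to the next allocation, which reproduces both symptoms from the report: the poisoned bytes fail the parse, and a later allocation overwrites the UUID text.

```cpp
// Added example, not RpcView code: models the QByteArray temporary lifetime bug
// from InterfacesWidget_C::InterfaceSelected and the named-local fix.
#include <array>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Fixed-slot arena standing in for the heap (assumption: keeps the demo defined).
constexpr std::size_t kSlots = 4, kSlotSize = 64;
static std::array<std::array<char, kSlotSize>, kSlots> g_pool{};
static std::array<bool, kSlots> g_in_use{};

class Latin1Bytes {  // stand-in for QByteArray (assumed name)
public:
    explicit Latin1Bytes(const std::u16string& s) {
        for (slot_ = 0; slot_ < kSlots && g_in_use[slot_]; ++slot_) {}
        if (slot_ == kSlots) std::abort();  // arena exhausted
        g_in_use[slot_] = true;
        std::size_t n = 0;
        for (char16_t c : s) {
            if (n + 1 >= kSlotSize) break;
            g_pool[slot_][n++] = static_cast<char>(c & 0xFF);  // Latin-1 narrowing
        }
        g_pool[slot_][n] = '\0';
    }
    Latin1Bytes(Latin1Bytes&& o) noexcept : slot_(o.slot_) { o.slot_ = kSlots; }
    Latin1Bytes(const Latin1Bytes&) = delete;
    Latin1Bytes& operator=(const Latin1Bytes&) = delete;
    ~Latin1Bytes() {
        if (slot_ == kSlots) return;  // moved-from
        // Like page heap / debug fill: poison the freed block and make it reusable.
        std::memset(g_pool[slot_].data(), 0xDD, kSlotSize);
        g_in_use[slot_] = false;
    }
    char* data() { return g_pool[slot_].data(); }  // pointer into the slot, like QByteArray::data()
private:
    std::size_t slot_;
};

class UiString {  // stand-in for QString (assumed name)
public:
    explicit UiString(std::u16string s) : s_(std::move(s)) {}
    Latin1Bytes toLatin1() const { return Latin1Bytes(s_); }  // returns a temporary by value
private:
    std::u16string s_;
};

// Minimal stand-in for UuidFromStringA's syntax check: 8-4-4-4-12 hex digits.
bool looks_like_uuid(const char* p) {
    static const char kLayout[] = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
    for (std::size_t i = 0; i < 36; ++i) {
        unsigned char c = static_cast<unsigned char>(p[i]);
        if (kLayout[i] == '-') { if (c != '-') return false; }
        else if (!std::isxdigit(c)) return false;
    }
    return p[36] == '\0';
}

// Original pattern: the temporary dies at the end of the full expression, so
// pUuidStringA points at a freed (here: poisoned, then reused) block.
bool select_interface_vulnerable(const UiString& uuid_column) {
    unsigned char* pUuidStringA =
        reinterpret_cast<unsigned char*>(uuid_column.toLatin1().data());
    Latin1Bytes other(u"another column");  // reuses the freed slot, overwriting the UUID text
    return looks_like_uuid(reinterpret_cast<const char*>(pUuidStringA));
}

// The fix from the issue: hold the byte array in a named local so it outlives
// every use of the raw pointer.
bool select_interface_fixed(const UiString& uuid_column) {
    Latin1Bytes UuidStringARef = uuid_column.toLatin1();
    unsigned char* pUuidStringA = reinterpret_cast<unsigned char*>(UuidStringARef.data());
    Latin1Bytes other(u"another column");  // gets a different slot; UUID buffer still alive
    return looks_like_uuid(reinterpret_cast<const char*>(pUuidStringA));
}

int main() {
    const UiString uuid(u"12345678-9abc-def0-1234-56789abcdef0");  // constructed sample
    std::printf("vulnerable: %s\n", select_interface_vulnerable(uuid) ? "parsed" : "INVALID (dangling)");
    std::printf("fixed:      %s\n", select_interface_fixed(uuid) ? "parsed" : "INVALID");
    return 0;
}
```

The same rule applies to every `QString::toLatin1().data()`, `toUtf8().constData()` or `std::string::c_str()` taken from a temporary: the pointer is only valid until the end of the full expression, so either bind the container to a named local (as the reporter's fix does) or consume the pointer inside that same expression.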

Thanks for the fix.