Yuan Ge
RPC Overflow in WINDOWS
RPC parameter deserialization on Windows (or should it be called unmarshalling?) lacks checks on its input, which easily leads to buffer overflows.
For example, if GetInfoForName is called, its IDL description is as follows:

    [helpstring("method GetInfoForName")]
    HRESULT GetInfoForName(
        [in, string] const unsigned char *szVarName,
        [in, out, unique, size_is(cchBuffer)] unsigned char *pchBuffer,
        [in] DWORD cchBuffer,
        [out] DWORD *pcchRequired
    );
pchBuffer is an [in, out] buffer parameter whose size is the value of the cchBuffer parameter. With cchBuffer = 8, for example, RPC marshals pchBuffer as its length (8) followed by its contents, and since cchBuffer is a parameter in its own right, RPC marshals it separately as well.
On the RPC server side, the stub's parameter unmarshalling code decodes pchBuffer and checks the validity of its length, but it never checks that the decoded cchBuffer and pchBuffer agree with each other.
If we forge a small cchBuffer while serializing the RPC parameters, but send a pchBuffer that is relatively large, the RPC service program receives a size limit cchBuffer for pchBuffer that does not match the buffer it actually got, and copies too much data into it. This causes a buffer overflow. Because RPC allocates the parameters from the heap, pchBuffer lives on the heap, so the result is a heap overflow.
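As an added illustration (not the author's code, and a simplified stand-in for real NDR encoding), the following C models the stub-side correlation check that the text says is missing: the count marshalled with pchBuffer must agree with the separately marshalled cchBuffer before the buffer reaches the server routine. The wire layout, the GetInfoArgs type and both function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire layout standing in for NDR: the conformant array pchBuffer is
 * sent as [u32 count][count bytes], followed by the separate [u32 cchBuffer]. */
typedef struct {
    unsigned char *pchBuffer; /* heap copy, sized from the wire count like a stub would */
    uint32_t cchBuffer;       /* the separately marshalled length parameter */
} GetInfoArgs;

static int read_u32(const unsigned char *p, size_t len, size_t *off, uint32_t *out) {
    if (len - *off < 4) return 0;
    memcpy(out, p + *off, 4); /* host byte order; fine for a constructed example */
    *off += 4;
    return 1;
}

/* Hypothetical stub-side unmarshaller. Returns 0 on success, -1 if the packet is
 * truncated or the two lengths disagree (the correlation check the page says is missing). */
int unmarshal_get_info_args(const unsigned char *pkt, size_t len, GetInfoArgs *args) {
    size_t off = 0, data_off;
    uint32_t count, cch;
    if (!read_u32(pkt, len, &off, &count)) return -1;
    if (count > len - off) return -1;           /* the claimed bytes must really be present */
    data_off = off;
    off += count;
    if (!read_u32(pkt, len, &off, &cch)) return -1;
    /* size_is(cchBuffer) means count and cchBuffer must be equal. Without this check a
     * small count paired with a large cchBuffer leaves the server writing cchBuffer bytes
     * into a heap block of only count bytes: the heap overflow described above. */
    if (cch != count) return -1;
    args->pchBuffer = malloc(count ? count : 1);
    if (!args->pchBuffer) return -1;
    memcpy(args->pchBuffer, pkt + data_off, count);
    args->cchBuffer = cch;
    return 0;
}

/* Constructed helper: writes [count][count 'A' bytes][cch] into out (needs count + 8 bytes)
 * and returns the packet length, so consistent and inconsistent packets are built alike. */
size_t build_get_info_packet(unsigned char *out, uint32_t count, uint32_t cch) {
    memcpy(out, &count, 4);
    memset(out + 4, 'A', count);
    memcpy(out + 4 + count, &cch, 4);
    return 4 + (size_t)count + 4;
}
```

In real MIDL-generated code this is the kind of consistency checking that the /robust compiler switch adds to the stubs, so interfaces built with it reject a mismatched count and cchBuffer before the server routine runs.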