

This week Microsoft released a patch for a critical Silverlight issue, MS16-006, and since I worked on Silverlight signatures in the past it caught my eye. It's a Remote Code Execution vulnerability which allows attackers to run code of their choice on the victim machine. I had a hunch that something more was hiding. I started to analyze it as soon as I finished writing signatures for the existing patch. When I was working on the analysis, Kaspersky Lab published a great blog post about the story of this vulnerability. In this blog, I'm presenting analysis of a different function that was also fixed in the same patch.

The Microsoft bulletin mentions a "malicious decoder that can return negative offsets". Since there were too many files that were changed in the patch, I decided to just google ".net framework decoder", from which I came across mscorlib.dll. I decided to analyze it and below is a screen capture of the diff between the unpatched and patched file:

In the changed function list, most changes are related to the "GetChars()" function or related calls. The discoverer from Kaspersky had already reported that the vulnerability existed in "GetChars()". But I decided to investigate further for any other vulnerable entry points.

I found the System.IO.BinaryWrite_Write_15 function which takes a string as its parameter:

public unsafe virtual void Write(String value)

The "_15" at the end means it's an overloaded function. The System.IO.BinaryWrite class has multiple functions with the same name. The function first retrieves the member variable _maxChars as follows:

_maxChars = LargeByteBufferSize / _encoding.GetMaxByteCount(1)

The _maxChars variable is a private int member of the public class BinaryWriter:

private int _maxChars

The interesting aspect of this variable was that it is an 'int' variable and not an 'unsigned int'. What's the difference? Well, 'int' variables can be assigned negative values.

After setting the _maxChars variable, the function code goes into a loop:

int charStart = 0
// Figure out how many chars to process this round.
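To make the signed-int hazard concrete, here is an added C# model of the chunk-size arithmetic described above. It is not mscorlib's code and not the patched code: LargeByteBufferSize is assumed to be 256, the per-char byte count is passed in as a plain int standing in for whatever _encoding.GetMaxByteCount(1) returns, and the loop body is reduced to the length computation for one round.

```csharp
using System;

// Added illustration (assumptions: LargeByteBufferSize = 256, the encoding's
// GetMaxByteCount(1) result is passed in as maxBytesPerChar).
static class ChunkedWriteModel
{
    const int LargeByteBufferSize = 256;

    // Unpatched style: the quotient lands in a signed int, so a negative
    // per-char byte count silently produces a negative chunk size.
    public static int MaxCharsUnchecked(int maxBytesPerChar)
    {
        return LargeByteBufferSize / maxBytesPerChar;
    }

    // Hardened variant: an encoding-supplied size is untrusted input, so it is
    // range-checked before it drives any buffer arithmetic.
    public static int MaxCharsChecked(int maxBytesPerChar)
    {
        if (maxBytesPerChar <= 0 || maxBytesPerChar > LargeByteBufferSize)
            throw new InvalidOperationException(
                "GetMaxByteCount(1) returned an out-of-range value: " + maxBytesPerChar);
        return LargeByteBufferSize / maxBytesPerChar;
    }

    // One round of the loop: how many chars to process this time. With a
    // negative maxChars the unchecked form returns a negative count, which is
    // what a buffer-filling loop must never be handed.
    public static int CharsThisRound(int charStart, int totalChars, int maxChars)
    {
        if (maxChars <= 0)
            throw new ArgumentOutOfRangeException(nameof(maxChars), "chunk size must be positive");
        int remaining = totalChars - charStart;
        return remaining > maxChars ? maxChars : remaining;
    }

    static void Main()
    {
        // Constructed values: a well-behaved single-byte encoding, and a hostile -4.
        Console.WriteLine(MaxCharsUnchecked(1));   // 256
        Console.WriteLine(MaxCharsUnchecked(-4));  // -64: negative chunk size
        try { MaxCharsChecked(-4); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
        Console.WriteLine(CharsThisRound(0, 10, MaxCharsChecked(1)));  // 10
    }
}
```

The check in MaxCharsChecked is the general lesson for any code that sizes a buffer from a value an Encoding or decoder subclass can override: validate the sign and bound before the division, not after the loop has already consumed the result.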
