Browse code
imphash: dll and func name validation
Kevin Lin authored on 2016/06/28 06:55:16Showing 1 changed files
| ... | ... |
@@ -2167,6 +2167,32 @@ static char *pe_ordinal(char *dll, uint16_t ord) |
| 2167 | 2167 |
return cli_strdup(name); |
| 2168 | 2168 |
} |
| 2169 | 2169 |
|
| 2170 |
+static int validate_impname(const char *name, uint32_t length, int dll) |
|
| 2171 |
+{
|
|
| 2172 |
+ uint32_t i = 0; |
|
| 2173 |
+ const char *c = name; |
|
| 2174 |
+ |
|
| 2175 |
+ cli_dbgmsg("%s\n", name);
|
|
| 2176 |
+ |
|
| 2177 |
+ if (!name || length == 0) |
|
| 2178 |
+ return CL_SUCCESS; |
|
| 2179 |
+ |
|
| 2180 |
+ while (i < length && *c != '\0') {
|
|
| 2181 |
+ if ((*c >= '0' && *c <= '9') || |
|
| 2182 |
+ (*c >= 'a' && *c <= 'z') || |
|
| 2183 |
+ (*c >= 'A' && *c <= 'Z') || |
|
| 2184 |
+ (*c == '_') || |
|
| 2185 |
+ (dll && *c == '.')) {
|
|
| 2186 |
+ |
|
| 2187 |
+ c++; |
|
| 2188 |
+ i++; |
|
| 2189 |
+ } else |
|
| 2190 |
+ return CL_BREAK; |
|
| 2191 |
+ } |
|
| 2192 |
+ |
|
| 2193 |
+ return CL_SUCCESS; |
|
| 2194 |
+} |
|
| 2195 |
+ |
|
| 2170 | 2196 |
static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first){
|
| 2171 | 2197 |
uint32_t toff, offset; |
| 2172 | 2198 |
fmap_t *map = *ctx->fmap; |
| ... | ... |
@@ -2214,6 +2240,8 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, s |
| 2214 | 2214 |
} \ |
| 2215 | 2215 |
\ |
| 2216 | 2216 |
funclen = strlen(funcname); \ |
| 2217 |
+ if (validate_impname(funcname, funclen, 1) != CL_SUCCESS) \ |
|
| 2218 |
+ break; \ |
|
| 2217 | 2219 |
\ |
| 2218 | 2220 |
fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); \ |
| 2219 | 2221 |
if (fname == NULL) { \
|
| ... | ... |
@@ -2366,7 +2394,8 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
| 2366 | 2366 |
} |
| 2367 | 2367 |
|
| 2368 | 2368 |
if ((buffer = fmap_need_off_once(map, offset, MIN(PE_MAXNAMESIZE, fsize-offset))) != NULL) {
|
| 2369 |
- /* TODO - sanitize dllname */ |
|
| 2369 |
+ if (validate_impname(dllname, MIN(PE_MAXNAMESIZE, fsize-offset), 1) != CL_SUCCESS) |
|
| 2370 |
+ break; |
|
| 2370 | 2371 |
dllname = strndup(buffer, MIN(PE_MAXNAMESIZE, fsize-offset)); |
| 2371 | 2372 |
if (dllname == NULL) {
|
| 2372 | 2373 |
cli_dbgmsg("IMPTBL: cannot duplicate dll name\n");
|