Show Notes

160 - Some Browser Exploitation and a Format String Bug?

A format-string bug in the Trackmania Forever server, reachable by clients of the server. It's a pretty straightforward bug: input from a client RPC is passed as the format string when it gets printed on the server.

Bit of an interesting context though: because the print happened on the server, exploitation was blind, and unlike most format-string CTF challenges the printed string was stored on the heap rather than on the stack, so there was no easy way to pop arguments until the parser reached attacker-controlled pointers in the string itself. However, with no PIE and a statically compiled binary, offsets were predictable, and the author pulled off a cool chain by targeting the saved base pointers stored on the stack (pointers that are already there to write through) to build a write gadget, which was then used for a more useful primitive.
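As an added illustration of the bug class (this is not code from the episode or from the Trackmania server; function names and the payload are invented), the vulnerable and fixed logging patterns side by side, plus a demonstration of why the heap-stored string matters: `%n` can only write through a pointer that is already among the arguments the format parser walks, which on x86 is the stack. Here `&target` stands in for a pointer the attacker found on the stack, such as a saved base pointer, and the format string carries no address of its own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the episode or the Trackmania server code.
 * The compiler diagnostic for non-literal formats is silenced so the
 * vulnerable function compiles exactly as the bug pattern reads. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable: the client-supplied RPC payload *is* the format string. */
int log_rpc_vulnerable(const char *payload, char *out, size_t outlen)
{
    return snprintf(out, outlen, payload);
}
#pragma GCC diagnostic pop

/* Fixed: the payload is data and the format is a constant. */
int log_rpc_fixed(const char *payload, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", payload);
}

/* %n writes the number of bytes emitted so far through a pointer argument.
 * Argument 1 is &target (the pointer found "on the stack"), argument 2 is a
 * filler char printed with width 5. The string contains no address at all,
 * yet target becomes 5: the write goes through a pointer that already existed
 * among the arguments, which is the situation the heap-stored string forces. */
int write_through_existing_pointer(void)
{
    char out[32];
    int target = 0;
    snprintf(out, sizeof out, "%2$5c%1$n", &target, 'A');
    return target;
}
```

With the vulnerable logger a payload of `100%%` comes out as `100%`, while the fixed logger preserves it byte for byte; a payload containing `%s` or `%n` would instead read or write through whatever argument slot the parser reaches.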

A couple of integer overflows in the Windows Kernel through the registry, the core problem being that a 16-bit integer is used for the Count field storing the number of subkeys in an index. Under normal circumstances, when adding new subkeys the registry will automatically split the index so you won't have more than ~1000 subkeys in one, but you can import arbitrarily formatted indexes, and using this you can craft one with 65535 keys. Add one more key and the Count field overflows back to 0.

This becomes an issue in conjunction with the _CM_KEY_NODE.SubKeyCounts[0] value, which should remain consistent with the Count field but is a 32-bit integer. So Count overflows to 0 and the key is written to index 0, but SubKeyCounts goes beyond 0xFFFF, so when doing a lookup by number, the list may be accessed directly with an index greater than 0xFFFF, leading to an out-of-bounds access.
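A user-mode model of the two counters, added here as an example and not Windows code: the struct and field names are simplified stand-ins for _CM_KEY_INDEX.Count and _CM_KEY_NODE.SubKeyCounts[0], the subkey cell offsets are constructed values, and the rule that the index cell is resized to Count+1 entries on every insert is a modelling assumption used to make the mismatch visible. It walks the sequence above (import a crafted index holding 65535 keys, add one more, add another) and exposes the bound the kernel trusts next to the bound that is actually safe, along with the invariant a hive loader should check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

/* Added example: a model of the registry index counters, not Windows code. */

typedef struct {
    uint16_t  Count;     /* 16-bit on disk: 65535 + 1 wraps to 0 */
    size_t    capacity;  /* entries actually backed by the cell */
    uint32_t *List;      /* subkey cell offsets */
} key_index_t;

typedef struct {
    uint32_t    SubKeyCounts0;  /* 32-bit: never wraps in this scenario */
    key_index_t index;
} key_node_t;

/* Emulates importing a crafted hive whose index already holds `count` subkeys. */
key_node_t *craft_index(uint16_t count)
{
    key_node_t *node = calloc(1, sizeof *node);
    if (!node) return NULL;
    node->index.List = malloc((size_t)count * sizeof(uint32_t));
    if (!node->index.List) { free(node); return NULL; }
    for (uint32_t i = 0; i < count; i++)
        node->index.List[i] = 0x20 + 8 * i;   /* constructed cell offsets */
    node->index.Count = count;
    node->index.capacity = count;
    node->SubKeyCounts0 = count;
    return node;
}

/* Insert one subkey: the cell is sized from the 16-bit Count (modelling
 * assumption), the entry goes to List[Count], then both counters advance.
 * Only Count can wrap. Returns false on allocation failure. */
bool add_subkey(key_node_t *node, uint32_t cell)
{
    size_t newcap = (size_t)node->index.Count + 1;
    uint32_t *grown = realloc(node->index.List, newcap * sizeof(uint32_t));
    if (!grown) return false;
    node->index.List = grown;
    node->index.capacity = newcap;
    node->index.List[node->index.Count] = cell;
    node->index.Count++;        /* uint16_t: 65535 + 1 == 0 */
    node->SubKeyCounts0++;      /* uint32_t: 65535 + 1 == 65536 */
    return true;
}

/* The bound a lookup-by-number trusts: the 32-bit SubKeyCounts. */
bool kernel_bound_allows(const key_node_t *node, uint32_t n)
{
    return n < node->SubKeyCounts0;
}

/* The bound that is actually safe: what the index cell can hold. */
bool cell_bound_allows(const key_node_t *node, uint32_t n)
{
    return n < node->index.capacity;
}

/* The invariant a hive loader should enforce before trusting either counter. */
bool counters_consistent(const key_node_t *node)
{
    return node->index.Count == node->SubKeyCounts0;
}

void free_node(key_node_t *node)
{
    if (node) { free(node->index.List); free(node); }
}
```

After the 65536th insert, `Count` reads 0 while `SubKeyCounts0` reads 65536, so `counters_consistent` already fails; after one more insert the cell has shrunk to a single entry while a lookup for subkey number 65536 still passes the kernel-side bound, which is the out-of-bounds access described above.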