malwaretech,

I asked ChatGPT to generate C code to convert a string to base64. Who can spot the vulnerability?

(Posted this on LinkedIn but still nobody has found it yet).

zodmagus,

@malwaretech did you try the same with Gemini?

malwaretech,

@zodmagus After arguing with me for several minutes that it isn't possible to use CryptBinaryToString for Base64 encoding, I pasted it the MSDN documentation saying it is, at which point it conceded and told me it was possible but "not official documented", then gave me the same vulnerable code that ChatGPT did.

zodmagus,

@malwaretech yep, same here. I tried it as well. Long way to go before they replace real people lol

NosirrahSec,

@malwaretech dword is too small for the expected char input with null terminators being counted, but not allocated for?

I haven't honestly touched C since the 00s

I know there's some overflow potential here.

johntimaeus,

@malwaretech

I don't code, but this was a cool little Friday night lesson that explains some things. Thanks.

Seibai,

@malwaretech This is classic. And it's sort of cool that GPT does this because so many C programmers fall into the same trap.

For folks who are struggling: the parameter names are a hint.

malwaretech,

5 people here found it almost immediately, and so far only 1 on LinkedIn. Another W for mastodon :)

AMS,

@malwaretech Probably more folks here have dealt with horrors like 24-bit chars before.

AMS,

@malwaretech mallocs half a buffer? Because dumb Windows wchars.

malwaretech,

@AMS yup lol

Rairii,

@malwaretech CryptBinaryToStringW returns length in chars, not bytes; correct alloc would be malloc(dwLength * sizeof(wchar_t))

malwaretech,

@Rairii malloc((dwLength + 1) * sizeof(wchar_t)) I think, but yeah you found it :)

Rairii,

@malwaretech the api docs said that when passing null pointer it returns length including null terminator

malwaretech,

@Rairii ah, you're right! I missed that part.
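An added example, not code from the thread: a portable C model of the sizing mistake discussed in the posts above. The encoder is a constructed stand-in for CryptBinaryToStringW (it only mimics the "size reported in characters, NUL included" contract, it is not the Windows API), WCHAR16 models a Windows WCHAR, and encode_safely shows the corrected allocation beside the buggy byte count.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint16_t WCHAR16; /* models Windows WCHAR (a UTF-16 code unit); NOT Linux wchar_t */

/* Code units a Base64 string of n input bytes needs, including the terminating NUL. */
static uint32_t b64_required_cch(size_t n) { return (uint32_t)(((n + 2) / 3) * 4 + 1); }

/* Constructed stand-in for CryptBinaryToStringW (not the real API): with out == NULL it
   reports the required size in CHARACTERS via *pcch, otherwise it encodes into out. */
static bool stand_in_encode_w(const uint8_t *in, size_t n, WCHAR16 *out, uint32_t *pcch) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t need = b64_required_cch(n);
    if (out == NULL) { *pcch = need; return true; }
    if (*pcch < need) return false;
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = (WCHAR16)tbl[(v >> 18) & 63];
        out[o++] = (WCHAR16)tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? (WCHAR16)tbl[(v >> 6) & 63] : (WCHAR16)'=';
        out[o++] = (i + 2 < n) ? (WCHAR16)tbl[v & 63] : (WCHAR16)'=';
    }
    out[o] = 0;           /* NUL code unit: this is why the reported count includes +1 */
    *pcch = need;
    return true;
}

/* The thread's bug: cch counts code units, yet it is handed to malloc as a byte count. */
static size_t buggy_alloc_bytes(uint32_t cch) { return (size_t)cch; }

/* Bytes the encoder really writes for n input bytes: every code unit is sizeof(WCHAR16). */
static size_t bytes_written_for(size_t n) { return (size_t)b64_required_cch(n) * sizeof(WCHAR16); }

/* Hardened two-call pattern: query the size, scale by sizeof(WCHAR16) with an overflow
   check, then encode. Returns a malloc'd UTF-16 string (caller frees) or NULL. */
static WCHAR16 *encode_safely(const uint8_t *in, size_t n, uint32_t *cch_out) {
    uint32_t cch = 0;
    if (!stand_in_encode_w(in, n, NULL, &cch) || cch == 0) return NULL;
    if (cch > SIZE_MAX / sizeof(WCHAR16)) return NULL;      /* multiplication would wrap */
    WCHAR16 *buf = malloc((size_t)cch * sizeof(WCHAR16));   /* not malloc(cch) */
    if (buf == NULL) return NULL;
    if (!stand_in_encode_w(in, n, buf, &cch)) { free(buf); return NULL; }
    *cch_out = cch;
    return buf;
}
```

For a 3-byte input the stand-in reports 5 characters, the buggy call reserves 5 bytes, and the encoder writes 10, which is the heap overflow the thread converges on.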

svavar,

I'll take a stab at it even though I'm a C# programmer and say that the malloc statement raises red flags and that there is no validation or escaping of the input string.

Is it allocating an unchecked string to memory?

@malwaretech

malwaretech,

@svavar nah, it should handle validation internally

delta_vee,

@malwaretech This might be a horribly embarrassing guess - my C is very rusty - but...is it because it's malloc()ing only dwLength and not adding one?

malwaretech,

@delta_vee I think that is correct, but there's an even bigger vulnerability

dalias,

@malwaretech I would assume length is in characters (or rather UTF-16 code units since this is some Windows hell), not bytes...

malwaretech,

@dalias We have a winner.

JesseEmond,

@malwaretech @dalias I'm sure I'm just misreading the doc, but doesn't it say that pcchString will get the length in "TCHARs" i.e. chars? So why would dwLength not be in # of bytes in this case?

malwaretech,

@JesseEmond @dalias wchars are 2 bytes each

JesseEmond,

@malwaretech @dalias oh I got confused by what I found for the definition of "TCHAR", I thought it was typedeffed to 'char', nevermind. Thanks!

dalias,

@JesseEmond @malwaretech TCHAR is this hideous Windows thing that expands to CHAR or WCHAR (which isn't a conformant wchar_t but UTF-16) depending on whether you set up your build parameters to "Unicode" or "ANSI".

jay_townsend1,

@malwaretech if I am reading it correctly stack buffer overflow?

malwaretech,

@jay_townsend1 nope, no stack buffers involved in this one

jay_townsend1,

@malwaretech heap?

malwaretech,
jay_townsend1,

@malwaretech nice, glad I could tell there was an overflow just wrong area lol

cafechatnoir,

@malwaretech
I'm guessing it's not "I asked ChatGPT"

malwaretech,

@cafechatnoir Sometimes you can ask ChatGPT to find the vulnerability and it can, but in this specific case it couldn't unless explicitly told what it is and why.
