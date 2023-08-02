The out-of-bounds memory access vulnerability introduces an exploit primitive that allows a malicious client to write an OnDiskExtensionHeader beyond the boundaries of the memory allocated for the packet.

When assessing a vulnerability that allows values to be written at an offset, two properties must be considered:

Can the offset be controlled?

Can the values written be controlled?

In the case of the QueueJumper vulnerabilities, the offset from the allocated buffer to the OOB write is controllable because it is calculated from attacker-controlled data. The contents of the OOB write, however, are only partially controlled.

Here, Address represents the corrupted pointer to the end of the packet message, where the OnDiskExtensionHeader will be written. The sequence of operations is as follows:

Value 0x000000000000000C is written to Address

Value 0x00000000 is written to Address+0x2

Value 0x0000000000000000 is written to Address+0x12

Value 0x0000000000000000 is written to Address+0x1A

Value 0x00000094 is written to Address+0xE

Value 0x0000 is written to Address+0x22

Value 0x0000 is written to Address+0x62

memcpy(Address+0xA6, Source, Source->AddressLength+0x08)

The Source used in the call to memcpy above refers to a TA_ADDRESS object. The TA_ADDRESS structure defines a single transport address of a specific type (for example, NetBIOS). The definition follows:

typedef struct _TA_ADDRESS {

    USHORT AddressLength;

    USHORT AddressType;

    UCHAR  Address[1];

} TA_ADDRESS, *PTA_ADDRESS;

AddressLength

Specifies the number of bytes in an address of the specified AddressType.

AddressType

Specifies the type of the transport address.

Address

Specifies a variable-sized array containing the transport address.

In the debugging session below, the TA_ADDRESS contains attacker-influenced data in the form of an IP address:

rax=0000014e1d110180 rbx=0000014e1d110180 rcx=0000014e1d110184

rdx=0000014e1ce86b10 rsi=0000014e1d110001 rdi=0000000545d7fa50

rip=00007ff843208074 rsp=0000000545d7f940 rbp=0000000545d7f980

r8=000000000000000c r9=0000000000000002 r10=0000000000000000

r11=0000000545d7f938 r12=0000000000000002 r13=0000000000001000

r14=0000014e1ce86b10 r15=0000000000000000

iopl=0 nv up ei pl nz na po nc

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206

MQQM!CQmPacket::CQmPacket+0x89c:

00007ff8`43208074 e8a5780a00 call MQQM!memcpy (00007ff8`432af91e)

0:017> dc rcx

0000014e`1d110184 00010004 00000000 8620a8c0 00000000 .......... .....
Above, the TA_ADDRESS object has a length of 4, a type of 1, and a value of 0x8620a8c0. Because dc prints little-endian dwords, those bytes sit in memory as c0 a8 20 86; taking each byte in that order as an IPv4 octet yields the address 192.168.32.134, which is the IPv4 source address of the client.

This scenario allows attacker-controlled data, supplied through the source address, to be written at a controlled offset from the packet allocation in memory. While very restrictive and possibly impractical, it could in theory be used to control the values written to memory precisely, by sending multiple requests from different source addresses at decrementing packet offsets, each contributing the four bytes of its address.
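The following is an added example, not code from the original post or from MSMQ. It models the three things discussed above: parsing the TA_ADDRESS bytes shown by dc rcx (embedded here as a constructed 16-byte array), decoding the IPv4 octets in memory order rather than from the printed dword, and the reach of the OnDiskExtensionHeader write sequence relative to the packet allocation. The memcpy length (AddressLength + 0x08) and destination (Address + 0xA6) come from the write list; where the octets sit inside the copied region is taken from the dump and is an assumption of this example, as are the allocation sizes and offsets used in main. The fixed-width types stand in for the Windows USHORT/UCHAR so the file compiles anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the TA_ADDRESS definition above. */
typedef struct _TA_ADDRESS {
    uint16_t AddressLength;
    uint16_t AddressType;
    uint8_t  Address[1];
} TA_ADDRESS, *PTA_ADDRESS;

#define TA_COPY_OVERHEAD 0x08u   /* memcpy length is AddressLength + 0x08 */
#define TA_MEMCPY_OFFSET 0xA6u   /* memcpy destination is Address + 0xA6 */

/* Constructed input: the 16 bytes "dc rcx" printed, in memory order. dc shows
 * little-endian dwords, so the dword 8620a8c0 is the byte run c0 a8 20 86. */
static const uint8_t kDump[16] = {
    0x04, 0x00, 0x01, 0x00,   /* AddressLength = 4, AddressType = 1 */
    0x00, 0x00, 0x00, 0x00,
    0xc0, 0xa8, 0x20, 0x86,   /* 192.168.32.134 */
    0x00, 0x00, 0x00, 0x00,
};

typedef struct {
    uint16_t length;     /* AddressLength */
    uint16_t type;       /* AddressType */
    uint32_t copy_len;   /* bytes the memcpy moves: AddressLength + 8 */
    uint8_t  octets[4];  /* IPv4 octets in memory order */
} parsed_ta_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse an IPv4 TA_ADDRESS from 'n' bytes. Returns 0 on success, -1 when the
 * declared length is not 4 or the region the memcpy would read is not all
 * present. The octets are read from the last AddressLength bytes of the copied
 * region, which is where the dump shows them; that placement is an assumption
 * of this example, not something the struct definition fixes. */
static int parse_ta_address(const uint8_t *buf, size_t n, parsed_ta_t *out)
{
    if (n < 4) return -1;
    uint16_t len = le16(buf), type = le16(buf + 2);
    if (len != 4) return -1;
    uint32_t copy_len = (uint32_t)len + TA_COPY_OVERHEAD;
    if (copy_len > n) return -1;
    out->length = len;
    out->type = type;
    out->copy_len = copy_len;
    memcpy(out->octets, buf + copy_len - len, len);
    return 0;
}

/* Split a dword the way it sits in little-endian memory, least significant
 * byte first: 0x8620a8c0 -> c0 a8 20 86. Reading the hex digits left to right
 * instead would give the wrong address (134.32.168.192). */
static void dword_to_octets_le(uint32_t v, uint8_t o[4])
{
    for (int i = 0; i < 4; i++) o[i] = (uint8_t)(v >> (8 * i));
}

/* Dotted-quad rendering; returns characters written or -1 if 'out' is too small. */
static int format_ipv4(const uint8_t o[4], char *out, size_t outlen)
{
    int r = snprintf(out, outlen, "%u.%u.%u.%u", o[0], o[1], o[2], o[3]);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}

/* Model of the primitive: with Address 'addr_off' bytes from the start of an
 * allocation of 'alloc_size' bytes, return how many bytes past its end the
 * header sequence reaches (0 if it fits). The furthest byte touched is the end
 * of the memcpy at Address + 0xA6; every fixed write in the list lies before it. */
static size_t oob_overrun_bytes(size_t alloc_size, size_t addr_off, uint16_t addr_len)
{
    size_t end = addr_off + TA_MEMCPY_OFFSET + addr_len + TA_COPY_OVERHEAD;
    return end > alloc_size ? end - alloc_size : 0;
}

int main(void)
{
    parsed_ta_t ta;
    char ip[16];
    if (parse_ta_address(kDump, sizeof kDump, &ta) != 0 ||
        format_ipv4(ta.octets, ip, sizeof ip) < 0) {
        fprintf(stderr, "dump does not parse as an IPv4 TA_ADDRESS\n");
        return 1;
    }
    printf("AddressLength=%u AddressType=%u memcpy length=0x%x source=%s\n",
           (unsigned)ta.length, (unsigned)ta.type, (unsigned)ta.copy_len, ip);
    /* Hypothetical 0x1000-byte packet allocation with Address at its very end:
     * the whole header sequence lands outside it, reaching 0xB2 bytes past the end. */
    printf("overrun with Address at allocation end: 0x%zx bytes\n",
           oob_overrun_bytes(0x1000, 0x1000, ta.length));
    return 0;
}
```

The copy length the parser computes (0xC) matches r8 at the call site, and the overrun figure is the check to apply to any candidate offset: if Address already sits at or past the end of the allocation, every write in the list is out of bounds, and the memcpy tail is the furthest one.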