Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Finding vulnerabilities in ClipSp, the driver at the core of Windows' Client License Platform

Philippe Laulheret - Talos
  • ClipSp is a Windows driver used for client licensing. Because it is fairly sensitive, the driver ships without symbols and its code is obfuscated. The author of this post spent some time reviewing this code and found a few out-of-bounds (OOB) reads and writes.
  • The license data is processed as a tag-length-value (TLV) format made up of a large group of blocks. Each tag entry carries one piece of license information, and one of these tags is a signature tag.
  • The code iterates over every tag in turn. When it reaches the signature block, it uses an index to count the number of bytes in the buffer before that block, and only those bytes are covered by the signature check.
  • The issue with this scheme is that data after the signature block is still processed without being covered by the signature. If a field was already set from the signed part, a later unsigned tag could even overwrite it. I like this bug since it's a fairly deep implementation flaw of the algorithm. Good find!
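As an added illustration of the signature-coverage flaw summarized above (my own example, not code from the Talos post or from ClipSp), the parser below mirrors the weak scheme beside a hardened one. The TLV layout, the tag numbers, and the use of an HMAC with a constructed demo key are all assumptions made to keep the example self-contained; the real driver checks a public-key signature over a different format. The point it demonstrates is that a signature covering only the bytes before the signature block leaves any trailing tags unauthenticated, and that the fix is to refuse anything after the signature block (and to bounds-check every length while parsing, which is where the OOB reads come from in TLV code).

```python
import hashlib
import hmac
import struct

# Constructed demo key. The real driver verifies a signature against a
# vendor key; HMAC stands in here only so the example runs offline.
DEMO_KEY = b"constructed-demo-signing-key"

TAG_NAME = 0x01       # hypothetical tag numbers, not ClipSp's
TAG_EXPIRY = 0x02
TAG_SIGNATURE = 0x10

HEADER = struct.Struct("<HH")  # tag, length: two little-endian 16-bit fields


def encode_tlv(tag: int, value: bytes) -> bytes:
    return HEADER.pack(tag, len(value)) + value


def iter_tlv(buf: bytes):
    """Yield (offset, tag, value); bounds-check header and value lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated TLV header")
        tag, length = HEADER.unpack_from(buf, off)
        start = off + HEADER.size
        end = start + length
        if end > len(buf):
            raise ValueError("TLV length exceeds buffer")  # would be an OOB read otherwise
        yield off, tag, buf[start:end]
        off = end


def sign_license(fields) -> bytes:
    """Serialize the fields and append a signature block covering all of them."""
    body = b"".join(encode_tlv(t, v) for t, v in fields)
    sig = hmac.new(DEMO_KEY, body, hashlib.sha256).digest()
    return body + encode_tlv(TAG_SIGNATURE, sig)


def _check_signature(buf: bytes, sig_offset: int, sig: bytes) -> None:
    """Verify the signature over the bytes preceding the signature block."""
    expected = hmac.new(DEMO_KEY, buf[:sig_offset], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")


def parse_vulnerable(buf: bytes) -> dict:
    """Mirrors the flaw: the signature covers only the bytes before it, yet
    tags after the signature block are still processed and can overwrite
    fields that were set from the signed part."""
    fields = {}
    verified = False
    for off, tag, value in iter_tlv(buf):
        if tag == TAG_SIGNATURE:
            _check_signature(buf, off, value)
            verified = True
            continue
        fields[tag] = value  # no check that this tag was covered by the signature
    if not verified:
        raise ValueError("no signature block")
    return fields


def parse_hardened(buf: bytes) -> dict:
    """Hardened form: any byte after the signature block is rejected, so every
    field that reaches the caller was covered by the signature."""
    fields = {}
    verified = False
    for off, tag, value in iter_tlv(buf):
        if verified:
            raise ValueError("unsigned data after signature block")
        if tag == TAG_SIGNATURE:
            _check_signature(buf, off, value)
            verified = True
            continue
        fields[tag] = value
    if not verified:
        raise ValueError("no signature block")
    return fields


if __name__ == "__main__":
    # Constructed sample: a signed license, then the same bytes with an
    # extra unsigned expiry tag appended after the signature block.
    lic = sign_license([(TAG_NAME, b"demo-user"), (TAG_EXPIRY, b"2020-01-01")])
    trailing = lic + encode_tlv(TAG_EXPIRY, b"2099-12-31")
    print("vulnerable parser expiry:", parse_vulnerable(trailing)[TAG_EXPIRY])
    try:
        parse_hardened(trailing)
    except ValueError as e:
        print("hardened parser:", e)
```

Note that `parse_hardened` still accepts the untampered license, and that `iter_tlv` raises on a truncated buffer rather than reading past its end; both properties are what a reviewer should check for in any TLV verifier.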