MSI string pool handling doesn't account for large strings #72
Comments
Thanks for the excellent bug report, I'll look into it ASAP. I'll also try to find some more samples with the same phenomenon, maybe additional data can help understand the mystery about the shift length.
This is the pool data for your provided sample that triggers the problem:
Now shifting
So when instead we assume that
Thanks for this! That makes a lot more sense. I'll fix the implementation that I built.
h/t binref/refinery#72 Also added output for version in the custom package parser tool.
h/t binref/refinery#72, for #24720. No changes file as this is an unreleased bug. Also added output for version in the custom package parser tool.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the product design team. -->
- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
- [x] Manual QA for all new/changed functionality
Description
Parsing properties from OpenVPN Connect v3's MSI doesn't grab the right data.
To Reproduce
emit -> xtmsi on the above installer, then look at the properties output. There's a license string blob that gets partially pulled into one interned string stream, with the string overflowing into the remainder of the string pool, while a bunch of the interned strings are missing (e.g. ProductName, ProductCode, ProductVersion).
Environment
Additional Context
I found a clue in the source for the msi-props-reader JS package: for interned strings too long to fit into a single length value, eight bytes are used rather than four for the string pool record, with the first two bytes as zeroes to indicate a longer record, the next two with the top two bytes of the length, the next two with the bottom two bytes of the length, then the last two with the reference count.
What's weird is that in my testing with the installer above (and the x86 version) I needed a 17-bit shift rather than 16, which makes me think I'm doing something wrong here, but for the above 17 bits works and 16 doesn't. My fix implementation is on another package, in another language (fleetdm/fleet#25079), but should be easy enough to port over if the code passes the smell test. Really uneasy about the 17-bit shift though, even though we're talking about an undocumented format that...well, I don't want to make guesses about why I'm seeing what I'm seeing.
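The record layout described above, as an added example (not code from refinery, fleet or msi-props-reader): a parser that reads long records with a 16-bit shift and cross-checks the summed lengths against the size of the string data, which is the check that exposes the missing-strings symptom when long records are ignored. The sample pool is constructed; little-endian fields, a record area with no stream header, and the names `parse_string_pool` and `build_sample` are assumptions.

```python
import struct

def parse_string_pool(records: bytes, data: bytes, long_records: bool = True):
    """Return [(string_bytes, refcount), ...]; raise ValueError on desync."""
    strings, pos, offset = [], 0, 0
    while pos < len(records):
        if len(records) - pos < 4:
            raise ValueError(f"truncated record at pool offset {pos}")
        length, second = struct.unpack_from("<HH", records, pos)
        pos += 4
        if long_records and length == 0 and second != 0:
            # Long record as described in the issue: 0x0000, high word of the
            # length, then low word and reference count in the next 4 bytes.
            if len(records) - pos < 4:
                raise ValueError(f"truncated long record at pool offset {pos}")
            low, refs = struct.unpack_from("<HH", records, pos)
            pos += 4
            length = (second << 16) | low
        else:
            # Normal record; four zero bytes are kept as an empty slot
            # (assumption, the issue does not discuss empty slots).
            refs = second
        if offset + length > len(data):
            raise ValueError(f"string at data offset {offset} overruns the data")
        strings.append((data[offset:offset + length], refs))
        offset += length
    # Cross-check: every byte of string data must belong to exactly one record.
    if offset != len(data):
        raise ValueError(f"pool lengths cover {offset} of {len(data)} data bytes")
    return strings

def build_sample():
    """Constructed pool: two short strings around one 70000-byte string."""
    items = [(b"ProductCode", 1), (b"L" * 70000, 1), (b"ProductName", 2)]
    records = b""
    for text, refs in items:
        n = len(text)
        if n > 0xFFFF:
            records += struct.pack("<HHHH", 0, n >> 16, n & 0xFFFF, refs)
        else:
            records += struct.pack("<HH", n, refs)
    return records, b"".join(text for text, _ in items)

if __name__ == "__main__":
    records, data = build_sample()
    print([(len(s), r) for s, r in parse_string_pool(records, data)])
    try:
        parse_string_pool(records, data, long_records=False)
    except ValueError as exc:
        print("4-byte-only parser rejected:", exc)
```

Running the same length cross-check against a real installer's pool is a quick way to tell whether a given length interpretation consumes the string data exactly.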