I have a legacy Windows application that needs to be looked over in terms of security. During this review something caught my eye. The out-of-process COM server I'm looking at has a method that accepts an arbitrary class pointer. The method manually queries the attacker-supplied interface for a specific IID and proceeds to call methods on that interface. It's possible for an attacker to supply any COM class pointer they want to this method, and no further verification is done. The COM server is running as a more privileged user.
I don't know much about COM, but this behavior feels unsafe to me. Can an attacker exploit this behavior by sending their own specially crafted COM object, or is this safe?
I've been struggling with reading the documentation and experimenting. I can't seem to find a definitive answer to this question anywhere on MSDN or the web. It could be that I just don't understand the technology well enough.
EDIT:
The server's method looks like this (I've abridged it slightly):

    HRESULT __stdcall CCallbackRegister::register_handler(char* new_handler, IUnknown* handler_pointer)
    {
        std::string handler_name(new_handler);
        // Reject a handler name that has already been registered.
        if (std::find(_handler_cache.begin(), _handler_cache.end(), handler_name) != _handler_cache.end())
            return E_FAIL;
        // Ask the caller-supplied object for the server's private interface.
        void* register_interface = nullptr;
        if (handler_pointer->QueryInterface(_static_handle_proc_iid, &register_interface) == S_OK)
        {
            IHandlerRegister* handler_register = (IHandlerRegister*)register_interface;
            // Hands the server's own object to the caller-supplied implementation.
            handler_register->do_register(this);
        }
        ...
    }
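One thing a reviewer wants to establish before answering the privilege-boundary question is who is actually allowed to launch and call this server, and under which account it runs. The following PowerShell audit script is an added example (not part of the original post, and not from the application under review); it reads the server's CLSID and AppID registration from the registry and decodes the DCOM launch and access permissions. The CLSID value is a placeholder that must be replaced with the real one.

```powershell
# Added example: audit the DCOM registration of an out-of-process COM server.
# The CLSID below is a placeholder, not the real server's identifier.
$clsid = '{00000000-0000-0000-0000-000000000000}'

function ConvertFrom-ComSecurityDescriptor {
    # LaunchPermission / AccessPermission are stored as binary self-relative
    # security descriptors; render them as SDDL so the ACEs are readable.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '(not set: machine-wide DCOM defaults apply)' }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

$clsKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction Stop
$appId  = $clsKey.GetValue('AppID')
if (-not $appId) {
    throw "CLSID $clsid has no AppID value; it is not registered as an out-of-process server."
}

$localServer = $clsKey.OpenSubKey('LocalServer32')
$appKey      = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction Stop

[pscustomobject]@{
    CLSID            = $clsid
    AppID            = $appId
    # Executable that COM launches for this class (absent if hosted elsewhere).
    LocalServer32    = if ($localServer) { $localServer.GetValue('') } else { '(none)' }
    # Set when the server is hosted inside a Windows service.
    LocalService     = $appKey.GetValue('LocalService')
    # Identity the server runs under; absent means "the launching user".
    RunAs            = if ($appKey.GetValue('RunAs')) { $appKey.GetValue('RunAs') } else { '(launching user)' }
    # Who may start the server process, and who may call into it once running.
    LaunchPermission = ConvertFrom-ComSecurityDescriptor $appKey.GetValue('LaunchPermission')
    AccessPermission = ConvertFrom-ComSecurityDescriptor $appKey.GetValue('AccessPermission')
}
```

Run it in an elevated PowerShell session on the machine where the server is registered. If RunAs or LocalService names a privileged account while AccessPermission grants call access to ordinary users (for example the Interactive or Everyone SIDs), then any method of the server, including register_handler, is reachable across a privilege boundary and the untrusted-pointer handling in that method has to be assessed accordingly.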