
#ZeroNights #0day show #lulz #TrendFail

a guest
Dec 29th, 2012
  1. Intro.
  2. just some facts:
  3. I killed/revealed/talked about this 0day in TrendMicro kernel component at several security conferences during 2012:
  4. April - Hackito Ergo Sum, Paris
  5. May - Hack In The Box, Amsterdam
  6. May - Positive Hack Days, Moscow
  7.  
  8. But no reaction/fix from TrendMicro.
  9.  
  10. I'm curious, security engineers from TrendMicro don't visit conferences or don't read slides?
  11.  
  12. Anyway, this vuln is interesting, because when I revealed it using 1-shot taint analysis, it showed a wrong conclusion about exploitability.
  13. After applying manual analysis, some good news was revealed... (See spoil)
  14.  
  15. 1.Description
  16. The tmtdi.sys kernel driver distributed with TrendMicro products contains
  17. a pool corruption vulnerability in the handling of IOCTL 0x220044.
  18. Exploitation of this issue allows an attacker to execute arbitrary code
  19. within the kernel.
  20. An attacker would need local access to a vulnerable computer to exploit
  21. this vulnerability.
  22.  
  23. Affected application: various TrendMicro products.
  24. Affected file: tmtdi.sys version 6.8.0.1072.
  25.  
  26. 2.Details
  27.  
  28. .text:0001D402 ; int __stdcall ioctl_handler(PDEVICE_OBJECT DeviceObject, PIRP NewIrql)
  29. .text:0001D402 ioctl_handler proc near ; DATA XREF: sub_1DD8A+D0o
  30. .text:0001D402
  31. .text:0001D402 var_4 = dword ptr -4
  32. .text:0001D402 DeviceObject = dword ptr 8
  33. .text:0001D402 NewIrql = dword ptr 0Ch
  34. .text:0001D402
  35. .text:0001D402 mov edi, edi
  36. .text:0001D404 push ebp
  37. .text:0001D405 mov ebp, esp
  38. .text:0001D407 push ecx
  39. .text:0001D408 mov eax, [ebp+DeviceObject]
  40. .text:0001D40B mov eax, [eax+28h]
  41. .text:0001D40E and [ebp+var_4], 0
  42. .text:0001D412 push ebx
  43. .text:0001D413 mov ebx, [ebp+NewIrql]
  44. .text:0001D416 push esi
  45. .text:0001D417 mov esi, ds:MmIsAddressValid
  46. .text:0001D41D push edi
  47. .text:0001D41E mov edi, [ebx+60h]
  48. .text:0001D421 push edi ; VirtualAddress
  49. .text:0001D422 mov [ebp+NewIrql], eax
  50. .text:0001D425 call esi ; MmIsAddressValid
  51. .text:0001D427 test al, al
  52. .text:0001D429 jnz short loc_1D439
  53.  
  54. [..]
  55.  
  56. .text:0001D7C0 loc_1D7C0: ; CODE XREF: ioctl_handler+256j
  57. .text:0001D7C0 mov eax, ecx
  58. .text:0001D7C2 sub eax, 220044h //ioctl check
  59. .text:0001D7C7 jz short loc_1D839
  60.  
  61. .text:0001D839 loc_1D839: ; CODE XREF: ioctl_handler+3C5j
  62. .text:0001D839 mov edi, [ebx+0Ch]
  63. .text:0001D83C push edi ; VirtualAddress
  64. .text:0001D83D call esi ; MmIsAddressValid
  65. .text:0001D83F test al, al
  66. .text:0001D841 jz loc_1DD63
  67. .text:0001D847 push [ebp+var_4]
  68. .text:0001D84A push edi
  69. .text:0001D84B push offset dword_22BA0
  70. .text:0001D850 call sub_15682
  71.  
  72. [..]
  73.  
  74. .text:00015682 sub_15682 proc near ; CODE XREF: ioctl_handler+44Ep
  75. .text:00015682
       ; sub_15682 -- serialize the global connection list (dword_22C20) into a caller buffer.
       ; ABI:   __stdcall, three dword args (retn 0Ch). Only arg_4 (ebp+0Ch) is read in this
       ;        listing; arg_0 / arg_8 are pushed by ioctl_handler but not referenced here.
       ; In:    arg_4 = destination buffer. The caller (ioctl_handler, loc_1D839) passes the
       ;        IRP field at +0Ch, which on 32-bit Windows is Irp->AssociatedIrp.SystemBuffer
       ;        (0x220044 & 3 == 0 => METHOD_BUFFERED, so this is a pool buffer sized from the
       ;        user's buffer lengths) -- confirm against the full handler.
       ; Out:   [dst .. dst+N*3Ch) = one 0x3C-byte record per list entry, then a dword -1
       ;        terminator at dst+N*3Ch. Nothing is returned in eax.
       ; Lock:  dword_22C28 spin lock held for the whole walk (KfAcquireSpinLock/KfReleaseSpinLock).
       ; Clobb: eax, ecx, edx, flags; ebx, esi, edi saved/restored.
       ; BUG:   N (list length) is a runtime global; no caller-supplied length is consulted, so a
       ;        buffer smaller than N*3Ch+4 bytes is overrun (pool corruption). The only check on
       ;        the shown path is MmIsAddressValid on the pointer, which says nothing about size.
       ; FIX:   pass the output length (OutputBufferLength from the I/O stack location), stop
       ;        before the write that would exceed it, and fail with STATUS_BUFFER_TOO_SMALL
       ;        (reporting the required N*3Ch+4). The terminator write needs 4 bytes as well.
  76. .text:00015682 NewIrql = byte ptr -1
  77. .text:00015682 arg_4 = dword ptr 0Ch
  78. .text:00015682
  79. .text:00015682 mov edi, edi
  80. .text:00015684 push ebp
  81. .text:00015685 mov ebp, esp
  82. .text:00015687 push ecx                 ; 4-byte local: NewIrql
  83. .text:00015688 push ebx
  84. .text:00015689 mov ecx, offset dword_22C28 ; SpinLock
  85. .text:0001568E call ds:KfAcquireSpinLock ; fastcall: ecx = lock, returns old IRQL in al
  86. .text:00015694 mov ebx, [ebp+arg_4]     ; ebx = write cursor into destination buffer
  87. .text:00015697 mov [ebp+NewIrql], al    ; keep old IRQL for the release below
  88. .text:0001569A mov eax, dword_22C20 //list of structs (head.Flink = first entry)
  89. .text:0001569F mov edx, offset dword_22C20 ; edx = &head, the loop sentinel
  90. .text:000156A4 cmp eax, edx
  91. .text:000156A6 jz short loc_156F2 //loop, copy from list to our buffer without size check
  92. .text:000156A8 push esi
  93. .text:000156A9 push edi
  94. .text:000156AA
  95. .text:000156AA loc_156AA: ; CODE XREF: sub_15682+6Cj
       ; Invariant: eax = current list entry (never the sentinel), ebx = next free record slot.
       ; Record layout written below (0x3C bytes, see tmtdi_struct in section 3):
       ;   +00..+0F  4 dwords     <- entry+0Ch..+18h
       ;   +10..+23  5 dwords     <- entry+1Ch    (local: type + address)
       ;   +24       word         <- entry+30h    (local port)
       ;   +26..+39  5 dwords     <- entry+32h    (remote: type + address)
       ;   +3A       word         <- entry+46h    (remote port)
  96. .text:000156AA mov ecx, [eax+0Ch]
  97. .text:000156AD mov [ebx], ecx
  98. .text:000156AF mov ecx, [eax+10h]
  99. .text:000156B2 mov [ebx+4], ecx
  100. .text:000156B5 mov ecx, [eax+14h]
  101. .text:000156B8 mov [ebx+8], ecx
  102. .text:000156BB mov ecx, [eax+18h]
  103. .text:000156BE mov [ebx+0Ch], ecx
  104. .text:000156C1 push 5                  ; ecx = 5 (compact mov ecx,5)
  105. .text:000156C3 pop ecx
  106. .text:000156C4 lea esi, [eax+1Ch]
  107. .text:000156C7 lea edi, [ebx+10h]
  108. .text:000156CA rep movsd               ; 20 bytes, unbounded by destination size
  109. .text:000156CC mov cx, [eax+30h]
  110. .text:000156D0 mov [ebx+24h], cx
  111. .text:000156D4 push 5
  112. .text:000156D6 lea esi, [eax+32h]
  113. .text:000156D9 lea edi, [ebx+26h]
  114. .text:000156DC pop ecx
  115. .text:000156DD rep movsd               ; another 20 bytes, same issue
  116. .text:000156DF mov cx, [eax+46h]
  117. .text:000156E3 mov [ebx+3Ah], cx
  118. .text:000156E7 mov eax, [eax]          ; entry = entry->Flink
  119. .text:000156E9 add ebx, 3Ch            ; advance cursor one record; no bound check
  120. .text:000156EC cmp eax, edx            ; back at the head sentinel?
  121. .text:000156EE jnz short loc_156AA
  122. .text:000156F0 pop edi
  123. .text:000156F1 pop esi
  124. .text:000156F2
  125. .text:000156F2 loc_156F2: ; CODE XREF: sub_15682+24j
  126. .text:000156F2 mov dl, [ebp+NewIrql] ; NewIrql
  127. .text:000156F5 mov ecx, offset dword_22C28 ; SpinLock
  128. .text:000156FA call ds:KfReleaseSpinLock
  129. .text:00015700 or dword ptr [ebx], 0FFFFFFFFh ; terminator after the last record (also unchecked; reached with ebx == dst when the list is empty)
  130. .text:00015703 pop ebx
  131. .text:00015704 leave
  132. .text:00015705 retn 0Ch
  133. .text:00015705 sub_15682 endp
  134.  
  135.  
  136. 3.Spoil
  137.  
  138. union AddrInfo
  139. {
  140. BYTE addr_info_v4[0x4];                 // IPv4 address, 4 bytes
  141. WORD addr_info_v6[IPV6SIZEWORDS];       // IPv6 address as 16-bit words; IPV6SIZEWORDS is not defined on this page -- presumably 8 (16 bytes), which is the size that makes the 0x3C record stride of sub_15682 line up
  142. };
  143.  
  144. #pragma pack(2)                         // never popped: applies to this and every struct below; with a 16-byte AddrInfo this yields sizeof == 0x16 (4 + 16 + 2) and no padding, matching the 5-dword rep movsd plus 1-word copy per endpoint in sub_15682
  145. struct tmtdi_ip_port_info_struct{
  146. DWORD type;//V4, V6 -- selects which member of local_ip is valid
  147. union AddrInfo local_ip;                // address (offset 4)
  148. WORD local_ip_port;                     // port (offset 0x14); byte order not shown on this page
  149. };
  150.  
  151. struct tmtdi_conn_info_struct{          // one connection = two endpoints; 2 * 0x16 = 0x2C bytes under pack(2)
  152. struct tmtdi_ip_port_info_struct local;  // offset 0
  153. struct tmtdi_ip_port_info_struct remote; // offset 0x16
  154. };
  155.  
  156. struct tmtdi_struct{                    // the 0x3C-byte record sub_15682 emits per list entry (0x10 + 0x2C); in the source list entry this record appears to start at +0Ch after a link header ([entry] is the forward link) -- confirm
  157. DWORD pid;                              // <- entry+0Ch
  158. DWORD type;                             // <- entry+10h
  159. DWORD ipproto;                          // <- entry+14h
  160. DWORD dir;                              // <- entry+18h
  161. struct tmtdi_conn_info_struct tmtdi_conn_info; // <- entry+1Ch .. entry+48h (offset 0x10 in the record)
  162. };