
Novell Client 4.91 SP5 IR1 for Windows XP/2003 #0day

a guest
May 10th, 2013
  1. 1. Description:
  2.  
  3. The nwfs.sys kernel driver distributed with Novell Client 4.91 SP5 IR1 for Windows XP/2003 contains
  4. an integer overflow vulnerability in the handling of IOCTL 0x1439EB: the requested allocation size wraps when 0x18 is added to it, and the undersized pool block is then overflowed.
  5. Exploitation of this issue allows an attacker to execute arbitrary code
  6. within the kernel.
  7. An attacker would need local access to a vulnerable computer to exploit
  8. this vulnerability.
  9.  
  10. Affected application: Novell Client 4.91 SP5 IR1 for Windows XP/2003 (up to date).
  11. Affected file: nwfs.sys version 4.91.5.8.
  12.  
  13. 2. Vulnerability details:
  14.  
  15. The function at 0x000349CC is responsible for dispatching IOCTL codes:
  16.  
  17. .text:000349CC ; int __stdcall ioctl_handler(int, PIRP Irp)
  18. .text:000349CC ioctl_handler proc near ; DATA XREF: DriverEntry-1CCBo
  19. .text:000349CC
  20. .text:000349CC var_3C = dword ptr -3Ch
  21. .text:000349CC var_38 = dword ptr -38h
  22. .text:000349CC var_34 = dword ptr -34h
  23. .text:000349CC var_30 = dword ptr -30h
  24. .text:000349CC var_2C = dword ptr -2Ch
  25. .text:000349CC var_28 = dword ptr -28h
  26. .text:000349CC var_24 = dword ptr -24h
  27. .text:000349CC var_20 = dword ptr -20h
  28. .text:000349CC var_1C = dword ptr -1Ch
  29. .text:000349CC ms_exc = CPPEH_RECORD ptr -18h
  30. .text:000349CC Irp = dword ptr 0Ch
  31. .text:000349CC
  32. .text:000349CC push 2Ch
  33. .text:000349CE push offset stru_81020
  34. .text:000349D3 call __SEH_prolog
  35. .text:000349D8 call ds:KeEnterCriticalRegion
  36. .text:000349DE mov ebx, [ebp+Irp]
  37. .text:000349E1 mov esi, [ebx+60h]
  38. .text:000349E4 mov [ebp+var_1C], esi
  39. .text:000349E7 inc dword_8A1E0
  40. .text:000349ED mov eax, [ebx+60h]
  41. .text:000349F0 or byte ptr [eax+3], 1
  42. .text:000349F4 mov dword ptr [ebx+18h], 103h
  43. .text:000349FB and dword ptr [ebx+1Ch], 0
  44. .text:000349FF call sub_641C0
  45. .text:00034A04 mov edi, eax
  46. .text:00034A06 mov [ebp+var_2C], edi
  47. .text:00034A09 test edi, edi
  48. .text:00034A0B jnz short loc_34A2A
  49.  
  50. [..]
  51.  
  52. .text:00034A2A loc_34A2A: ; CODE XREF: ioctl_handler+3Fj
  53. .text:00034A2A mov [edi+0Ch], ebx
  54. .text:00034A2D mov eax, [esi+18h]
  55. .text:00034A30 mov [edi+10h], eax
  56. .text:00034A33 mov eax, [esi+0Ch]
  57. .text:00034A36 mov ecx, 14393Bh
  58. .text:00034A3B cmp eax, ecx
  59. .text:00034A3D ja loc_34E8F
  60.  
  61. [..]
  62.  
  63. .text:000350F1 loc_350F1: ; CODE XREF: ioctl_handler+6D1j
  64. .text:000350F1 sub eax, 1439EBh
  65. .text:000350F6 jz short loc_3514B
  66.  
  67. [..]
  68.  
  69. .text:0003514B loc_3514B: ; CODE XREF: ioctl_handler+72Aj
  70. .text:0003514B push edi
  71. .text:0003514C call ioctl_handler_0x1439EB_vuln
  72.  
  73. [..]
  74.  
  75. .text:000112F0 ioctl_handler_0x1439EB_vuln proc near ; CODE XREF: ioctl_handler+780p
  76. .text:000112F0 ; sub_46558+694p
  77. .text:000112F0
  78. .text:000112F0 var_80 = byte ptr -80h
  79. .text:000112F0 var_78 = dword ptr -78h
  80. .text:000112F0 var_74 = dword ptr -74h
  81. .text:000112F0 var_68 = byte ptr -68h
  82. .text:000112F0 var_60 = dword ptr -60h
  83. .text:000112F0 var_5C = dword ptr -5Ch
  84. .text:000112F0 var_50 = dword ptr -50h
  85. .text:000112F0 var_4C = dword ptr -4Ch
  86. .text:000112F0 var_48 = dword ptr -48h
  87. .text:000112F0 var_44 = dword ptr -44h
  88. .text:000112F0 var_40 = dword ptr -40h
  89. .text:000112F0 var_3C = dword ptr -3Ch
  90. .text:000112F0 var_38 = dword ptr -38h
  91. .text:000112F0 var_34 = dword ptr -34h
  92. .text:000112F0 var_30 = dword ptr -30h
  93. .text:000112F0 var_2C = dword ptr -2Ch
  94. .text:000112F0 var_28 = dword ptr -28h
  95. .text:000112F0 var_24 = dword ptr -24h
  96. .text:000112F0 var_20 = dword ptr -20h
  97. .text:000112F0 pMem = byte ptr -1Ch
  98. .text:000112F0 ms_exc = CPPEH_RECORD ptr -18h
  99. .text:000112F0 arg_0 = dword ptr 8
  100. .text:000112F0
  101. .text:000112F0 push 70h
  102. .text:000112F2 push offset stru_7F430
  103. .text:000112F7 call __SEH_prolog
  104. .text:000112FC mov eax, [ebp+arg_0]
  105.  
  106. [..]
  107.  
  108. LULZ
  109. THANK YOU Novell for leaving such strings:
  110.  
  111. .text:0001140B push dword ptr [eax+0Ch]
  112. .text:0001140E push ebx
  113. .text:0001140F push offset aNwc_verify_key ; "NWC_VERIFY_KEY_WITHCONN"
  114. .text:00011414 push esi
  115. .text:00011415 push offset Format ; "[NWFS] VerifyIOCTL EXCEPTION 0x%08X whi"...
  116. .text:0001141A call DbgPrint
  117. .text:0001141F add esp, 18h
  118.  
  119. [..]
  120.  
  121. .text:00011422 loc_11422: ; CODE XREF: ioctl_handler_0x1439EB_vuln+28j
  122. .text:00011422 ; ioctl_handler_0x1439EB_vuln+F0j
  123. .text:00011422 or [ebp+ms_exc.disabled], 0FFFFFFFFh
  124. .text:00011426 test ebx, ebx
  125. .text:00011428 jz loc_114EA
  126. .text:0001142E mov [ebp+ms_exc.disabled], 1
  127. .text:00011435 mov eax, [ebx]
  128. .text:00011437 mov ecx, [ebx+4]
  129. .text:0001143A mov eax, [eax+8]
  130. .text:0001143D add eax, [ecx+8]
  131. .text:00011440 push eax ; NewIrql
  132. .text:00011441 push dword_8A1DC ; int
  133. .text:00011447 call Alloc_NonPaged_vuln_proxy
  134.  
  135. [..]
  136.  
  137. .text:00010980 Alloc_NonPaged_vuln_proxy proc near ; CODE XREF: ioctl_handler_0x1439EB_vuln+157p
  138. .text:00010980 ; sub_11820+20Dp ...
  139. .text:00010980 ; __stdcall wrapper: forwards the caller's nBytes unchanged to Alloc_NonPaged_vuln with its first argument fixed to 1 -- no size validation happens here
  140. .text:00010980 nBytes = byte ptr 0Ch ; IDA shows byte ptr, but the push below reads the slot as a dword
  141. .text:00010980
  142. .text:00010980 mov edi, edi ; 2-byte no-op
  143. .text:00010982 push ebp
  144. .text:00010983 mov ebp, esp
  145. .text:00010985 push dword ptr [ebp+nBytes] ; nBytes, passed through as-is: this is the value the callee later adds 18h to
  146. .text:00010988 push 1 ; int -- arg_0 = 1, which passes the callee's "cmp arg_0, 3 / ja" range check
  147. .text:0001098A call Alloc_NonPaged_vuln
  148. .text:0001098F pop ebp
  149. .text:00010990 retn 8 ; __stdcall: callee pops both dword arguments
  150. .text:00010990 Alloc_NonPaged_vuln_proxy endp
  151.  
  152. [..]
  153.  
  154. .text:0004EEA6 ; int __stdcall Alloc_NonPaged_vuln(int, UINT nBytes)
  155. .text:0004EEA6 Alloc_NonPaged_vuln proc near ; CODE XREF: Alloc_NonPaged_vuln_proxy+Ap
  156. .text:0004EEA6 ; sub_10A16+Ap ...
  157. .text:0004EEA6
  158. .text:0004EEA6 var_4 = dword ptr -4
  159. .text:0004EEA6 arg_0 = dword ptr 8
  160. .text:0004EEA6 nBytes = dword ptr 0Ch
  161. .text:0004EEA6
  162. .text:0004EEA6 mov edi, edi
  163. .text:0004EEA8 push ebp
  164. .text:0004EEA9 mov ebp, esp
  165. .text:0004EEAB push ecx
  166. .text:0004EEAC push ebx
  167. .text:0004EEAD mov ebx, [ebp+nBytes]
  168. .text:0004EEB0 test ebx, ebx
  169. .text:0004EEB2 jz loc_4EF5E
  170. .text:0004EEB8 mov [ebp+var_4], ebx
  171. .text:0004EEBB add ebx, 18h <---- Integer overflow right here! For nBytes >= 0xffffffe8 this 32-bit add wraps to a small value, which is what ExAllocatePoolWithTag below receives, while var_4 still holds the original nBytes :P
  172. .text:0004EEBE cmp [ebp+arg_0], 3
  173. .text:0004EEC2 ja loc_4EF5E
  174. .text:0004EEC8 push esi
  175. .text:0004EEC9 push 5346574Eh ; Tag
  176. .text:0004EECE push ebx ; NumberOfBytes
  177. .text:0004EECF push 0 ; PoolType
  178. .text:0004EED1 call ds:ExAllocatePoolWithTag
  179.  
  180. [..]
  181.  
  182. .text:0004EF40 mov ecx, [ebp+var_4]
  183. .text:0004EF43 mov edx, ecx
  184. .text:0004EF45 add esi, 18h
  185. .text:0004EF48 shr ecx, 2
  186. .text:0004EF4B xor eax, eax
  187. .text:0004EF4D mov edi, esi
  188. .text:0004EF4F rep stosd <--- Pool overflow: the fill length in ecx comes from var_4 (the original, un-wrapped nBytes), so this stosd/stosb pair writes far past the small block that was actually allocated
  189. .text:0004EF51 mov ecx, edx
  190. .text:0004EF53 and ecx, 3
  191. .text:0004EF56 rep stosb
  192.  
  193. 3. Exploit - make it yourself! :P