1. Description:
The ntk_PowerDVD12.sys kernel driver distributed with CyberLink PowerDVD contains
a pool overflow vulnerability in the handling of IOCTL 0x9C402404.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.

2. Vulnerability details:
The function at 0x0001906C is responsible for dispatching IOCTL codes:
.text:0001906C ; int __stdcall ioctl_handler(int, PIRP Irp)
.text:0001906C ioctl_handler proc near ; DATA XREF: DriverEntry+CDo
.text:0001906C
.text:0001906C var_4FC = dword ptr -4FCh
.text:0001906C var_FC = byte ptr -0FCh
.text:0001906C var_84 = dword ptr -84h
.text:0001906C var_5C = byte ptr -5Ch
.text:0001906C var_3C = byte ptr -3Ch
.text:0001906C var_1C = dword ptr -1Ch
.text:0001906C var_18 = dword ptr -18h
.text:0001906C inbuff_mem = dword ptr -14h
.text:0001906C NumberOfBytes = dword ptr -10h
.text:0001906C BaseAddress = dword ptr -0Ch
.text:0001906C var_8 = dword ptr -8
.text:0001906C var_4 = dword ptr -4
.text:0001906C Irp = dword ptr 0Ch
.text:0001906C
.text:0001906C push ebp
.text:0001906D mov ebp, esp
.text:0001906F sub esp, 4FCh
.text:00019075 push ebx
.text:00019076 push esi
.text:00019077 mov esi, [ebp+Irp]
.text:0001907A mov ebx, [esi+60h]
.text:0001907D mov ecx, [ebx+8]
.text:00019080 push edi
.text:00019081 xor edi, edi
.text:00019083 cmp ecx, edi
.text:00019085 mov [ebp+NumberOfBytes], ecx
.text:00019088 mov eax, [ebx+4]
.text:0001908B mov [ebp+var_1C], edi
.text:0001908E mov [ebp+var_4], eax
.text:00019091 jnz short loc_1909F
.text:00019093 mov [ebp+var_1C], 0C000000Dh
.text:0001909A jmp loc_19A03
.text:0001909F ; ---------------------------------------------------------------------------
.text:0001909F
.text:0001909F loc_1909F: ; CODE XREF: ioctl_handler+25j
.text:0001909F mov eax, [ebx+0Ch]
.text:000190A2 cmp eax, 9C402400h
.text:000190A7 jz loc_19852
.text:000190AD cmp eax, 9C402404h
.text:000190B2 jz loc_1982D
[..]
.text:0001982D mov edx, [ebp+Irp]
.text:00019830 mov eax, [edx+0Ch]
.text:00019833 push 8
.text:00019835 mov byte ptr [eax], 0
.text:00019838 lea edi, [eax+1]
.text:0001983B pop ecx
.text:0001983C mov esi, offset unk_23D20
.text:00019841 rep movsd <---- No check for inbuff size!!!
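The listing above writes 1 + 8*4 = 33 bytes into Irp->AssociatedIrp.SystemBuffer (loaded at [edx+0Ch]) without comparing that against the caller's buffer length saved from the IO_STACK_LOCATION. The following is an added example, not the advisory's or CyberLink's code: it models the same METHOD_BUFFERED dispatch in plain C with the missing length check in place. The stand-in parameters, the contents of unk_23D20 and the NTSTATUS values other than 0xC000000D are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IOCTL_9C402404                0x9C402404u
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du  /* value stored at 0x19093 */
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* One zero byte at [eax] plus 8 dwords moved by "push 8 / rep movsd" to [eax+1]. */
#define RESPONSE_LEN (1 + 8 * sizeof(uint32_t))   /* 33 bytes */

/* Stand-in for the driver's unk_23D20 table; these contents are constructed. */
static const uint32_t unk_23D20[8] = {
    0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u,
    0x55555555u, 0x66666666u, 0x77777777u, 0x88888888u };

/* Hardened dispatch for a METHOD_BUFFERED request (model, not kernel code).
 *   sysbuf   models Irp->AssociatedIrp.SystemBuffer        (the [edx+0Ch] load)
 *   in_len   models Parameters.DeviceIoControl.InputBufferLength  ([ebx+8])
 *   out_len  models Parameters.DeviceIoControl.OutputBufferLength ([ebx+4])
 *   *written models Irp->IoStatus.Information
 * Returns an NTSTATUS-style code. */
uint32_t handle_ioctl(uint32_t code, uint8_t *sysbuf,
                      size_t in_len, size_t out_len, size_t *written)
{
    *written = 0;
    if (in_len == 0)                      /* same test as "cmp ecx, edi" at 0x19083 */
        return STATUS_INVALID_PARAMETER;
    if (code != IOCTL_9C402404)
        return STATUS_INVALID_DEVICE_REQUEST;
    /* The check the listing lacks: the output buffer must hold the whole response.
     * Checking out_len (not the pool allocation size) also keeps the data
     * returned to user mode within what the caller asked for. */
    if (sysbuf == NULL || out_len < RESPONSE_LEN)
        return STATUS_BUFFER_TOO_SMALL;
    sysbuf[0] = 0;                                    /* mov byte ptr [eax], 0 */
    memcpy(sysbuf + 1, unk_23D20, sizeof unk_23D20);  /* rep movsd, ecx = 8 */
    *written = RESPONSE_LEN;
    return STATUS_SUCCESS;
}
```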