CyberLink PowerDVD #0day

a guest
Jan 10th, 2013
1. Description:

The ntk_PowerDVD12.sys kernel driver distributed with CyberLink PowerDVD contains
a pool overflow vulnerability in the handling of IOCTL 0x9C402404.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.

2. Vulnerability details:

The function at 0x0001906C is responsible for dispatching IOCTL codes:

.text:0001906C ; int __stdcall ioctl_handler(int, PIRP Irp)
.text:0001906C ioctl_handler proc near ; DATA XREF: DriverEntry+CDo
.text:0001906C
.text:0001906C var_4FC = dword ptr -4FCh
.text:0001906C var_FC = byte ptr -0FCh
.text:0001906C var_84 = dword ptr -84h
.text:0001906C var_5C = byte ptr -5Ch
.text:0001906C var_3C = byte ptr -3Ch
.text:0001906C var_1C = dword ptr -1Ch
.text:0001906C var_18 = dword ptr -18h
.text:0001906C inbuff_mem = dword ptr -14h
.text:0001906C NumberOfBytes = dword ptr -10h
.text:0001906C BaseAddress = dword ptr -0Ch
.text:0001906C var_8 = dword ptr -8
.text:0001906C var_4 = dword ptr -4
.text:0001906C Irp = dword ptr 0Ch
.text:0001906C
.text:0001906C push ebp
.text:0001906D mov ebp, esp
.text:0001906F sub esp, 4FCh
.text:00019075 push ebx
.text:00019076 push esi
.text:00019077 mov esi, [ebp+Irp]
.text:0001907A mov ebx, [esi+60h]
.text:0001907D mov ecx, [ebx+8]
.text:00019080 push edi
.text:00019081 xor edi, edi
.text:00019083 cmp ecx, edi
.text:00019085 mov [ebp+NumberOfBytes], ecx
.text:00019088 mov eax, [ebx+4]
.text:0001908B mov [ebp+var_1C], edi
.text:0001908E mov [ebp+var_4], eax
.text:00019091 jnz short loc_1909F
.text:00019093 mov [ebp+var_1C], 0C000000Dh
.text:0001909A jmp loc_19A03
.text:0001909F ; ---------------------------------------------------------------------------
.text:0001909F
.text:0001909F loc_1909F: ; CODE XREF: ioctl_handler+25j
.text:0001909F mov eax, [ebx+0Ch]
.text:000190A2 cmp eax, 9C402400h
.text:000190A7 jz loc_19852
.text:000190AD cmp eax, 9C402404h
.text:000190B2 jz loc_1982D

[..]

.text:0001982D mov edx, [ebp+Irp]
.text:00019830 mov eax, [edx+0Ch]
.text:00019833 push 8
.text:00019835 mov byte ptr [eax], 0
.text:00019838 lea edi, [eax+1]
.text:0001983B pop ecx
.text:0001983C mov esi, offset unk_23D20
.text:00019841 rep movsd <---- No check for inbuff size!!!
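The following is an added illustration, not part of the advisory and not CyberLink's code: a user-mode C model of the handler above, written to make the missing check concrete. It assumes the standard x86 WDK layouts the listing implies: [esi+60h] is the current IO_STACK_LOCATION, [ebx+4], [ebx+8] and [ebx+0Ch] are OutputBufferLength, InputBufferLength and IoControlCode, and [edx+0Ch] is Irp->AssociatedIrp.SystemBuffer. Under METHOD_BUFFERED the I/O manager allocates one pool buffer of max(input, output) length, yet the handler writes one byte plus eight DWORDs (rep movsd with ecx = 8, 33 bytes) after checking only that the input length is nonzero. The type names, the table contents and the helper functions are constructed for the example.

```c
/* Added example, not from the advisory or from CyberLink: a user-mode model of a
 * METHOD_BUFFERED IOCTL handler. Field layouts mirror the x86 IRP/IO_STACK_LOCATION
 * offsets seen in the listing (assumption: standard WDK layouts); types are stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D) /* the listing's only error path */
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)
#define IOCTL_UNDER_DISCUSSION        0x9C402404u

/* IrpSp->Parameters.DeviceIoControl as read by the listing. */
typedef struct {
    uint32_t OutputBufferLength;  /* [ebx+4]   */
    uint32_t InputBufferLength;   /* [ebx+8]   */
    uint32_t IoControlCode;       /* [ebx+0Ch] */
} IoctlParams;

/* The parts of the IRP the model needs. */
typedef struct {
    uint8_t *SystemBuffer;        /* Irp->AssociatedIrp.SystemBuffer, [edx+0Ch] */
    uint32_t Information;         /* Irp->IoStatus.Information: bytes returned */
} ModelIrp;

/* Constructed stand-in for the driver's table at unk_23D20 (8 DWORDs). */
static const uint32_t driver_table[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
#define REPLY_SIZE (1u + (uint32_t)sizeof driver_table)  /* 1 byte + rep movsd x8 = 33 */

/* METHOD_BUFFERED: the I/O manager allocates one pool buffer of max(in, out) bytes. */
uint32_t system_buffer_size(const IoctlParams *p) {
    return p->InputBufferLength > p->OutputBufferLength
         ? p->InputBufferLength : p->OutputBufferLength;
}

/* Bytes the original's unconditional 33-byte write would land past that allocation. */
uint32_t overrun_if_unchecked(const IoctlParams *p) {
    uint32_t size = system_buffer_size(p);
    return REPLY_SIZE > size ? REPLY_SIZE - size : 0;
}

uint32_t overrun_for(uint32_t out_len, uint32_t in_len) {
    IoctlParams p = { out_len, in_len, IOCTL_UNDER_DISCUSSION };
    return overrun_if_unchecked(&p);
}

/* Hardened dispatch: same control flow as the listing plus the missing length check. */
NTSTATUS handler_hardened(ModelIrp *irp, const IoctlParams *p) {
    irp->Information = 0;
    if (p->InputBufferLength == 0)            /* cmp ecx, edi / jnz in the listing */
        return STATUS_INVALID_PARAMETER;
    if (p->IoControlCode != IOCTL_UNDER_DISCUSSION)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (p->OutputBufferLength < REPLY_SIZE)   /* the check the driver lacks */
        return STATUS_BUFFER_TOO_SMALL;
    irp->SystemBuffer[0] = 0;                 /* mov byte ptr [eax], 0 */
    memcpy(irp->SystemBuffer + 1, driver_table, sizeof driver_table); /* rep movsd */
    irp->Information = REPLY_SIZE;
    return STATUS_SUCCESS;
}

/* Demo harness: a 64-byte model allocation, pre-filled so untouched bytes stay visible. */
uint8_t  model_pool[64];
uint32_t last_information;

NTSTATUS try_request(uint32_t out_len, uint32_t in_len, uint32_t code) {
    IoctlParams p = { out_len, in_len, code };
    ModelIrp irp = { model_pool, 0 };
    memset(model_pool, 0xAA, sizeof model_pool);
    NTSTATUS s = handler_hardened(&irp, &p);
    last_information = irp.Information;
    return s;
}

int main(void) {
    printf("out=4:  status 0x%08X, unchecked copy would overrun by %u bytes\n",
           (unsigned)try_request(4, 4, IOCTL_UNDER_DISCUSSION), overrun_for(4, 4));
    printf("out=64: status 0x%08X, %u bytes returned\n",
           (unsigned)try_request(64, 4, IOCTL_UNDER_DISCUSSION), last_information);
    return 0;
}
```

The hardened path compares the caller-declared OutputBufferLength against the fixed reply size before touching the buffer and sets Information so the I/O manager copies back exactly the bytes written; a real driver would obtain the stack location with IoGetCurrentIrpStackLocation and complete the IRP, which the model leaves out.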