Advertisement
Guest User

INFO-BEZ EXPO 2012 Security Awards Infotecs FAIL

a guest
Sep 14th, 2012
1,762
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.22 KB | None | 0 0
  1. хоть я сейчас и наслаждаюсь очаровательным Батлийски морем, но все равно руки доходят до дебаггера ;)
  2. А то!!! Когда видишь вот такое:http://infobez-expo.ru/conference/events/golosov/
  3. Ну и собственно всё началось вот с этого: https://twitter.com/NTarakanov/status/244013953649373184
  4.  
  5. Поревёрсить захотелось мне и мой взор упал на продукты компании Infotecs. Какого-то злого умысла к Infotecs у меня нету, просто эта компания номинирована аж в двух(!!) номинациях:
  6. Размер имеет значение – за масштабируемость решений
  7. E=mc2 – за создание мощных приложений, технологий
  8. , и я подумал будет fun поревёрсить чо у них там да как!
  9.  
  10. Продуктов у них несколько, но множество из них ставят драйвера и палят хэндлы даже Guest'у!
  11. хехе, заплесневелый баян ioctl живее живых!
  12.  
  13. Я подумал надо посмотреть их флагманский продукт: Vipnet Client ну сооб-но вот что из этого вышло :)))) :
  14.  
  15. ioctl:
  16.  
  17. 0x222098: arbitrary memory overwrite
  18.  
  19. kd> !analyze -v
  20. *******************************************************************************
  21. * *
  22. * Bugcheck Analysis *
  23. * *
  24. *******************************************************************************
  25.  
  26. PAGE_FAULT_IN_NONPAGED_AREA (50)
  27. Invalid system memory was referenced. This cannot be protected by try-except,
  28. it must be protected by a Probe. Typically the address is just plain bad or it
  29. is pointing at freed memory.
  30. Arguments:
  31. Arg1: 90909090, memory referenced.
  32. Arg2: 00000001, value 0 = read operation, 1 = write operation.
  33. Arg3: 804f3b76, If non-zero, the instruction address which referenced the bad memory
  34. address.
  35. Arg4: 00000000, (reserved)
  36.  
  37. Debugging Details:
  38. ------------------
  39.  
  40. *************************************************************************
  41. *** ***
  42. *** ***
  43. *** Your debugger is not using the correct symbols ***
  44. *** ***
  45. *** In order for this command to work properly, your symbol path ***
  46. *** must point to .pdb files that have full type information. ***
  47. *** ***
  48. *** Certain .pdb files (such as the public OS symbols) do not ***
  49. *** contain the required information. Contact the group that ***
  50. *** provided you with these symbols if you need this command to ***
  51. *** work. ***
  52. *** ***
  53. *** Type referenced: kernel32!pNlsUserInfo ***
  54. *** ***
  55. *************************************************************************
  56. *************************************************************************
  57. *** ***
  58. *** ***
  59. *** Your debugger is not using the correct symbols ***
  60. *** ***
  61. *** In order for this command to work properly, your symbol path ***
  62. *** must point to .pdb files that have full type information. ***
  63. *** ***
  64. *** Certain .pdb files (such as the public OS symbols) do not ***
  65. *** contain the required information. Contact the group that ***
  66. *** provided you with these symbols if you need this command to ***
  67. *** work. ***
  68. *** ***
  69. *** Type referenced: kernel32!pNlsUserInfo ***
  70. *** ***
  71. *************************************************************************
  72.  
  73. WRITE_ADDRESS: 90909090
  74.  
  75. FAULTING_IP:
  76. nt!IopCompleteRequest+92
  77. 804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
  78.  
  79. MM_INTERNAL_CODE: 0
  80.  
  81. DEFAULT_BUCKET_ID: DRIVER_FAULT
  82.  
  83. BUGCHECK_STR: 0x50
  84.  
  85. PROCESS_NAME: IpLir.exe
  86.  
  87. IRP_ADDRESS: 81e90f68
  88.  
  89. DEVICE_OBJECT: 8211eb90
  90.  
  91. DRIVER_OBJECT: 820614b0
  92.  
  93. IMAGE_NAME: IPLIR.sys
  94.  
  95. DEBUG_FLR_IMAGE_TIMESTAMP: 4f81e2b7
  96.  
  97. MODULE_NAME: IPLIR
  98.  
  99. FAULTING_MODULE: f82fb000 IPLIR
  100.  
  101. TRAP_FRAME: b20f8a34 -- (.trap 0xffffffffb20f8a34)
  102. ErrCode = 00000002
  103. eax=00000008 ebx=81e90f68 ecx=00000002 edx=00000001 esi=81fe3d78 edi=90909090
  104. eip=804f3b76 esp=b20f8aa8 ebp=b20f8aec iopl=0 nv up ei pl nz na po nc
  105. cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
  106. nt!IopCompleteRequest+0x92:
  107. 804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
  108. Resetting default scope
  109.  
  110. LAST_CONTROL_TRANSFER: from 804f7bad to 80527bec
  111.  
  112. STACK_TEXT:
  113. b20f8570 804f7bad 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
  114. b20f85bc 804f879a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
  115. b20f899c 804f8cc5 00000050 90909090 00000001 nt!KeBugCheck2+0x574
  116. b20f89bc 8051cc5f 00000050 90909090 00000001 nt!KeBugCheckEx+0x1b
  117. b20f8a1c 8054052c 00000001 90909090 00000000 nt!MmAccessFault+0x8e7
  118. b20f8a1c 804f3b76 00000001 90909090 00000000 nt!KiTrap0E+0xcc
  119. b20f8aec 804fdaf1 81e90fa8 b20f8b38 b20f8b2c nt!IopCompleteRequest+0x92
  120. b20f8b3c 806d2c35 00000000 00000000 b20f8b54 nt!KiDeliverApc+0xb3
  121. b20f8b3c 806d2861 00000000 00000000 b20f8b54 hal!HalpApcInterrupt+0xc5
  122. b20f8bc4 804fab03 81e90fa8 81e90f68 00000000 hal!KeReleaseInStackQueuedSpinLock+0x11
  123. b20f8be4 804f07e4 81e90fa8 81adcdd8 00000000 nt!KeInsertQueueApc+0x4b
  124. b20f8c18 f836e574 81adcdd8 820614b0 b20f8c58 nt!IopfCompleteRequest+0x1d8
  125. WARNING: Stack unwind information not available. Following frames may be wrong.
  126. 00000000 00000000 00000000 00000000 00000000 IPLIR+0x73574
  127.  
  128.  
  129. STACK_COMMAND: kb
  130.  
  131. FOLLOWUP_IP:
  132. IPLIR+73574
  133. f836e574 8b442410 mov eax,dword ptr [esp+10h]
  134.  
  135. SYMBOL_STACK_INDEX: c
  136.  
  137. SYMBOL_NAME: IPLIR+73574
  138.  
  139. FOLLOWUP_NAME: MachineOwner
  140.  
  141. FAILURE_BUCKET_ID: 0x50_IPLIR+73574
  142.  
  143. BUCKET_ID: 0x50_IPLIR+73574
  144.  
  145. Followup: MachineOwner
  146. ---------
  147.  
  148. kd> dd 81fe3d78
  149. 81fe3d78 41414141 00000000 41414141 41414141 <--- controlled values == 0dayz LPE!
  150. 81fe3d88 41414141 c4000001 00040004 63426343
  151. 81fe3d98 81ed2a18 81a022a8 00c80000 00000000
  152. 81fe3da8 820c1fe8 81ae9858 0a0d0004 61436d4d
  153. 81fe3db8 e236e908 805586a8 81ed33e4 00000000
  154. 81fe3dc8 00000001 00000000 00000002 00000000
  155. 81fe3dd8 09008080 81ebcb40 00000000 00000000
  156. 81fe3de8 81fe3db8 00000060 00000000 00000040
  157.  
  158. and many many more buggy code!
  159.  
  160. 0x222070: NPD useless?
  161.  
  162. kd> !analyze -v
  163. *******************************************************************************
  164. * *
  165. * Bugcheck Analysis *
  166. * *
  167. *******************************************************************************
  168.  
  169. KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
  170. This is a very common bugcheck. Usually the exception address pinpoints
  171. the driver/function that caused the problem. Always note this address
  172. as well as the link date of the driver/image that contains this address.
  173. Some common problems are exception code 0x80000003. This means a hard
  174. coded breakpoint or assertion was hit, but this system was booted
  175. /NODEBUG. This is not supposed to happen as developers should never have
  176. hardcoded breakpoints in retail code, but ...
  177. If this happens, make sure a debugger gets connected, and the
  178. system is booted /DEBUG. This will let us see why this breakpoint is
  179. happening.
  180. Arguments:
  181. Arg1: c0000005, The exception code that was not handled
  182. Arg2: f83250bb, The address that the exception occurred at
  183. Arg3: b29d4b50, Trap Frame
  184. Arg4: 00000000
  185.  
  186. Debugging Details:
  187. ------------------
  188.  
  189. *************************************************************************
  190. *** ***
  191. *** ***
  192. *** Your debugger is not using the correct symbols ***
  193. *** ***
  194. *** In order for this command to work properly, your symbol path ***
  195. *** must point to .pdb files that have full type information. ***
  196. *** ***
  197. *** Certain .pdb files (such as the public OS symbols) do not ***
  198. *** contain the required information. Contact the group that ***
  199. *** provided you with these symbols if you need this command to ***
  200. *** work. ***
  201. *** ***
  202. *** Type referenced: kernel32!pNlsUserInfo ***
  203. *** ***
  204. *************************************************************************
  205. *************************************************************************
  206. *** ***
  207. *** ***
  208. *** Your debugger is not using the correct symbols ***
  209. *** ***
  210. *** In order for this command to work properly, your symbol path ***
  211. *** must point to .pdb files that have full type information. ***
  212. *** ***
  213. *** Certain .pdb files (such as the public OS symbols) do not ***
  214. *** contain the required information. Contact the group that ***
  215. *** provided you with these symbols if you need this command to ***
  216. *** work. ***
  217. *** ***
  218. *** Type referenced: kernel32!pNlsUserInfo ***
  219. *** ***
  220. *************************************************************************
  221.  
  222. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
  223.  
  224. FAULTING_IP:
  225. IPLIR+2a0bb
  226. f83250bb 8b10 mov edx,dword ptr [eax]
  227.  
  228. TRAP_FRAME: b29d4b50 -- (.trap 0xffffffffb29d4b50)
  229. ErrCode = 00000000
  230. eax=00000004 ebx=b29d4c30 ecx=81ca27b9 edx=fffffffc esi=00000000 edi=81ca2550
  231. eip=f83250bb esp=b29d4bc4 ebp=00000000 iopl=0 nv up ei ng nz na pe nc
  232. cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
  233. IPLIR+0x2a0bb:
  234. f83250bb 8b10 mov edx,dword ptr [eax] ds:0023:00000004=????????
  235. Resetting default scope
  236.  
  237. DEFAULT_BUCKET_ID: DRIVER_FAULT
  238.  
  239. BUGCHECK_STR: 0x8E
  240.  
  241. PROCESS_NAME: IpLir.exe
  242.  
  243. LAST_CONTROL_TRANSFER: from 804f7bad to 80527bec
  244.  
  245. STACK_TEXT:
  246. b29d42cc 804f7bad 00000003 b29d4628 00000000 nt!RtlpBreakWithStatusInstruction
  247. b29d4318 804f879a 00000003 00000000 b29d4afc nt!KiBugCheckDebugBreak+0x19
  248. b29d46f8 804f8cc5 0000008e c0000005 f83250bb nt!KeBugCheck2+0x574
  249. b29d4718 804fccff 0000008e c0000005 f83250bb nt!KeBugCheckEx+0x1b
  250. b29d4ae0 8053e091 b29d4afc 00000000 b29d4b50 nt!KiDispatchException+0x3b1
  251. b29d4b48 8053e042 00000000 f83250bb badb0d00 nt!CommonDispatchException+0x4d
  252. b29d4b60 806d2ca4 00000000 ffdff980 80541086 nt!KiExceptionExit+0x18a
  253. b29d4b6c 80541086 82079d00 000000d1 b29d4c44 hal!HalEndSystemInterrupt+0x54
  254. b29d4b6c 00000000 82079d00 000000d1 b29d4c44 nt!KeUpdateSystemTime+0x13e
  255.  
  256.  
  257. STACK_COMMAND: kb
  258.  
  259. FOLLOWUP_IP:
  260. IPLIR+2a0bb
  261. f83250bb 8b10 mov edx,dword ptr [eax]
  262.  
  263. SYMBOL_STACK_INDEX: 0
  264.  
  265. SYMBOL_NAME: IPLIR+2a0bb
  266.  
  267. FOLLOWUP_NAME: MachineOwner
  268.  
  269. MODULE_NAME: IPLIR
  270.  
  271. IMAGE_NAME: IPLIR.sys
  272.  
  273. DEBUG_FLR_IMAGE_TIMESTAMP: 4f81e2b7
  274.  
  275. FAILURE_BUCKET_ID: 0x8E_IPLIR+2a0bb
  276.  
  277. BUCKET_ID: 0x8E_IPLIR+2a0bb
  278.  
  279. Followup: MachineOwner
  280. ---------
  281.  
  282. К чему я это всё?
  283.  
  284. Да к тому, что имхо не нужны нам такие "конференции"!
  285.  
  286. Нам нужны PHD,ZN!
  287. Почему не создать третью???
  288.  
  289. Вообще хорошего пятничного вечера!
  290. Если хотите у меня нульдеи и для других продуктов Infotecs ;)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement