INFO-BEZ EXPO 2012 Security Awards Infotecs FAIL

a guest
Sep 14th, 2012
Even though I'm enjoying the charming Baltic Sea right now, my hands still reach for the debugger ;)
And how! When you see something like this: http://infobez-expo.ru/conference/events/golosov/
And actually it all started with this: https://twitter.com/NTarakanov/status/244013953649373184

I felt like doing some reversing, and my eye fell on the products of the company Infotecs. I have no ill intent toward Infotecs, it's just that this company is nominated in no fewer than two (!!) categories:
Size matters – for scalability of solutions
E=mc2 – for creating powerful applications and technologies
, and I thought it would be fun to reverse what they've got there and how it works!

They have several products, but many of them install drivers and expose handles even to Guest!
hehe, the moldy old IOCTL chestnut is alive and kicking!

I figured I should look at their flagship product, ViPNet Client, and here's what came of it :)))) :

ioctl:

0x222098: arbitrary memory overwrite

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804f3b76, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

WRITE_ADDRESS: 90909090

FAULTING_IP:
nt!IopCompleteRequest+92
804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: IpLir.exe

IRP_ADDRESS: 81e90f68

DEVICE_OBJECT: 8211eb90

DRIVER_OBJECT: 820614b0

IMAGE_NAME: IPLIR.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4f81e2b7

MODULE_NAME: IPLIR

FAULTING_MODULE: f82fb000 IPLIR

TRAP_FRAME: b20f8a34 -- (.trap 0xffffffffb20f8a34)
ErrCode = 00000002
eax=00000008 ebx=81e90f68 ecx=00000002 edx=00000001 esi=81fe3d78 edi=90909090
eip=804f3b76 esp=b20f8aa8 ebp=b20f8aec iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopCompleteRequest+0x92:
804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f7bad to 80527bec

STACK_TEXT:
b20f8570 804f7bad 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
b20f85bc 804f879a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
b20f899c 804f8cc5 00000050 90909090 00000001 nt!KeBugCheck2+0x574
b20f89bc 8051cc5f 00000050 90909090 00000001 nt!KeBugCheckEx+0x1b
b20f8a1c 8054052c 00000001 90909090 00000000 nt!MmAccessFault+0x8e7
b20f8a1c 804f3b76 00000001 90909090 00000000 nt!KiTrap0E+0xcc
b20f8aec 804fdaf1 81e90fa8 b20f8b38 b20f8b2c nt!IopCompleteRequest+0x92
b20f8b3c 806d2c35 00000000 00000000 b20f8b54 nt!KiDeliverApc+0xb3
b20f8b3c 806d2861 00000000 00000000 b20f8b54 hal!HalpApcInterrupt+0xc5
b20f8bc4 804fab03 81e90fa8 81e90f68 00000000 hal!KeReleaseInStackQueuedSpinLock+0x11
b20f8be4 804f07e4 81e90fa8 81adcdd8 00000000 nt!KeInsertQueueApc+0x4b
b20f8c18 f836e574 81adcdd8 820614b0 b20f8c58 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 IPLIR+0x73574


STACK_COMMAND: kb

FOLLOWUP_IP:
IPLIR+73574
f836e574 8b442410 mov eax,dword ptr [esp+10h]

SYMBOL_STACK_INDEX: c

SYMBOL_NAME: IPLIR+73574

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_IPLIR+73574

BUCKET_ID: 0x50_IPLIR+73574

Followup: MachineOwner
---------

kd> dd 81fe3d78
81fe3d78 41414141 00000000 41414141 41414141 <--- controlled values == 0dayz LPE!
81fe3d88 41414141 c4000001 00040004 63426343
81fe3d98 81ed2a18 81a022a8 00c80000 00000000
81fe3da8 820c1fe8 81ae9858 0a0d0004 61436d4d
81fe3db8 e236e908 805586a8 81ed33e4 00000000
81fe3dc8 00000001 00000000 00000002 00000000
81fe3dd8 09008080 81ebcb40 00000000 00000000
81fe3de8 81fe3db8 00000060 00000000 00000040

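What the crash above shows is the generic shape of the bug class, not how IPLIR.sys gets there: the copy runs inside the I/O manager's own completion code (nt!IopCompleteRequest), esi points at the caller's bytes (41414141...) and edi is a fully caller-chosen address (90909090), i.e. a write-what-where. The paste does not show which field of the request the driver turned into that destination. The following is an added example, not code from the paste and not Infotecs code: a user-mode model of an IOCTL handler that takes a destination address out of its input buffer, next to a hardened handler that never does. "Kernel memory" is a byte array with a pretend base address, the fake token, the request layout (HypotheticalRequest), the opcode and the handler names are all assumptions made for the illustration.

```c
/* Added example (not from the paste, not Infotecs code): user-mode model of a
 * write-what-where IOCTL handler and its hardened counterpart. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Model of kernel memory: a byte array behind a pretend base address, holding a
 * fake token whose "privileges" word is what an LPE would overwrite. */
#define KERNEL_BASE 0x81fe0000u
#define TOKEN_PRIV  (KERNEL_BASE + 0x400u)
static uint8_t kernel_mem[0x1000];

static void reset_kernel_mem(void) {
    uint32_t privs = 0x00000001u;                  /* a harmless privilege set */
    memset(kernel_mem, 0, sizeof kernel_mem);
    memcpy(kernel_mem + (TOKEN_PRIV - KERNEL_BASE), &privs, sizeof privs);
}

static uint32_t token_priv(void) {
    uint32_t v;
    memcpy(&v, kernel_mem + (TOKEN_PRIV - KERNEL_BASE), sizeof v);
    return v;
}

/* METHOD_BUFFERED view of an IRP: SystemBuffer is the kernel copy of the
 * caller's input; on completion the I/O manager copies Information bytes of it
 * back to the caller. */
typedef struct {
    uint8_t  SystemBuffer[64];
    uint32_t InputBufferLength;
    uint32_t OutputBufferLength;
    uint32_t Information;
} FakeIrp;

/* Hypothetical request layout (an assumption of this example). */
typedef struct {
    uint32_t opcode;
    uint32_t dest;       /* "where": an address chosen by the caller */
    uint32_t len;        /* "how much" */
    uint8_t  data[16];   /* "what" */
} HypotheticalRequest;
#define OP_STORE_BLOB 1u

static uint8_t driver_blob[16];   /* state the driver legitimately owns */

static void build_request(FakeIrp *irp, uint32_t dest, const uint8_t *data,
                          uint32_t len, uint32_t in_len, uint32_t out_len) {
    HypotheticalRequest req = { OP_STORE_BLOB, dest, len, {0} };
    memcpy(req.data, data, len > sizeof req.data ? sizeof req.data : len);
    memset(irp, 0, sizeof *irp);
    memcpy(irp->SystemBuffer, &req, sizeof req);
    irp->InputBufferLength  = in_len;
    irp->OutputBufferLength = out_len;
}

/* Vulnerable pattern: no length check, and the destination address is taken
 * from the caller and used as-is.  (In this model "where" must stay inside
 * kernel_mem; a real driver would fault or corrupt whatever is there.) */
static uint32_t dispatch_vulnerable(FakeIrp *irp) {
    HypotheticalRequest *req = (HypotheticalRequest *)irp->SystemBuffer;
    if (req->opcode != OP_STORE_BLOB) return STATUS_INVALID_PARAMETER;
    uint8_t *where = kernel_mem + (req->dest - KERNEL_BASE);   /* unchecked */
    memcpy(where, req->data, req->len);                        /* unbounded */
    irp->Information = 0;
    return STATUS_SUCCESS;
}

/* Hardened pattern: check both lengths before touching the buffer, ignore any
 * caller-supplied address, write only driver-owned state, and return results
 * through SystemBuffer bounded by OutputBufferLength. */
static uint32_t dispatch_hardened(FakeIrp *irp) {
    if (irp->InputBufferLength < sizeof(HypotheticalRequest))
        return STATUS_BUFFER_TOO_SMALL;
    const HypotheticalRequest *req = (const HypotheticalRequest *)irp->SystemBuffer;
    if (req->opcode != OP_STORE_BLOB) return STATUS_INVALID_PARAMETER;
    if (req->len > sizeof req->data) return STATUS_INVALID_PARAMETER;
    memcpy(driver_blob, req->data, req->len);                  /* dest is never used */
    uint32_t out = irp->OutputBufferLength < sizeof driver_blob
                 ? irp->OutputBufferLength : (uint32_t)sizeof driver_blob;
    memcpy(irp->SystemBuffer, driver_blob, out);               /* echo back, bounded */
    irp->Information = out;
    return STATUS_SUCCESS;
}

int main(void) {
    static const uint8_t what[16] = { 0xff, 0xff, 0xff, 0xff };
    FakeIrp irp;
    reset_kernel_mem();
    build_request(&irp, TOKEN_PRIV, what, 4, sizeof(HypotheticalRequest), 16);
    printf("token privs before: %08x\n", token_priv());
    dispatch_vulnerable(&irp);
    printf("after vulnerable handler: %08x\n", token_priv());
    reset_kernel_mem();
    build_request(&irp, TOKEN_PRIV, what, 4, sizeof(HypotheticalRequest), 16);
    dispatch_hardened(&irp);
    printf("after hardened handler:   %08x\n", token_priv());
    return 0;
}
```

The hardened handler is the METHOD_BUFFERED discipline: the only memory it writes is its own context and the system buffer the I/O manager will copy back (bounded by OutputBufferLength), and every field it reads was first covered by an InputBufferLength check. For METHOD_NEITHER codes the same rules apply with ProbeForRead/ProbeForWrite under try/except on top; neither variant may treat bytes supplied by the caller as a kernel pointer.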
and much, much more buggy code!

0x222070: NPD useless?

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f83250bb, The address that the exception occurred at
Arg3: b29d4b50, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
IPLIR+2a0bb
f83250bb 8b10 mov edx,dword ptr [eax]

TRAP_FRAME: b29d4b50 -- (.trap 0xffffffffb29d4b50)
ErrCode = 00000000
eax=00000004 ebx=b29d4c30 ecx=81ca27b9 edx=fffffffc esi=00000000 edi=81ca2550
eip=f83250bb esp=b29d4bc4 ebp=00000000 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
IPLIR+0x2a0bb:
f83250bb 8b10 mov edx,dword ptr [eax] ds:0023:00000004=????????
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: IpLir.exe

LAST_CONTROL_TRANSFER: from 804f7bad to 80527bec

STACK_TEXT:
b29d42cc 804f7bad 00000003 b29d4628 00000000 nt!RtlpBreakWithStatusInstruction
b29d4318 804f879a 00000003 00000000 b29d4afc nt!KiBugCheckDebugBreak+0x19
b29d46f8 804f8cc5 0000008e c0000005 f83250bb nt!KeBugCheck2+0x574
b29d4718 804fccff 0000008e c0000005 f83250bb nt!KeBugCheckEx+0x1b
b29d4ae0 8053e091 b29d4afc 00000000 b29d4b50 nt!KiDispatchException+0x3b1
b29d4b48 8053e042 00000000 f83250bb badb0d00 nt!CommonDispatchException+0x4d
b29d4b60 806d2ca4 00000000 ffdff980 80541086 nt!KiExceptionExit+0x18a
b29d4b6c 80541086 82079d00 000000d1 b29d4c44 hal!HalEndSystemInterrupt+0x54
b29d4b6c 00000000 82079d00 000000d1 b29d4c44 nt!KeUpdateSystemTime+0x13e


STACK_COMMAND: kb

FOLLOWUP_IP:
IPLIR+2a0bb
f83250bb 8b10 mov edx,dword ptr [eax]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: IPLIR+2a0bb

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: IPLIR

IMAGE_NAME: IPLIR.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4f81e2b7

FAILURE_BUCKET_ID: 0x8E_IPLIR+2a0bb

BUCKET_ID: 0x8E_IPLIR+2a0bb

Followup: MachineOwner
---------

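The two IOCTL codes above carry useful information on their own. Windows packs a control code with the CTL_CODE macro as (DeviceType << 16) | (Access << 14) | (Function << 2) | Method, so the method (how the buffers reach the driver) and the access rights the I/O manager demands on the handle can be read straight off the number. The following is an added example, not part of the paste: a decoder for those fields applied to 0x222098 and 0x222070, with the encoder to check the round trip.

```c
/* Added example, not part of the original paste: decode the IOCTL codes from
 * the crash dumps into the fields of the Windows CTL_CODE macro,
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method,
 * and re-encode them to check the round trip. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };
#define FILE_DEVICE_UNKNOWN 0x22u

typedef struct {
    uint32_t device_type;   /* bits 16..31 */
    uint32_t access;        /* bits 14..15: FILE_*_ACCESS the handle must have */
    uint32_t function;      /* bits 2..13 */
    uint32_t method;        /* bits 0..1: how buffers reach the driver */
} IoctlFields;

static IoctlFields decode_ioctl(uint32_t code) {
    IoctlFields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

static uint32_t ctl_code(uint32_t device_type, uint32_t function,
                         uint32_t method, uint32_t access) {
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

static const char *method_name(uint32_t m) {
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

static const char *access_name(uint32_t a) {
    switch (a) {
    case FILE_ANY_ACCESS:   return "FILE_ANY_ACCESS";
    case FILE_READ_ACCESS:  return "FILE_READ_ACCESS";
    case FILE_WRITE_ACCESS: return "FILE_WRITE_ACCESS";
    default:                return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    }
}

int main(void) {
    const uint32_t codes[] = { 0x222098u, 0x222070u };   /* the two codes from the paste */
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        IoctlFields f = decode_ioctl(codes[i]);
        printf("0x%06X: DeviceType=0x%02X%s Function=0x%03X %s %s\n",
               codes[i], f.device_type,
               f.device_type == FILE_DEVICE_UNKNOWN ? " (FILE_DEVICE_UNKNOWN)" : "",
               f.function, method_name(f.method), access_name(f.access));
    }
    return 0;
}
```

Both codes decode to FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and FILE_ANY_ACCESS. FILE_ANY_ACCESS means the I/O manager requires no particular access right on the handle, so the handles-open-to-Guest observation above is all it takes to reach these handlers. METHOD_BUFFERED also fits the first crash: nt!IopCompleteRequest's rep movs is the I/O manager copying the system buffer (esi, the caller's 41414141 bytes) back to Irp->UserBuffer (edi = 90909090) at completion; how UserBuffer came to hold that value is not shown in the paste.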
What's my point with all this?

Just that, IMHO, we don't need "conferences" like this!

We need PHD, ZN!
Why not create a third one???

Anyway, have a good Friday evening!
If you want, I have 0days for other Infotecs products too ;)