- Intro.
- just some facts:
- I disclosed and discussed this 0day in a TrendMicro kernel component at several security conferences during 2012:
- April - Hackito Ergo Sum, Paris
- May - Hack In The Box, Amsterdam
- May - Positive Hack Days, Moscow
- But there has been no reaction or fix from TrendMicro.
- I'm curious: do TrendMicro's security engineers not attend conferences, or not read the slides?
- Anyway, this vuln is interesting because when I first found it using one-shot taint analysis, the tool reached a wrong conclusion about exploitability.
- Manual analysis then turned up some good news... (see the spoiler in section 3: the bytes written past the buffer are connection records whose layout is known).
- 1. Description
- The tmtdi.sys kernel driver distributed with TrendMicro products contains
- a pool corruption vulnerability in the handling of IOCTL 0x220044: the output buffer is filled from a global list without any check of its size (see sub_15682 in section 2).
- Exploitation of this issue allows an attacker to execute arbitrary code
- within the kernel.
- An attacker would need local access to a vulnerable computer to exploit
- this vulnerability.
- Affected application: various TrendMicro products.
- Affected file: tmtdi.sys version 6.8.0.1072.
- 2. Details
- .text:0001D402 ; int __stdcall ioctl_handler(PDEVICE_OBJECT DeviceObject, PIRP NewIrql)
- .text:0001D402 ; NOTE(review): "NewIrql" is an IDA auto-name; per the prototype the 2nd argument is the PIRP.
- .text:0001D402 ; Only the prologue and the first pointer check are shown here; the IOCTL dispatch continues at loc_1D7C0.
- .text:0001D402 ioctl_handler proc near ; DATA XREF: sub_1DD8A+D0o
- .text:0001D402
- .text:0001D402 var_4 = dword ptr -4 ; zeroed below and later passed (unused) as the 3rd arg of sub_15682
- .text:0001D402 DeviceObject = dword ptr 8
- .text:0001D402 NewIrql = dword ptr 0Ch ; = the PIRP; the slot is later overwritten and reused as a local
- .text:0001D402
- .text:0001D402 mov edi, edi ; hot-patch nop (standard Windows driver prologue)
- .text:0001D404 push ebp
- .text:0001D405 mov ebp, esp
- .text:0001D407 push ecx ; reserve var_4
- .text:0001D408 mov eax, [ebp+DeviceObject]
- .text:0001D40B mov eax, [eax+28h] ; DeviceObject+0x28 (presumably DeviceExtension on x86 - TODO confirm)
- .text:0001D40E and [ebp+var_4], 0 ; var_4 = 0
- .text:0001D412 push ebx
- .text:0001D413 mov ebx, [ebp+NewIrql] ; ebx = Irp, kept for the rest of the handler
- .text:0001D416 push esi
- .text:0001D417 mov esi, ds:MmIsAddressValid ; esi = MmIsAddressValid, reused for every pointer check
- .text:0001D41D push edi
- .text:0001D41E mov edi, [ebx+60h] ; Irp+0x60 (presumably Tail.Overlay.CurrentStackLocation - TODO confirm)
- .text:0001D421 push edi ; VirtualAddress
- .text:0001D422 mov [ebp+NewIrql], eax ; stash the DeviceObject+0x28 value in the (now dead) arg slot
- .text:0001D425 call esi ; MmIsAddressValid
- .text:0001D427 test al, al ; SECURITY: MmIsAddressValid only says whether the page is currently resident;
- .text:0001D427 ; it checks neither access mode nor length and is not a substitute for ProbeForRead/Write
- .text:0001D429 jnz short loc_1D439 ; valid -> continue; otherwise fall through to the failure path (not shown)
- [..]
- .text:0001D7C0 loc_1D7C0: ; CODE XREF: ioctl_handler+256j
- .text:0001D7C0 mov eax, ecx ; ecx = IoControlCode (how it was loaded is not shown)
- .text:0001D7C2 sub eax, 220044h //ioctl check ; eax == 0 iff IoControlCode == 0x220044
- .text:0001D7C7 jz short loc_1D839 ; the vulnerable IOCTL; other codes go elsewhere (elided)
- .text:0001D839 loc_1D839: ; CODE XREF: ioctl_handler+3C5j
- .text:0001D839 mov edi, [ebx+0Ch] ; edi = Irp+0x0C (presumably AssociatedIrp.SystemBuffer, i.e. the METHOD_BUFFERED buffer - TODO confirm)
- .text:0001D83C push edi ; VirtualAddress
- .text:0001D83D call esi ; MmIsAddressValid ; only a residency check, not a size check
- .text:0001D83F test al, al
- .text:0001D841 jz loc_1DD63 ; invalid pointer -> bail out (target not shown)
- .text:0001D847 push [ebp+var_4] ; 3rd arg: var_4 == 0 (zeroed in the prologue); sub_15682 never reads it
- .text:0001D84A push edi ; 2nd arg: destination buffer
- .text:0001D84B push offset dword_22BA0 ; 1st arg: sub_15682 never reads it either
- .text:0001D850 call sub_15682 ; SECURITY: no output-buffer length is passed; the copy below is unbounded
- [..]
- .text:00015682 ; void __stdcall sub_15682(void *unused_arg0, void *out, void *unused_arg8)
- .text:00015682 ; Serialises every node of the global doubly-linked list at dword_22C20 into the caller-supplied
- .text:00015682 ; buffer `out` (arg_4) as consecutive 0x3C-byte records, then writes a 0xFFFFFFFF terminator.
- .text:00015682 ; The list is walked under the spin lock dword_22C28 (i.e. at DISPATCH_LEVEL).
- .text:00015682 ; SECURITY: the destination size is never known here - arg_0 and arg_8 are not even read -
- .text:00015682 ; so N list entries write N*0x3C + 4 bytes regardless of how big `out` is. This is the pool overflow.
- .text:00015682 ; Record layout appears to match tmtdi_struct in section 3 (pid, type, ipproto, dir, conn info).
- .text:00015682 sub_15682 proc near ; CODE XREF: ioctl_handler+44Ep
- .text:00015682
- .text:00015682 NewIrql = byte ptr -1 ; previous IRQL returned by KfAcquireSpinLock, restored on release
- .text:00015682 arg_4 = dword ptr 0Ch ; destination buffer (2nd argument)
- .text:00015682
- .text:00015682 mov edi, edi
- .text:00015684 push ebp
- .text:00015685 mov ebp, esp
- .text:00015687 push ecx ; reserve the NewIrql local
- .text:00015688 push ebx
- .text:00015689 mov ecx, offset dword_22C28 ; SpinLock
- .text:0001568E call ds:KfAcquireSpinLock ; fastcall: ecx = lock; returns old IRQL in al
- .text:00015694 mov ebx, [ebp+arg_4] ; ebx = write cursor into the output buffer
- .text:00015697 mov [ebp+NewIrql], al
- .text:0001569A mov eax, dword_22C20 //list of structs ; eax = head->Flink (first node)
- .text:0001569F mov edx, offset dword_22C20 ; edx = &head, the sentinel
- .text:000156A4 cmp eax, edx
- .text:000156A6 jz short loc_156F2 //loop, copy from list to our buffer with out size check ; empty list -> skip loop
- .text:000156A8 push esi
- .text:000156A9 push edi
- .text:000156AA
- .text:000156AA loc_156AA: ; CODE XREF: sub_15682+6Cj
- .text:000156AA ; Per node: copy 0x3C bytes from node+0x0C..node+0x48 to [ebx]..[ebx+0x3C). No bound on ebx.
- .text:000156AA mov ecx, [eax+0Ch]
- .text:000156AD mov [ebx], ecx ; out+0x00 (pid, per section 3)
- .text:000156AF mov ecx, [eax+10h]
- .text:000156B2 mov [ebx+4], ecx ; out+0x04 (type)
- .text:000156B5 mov ecx, [eax+14h]
- .text:000156B8 mov [ebx+8], ecx ; out+0x08 (ipproto)
- .text:000156BB mov ecx, [eax+18h]
- .text:000156BE mov [ebx+0Ch], ecx ; out+0x0C (dir)
- .text:000156C1 push 5
- .text:000156C3 pop ecx ; ecx = 5 dwords
- .text:000156C4 lea esi, [eax+1Ch]
- .text:000156C7 lea edi, [ebx+10h]
- .text:000156CA rep movsd ; out+0x10..0x23: local type + local_ip (20 bytes)
- .text:000156CC mov cx, [eax+30h]
- .text:000156D0 mov [ebx+24h], cx ; out+0x24: local port (WORD)
- .text:000156D4 push 5
- .text:000156D6 lea esi, [eax+32h]
- .text:000156D9 lea edi, [ebx+26h]
- .text:000156DC pop ecx ; ecx = 5 dwords
- .text:000156DD rep movsd ; out+0x26..0x39: remote type + remote ip (20 bytes)
- .text:000156DF mov cx, [eax+46h]
- .text:000156E3 mov [ebx+3Ah], cx ; out+0x3A: remote port (WORD); record ends at 0x3C
- .text:000156E7 mov eax, [eax] ; node = node->Flink
- .text:000156E9 add ebx, 3Ch ; advance the write cursor by one record, unchecked
- .text:000156EC cmp eax, edx
- .text:000156EE jnz short loc_156AA ; stop when we are back at the sentinel
- .text:000156F0 pop edi
- .text:000156F1 pop esi
- .text:000156F2
- .text:000156F2 loc_156F2: ; CODE XREF: sub_15682+24j
- .text:000156F2 mov dl, [ebp+NewIrql] ; NewIrql
- .text:000156F5 mov ecx, offset dword_22C28 ; SpinLock
- .text:000156FA call ds:KfReleaseSpinLock ; back to the caller's IRQL
- .text:00015700 or dword ptr [ebx], 0FFFFFFFFh ; terminator written one record past the last entry (also OOB if the buffer is exactly N*0x3C)
- .text:00015703 pop ebx
- .text:00015704 leave
- .text:00015705 retn 0Ch ; __stdcall, 3 dword args
- .text:00015705 sub_15682 endp
- 3. Spoiler
- /* Reconstructed record format written by sub_15682: one tmtdi_struct per list node,
-  * 0x3C bytes each, followed by a DWORD 0xFFFFFFFF terminator.
-  * IPV6SIZEWORDS is not defined in this listing; a value of 8 (16-byte IPv6 address)
-  * makes sizeof(struct tmtdi_struct) == 0x3C, which matches the copy stride - TODO confirm. */
- union AddrInfo
- {
- BYTE addr_info_v4[0x4];
- WORD addr_info_v6[IPV6SIZEWORDS];
- };
- /* pack(2) is required so local_ip_port follows local_ip without padding (22-byte endpoint).
-  * NOTE(review): the packing is never restored with #pragma pack(); it leaks into later declarations. */
- #pragma pack(2)
- struct tmtdi_ip_port_info_struct{
- DWORD type;//V4, V6 - presumably selects which AddrInfo member is meaningful
- union AddrInfo local_ip; /* also holds the remote address when used as .remote, despite the name */
- WORD local_ip_port;
- };
- struct tmtdi_conn_info_struct{
- struct tmtdi_ip_port_info_struct local; /* record offset 0x10 (type), 0x14 (addr), 0x24 (port) */
- struct tmtdi_ip_port_info_struct remote; /* record offset 0x26 (type), 0x2A (addr), 0x3A (port) */
- };
- struct tmtdi_struct{
- DWORD pid; /* record offset 0x00 */
- DWORD type; /* 0x04 */
- DWORD ipproto; /* 0x08 */
- DWORD dir; /* 0x0C */
- struct tmtdi_conn_info_struct tmtdi_conn_info; /* 0x10..0x3B */
- };