
#Pizdets #NY_Eve #TrendFAIL #0day

a guest
Dec 31st, 2012
  1. 1. Description
  2. The tmtdi.sys kernel driver distributed with TrendMicro products contains
  3. a pool corruption vulnerability in the handling of various IOCTL codes.
  4. Exploitation of this issue allows an attacker to execute arbitrary code
  5. within the kernel.
  6. An attacker would need local access to a vulnerable computer to exploit
  7. this vulnerability.
  8.  
  9. Affected application: various TrendMicro products.
  10. Affected file: tmtdi.sys version 6.8.0.1072.
  11.  
  12. 2. Details
  13.  
  14. The sub_14876 function zeroes pool memory of constant size with memset(ptr, 0x0, controlled), without checking the controlled length against that size!
  15.  
  16. .text:00014876 ; int __stdcall sub_14876(char, KIRQL NewIrql, int, void *)
  17. .text:00014876 sub_14876 proc near ; CODE XREF: ioctl_handler+30Ep
  18. .text:00014876 ; ioctl_handler+6CFp ...
  19. .text:00014876
  20. .text:00014876 var_1C = byte ptr -1Ch
  21. .text:00014876 var_18 = dword ptr -18h
  22. .text:00014876 var_14 = dword ptr -14h
  23. .text:00014876 var_10 = dword ptr -10h
  24. .text:00014876 var_C = dword ptr -0Ch
  25. .text:00014876 var_8 = dword ptr -8
  26. .text:00014876 var_1 = byte ptr -1
  27. .text:00014876 arg_0 = byte ptr 8
  28. .text:00014876 NewIrql = byte ptr 0Ch
  29. .text:00014876 arg_8 = dword ptr 10h
  30. .text:00014876 arg_C = dword ptr 14h
  31. .text:00014876
  32. .text:00014876 mov edi, edi
  33. .text:00014878 push ebp
  34. .text:00014879 mov ebp, esp
  35. .text:0001487B sub esp, 1Ch
  36. .text:0001487E mov eax, dword ptr [ebp+NewIrql]
  37. .text:00014881 movzx ecx, word ptr [eax+4]
  38. .text:00014885 and [ebp+var_10], 0
  39. .text:00014889 cmp cx, 2
  40. .text:0001488D push ebx
  41. .text:0001488E mov ebx, [eax]
  42. .text:00014890 movzx edx, cx
  43. .text:00014893 push esi
  44. .text:00014894 push edi
  45. .text:00014895 mov [ebp+var_1], 0
  46. .text:00014899 mov dword ptr [ebp+var_1C], ebx
  47. .text:0001489C mov [ebp+var_C], edx
  48. .text:0001489F jz short loc_148A8
  49. .text:000148A1 cmp word ptr [eax+4], 17h
  50. .text:000148A6 jnz short loc_148B1
  51. .text:000148A8
  52. .text:000148A8 loc_148A8: ; CODE XREF: sub_14876+29j
  53. .text:000148A8 movzx ecx, word ptr [eax+6]
  54. .text:000148AC mov [ebp+var_8], ecx
  55. .text:000148AF jmp short loc_148B5
  56. .text:000148B1 ; ---------------------------------------------------------------------------
  57. .text:000148B1
  58. .text:000148B1 loc_148B1: ; CODE XREF: sub_14876+30j
  59. .text:000148B1 and [ebp+var_8], 0
  60. .text:000148B5
  61. .text:000148B5 loc_148B5: ; CODE XREF: sub_14876+39j
  62. .text:000148B5 test dword_2289C, 10000000h
  63. .text:000148BF mov eax, [eax+4Eh]
  64. .text:000148C2 mov esi, [ebp+arg_8]
  65. .text:000148C5 mov [ebp+var_18], eax
  66. .text:000148C8 mov edi, offset aGhi2IoXDirDIpv ; "[GHI2] io=[%X],\tdir=[%d], IPv6=[%d], po"...
  67. .text:000148CD jz short loc_148F3
  68. .text:000148CF push dword ptr [esi]
  69. .text:000148D1 push [ebp+var_8]
  70. .text:000148D4 call sub_13242
  71. .text:000148D9 movzx eax, ax
  72. .text:000148DC push eax
  73. .text:000148DD xor eax, eax
  74. .text:000148DF cmp edx, 17h
  75. .text:000148E2 setz al
  76. .text:000148E5 push eax
  77. .text:000148E6 push ebx
  78. .text:000148E7 push dword ptr [ebp+arg_0]
  79. .text:000148EA push edi ; Format
  80. .text:000148EB call DbgPrint
  81. .text:000148F0 add esp, 18h
  82. .text:000148F3
  83. .text:000148F3 loc_148F3: ; CODE XREF: sub_14876+57j
  84. .text:000148F3 test byte ptr dword_2289C, 1
  85. .text:000148FA jz short loc_14921
  86. .text:000148FC push dword ptr [esi]
  87. .text:000148FE push [ebp+var_8]
  88. .text:00014901 call sub_13242
  89. .text:00014906 movzx eax, ax
  90. .text:00014909 push eax
  91. .text:0001490A xor eax, eax
  92. .text:0001490C cmp [ebp+var_C], 17h
  93. .text:00014910 setz al
  94. .text:00014913 push eax
  95. .text:00014914 push ebx
  96. .text:00014915 push dword ptr [ebp+arg_0] ; char
  97. .text:00014918 push edi ; char *
  98. .text:00014919 call sub_10B34
  99. .text:0001491E add esp, 18h
  100. .text:00014921
  101. .text:00014921 loc_14921: ; CODE XREF: sub_14876+84j
  102. .text:00014921 push dword ptr [esi] ; size_t
  103. .text:00014923 push 0 ; int
  104. .text:00014925 push [ebp+arg_C] ; void *
  105. .text:00014928 call memset <-- Pool Corruption