- 1. Description
- The tmtdi.sys kernel driver distributed with TrendMicro products contains
- a pool corruption vulnerability in the handling of several IOCTL codes.
- Exploitation of this issue allows a local attacker to execute arbitrary code
- in kernel mode (ring 0).
- An attacker would need local access to a vulnerable computer to exploit
- this vulnerability.
- Affected application: various TrendMicro products.
- Affected file: tmtdi.sys version 6.8.0.1072.
- 2. Details
- sub_14876 zeroes a pool allocation with memset(ptr, 0x0, len) where the length is taken from the caller-supplied input and is never checked against the size of the destination buffer. In the listing below, esi is loaded from arg_8 (.text:000148C2), the length pushed at .text:00014921 is the DWORD at [esi], and the destination pushed at .text:00014925 is arg_C; no instruction between function entry and the memset call at .text:00014928 compares that length against the destination's size (the only comparisons are on the word at [eax+4] against 2 and 17h, which select var_8 and the debug-print path). Because the length is IOCTL-controlled while the destination is presumably a fixed-size pool block (the "constant size" referred to in the original advisory), a length larger than the allocation makes memset write past the end of the block, i.e. a pool buffer overflow. The listing ends at the memset call; the remainder of sub_14876 is not shown.
- .text:00014876 ; int __stdcall sub_14876(char, KIRQL NewIrql, int, void *)
- .text:00014876 sub_14876 proc near ; CODE XREF: ioctl_handler+30Ep
- .text:00014876 ; ioctl_handler+6CFp ...
- .text:00014876
- .text:00014876 var_1C = byte ptr -1Ch
- .text:00014876 var_18 = dword ptr -18h
- .text:00014876 var_14 = dword ptr -14h
- .text:00014876 var_10 = dword ptr -10h
- .text:00014876 var_C = dword ptr -0Ch
- .text:00014876 var_8 = dword ptr -8
- .text:00014876 var_1 = byte ptr -1
- .text:00014876 arg_0 = byte ptr 8
- .text:00014876 NewIrql = byte ptr 0Ch
- .text:00014876 arg_8 = dword ptr 10h
- .text:00014876 arg_C = dword ptr 14h
- .text:00014876
- .text:00014876 mov edi, edi
- .text:00014878 push ebp
- .text:00014879 mov ebp, esp
- .text:0001487B sub esp, 1Ch
- .text:0001487E mov eax, dword ptr [ebp+NewIrql]
- .text:00014881 movzx ecx, word ptr [eax+4]
- .text:00014885 and [ebp+var_10], 0
- .text:00014889 cmp cx, 2
- .text:0001488D push ebx
- .text:0001488E mov ebx, [eax]
- .text:00014890 movzx edx, cx
- .text:00014893 push esi
- .text:00014894 push edi
- .text:00014895 mov [ebp+var_1], 0
- .text:00014899 mov dword ptr [ebp+var_1C], ebx
- .text:0001489C mov [ebp+var_C], edx
- .text:0001489F jz short loc_148A8
- .text:000148A1 cmp word ptr [eax+4], 17h
- .text:000148A6 jnz short loc_148B1
- .text:000148A8
- .text:000148A8 loc_148A8: ; CODE XREF: sub_14876+29j
- .text:000148A8 movzx ecx, word ptr [eax+6]
- .text:000148AC mov [ebp+var_8], ecx
- .text:000148AF jmp short loc_148B5
- .text:000148B1 ; ---------------------------------------------------------------------------
- .text:000148B1
- .text:000148B1 loc_148B1: ; CODE XREF: sub_14876+30j
- .text:000148B1 and [ebp+var_8], 0
- .text:000148B5
- .text:000148B5 loc_148B5: ; CODE XREF: sub_14876+39j
- .text:000148B5 test dword_2289C, 10000000h
- .text:000148BF mov eax, [eax+4Eh]
- .text:000148C2 mov esi, [ebp+arg_8]
- .text:000148C5 mov [ebp+var_18], eax
- .text:000148C8 mov edi, offset aGhi2IoXDirDIpv ; "[GHI2] io=[%X],\tdir=[%d], IPv6=[%d], po"...
- .text:000148CD jz short loc_148F3
- .text:000148CF push dword ptr [esi]
- .text:000148D1 push [ebp+var_8]
- .text:000148D4 call sub_13242
- .text:000148D9 movzx eax, ax
- .text:000148DC push eax
- .text:000148DD xor eax, eax
- .text:000148DF cmp edx, 17h
- .text:000148E2 setz al
- .text:000148E5 push eax
- .text:000148E6 push ebx
- .text:000148E7 push dword ptr [ebp+arg_0]
- .text:000148EA push edi ; Format
- .text:000148EB call DbgPrint
- .text:000148F0 add esp, 18h
- .text:000148F3
- .text:000148F3 loc_148F3: ; CODE XREF: sub_14876+57j
- .text:000148F3 test byte ptr dword_2289C, 1
- .text:000148FA jz short loc_14921
- .text:000148FC push dword ptr [esi]
- .text:000148FE push [ebp+var_8]
- .text:00014901 call sub_13242
- .text:00014906 movzx eax, ax
- .text:00014909 push eax
- .text:0001490A xor eax, eax
- .text:0001490C cmp [ebp+var_C], 17h
- .text:00014910 setz al
- .text:00014913 push eax
- .text:00014914 push ebx
- .text:00014915 push dword ptr [ebp+arg_0] ; char
- .text:00014918 push edi ; char *
- .text:00014919 call sub_10B34
- .text:0001491E add esp, 18h
- .text:00014921
- .text:00014921 loc_14921: ; CODE XREF: sub_14876+84j
- .text:00014921 push dword ptr [esi] ; size_t
- .text:00014923 push 0 ; int
- .text:00014925 push [ebp+arg_C] ; void *
- .text:00014928 call memset <-- Pool Corruption