2015-10-14: 细节已通知厂商并且等待厂商处理中 2015-10-14: 厂商已经确认,细节仅向厂商公开 2015-10-17: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航) 2015-12-08: 细节向核心白帽子及相关领域专家公开 2015-12-18: 细节向普通白帽子公开 2015-12-28: 细节向实习白帽子公开 2016-01-12: 细节向公众公开
瑞星浏览器保护驱动protreg.sys,在Vista之后的系统上存在一处拒绝服务BUG,会导致系统BSOD.
瑞星浏览器保护驱动protreg.sys, 在NtBuildNumber>=6000的系统上会注册一个注册表回调,在该回调例程中对于注册表表根键的NtFlushKey的操作会触发一个
通过设置HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun下任意一个Value,其Name和Data的大小在0x400B, Data的大小大于0x220,就可以覆盖一处指针,该指针会被ExFree掉。
PCWSTR szKey_DisallowRun = L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun";void __stdcall CMCALLBACK_BSOD_ROUTINE(PCWSTR KeyNameBuf){ SIZE_T KeyNameLength; UNICODE_STRING KeyName; ULONG ResultLength = 0; ULONG i = 0; // [sp+10h] [bp-844h]@1 PKEY_FULL_INFORMATION FullKeyInfo = NULL; NTSTATUS Status = STATUS_UNSUCCESSFUL; WCHAR ValueNameBuf[256] = {0}; // [esp+1Ch] [ebp-838h] WCHAR ValueDataBuf[256] = {0}; // [esp+21Ch] [ebp-638h] OBJECT_ATTRIBUTES obja = {0}; // [esp+420h] [ebp-434h] PKEY_VALUE_FULL_INFORMATION FullValueInfo = NULL; // [esp+438h] char Unused[512] = {0}; UNICODE_STRING ValueName; ULONG ValueNumbers = 0; HANDLE KeyHandle; ULONG Index = 0; WCHAR NameBuf[256] = {0}; KeyNameLength = wcslen(KeyNameBuf); if ( KeyNameLength + wcslen(szKey_DisallowRun) + 1 <= 0x100 ) { wcscpy(NameBuf, KeyNameBuf); wcscat(NameBuf, szKey_DisallowRun); RtlInitUnicodeString(&KeyName, NameBuf); InitializeObjectAttributes(&obja, &KeyName, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwOpenKey(&KeyHandle, 0xF003Fu, &obja); if ( NT_SUCCESS(Status) ) { Status = ZwQueryKey(KeyHandle, KeyFullInformation, 0, 0, &ResultLength); if ( Status == STATUS_BUFFER_OVERFLOW || Status == STATUS_BUFFER_TOO_SMALL ) { FullKeyInfo = (PKEY_FULL_INFORMATION)ExAllocatePool(NonPagedPool, ResultLength); if ( FullKeyInfo ) { Status = ZwQueryKey(KeyHandle, KeyFullInformation, FullKeyInfo, ResultLength, &ResultLength); if ( NT_SUCCESS(Status) ) { ValueNumbers = FullKeyInfo->Values; FullValueInfo = ExAllocatePool(NonPagedPool, 0x418); if ( FullValueInfo ) { for ( Index = 0; Index < ValueNumbers; ++Index ) { Status = ZwEnumerateValueKey( KeyHandle, Index, KeyValueFullInformation, FullValueInfo, 0x418u, &ResultLength); if ( NT_SUCCESS(Status) ) { memset(ValueNameBuf, 0, 0x200); memset(ValueDataBuf, 0, 0x200); memcpy(ValueNameBuf, FullValueInfo->Name, FullValueInfo->NameLength); memcpy(ValueDataBuf, (PCH)FullValueInfo + FullValueInfo->DataOffset, FullValueInfo->DataLength);//Buffer over flow for ( i = 0; ProcessNameList2[i]; ++i ) { if ( !wcsicmp(ProcessNameList2[i], ValueDataBuf) ) { RtlInitUnicodeString(&ValueName, ValueNameBuf); Status = ZwDeleteValueKey(KeyHandle, &ValueName); if ( Status >= 0 ) { --Index; --ValueNumbers; } } } } } ZwClose(KeyHandle); ExFreePoolWithTag(FullKeyInfo, 0); ExFreePoolWithTag(FullValueInfo, 0);//BSOD } else { Status = STATUS_INSUFFICIENT_RESOURCES; ZwClose(KeyHandle); ExFreePoolWithTag(FullKeyInfo, 0); } } else { ZwClose(KeyHandle); ExFreePoolWithTag(FullKeyInfo, 0); } } else { Status = STATUS_INSUFFICIENT_RESOURCES; ZwClose(KeyHandle); } } } }}
严格把控缓冲区的大小,不要随意执行内存复制操作.
危害等级:低
漏洞Rank:1
确认时间:2015-10-14 15:51
3Q
暂无
