[<prev] [next>] [day] [month] [year] [list]
Message-Id: <16277a0f7c4.106fd78fb764945.5873316850625710899@whiteteamsec.com>
Date: Fri, 30 Mar 2018 19:57:40 +0400
From: WTS Research Team <rnd@...teteamsec.com>
To: "oss-security" <oss-security@...ts.openwall.com>,
"fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] Null Pointer Deference (Denial of Service)-Kingsoft Internet
Security 9+ Kernel Driver KWatch3.sys
*****[ White Team Security (WTS) Security Advisory- ADV-01-03-2018 ]*****
Kingsoft Internet Security 9+ - Null Pointer Deference Kernel Driver KWatch3.sys
--------------------------------------------------------------------------------------------------------------
Author:
- Arjun Basnet from White Team Security (WTS) Research Team
*****[ Table of Contents ]*****
* Overview
* Detailed description
* Vulnerable IOCTL
* Timeline of disclosure
*****[ Overview]*****
* System affected : Kingsoft Internet Security 9+
* Software Version : 2010.06.23.247
* Impact : Allow an authorized but non-privileged local user to execute arbitrary code which cause denial of service.
*****[ Detailed description]*****
Null Pointer deference bug in the function called ObReferenceObjectByHandle in Kingsoft Internet Security 9+ kernel driver KWatch3.sys allows local non-privilege users to
crash the system. Bugcheck details below
------------------------------------------
*****[Vulnerable IOCTL]*****
0x80030030
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
*** WARNING: Unable to verify checksum for Kernel_Driver_Fuzzer.exe
*** ERROR: Module load completed but symbols could not be loaded for Kernel_Driver_Fuzzer.exe
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 7601.17514.x86fre.win7sp1_rtm.101119-1850
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: Kernel_Driver_Fuzzer.exe
FAULTING_IP:
KWatch3+1931
9813a931 8b3f mov edi,dword ptr [edi]
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
FOLLOWUP_IP:
KWatch3+1931
9813a931 8b3f mov edi,dword ptr [edi]
BUGCHECK_STR: ACCESS_VIOLATION
READ_ADDRESS: 00000000
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
CPU_COUNT: 1
CPU_MHZ: 891
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3d
CPU_STEPPING: 4
CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 0'00000000 (cache) 0'00000000 (init)
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: CSW-4001
ANALYSIS_SESSION_TIME: 03-18-2018 20:00:35.0429
ANALYSIS_VERSION: 10.0.16299.15 x86fre
LAST_CONTROL_TRANSFER: from 82957294 to 9813a931
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
a6a62ab8 82957294 00000000 a6a62ad8 82a3a77c KWatch3+0x1931
a6a62ac4 82a3a77c 0000001c 85a0fd48 a6a62bac nt!ExFreePoolWithTag+0x7f7
a6a62ad8 82a3a57e 0000001c 85a0fd01 001afcf0 nt!ExMapHandleToPointerEx+0x1c
a6a62b14 82a439d5 85a404c0 859823b8 85982428 nt!ObReferenceObjectByHandleWithTag+0xf6
a6a62b34 82a45dc8 869e42f0 85a404c0 00000000 nt!IopSynchronousServiceTail+0x1f8
a6a62bd0 82a4cd9d 869e42f0 859823b8 00000000 nt!IopXxxControlFile+0x6aa
a6a62c04 8287387a 0000001c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a6a62c04 76e770b4 0000001c 00000000 00000000 nt!KiFastCallEntry+0x12a
0019fac0 76e75864 7514989d 0000001c 00000000 ntdll!KiFastSystemCallRet
0019fac4 7514989d 0000001c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0019fb24 763da671 0000001c 80030030 001afcf0 KERNELBASE!DeviceIoControl+0xf6
0019fb50 00022f3e 0000001c 80030030 001afcf0 kernel32!DeviceIoControlImplementation+0x80
001dfcf8 0002518c 00000008 0020fe10 0020fe78 Kernel_Driver_Fuzzer+0x2f3e
001dfd40 763e3c45 7ffdf000 001dfd8c 76e937f5 Kernel_Driver_Fuzzer+0x518c
001dfd4c 76e937f5 7ffdf000 7649f14a 00000000 kernel32!BaseThreadInitThunk+0xe
001dfd8c 76e937c8 00025209 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
001dfda4 00000000 00025209 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD_SHA1_HASH_MOD_FUNC: e4be6252f97078994190e4adbba1a96f58895f14
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 39866b2768c179268382e715ed5e95956f1b3a0b
THREAD_SHA1_HASH_MOD: 1092ff199f12a636b612ec3d1a4db2ddc045b337
FAULT_INSTR_CODE: ff853f8b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: KWatch3+1931
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: KWatch3
IMAGE_NAME: KWatch3.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49bef736
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931
BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931
PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_KWatch3+1931
TARGET_TIME: 2018-03-18T15:58:49.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2010-11-20 12:42:46
BUILDDATESTAMP_STR: 101119-1850
BUILDLAB_STR: win7sp1_rtm
BUILDOSVER_STR: 6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850
ANALYSIS_SESSION_ELAPSED_TIME: 40c8
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:access_violation_kwatch3+1931
FAILURE_ID_HASH: {e9cfce9f-7931-ad9e-e258-dbb277ebe372}
Followup: MachineOwner
---------
*****[ Timeline of disclosure]*****
23/03/2018 - Vendor was informed of the vulnerability. No response tried multiple times to reach out.
30/03/2018 - Release in Public
Regards,
WTS Research Team
rnd@...teteamsec.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists