lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <16277a0f7c4.106fd78fb764945.5873316850625710899@whiteteamsec.com>
Date: Fri, 30 Mar 2018 19:57:40 +0400
From: WTS Research Team <rnd@...teteamsec.com>
To: "oss-security" <oss-security@...ts.openwall.com>, 
 "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] Null Pointer Deference (Denial of Service)-Kingsoft Internet
 Security 9+ Kernel Driver KWatch3.sys

*****[ White Team Security (WTS) Security Advisory- ADV-01-03-2018 ]*****



Kingsoft Internet Security 9+ - Null Pointer Deference Kernel Driver KWatch3.sys

--------------------------------------------------------------------------------------------------------------

Author:

- Arjun Basnet from White Team Security (WTS) Research Team



*****[ Table of Contents ]*****



* Overview

* Detailed description

* Vulnerable IOCTL

* Timeline of disclosure



*****[ Overview]*****



* System affected : Kingsoft Internet Security 9+

* Software Version : 2010.06.23.247

* Impact : Allow an authorized but non-privileged local user to execute arbitrary code which cause denial of service. 



*****[ Detailed description]*****



Null Pointer deference bug in the function called ObReferenceObjectByHandle in Kingsoft Internet Security 9+  kernel driver KWatch3.sys allows local non-privilege users to 

crash the system. Bugcheck details below

------------------------------------------



*****[Vulnerable IOCTL]*****

            0x80030030



*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************



Unknown bugcheck code (0)

Unknown bugcheck description

Arguments:

Arg1: 00000000

Arg2: 00000000

Arg3: 00000000

Arg4: 00000000



Debugging Details:

------------------



*** WARNING: Unable to verify checksum for Kernel_Driver_Fuzzer.exe

*** ERROR: Module load completed but symbols could not be loaded for Kernel_Driver_Fuzzer.exe



DUMP_CLASS: 1



DUMP_QUALIFIER: 0



BUILD_VERSION_STRING:  7601.17514.x86fre.win7sp1_rtm.101119-1850



DUMP_TYPE:  0



BUGCHECK_P1: 0



BUGCHECK_P2: 0



BUGCHECK_P3: 0



BUGCHECK_P4: 0



PROCESS_NAME:  Kernel_Driver_Fuzzer.exe



FAULTING_IP:

KWatch3+1931

9813a931 8b3f            mov     edi,dword ptr [edi]



ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.



EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.



EXCEPTION_CODE_STR:  c0000005



EXCEPTION_PARAMETER1:  00000000



EXCEPTION_PARAMETER2:  00000000



FOLLOWUP_IP:

KWatch3+1931

9813a931 8b3f            mov     edi,dword ptr [edi]



BUGCHECK_STR:  ACCESS_VIOLATION



READ_ADDRESS:  00000000



DEFAULT_BUCKET_ID:  NULL_DEREFERENCE



CPU_COUNT: 1



CPU_MHZ: 891



CPU_VENDOR:  GenuineIntel



CPU_FAMILY: 6



CPU_MODEL: 3d



CPU_STEPPING: 4



CPU_MICROCODE: 6,3d,4,0 (F,M,S,R)  SIG: 0'00000000 (cache) 0'00000000 (init)



CURRENT_IRQL:  0



ANALYSIS_SESSION_HOST:  CSW-4001



ANALYSIS_SESSION_TIME:  03-18-2018 20:00:35.0429



ANALYSIS_VERSION: 10.0.16299.15 x86fre



LAST_CONTROL_TRANSFER:  from 82957294 to 9813a931



STACK_TEXT: 

WARNING: Stack unwind information not available. Following frames may be wrong.

a6a62ab8 82957294 00000000 a6a62ad8 82a3a77c KWatch3+0x1931

a6a62ac4 82a3a77c 0000001c 85a0fd48 a6a62bac nt!ExFreePoolWithTag+0x7f7

a6a62ad8 82a3a57e 0000001c 85a0fd01 001afcf0 nt!ExMapHandleToPointerEx+0x1c

a6a62b14 82a439d5 85a404c0 859823b8 85982428 nt!ObReferenceObjectByHandleWithTag+0xf6

a6a62b34 82a45dc8 869e42f0 85a404c0 00000000 nt!IopSynchronousServiceTail+0x1f8

a6a62bd0 82a4cd9d 869e42f0 859823b8 00000000 nt!IopXxxControlFile+0x6aa

a6a62c04 8287387a 0000001c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

a6a62c04 76e770b4 0000001c 00000000 00000000 nt!KiFastCallEntry+0x12a

0019fac0 76e75864 7514989d 0000001c 00000000 ntdll!KiFastSystemCallRet

0019fac4 7514989d 0000001c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc

0019fb24 763da671 0000001c 80030030 001afcf0 KERNELBASE!DeviceIoControl+0xf6

0019fb50 00022f3e 0000001c 80030030 001afcf0 kernel32!DeviceIoControlImplementation+0x80

001dfcf8 0002518c 00000008 0020fe10 0020fe78 Kernel_Driver_Fuzzer+0x2f3e

001dfd40 763e3c45 7ffdf000 001dfd8c 76e937f5 Kernel_Driver_Fuzzer+0x518c

001dfd4c 76e937f5 7ffdf000 7649f14a 00000000 kernel32!BaseThreadInitThunk+0xe

001dfd8c 76e937c8 00025209 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70

001dfda4 00000000 00025209 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b





THREAD_SHA1_HASH_MOD_FUNC:  e4be6252f97078994190e4adbba1a96f58895f14



THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  39866b2768c179268382e715ed5e95956f1b3a0b



THREAD_SHA1_HASH_MOD:  1092ff199f12a636b612ec3d1a4db2ddc045b337



FAULT_INSTR_CODE:  ff853f8b



SYMBOL_STACK_INDEX:  0



SYMBOL_NAME:  KWatch3+1931



FOLLOWUP_NAME:  MachineOwner



MODULE_NAME: KWatch3



IMAGE_NAME:  KWatch3.sys



DEBUG_FLR_IMAGE_TIMESTAMP:  49bef736



STACK_COMMAND:  .thread ; .cxr ; kb



FAILURE_BUCKET_ID:  ACCESS_VIOLATION_KWatch3+1931



BUCKET_ID:  ACCESS_VIOLATION_KWatch3+1931



PRIMARY_PROBLEM_CLASS:  ACCESS_VIOLATION_KWatch3+1931



TARGET_TIME:  2018-03-18T15:58:49.000Z



OSBUILD:  7601



OSSERVICEPACK:  1000



SERVICEPACK_NUMBER: 0



OS_REVISION: 0



SUITE_MASK:  272



PRODUCT_TYPE:  1



OSPLATFORM_TYPE:  x86



OSNAME:  Windows 7



OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS



OS_LOCALE: 



USER_LCID:  0



OSBUILD_TIMESTAMP:  2010-11-20 12:42:46



BUILDDATESTAMP_STR:  101119-1850



BUILDLAB_STR:  win7sp1_rtm



BUILDOSVER_STR:  6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850



ANALYSIS_SESSION_ELAPSED_TIME:  40c8



ANALYSIS_SOURCE:  KM



FAILURE_ID_HASH_STRING:  km:access_violation_kwatch3+1931



FAILURE_ID_HASH:  {e9cfce9f-7931-ad9e-e258-dbb277ebe372}



Followup:     MachineOwner

---------





*****[ Timeline of disclosure]*****



23/03/2018 - Vendor was informed of the vulnerability. No response tried multiple times to reach out.

30/03/2018 - Release in Public



Regards,

WTS Research Team

rnd@...teteamsec.com 













_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists