Home / vulnerabilitiesPDF  

TKADV2008-008.txt

Posted on 19 September 2008
Source : packetstormsecurity.org Link

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: G DATA AntiVirus/InternetSecurity/TotalCare 2008
GDTdiIcpt.sys Memory Corruption Vulnerability
Advisory ID: TKADV2008-008
Revision: 1.0
Release Date: 2008/09/17
Last Modified: 2008/09/17
Date Reported: 2007/11/29
Author: Tobias Klein (tk at trapkit.de)
Affected Software: G DATA AntiVirus 2008
G DATA InternetSecurity 2008
G DATA TotalCare 2008
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.gdata.de/
Vendor Status: Vendor has released an updated version
Patch development time: 294 days


======================
Vulnerability details:
======================

The kernel driver GDTdiIcpt.sys shipped with G DATA AntiVirus/Internet
Security/TotalCare 2008 contains a vulnerability in the code that handles
IOCTL requests. Exploitation of this vulnerability can result in:

1) local denial of service attacks (system crash due to a kernel panic), or

2) local execution of arbitrary code at the kernel level (complete system
compromise)

The issue can be triggered by sending a specially crafted IOCTL request.


======================
Technical description:
======================

The IOCTL call 0x8317001c of the GDTdiIcpt.sys kernel driver accepts user
supplied input that doesn't get validated. In consequence it is possible to
fill different kernel registers with arbitrary values. These register
values are further on used as parameters for different functions of the
windows kernel (e.g. KeSetEvent). If these parameters are carefully crafted
it is possible to force the windows kernel into performing a memory
corruption that leads to full control of the kernel execution flow.

Disassembly of GDTdiIcpt.sys (Windows Vista 32bit version):

[...]
.text:00012510 cmp [ebp+arg_18], 8317001Ch
[...]
.text:0001251D mov ebx, [ebp+arg_10] <-- [1]
.text:00012520 mov esi, [ebp+arg_8]
.text:00012523 push 7
.text:00012525 pop ecx
.text:00012526 mov edi, ebx
.text:00012528 rep movsd
.text:0001252A movsb
.text:0001252B test byte ptr [ebx+2], 8
.text:0001252F jnz short loc_12598
[...]

[1] The user controlled input gets copied into the EBX register without
any input validation

Example for an exploitable code path:

[...]
.text:00012531 mov esi, [ebx+3] <-- [2]
[...]
.text:00012566 mov edi, [esi+8] <-- [3]
[...]
.text:0001257E push 0
.text:00012580 push 0
.text:00012582 push dword ptr [edi] <-- [4]
.text:00012584 call ds:KeSetEvent
[...]

[2] The ESI register is filled with the user supplied data (from EBX)
[3] The EDI register is also filled with the user supplied data
[4] The user supplied value of EDI is used as a parameter for the
KeSetEvent kernel function

With enough crafting, the user supplied argument to the KeSetEvent kernel
function can be used to hijack the execution flow of the kernel.


=========
Solution:
=========

Upgrade to G DATA AntiVirus/InternetSecurity/TotalCare 2009.

http://www.gdata.de/


========
History:
========

2007/11/29 - Vendor notified using info@gdata.de
2007/12/01 - Vendor response (Customer Support)
2007/12/03 - Vendor response (QA)
2007/12/03 - Asking for a PGP key
2007/12/06 - Vendor response with PGP key. Detailed vulnerability
information sent to G DATA.
2007/12/17 - Status update request
2007/12/18 - Status update from vendor. Detailed information sent a 2nd
time to G DATA.
2008/01/03 - Status update request
2008/01/03 - Status update from vendor
2007/02/12 - Status update request (no response)
2007/02/26 - Status update request (no response)
2007/02/28 - Status update from vendor
2008/09/17 - Update released by the vendor
2008/09/17 - Full technical details released to general public


========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://www.gdata.de/
[2] http://www.trapkit.de/advisories/TKADV2008-008.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----

wj8DBQFI0U8mkXxgcAIbhEERAltuAKCS4sgBzS+t7G2DBQAXQ/OgKzlr2ACbBpX2
uFw+/y+ruFlEIoGU/wd0GYo=
=XRWj
-----END PGP SIGNATURE-----

 

TOP

Malware :

Exploits :