
0day TrendMicro pool corruption vulnerability explained


Intro.
Just some facts:
I killed/revealed/talked about this 0day in a TrendMicro kernel component at several security conferences during 2012:
April - Hackito Ergo Sum, Paris
May - Hack In The Box, Amsterdam
May - Positive Hack Days, Moscow

But no reaction/fix from TrendMicro.

I'm curious: don't security engineers from TrendMicro visit conferences or read slides?

Anyway, this vuln is interesting, because when I found it using one-shot taint analysis, the analysis gave a wrong conclusion about exploitability.
After manual analysis, some good news was revealed... (See the spoiler in section 3.)

1. Description
The tmtdi.sys kernel driver distributed with TrendMicro products contains
a pool corruption vulnerability in the handling of IOCTL 0x220044.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.

Affected application: various TrendMicro products.
Affected file: tmtdi.sys version 6.8.0.1072.

2. Details

.text:0001D402 ; int __stdcall ioctl_handler(PDEVICE_OBJECT DeviceObject, PIRP NewIrql)
.text:0001D402 ioctl_handler   proc near               ; DATA XREF: sub_1DD8A+D0 o
.text:0001D402
.text:0001D402 var_4           = dword ptr -4
.text:0001D402 DeviceObject    = dword ptr  8
.text:0001D402 NewIrql         = dword ptr  0Ch
.text:0001D402
.text:0001D402                 mov     edi, edi
.text:0001D404                 push    ebp
.text:0001D405                 mov     ebp, esp
.text:0001D407                 push    ecx
.text:0001D408                 mov     eax, [ebp+DeviceObject]
.text:0001D40B                 mov     eax, [eax+28h]
.text:0001D40E                 and     [ebp+var_4], 0
.text:0001D412                 push    ebx
.text:0001D413                 mov     ebx, [ebp+NewIrql]
.text:0001D416                 push    esi
.text:0001D417                 mov     esi, ds:MmIsAddressValid
.text:0001D41D                 push    edi
.text:0001D41E                 mov     edi, [ebx+60h]
.text:0001D421                 push    edi             ; VirtualAddress
.text:0001D422                 mov     [ebp+NewIrql], eax
.text:0001D425                 call    esi ; MmIsAddressValid
.text:0001D427                 test    al, al
.text:0001D429                 jnz     short loc_1D439

[..]

.text:0001D7C0 loc_1D7C0:                              ; CODE XREF: ioctl_handler+256 j
.text:0001D7C0                 mov     eax, ecx
.text:0001D7C2                 sub     eax, 220044h //ioctl check
.text:0001D7C7                 jz      short loc_1D839

.text:0001D839 loc_1D839:                              ; CODE XREF: ioctl_handler+3C5 j
.text:0001D839                 mov     edi, [ebx+0Ch]
.text:0001D83C                 push    edi             ; VirtualAddress
.text:0001D83D                 call    esi ; MmIsAddressValid
.text:0001D83F                 test    al, al
.text:0001D841                 jz      loc_1DD63
.text:0001D847                 push    [ebp+var_4]
.text:0001D84A                 push    edi
.text:0001D84B                 push    offset dword_22BA0
.text:0001D850                 call    sub_15682

[..]

.text:00015682 ; sub_15682: dump the global list anchored at dword_22C20 into a caller
.text:00015682 ; supplied buffer.  Reached from ioctl_handler for IOCTL 220044h (see
.text:00015682 ; loc_1D839 above) as sub_15682(offset dword_22BA0, [Irp+0Ch], var_4).
.text:00015682 ;   arg_4 = destination buffer; the only argument this body reads.  The
.text:00015682 ;           caller checked it with MmIsAddressValid, which proves the page
.text:00015682 ;           is mapped but says nothing about how large the buffer is.
.text:00015682 ;   arg_0 / arg_8 are popped by "retn 0Ch" but never referenced here.
.text:00015682 ; Output: one 3Ch-byte record per list entry, then a 0FFFFFFFFh terminator
.text:00015682 ; dword.  No length is passed in and none is checked, so the bytes written
.text:00015682 ; are (entries * 3Ch) + 4 -- bounded by the list, not by the buffer.  This
.text:00015682 ; is the pool corruption described in section 1.
.text:00015682 ; Register roles: ebx = write cursor, eax = current entry, edx = address of
.text:00015682 ; the list head (loop sentinel), ecx/esi/edi = scratch for rep movsd.
.text:00015682 ; Spin lock dword_22C28 is held across the walk.  The rep movsd copies
.text:00015682 ; presumably rely on DF=0 -- no cld is visible; confirm against the driver.
.text:00015682 sub_15682       proc near               ; CODE XREF: ioctl_handler+44E p
.text:00015682
.text:00015682 NewIrql         = byte ptr -1           ; IRQL returned by the acquire, restored on release
.text:00015682 arg_4           = dword ptr  0Ch        ; destination buffer (no size accompanies it)
.text:00015682
.text:00015682                 mov     edi, edi
.text:00015684                 push    ebp
.text:00015685                 mov     ebp, esp
.text:00015687                 push    ecx             ; reserve the 1-byte local (NewIrql)
.text:00015688                 push    ebx
.text:00015689                 mov     ecx, offset dword_22C28 ; SpinLock
.text:0001568E                 call    ds:KfAcquireSpinLock ; ecx = lock; previous IRQL comes back in al
.text:00015694                 mov     ebx, [ebp+arg_4] ; ebx = write cursor into the caller's buffer
.text:00015697                 mov     [ebp+NewIrql], al ; keep the IRQL for KfReleaseSpinLock below
.text:0001569A                 mov     eax, dword_22C20 ; list of structs: eax = first entry (head's forward link)
.text:0001569F                 mov     edx, offset dword_22C20 ; edx = &head; walking back to it ends the loop
.text:000156A4                 cmp     eax, edx
.text:000156A6                 jz      short loc_156F2 ; empty list -> nothing to copy, go write the terminator
.text:000156A8                 push    esi
.text:000156A9                 push    edi
.text:000156AA
.text:000156AA loc_156AA:                              ; CODE XREF: sub_15682+6C j
.text:000156AA ; Per-entry copy: 3Ch bytes from the entry into [ebx], with no check of
.text:000156AA ; how much room remains in the destination.
.text:000156AA                 mov     ecx, [eax+0Ch]  ; out[00h..0Fh] = entry[0Ch..1Bh] (4 dwords)
.text:000156AD                 mov     [ebx], ecx
.text:000156AF                 mov     ecx, [eax+10h]
.text:000156B2                 mov     [ebx+4], ecx
.text:000156B5                 mov     ecx, [eax+14h]
.text:000156B8                 mov     [ebx+8], ecx
.text:000156BB                 mov     ecx, [eax+18h]
.text:000156BE                 mov     [ebx+0Ch], ecx
.text:000156C1                 push    5               ; ecx = 5 dwords
.text:000156C3                 pop     ecx
.text:000156C4                 lea     esi, [eax+1Ch]  ; out[10h..23h] = entry[1Ch..2Fh]
.text:000156C7                 lea     edi, [ebx+10h]
.text:000156CA                 rep movsd
.text:000156CC                 mov     cx, [eax+30h]   ; out[24h] = entry[30h] (word)
.text:000156D0                 mov     [ebx+24h], cx
.text:000156D4                 push    5               ; ecx = 5 dwords
.text:000156D6                 lea     esi, [eax+32h]  ; out[26h..39h] = entry[32h..45h]
.text:000156D9                 lea     edi, [ebx+26h]
.text:000156DC                 pop     ecx
.text:000156DD                 rep movsd
.text:000156DF                 mov     cx, [eax+46h]   ; out[3Ah] = entry[46h] (word)
.text:000156E3                 mov     [ebx+3Ah], cx
.text:000156E7                 mov     eax, [eax]      ; eax = entry->next (link at offset 0)
.text:000156E9                 add     ebx, 3Ch        ; advance cursor one record; never compared to a limit
.text:000156EC                 cmp     eax, edx
.text:000156EE                 jnz     short loc_156AA ; continue until the walk wraps to the head
.text:000156F0                 pop     edi
.text:000156F1                 pop     esi
.text:000156F2
.text:000156F2 loc_156F2:                              ; CODE XREF: sub_15682+24 j
.text:000156F2                 mov     dl, [ebp+NewIrql] ; NewIrql
.text:000156F5                 mov     ecx, offset dword_22C28 ; SpinLock
.text:000156FA                 call    ds:KfReleaseSpinLock
.text:00015700                 or      dword ptr [ebx], 0FFFFFFFFh ; terminator at the cursor, written after the lock is dropped; hits out[0] for an empty list
.text:00015703                 pop     ebx
.text:00015704                 leave
.text:00015705                 retn    0Ch             ; stdcall: callee pops the 3 dword args
.text:00015705 sub_15682       endp


3. Spoiler

// Address payload of one endpoint: v4 and v6 forms share the same storage.
// sub_15682 copies a fixed 14h-byte (type + address) block per endpoint, which
// leaves 10h bytes for the address; that matches this union only if
// IPV6SIZEWORDS is 8 -- the macro is not defined on this page, confirm it.
union AddrInfo
{
BYTE addr_info_v4[0x4];           // IPv4 address, 4 octets
WORD addr_info_v6[IPV6SIZEWORDS]; // IPv6 address as 16-bit words
};

#pragma pack(2)   // 2-byte packing: the port word follows the address with no padding
// One endpoint (address family, address, port).  In the output of sub_15682
// this is the 5-dword block plus trailing word at out[10h..25h] (local) and
// out[26h..3Bh] (remote).
struct tmtdi_ip_port_info_struct{
DWORD type;//V4, V6
union AddrInfo local_ip;  // address bytes, interpreted per `type`
WORD local_ip_port;       // the lone word sub_15682 copies to out[24h] / out[3Ah]
};

// Local/remote endpoint pair of one connection record.
struct tmtdi_conn_info_struct{
struct tmtdi_ip_port_info_struct local;   // at record offset 10h
struct tmtdi_ip_port_info_struct remote;  // at record offset 26h
};

// One record as emitted by sub_15682: 3Ch bytes (matches "add ebx, 3Ch").
// The first four DWORDs are the four dwords copied from entry[0Ch..1Bh] to
// out[00h..0Fh]; the field names are the author's interpretation.
struct tmtdi_struct{
DWORD pid;
DWORD type;
DWORD ipproto;
DWORD dir;
struct tmtdi_conn_info_struct tmtdi_conn_info;  // 2Ch bytes, see above
};

#ZeroNights #


//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information


