From: Andrey Kolishak (andrSANDY.RU)
Date: Wed Feb 21 2001 - 12:00:17 CST

    Many NT drivers are potentially vulnerable to a format string bug.
    The problem concerns the DbgPrint function, which is used for debug
    messages. Instead of calling this function directly, some drivers use
    additional intermediate functions. Those functions add a prefix to the
    output string, resolve the format string and pass the final string to
    DbgPrint. Note that DbgPrint itself resolves format specifications a
    second time. A typical intermediate function looks like this:

    /* Kernel-mode driver code. The two includes are assumed (the post does
       not show them): DbgPrint and _vsnprintf are declared in ntddk.h. */
    #include <ntddk.h>
    #include <stdarg.h>

    void DebugMessage(const char * format, ...)
    {
        char buf[1024];
        int outLen;
        ULONG PrefLen;
        va_list argptr;

        /* Prefix every message with the driver name. */
        strcpy(buf, "DriverName: ");
        PrefLen = strlen(buf);
        /* First format pass: expand the caller's format into buf. */
        va_start( argptr, format );
        outLen = _vsnprintf( buf+PrefLen, sizeof(buf)-PrefLen, format, argptr );
        va_end( argptr );
        buf[sizeof(buf)-1] = '\0';  /* _vsnprintf does not terminate on truncation */
        /* Second format pass: buf, which now contains caller-supplied data,
           is itself interpreted as a format string. This is the bug. */
        DbgPrint(buf);
    }

    As you can see, it looks like clean code. But since DbgPrint resolves
    the format string again, the DebugMessage function is vulnerable. So
    the following function call is vulnerable whenever the file name is
    attacker-controlled:

    DebugMessage("MajorFunction = %d, filename = %-*S\n",
     CurrentLocation->MajorFunction, FileObject->FileName.Length,
     FileObject->FileName.Buffer);
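    As an added illustration that is not from the post: a user-mode C
    rendering of the same intermediate function, with a constructed DbgPrint
    stand-in that, like the kernel routine, resolves its first argument as a
    format string. It shows that text handed in as a %s argument is parsed
    again when the function ends in DbgPrint(buf), and is not when it ends in
    DbgPrint("%s", buf); the function names, buffer size and file name are my
    assumptions, not part of the page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's DbgPrint: like the real routine it
 * treats its first argument as a format string. Output is kept in g_last so
 * the result can be inspected instead of going to a kernel debugger. */
static char g_last[256];

static void DbgPrint(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(g_last, sizeof g_last, format, ap);
    va_end(ap);
}

/* The intermediate function from the post with one switch: hardened == 0
 * reproduces DbgPrint(buf); hardened != 0 is the corrected DbgPrint("%s", buf). */
const char *DebugMessage(int hardened, const char *format, ...)
{
    char buf[256];
    va_list ap;
    size_t pref;

    strcpy(buf, "DriverName: ");
    pref = strlen(buf);
    va_start(ap, format);
    vsnprintf(buf + pref, sizeof buf - pref, format, ap);  /* first pass */
    va_end(ap);
    if (hardened)
        DbgPrint("%s", buf);   /* buf is plain data: no second format pass */
    else
        DbgPrint(buf);         /* buf is re-parsed as a format string */
    return g_last;
}

int main(void)
{
    /* Constructed file name containing "%%": harmless, but it reveals whether
     * the text went through a second format pass ("%%" collapses to "%"). */
    const char *name = "report 100%% done.txt";
    printf("vulnerable: %s\n", DebugMessage(0, "filename = %s", name));
    printf("hardened:   %s\n", DebugMessage(1, "filename = %s", name));
    return 0;
}
```

    With a caller-supplied name that contains real conversions instead of
    "%%", the second pass in the vulnerable variant reads (and with %n writes)
    kernel memory, which is why the fix is to pass buf as an argument.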

    All drivers that use this technique and retain debug messages in the
    release build are potentially vulnerable to format string attacks.
    Unfortunately, research into this problem shows that many drivers use
    it. For example, NuMega's DriverWorks has a potentially vulnerable
    class, KTrace. Consequently, all drivers written with the DriverWorks
    KTrace class that keep debug messages in the release build are
    potentially vulnerable. The isapnp.sys driver shipped with Windows 2000
    also uses this technique.

    The bug is highly dangerous because it can lead to patching of kernel
    memory. You can download an example of an attack on the vulnerability
    from http://www.securewave.com/ in the "Free downloads" section. The
    example contains a simple vulnerable driver that calls DebugMessage as
    described above and a small user mode program that exploits the driver
    vulnerability to patch the kernel. The patch allows bypassing all the
    system security checks, so any user can gain full access to any file,
    install and start drivers, and so on.

     Andrey Kolishak mailto:andrsandy.ru