G Data TotalCare 2011 NtOpenKey Race Condition Vulnerability
Source: http://www.exploit-db.com  Author: Tarakanov  Published: 2010-11-08

1.Description:

The HookCentre.sys kernel driver distributed with G Data TotalCare 2011
contains a race condition vulnerability in its handling of the arguments of
the NtOpenKey function.
Exploitation of this issue allows an attacker to crash the system (the
infamous BSoD) or gain escalated privileges.
An attacker would need local access to a vulnerable computer to exploit this
vulnerability.


Affected application: G Data TotalCare 2011, up to date version 21.1.0.5.
Affected file: HookCentre.sys version 10.0.8.11.
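The pattern behind a race of this kind, shown here as an added illustration that is not part of the advisory and is not code from HookCentre.sys: a hook validates a user-mode argument block (fetch 1), then re-reads the same block when it performs the copy (fetch 2), so a second user thread can swap the pointer in between and the kernel copies from an unmapped address. The simulation below is plain C with no Windows kernel API; `user_args_t`, `user_range_ok`, `copy_from_user` and the racer callback are constructed stand-ins (a real driver captures the block under ProbeForRead inside __try/__except), and the source address 0x90909090 and length 0x5a are the values visible in the dump's `nt!memcpy` frame. The hardened variant captures the block once and works only on the capture.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated user-mode memory: the only range the "kernel" may legally copy from.
 * The key name is a constructed sample value. */
static char user_pool[64] = "HKLM\\Software\\Example";

/* Hypothetical stand-in for the argument block a hook receives (OBJECT_ATTRIBUTES
 * style: a pointer plus a length). Not the real layout used by the driver. */
typedef struct {
    const char *name;   /* user-mode pointer to the key name */
    uint32_t    length; /* number of bytes at *name */
} user_args_t;

enum { HOOK_OK = 0, HOOK_REJECTED = -1, HOOK_BUGCHECK = -2 };

/* Simulated address-space check: is [p, p+len) entirely inside user_pool? */
static bool user_range_ok(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_pool, hi = lo + sizeof user_pool;
    return len <= sizeof user_pool && a >= lo && a + len <= hi;
}

/* Simulated MMU: a copy from outside the user range is the kernel-mode read that
 * raised PAGE_FAULT_IN_NONPAGED_AREA in the crash dump above. */
static int copy_from_user(void *dst, const void *src, size_t len) {
    if (!user_range_ok(src, len)) return HOOK_BUGCHECK;
    memcpy(dst, src, len);
    return HOOK_OK;
}

/* A concurrent user thread, modelled as a callback fired inside the race window. */
typedef void (*racer_fn)(user_args_t *);

/* Vulnerable hook: fetch 1 validates the user block, fetch 2 re-reads it for the copy. */
static int hook_vulnerable(user_args_t *ua, racer_fn racer, char *out, size_t outsz) {
    if (!user_range_ok(ua->name, ua->length) || ua->length >= outsz) /* fetch 1 */
        return HOOK_REJECTED;
    if (racer) racer(ua);                                  /* other thread runs here */
    int rc = copy_from_user(out, ua->name, ua->length);    /* fetch 2: stale check */
    if (rc != HOOK_OK) return rc;
    out[ua->length] = '\0';
    return HOOK_OK;
}

/* Hardened hook: capture the whole block once, validate the capture, use only the
 * capture. Later writes by the user thread cannot change what the kernel copies. */
static int hook_hardened(user_args_t *ua, racer_fn racer, char *out, size_t outsz) {
    user_args_t captured = *ua;   /* single fetch (probed + try/except in a real driver) */
    if (!user_range_ok(captured.name, captured.length) || captured.length >= outsz)
        return HOOK_REJECTED;
    if (racer) racer(ua);         /* too late: the hook no longer reads *ua */
    int rc = copy_from_user(out, captured.name, captured.length);
    if (rc != HOOK_OK) return rc;
    out[captured.length] = '\0';
    return HOOK_OK;
}

/* Racing thread: swaps in the bad source address and length seen in the dump. */
static void racer_swap_pointer(user_args_t *ua) {
    ua->name   = (const char *)(uintptr_t)0x90909090;
    ua->length = 0x5a;
}

/* Runs one scenario and returns the hook's result code; `out` receives the key name. */
static int run(bool hardened, bool with_racer, char *out, size_t outsz) {
    user_args_t ua = { user_pool, (uint32_t)strlen(user_pool) };
    racer_fn r = with_racer ? racer_swap_pointer : NULL;
    return hardened ? hook_hardened(&ua, r, out, outsz)
                    : hook_vulnerable(&ua, r, out, outsz);
}

int main(void) {
    char buf[64];
    int rc = run(false, true, buf, sizeof buf);
    printf("vulnerable hook with racing thread: rc=%d (bugcheck)\n", rc);
    rc = run(true, true, buf, sizeof buf);
    printf("hardened hook with racing thread:   rc=%d name=%s\n", rc, buf);
    return 0;
}
```

The fix is not a second validation of `ua->name` before the copy; that only narrows the window. The block must be read from user memory exactly once into kernel-owned storage, and every later check and use must refer to that copy.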

2.Crash dump info:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80536913, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  90909090

FAULTING_IP:
nt!memcpy+33
80536913 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  hookfuzz.exe

TRAP_FRAME:  f06f7c24 -- (.trap 0xfffffffff06f7c24)
ErrCode = 00000000
eax=909090ea ebx=0012ff08 ecx=00000016 edx=00000002 esi=90909090 edi=81ae5d2c
eip=80536913 esp=f06f7c98 ebp=f06f7ca0 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
80536913 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc

STACK_TEXT:
f06f7760 804f7b9d 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
f06f77ac 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
f06f7b8c 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
f06f7bac 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
f06f7c0c 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
f06f7c0c 80536913 00000000 90909090 00000000 nt!KiTrap0E+0xcc
f06f7ca0 f9cbc7d5 81ae5d2c 90909090 0000005a nt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
f06f7cc0 f9cbd818 0012ff08 0012ff08 00000000 HookCentre+0x7d5
f06f7cd8 f9cbddd2 00000001 00000188 000006cc HookCentre+0x1818
f06f7d28 f9cbe50b 00000188 000006cc 000007d8 HookCentre+0x1dd2
f06f7d50 8053d638 0012ff04 00020000 00000000 HookCentre+0x250b
f06f7d50 7c90e4f4 0012ff04 00020000 00000000 nt!KiFastCallEntry+0xf8
0012fec4 7c90d5bc 004010d0 0012ff04 00020000 ntdll!KiFastSystemCallRet
0012fec8 004010d0 0012ff04 00020000 0012feec ntdll!ZwOpenKey+0xc
0012ff70 00401622 00000001 00342e68 00342e98 hookfuzz!wmain+0xd0
0012ffc0 7c817067 fdd46ae8 01cb4211 7ffdd000 hookfuzz!__tmainCRTStartup+0x15e
0012fff0 00000000 00401679 00000000 78746341 kernel32!BaseProcessStart+0x23


STACK_COMMAND:  kb

FOLLOWUP_IP:
HookCentre+7d5
f9cbc7d5 83c40c          add     esp,0Ch

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  HookCentre+7d5

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: HookCentre

IMAGE_NAME:  HookCentre.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c75a6b8

FAILURE_BUCKET_ID:  0x50_HookCentre+7d5

BUCKET_ID:  0x50_HookCentre+7d5

Followup: MachineOwner
---------


3.PoC is in the NtOpenKey_poc.zip file.

http://www.exploit-db.com/sploits/NtOpenKey_poc.zip
