1.Description:
The HookCentre.sys kernel driver distributed with G Data TotalCare 2011 contains a race condition in its handling of the arguments passed to its NtOpenKey hook. The driver reads argument data from user-mode memory more than once, so a second user-mode thread can change that data between the check and the use (a double fetch, or TOCTOU bug). In the crash dump below the driver's memcpy is reading from the attacker-supplied address 0x90909090 (esi in the trap frame) into a kernel buffer. Exploitation of this issue allows a local attacker to crash the system (the infamous BSoD) or potentially gain escalated privileges. An attacker needs local access to a vulnerable computer to exploit this vulnerability.
Affected application: G Data TotalCare 2011, current version 21.1.0.5 at the time of writing. Affected file: HookCentre.sys version 10.0.8.11.
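The double fetch described above, as an added example that is not the page's PoC and not G Data's code: a user-mode C simulation of a hypothetical NtOpenKey hook, with the vulnerable pattern beside the hardened one. The "user address space" is a static buffer, the probe is a range check on it, the kernel memcpy is a wrapper that records a bugcheck instead of faulting, and the racing thread is modelled as a callback run inside the race window so the outcome is deterministic. The structure names and the 0x90909090 value follow the dump; the hook's internal layout is an assumption, since HookCentre.sys is not reversed here.

```c
/*
 * Added example (not HookCentre.sys code): user-mode simulation of the
 * double-fetch race in a kernel NtOpenKey hook.  The "user address space"
 * is a static buffer, the probe is a range check on it, and the kernel
 * memcpy is a wrapper that records a bugcheck instead of faulting.
 * The hook's internal layout is an assumption, not a reversal of the driver.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Minimal stand-ins for the Windows structures NtOpenKey receives. */
typedef struct { uint16_t Length; uint16_t MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct { uint32_t Length; void *RootDirectory; UNICODE_STRING *ObjectName; uint32_t Attributes; } OBJECT_ATTRIBUTES;

static _Alignas(16) unsigned char user_space[4096]; /* the only "mapped user memory" */
static int g_bugcheck;                              /* 1 = simulated PAGE_FAULT_IN_NONPAGED_AREA */

/* Range check standing in for ProbeForRead: is [p, p+len) inside user memory? */
static int probe_for_read(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)user_space, hi = lo + sizeof user_space, a = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

/* Stand-in for nt!memcpy: the real one faults on a bad source address (Arg1/esi in the dump). */
static void kernel_memcpy(void *dst, const void *src, size_t len) {
    if (!probe_for_read(src, len)) { g_bugcheck = 1; return; }
    memcpy(dst, src, len);
}

/* The racing user thread, modelled as a callback run between the two fetches. */
typedef void (*racer_fn)(OBJECT_ATTRIBUTES *oa);
static void no_racer(OBJECT_ATTRIBUTES *oa) { (void)oa; }
static void swap_pointer(OBJECT_ATTRIBUTES *oa) {
    oa->ObjectName = (UNICODE_STRING *)(uintptr_t)0x90909090; /* the value seen in the dump */
}

/* Vulnerable pattern: validate ObjectName, then re-read it from user memory when copying. */
static int hook_vulnerable(OBJECT_ATTRIBUTES *oa, wchar_t *out, size_t outlen, racer_fn racer) {
    if (!probe_for_read(oa, sizeof *oa)) return -1;
    UNICODE_STRING *name = oa->ObjectName;                     /* fetch #1: this one is checked */
    if (!probe_for_read(name, sizeof *name)) return -1;
    if (!probe_for_read(name->Buffer, name->Length)) return -1;
    if (name->Length / sizeof(wchar_t) >= outlen) return -1;
    racer(oa);                                                 /* race window */
    UNICODE_STRING us;
    kernel_memcpy(&us, oa->ObjectName, sizeof us);             /* fetch #2: unchecked, and used */
    if (g_bugcheck) return -2;
    kernel_memcpy(out, us.Buffer, us.Length);
    out[us.Length / sizeof(wchar_t)] = L'\0';
    return g_bugcheck ? -2 : 0;
}

/* Hardened pattern: capture every user value once, validate the kernel-local copy, use only that. */
static int hook_hardened(OBJECT_ATTRIBUTES *oa, wchar_t *out, size_t outlen, racer_fn racer) {
    OBJECT_ATTRIBUTES loa; UNICODE_STRING lus;
    if (!probe_for_read(oa, sizeof *oa)) return -1;
    kernel_memcpy(&loa, oa, sizeof loa);                       /* single fetch of OBJECT_ATTRIBUTES */
    if (!probe_for_read(loa.ObjectName, sizeof lus)) return -1;
    kernel_memcpy(&lus, loa.ObjectName, sizeof lus);           /* single fetch of UNICODE_STRING */
    if (lus.Length % sizeof(wchar_t) || lus.Length / sizeof(wchar_t) >= outlen) return -1;
    if (!probe_for_read(lus.Buffer, lus.Length)) return -1;
    racer(oa);                                                 /* too late: nothing below re-reads oa */
    kernel_memcpy(out, lus.Buffer, lus.Length);
    out[lus.Length / sizeof(wchar_t)] = L'\0';
    return g_bugcheck ? -2 : 0;
}

/* Lay the NtOpenKey arguments out in "user memory" as a caller would, and reset the bugcheck flag. */
static OBJECT_ATTRIBUTES *build_user_args(const wchar_t *name) {
    OBJECT_ATTRIBUTES *oa = (OBJECT_ATTRIBUTES *)user_space;
    UNICODE_STRING *us = (UNICODE_STRING *)(user_space + 64);
    wchar_t *buf = (wchar_t *)(user_space + 128);
    size_t bytes = wcslen(name) * sizeof(wchar_t);
    memcpy(buf, name, bytes);
    us->Length = us->MaximumLength = (uint16_t)bytes;
    us->Buffer = buf;
    memset(oa, 0, sizeof *oa);
    oa->Length = sizeof *oa;
    oa->ObjectName = us;
    g_bugcheck = 0;
    return oa;
}

int main(void) {
    wchar_t out[64];
    const wchar_t *key = L"\\Registry\\Machine\\Software"; /* constructed sample key path */
    int rc = hook_vulnerable(build_user_args(key), out, 64, no_racer);
    printf("vulnerable, no race:   rc=%d bugcheck=%d\n", rc, g_bugcheck);
    rc = hook_vulnerable(build_user_args(key), out, 64, swap_pointer);
    printf("vulnerable, with race: rc=%d bugcheck=%d\n", rc, g_bugcheck);
    rc = hook_hardened(build_user_args(key), out, 64, swap_pointer);
    printf("hardened,   with race: rc=%d bugcheck=%d\n", rc, g_bugcheck);
    return 0;
}
```

The vulnerable hook passes every probe, because at the time of the check the pointer really is valid; the damage is done by the second read of oa->ObjectName after the window. The hardened hook copies the whole argument chain into kernel-local storage first and never touches user memory for the same value twice, which is the same discipline the real driver needs (in a real kernel the captures also run under __try/__except, which the simulation omits).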
2.Crash dump info:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80536913, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: 90909090
FAULTING_IP:
nt!memcpy+33
80536913 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: hookfuzz.exe
TRAP_FRAME:  f06f7c24 -- (.trap 0xfffffffff06f7c24)
ErrCode = 00000000
eax=909090ea ebx=0012ff08 ecx=00000016 edx=00000002 esi=90909090 edi=81ae5d2c
eip=80536913 esp=f06f7c98 ebp=f06f7ca0 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
80536913 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f7b9d to 80527bdc
STACK_TEXT:
f06f7760 804f7b9d 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
f06f77ac 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
f06f7b8c 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
f06f7bac 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
f06f7c0c 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
f06f7c0c 80536913 00000000 90909090 00000000 nt!KiTrap0E+0xcc
f06f7ca0 f9cbc7d5 81ae5d2c 90909090 0000005a nt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
f06f7cc0 f9cbd818 0012ff08 0012ff08 00000000 HookCentre+0x7d5
f06f7cd8 f9cbddd2 00000001 00000188 000006cc HookCentre+0x1818
f06f7d28 f9cbe50b 00000188 000006cc 000007d8 HookCentre+0x1dd2
f06f7d50 8053d638 0012ff04 00020000 00000000 HookCentre+0x250b
f06f7d50 7c90e4f4 0012ff04 00020000 00000000 nt!KiFastCallEntry+0xf8
0012fec4 7c90d5bc 004010d0 0012ff04 00020000 ntdll!KiFastSystemCallRet
0012fec8 004010d0 0012ff04 00020000 0012feec ntdll!ZwOpenKey+0xc
0012ff70 00401622 00000001 00342e68 00342e98 hookfuzz!wmain+0xd0
0012ffc0 7c817067 fdd46ae8 01cb4211 7ffdd000 hookfuzz!__tmainCRTStartup+0x15e
0012fff0 00000000 00401679 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND: kb
FOLLOWUP_IP:
HookCentre+7d5
f9cbc7d5 83c40c          add     esp,0Ch
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: HookCentre+7d5
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HookCentre
IMAGE_NAME: HookCentre.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4c75a6b8
FAILURE_BUCKET_ID: 0x50_HookCentre+7d5
BUCKET_ID: 0x50_HookCentre+7d5
Followup: MachineOwner
---------

3.PoC: the proof of concept is in the NtOpenKey_poc.zip file.
http://www.exploit-db.com/sploits/NtOpenKey_poc.zip