| Advisory NTIADV0801 (Accelerated Disclosure) |
| Hardware Sensors Monitor (Hmonitor.sys) Multiple Vulnerabilities |
| Vendor | AB Software |
| Affected Software | Hardware Sensors Monitor <= 4.4.3.1 |
| Affected Driver | Hmonitor device driver (Hmonitor.sys) <= 4.4.1.1 |
| Date Reported | 2008-09-17 |
| Release Date | 2008-10-17 |
| Status | Not fixed |
| Exploit | Hmonitor_DoS.zip (local denial of service exploit); Hmonitor_IOPL.zip (I/O manipulation exploit, HalMakeBeep) |
| Disclosure Timeline | 2008-09-17: vulnerability reported to vendor; 2008-10-17: full technical details released to the general public |
| Description |
Hardware Sensors Monitor ships signed drivers, one for x86 and one for x64 systems, and loads the kernel module hmonitor.sys. This module exposes functionality that can be abused to cause an immediate system restart or to gain unrestricted I/O access.
| Details |
To exploit this vulnerability, an Administrator must first launch the Hardware Sensors Monitor application, which loads the hmonitor.sys driver into the kernel. Once loaded, the vulnerable kernel module is accessible to all users and remains loaded until the system is rebooted; after a reboot hmonitor.sys is loaded automatically. If the user-supplied parameters passed to MmMapIoSpace are specially constructed, it is possible to overwrite the kernel stack and cause an immediate system crash.
...
.text:0001159A @@ioctl_map_io_space:
.text:0001159A cmp [ebp+InputBufferLength], 8
.text:0001159E jl short @@jmp
.text:000115A0 mov eax, [ebp+InputBuffer]
.text:000115A3 mov ecx, [eax+4] ; InputBuffer[1] -> CacheType
.text:000115A6 mov [ebp+CacheType], ecx
.text:000115A9 mov edx, [ebp+InputBuffer]
.text:000115AC mov eax, [edx] ; InputBuffer[0] -> PhysicalAddress
.text:000115AE xor ecx, ecx
.text:000115B0 mov [ebp+PhysicalAddress], eax
.text:000115B3 mov [ebp+NumberOfBytes], ecx
.text:000115B6 push 0
.text:000115B8 mov edx, [ebp+CacheType]
.text:000115BB push edx ; CacheType
.text:000115BC mov eax, [ebp+NumberOfBytes]
.text:000115BF push eax ; NumberOfBytes
.text:000115C0 mov ecx, [ebp+PhysicalAddress]
.text:000115C3 push ecx ; PhysicalAddress
.text:000115C4 call ds:MmMapIoSpace
.text:000115CA mov [ebp+VirtualAddress], eax
...
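The following is an added example, not the vendor's code: it models in hosted C what the listing above does with the IOCTL input buffer (InputBuffer[0] becomes PhysicalAddress, InputBuffer[1] becomes CacheType, NumberOfBytes is hard-coded to 0, and the only check is that at least 8 bytes were supplied), and places beside it the validation a driver should perform before handing user-controlled values to MmMapIoSpace. The allow-listed register range, the caller privilege flag and the MEMORY_CACHING_TYPE constants are assumptions made for the example.

```c
/* Added example (not hmonitor.sys code). Hosted C, no WDK required. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed subset of MEMORY_CACHING_TYPE values a caller may legitimately request. */
enum { MmNonCached = 0, MmCached = 1, MmWriteCombined = 2 };

typedef struct { uint32_t physical_address, number_of_bytes, cache_type; } map_call_t;

/* Mirrors the disassembly: after the 8-byte length check the driver copies
 * InputBuffer[0] and InputBuffer[1] straight into the MmMapIoSpace arguments
 * and forces NumberOfBytes = 0. Returns false on the rejected path
 * (`jl short @@jmp`), true if MmMapIoSpace would be called with *out. */
bool vulnerable_dispatch(const uint32_t *in, uint32_t in_len, map_call_t *out) {
    if (in_len < 8) return false;
    out->physical_address = in[0];   /* attacker-controlled physical address */
    out->number_of_bytes  = 0;       /* xor ecx, ecx */
    out->cache_type       = in[1];   /* attacker-controlled, never range-checked */
    return true;
}

/* Hardened policy (assumed, not the vendor's): exact request size, trusted
 * caller, a defined cache type, and a physical address inside a fixed
 * allow-list of device registers the driver actually needs. */
typedef struct { uint32_t physical_address, cache_type; } map_io_request_t;
typedef struct { uint32_t base, length; } io_range_t;

bool hardened_accepts(const map_io_request_t *req, size_t len, bool caller_is_admin,
                      const io_range_t *allowed, size_t n_allowed) {
    if (len != sizeof *req || !caller_is_admin) return false;
    if (req->cache_type > MmWriteCombined) return false;
    for (size_t i = 0; i < n_allowed; i++) {
        uint32_t end = allowed[i].base + allowed[i].length;
        if (end < allowed[i].base) continue;              /* wrapped range: ignore */
        if (req->physical_address >= allowed[i].base && req->physical_address < end)
            return true;
    }
    return false;   /* arbitrary physical address: refuse the mapping */
}
```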
Hardware Sensors Monitor raises the I/O Privilege Level for every process that issues an IRP_MJ_CREATE request, i.e. for any process that opens the device. It also exposes functionality that grants unrestricted I/O access when a specially crafted IRP is supplied to the IOCTL handler.
.text:000110D0 ; int __stdcall DeviceCreate(int,int)
.text:000110D0 DeviceCreate proc near
.text:000110D0
.text:000110D0 DeviceObject = dword ptr 8
.text:000110D0 Irp = dword ptr 0Ch
.text:000110D0
.text:000110D0 push ebp
.text:000110D1 mov ebp, esp
.text:000110D3 push 1 ; MapNumber
.text:000110D5 call SetIopl
.text:000110DA mov eax, [ebp+Irp]
.text:000110DD mov dword ptr [eax+1Ch], 0
.text:000110E4 mov ecx, [ebp+Irp]
.text:000110E7 mov dword ptr [ecx+18h], 0
.text:000110EE xor dl, dl
.text:000110F0 mov ecx, [ebp+Irp]
.text:000110F3 call ds:IofCompleteRequest
.text:000110F9 xor eax, eax
.text:000110FB pop ebp
.text:000110FC retn 8
.text:000110FC DeviceCreate endp