| Advisory NTIADV0811 (Accelerated Disclosure) | |
| RegRun & UnHackMe Multiple Vulnerabilities | |
| Vendor | Greatis Software |
| Affected Software | RegRun Reanimator <= 6.0.6.50; RegRun Security Suite <= 6.00; UnHackMe <= 5.5 beta |
| Affected Drivers | Registry Guard (registry key protection driver for Windows NT/2000/XP/2003/Vista): regguard.sys <= 4.0.6.0; Partizan (rootkit detector): Partizan.sys <= 1.0.0.1; regrunfm.sys; regrunrm.sys |
| Date Reported | 2008-12-14 |
| Release Date | 2009-09-04 |
| Status | Not fixed |
| Exploits | RegGuard_DoS_01.zip: local denial of service, NULL pointer dereference (KeClearEvent); RegGuard_DoS_02.zip: local denial of service, NtOpenKey (SDT hook); Partizan_DoS.zip: local denial of service, METHOD_NEITHER |
| Disclosure Timeline | 2008-12-14: vulnerability reported to vendor; 2008-12-15: vendor response; 2008-12-18: vendor confirms the vulnerability; 2009-04-21: status update request; 2009-05-05: vendor response (first incomplete update released); 2009-05-XX: vendor releases further incomplete updates; 2009-09-04: public disclosure |
| Description | RegRun and UnHackMe are prone to multiple local vulnerabilities: the kernel drivers they install can be crashed by an unprivileged local user (denial of service), and the same missing checks may allow local privilege escalation. |
| Details | |
Drivers shipped with RegRun & UnHackMe don't properly validate certain parameters passed to the services they hook in the System Service Descriptor Table (NtCreateKey, NtOpenKey, NtSetValueKey, NtDeleteValueKey, NtQueryValueKey), which allows a local user to crash the system. Device drivers that fail to validate IRP parameters (buffer pointers and lengths, in particular for METHOD_NEITHER IOCTLs, where the I/O manager hands the driver raw user-mode addresses) can be exploited by a malicious user to overwrite arbitrary kernel memory and execute code with elevated privileges.
| regguard.sys | |
.text:00011900 HookNtOpenKey proc near          ; SDT hook installed in place of NtOpenKey
.text:00011900
.text:00011900 Pool = dword ptr -20Ch
.text:00011900 Unknown = dword ptr -208h
.text:00011900 NtStatus = dword ptr -204h
.text:00011900 LocalBuffer = dword ptr -200h
.text:00011900 KeyHandle = dword ptr 8
.text:00011900 DesiredAccess = dword ptr 0Ch
.text:00011900 ObjectAttributes = dword ptr 10h  ; taken as-is from the caller, which may be user mode
.text:00011900
.text:00011900 push ebp
.text:00011901 mov ebp, esp
.text:00011903 sub esp, 20Ch
.text:00011909 xor eax, eax
.text:0001190B mov al, protection_state        ; pass straight through until protection is switched on
.text:00011910 test eax, eax
.text:00011912 jz @@call_org_service
.text:00011918 push 200h
.text:0001191D push 0
.text:0001191F lea ecx, [ebp+LocalBuffer]
.text:00011925 push ecx
.text:00011926 call memset                     ; memset(LocalBuffer, 0, 0x200)
.text:0001192B add esp, 0Ch
.text:0001192E push 'TklB'
.text:00011933 push 400h
.text:00011938 push 1
.text:0001193A call ds:ExAllocatePoolWithTag   ; ExAllocatePoolWithTag(PagedPool, 0x400, tag)
.text:00011940 mov [ebp+Pool], eax
.text:00011946 cmp [ebp+Pool], 0
.text:0001194D jz @@call_org_service
.text:00011953 mov edx, [ebp+Pool]
.text:00011959 push edx
.text:0001195A mov eax, [ebp+ObjectAttributes]
.text:0001195D mov ecx, [eax+8]                ; ObjectName: read with no ProbeForRead and no __try/__except
.text:00011960 push ecx
.text:00011961 mov edx, [ebp+ObjectAttributes]
.text:00011964 mov eax, [edx+4]                ; RootDirectory: same, an invalid user pointer faults in kernel mode
.text:00011967 push eax
.text:00011968 call QueryObject                ; ObjectName and RootDirectory are passed on unvalidated
...
Neither the caller's previous mode nor the ObjectAttributes pointer is validated before the dereference at 0001195D. Once protection is enabled, a user-mode call to NtOpenKey with an unmapped or kernel-range ObjectAttributes pointer therefore faults inside the hook and crashes the system.
| Fixed: | |
| The regguard.sys driver doesn't validate the parameters it passes to kernel functions such as KeClearEvent, KeReleaseMutex and KeWaitForSingleObject: the IOCTL handler below calls KeClearEvent on the global EventObject before it has checked anything about the request, and the exploit listed above (RegGuard_DoS_01.zip) triggers a NULL pointer dereference in that call. | |
.text:00010961 @@ioctl_222064:                    ; handler for IOCTL 0x222064
.text:00010961
.text:00010961 mov edx, EventObject                ; global event pointer, never checked for NULL
.text:00010967 push edx
.text:00010968 call ds:KeClearEvent                ; called before any parameter is validated
.text:0001096E mov eax, [ebp+IoStackLocation]
.text:00010971 mov ecx, [eax+4]                    ; Parameters.DeviceIoControl.OutputBufferLength
.text:00010974 mov [ebp+OutputBufferLength], ecx
.text:00010977 cmp [ebp+OutputBufferLength], 200h  ; the length check comes only now
.text:0001097E jnb short @@buffer_length_ok
.text:00010980 mov [ebp+Status], 0C000000Dh        ; STATUS_INVALID_PARAMETER
.text:00010987 jmp @@exit
...
| Partizan.sys | |
...
.text:0001161B mov eax, [ebp+LocalBuffer]       ; LocalBuffer holds a pointer to the request
.text:0001161E mov ecx, [eax]                    ; length: first dword of the request, caller-controlled
.text:00011620 push ecx
.text:00011621 mov edx, [ebp+LocalBuffer]
.text:00011624 add edx, 8                        ; source: request data at offset 8
.text:00011627 push edx
.text:00011628 mov eax, [ebp+UserBuffer]         ; destination: raw METHOD_NEITHER pointer, never probed
.text:0001162B push eax
.text:0001162C call memcpy                       ; memcpy(UserBuffer, LocalBuffer+8, *(ULONG *)LocalBuffer)
...
With METHOD_NEITHER the I/O manager passes Irp->UserBuffer to the driver as a raw user-mode address. Because neither the destination pointer nor the length is validated, a local caller can point the copy at any address and supply any length, which is the arbitrary kernel memory overwrite described above.
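The three listings above each omit a check that a driver reachable from user mode must perform: the NtOpenKey hook dereferences ObjectAttributes without probing it, the 0x222064 handler touches its event object before inspecting the request, and the Partizan handler copies a caller-chosen length to an unprobed METHOD_NEITHER pointer. The following is an added example, not code from the advisory or from Greatis Software: a user-mode C model of the hardened versions of those three paths. Kernel types and routines (OBJECT_ATTRIBUTES, UNICODE_STRING, IO_STACK_LOCATION, KEVENT, KeClearEvent, ProbeForRead/ProbeForWrite) are replaced by small stand-ins over a simulated 32-bit address space so that it compiles and runs anywhere; the names probe_user, user_ptr, hook_check_object_attributes, regguard_wait_ioctl, partizan_copy_ioctl and put_request are this example's own, and the PARTIZAN_REQ_M request layout is assumed from the listing (length dword at offset 0, data at offset 8).

```c
/* Added example, not code from the advisory or from Greatis Software: a user-mode
 * model of the checks the regguard.sys / Partizan.sys paths above omit. Kernel types
 * and routines are replaced by stand-ins; addresses are simulated 32-bit VAs. */
#include <stdint.h>
#include <string.h>
#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_VIOLATION  0xC0000005u
#define STATUS_INVALID_PARAMETER 0xC000000Du   /* the constant stored at .text:00010980 */
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
#define STATUS_DEVICE_NOT_READY  0xC00000A3u
typedef uint32_t va_t;                         /* simulated 32-bit virtual address */
enum { KernelMode = 0, UserMode = 1 };
/* Simulated address space: one 256-byte user page is mapped; anything at or above
 * KERNEL_BASE is kernel memory (x86 Windows compares against MmUserProbeAddress). */
#define KERNEL_BASE  0x80000000u
#define USER_PAGE_VA 0x00400000u
static uint8_t user_page[256];

/* Stand-in for ProbeForRead/ProbeForWrite: reject NULL, misaligned, wrapping and
 * kernel-range spans. The real routines raise an exception rather than returning. */
static uint32_t probe_user(va_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr == 0 || addr % align != 0) return STATUS_ACCESS_VIOLATION;
    if (addr + len < addr || addr + len > KERNEL_BASE) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}
/* Backing memory for an already probed span; only the simulated user page is mapped. */
static uint8_t *user_ptr(va_t addr, uint32_t len) {
    if (addr < USER_PAGE_VA || addr + len > USER_PAGE_VA + sizeof user_page) return 0;
    return user_page + (addr - USER_PAGE_VA);
}

/* 1. SDT hook on NtOpenKey. HookNtOpenKey reads [ObjectAttributes+4] and [+8] directly;
 * a hook reachable from user mode must check the previous mode and probe the structure
 * and the UNICODE_STRING it points at first. (Model struct; the real x86 one is 0x18 bytes.) */
typedef struct { uint32_t Length; va_t RootDirectory; va_t ObjectName; } OBJECT_ATTRIBUTES_M;
static uint32_t hook_check_object_attributes(int prev_mode, va_t oa_va,
                                             const OBJECT_ATTRIBUTES_M *oa) {
    if (prev_mode == KernelMode) return STATUS_SUCCESS;   /* kernel callers are trusted */
    uint32_t st = probe_user(oa_va, sizeof *oa, 4);
    if (st != STATUS_SUCCESS) return st;
    if (oa->Length != sizeof *oa) return STATUS_INVALID_PARAMETER;
    return probe_user(oa->ObjectName, 8, 4);              /* sizeof(UNICODE_STRING) on x86 */
}

/* 2. IOCTL dispatch: order of checks and METHOD_NEITHER pointer handling. */
#define METHOD_NEITHER 3u
#define IOCTL_METHOD(code) ((code) & 3u)                  /* low two bits select the method */
typedef struct {
    uint32_t OutputBufferLength;   /* [IoStackLocation+4] in the regguard.sys listing */
    uint32_t InputBufferLength;
    uint32_t IoControlCode;
    va_t     Type3InputBuffer;     /* METHOD_NEITHER: raw user input pointer */
    va_t     UserBuffer;           /* METHOD_NEITHER: raw user output pointer */
} IO_STACK_LOCATION_M;
typedef struct { int initialized; } KEVENT_M;            /* stand-in for the global EventObject */

/* IOCTL 0x222064 calls KeClearEvent(EventObject) and only then compares OutputBufferLength
 * with 0x200. Validate first, and refuse an event that was never initialised. */
static uint32_t regguard_wait_ioctl(const IO_STACK_LOCATION_M *sl, const KEVENT_M *ev) {
    if (sl->OutputBufferLength < 0x200) return STATUS_INVALID_PARAMETER;
    if (ev == 0 || !ev->initialized) return STATUS_DEVICE_NOT_READY;
    /* KeClearEvent(ev); KeWaitForSingleObject(ev, ...); would follow here */
    return STATUS_SUCCESS;
}

/* Request layout assumed from the Partizan.sys listing: length dword at offset 0, data at
 * offset 8. Partizan copies Length bytes to UserBuffer with neither value checked; bound
 * the copy by the IRP lengths and probe both the source and the destination. */
typedef struct { uint32_t Length; uint32_t Reserved; uint8_t Data[56]; } PARTIZAN_REQ_M;
static uint32_t partizan_copy_ioctl(const IO_STACK_LOCATION_M *sl) {
    if (IOCTL_METHOD(sl->IoControlCode) != METHOD_NEITHER) return STATUS_INVALID_PARAMETER;
    if (sl->InputBufferLength < sizeof(PARTIZAN_REQ_M)) return STATUS_BUFFER_TOO_SMALL;
    uint32_t st = probe_user(sl->Type3InputBuffer, sl->InputBufferLength, 4);
    if (st != STATUS_SUCCESS) return st;
    const uint8_t *in = user_ptr(sl->Type3InputBuffer, sizeof(PARTIZAN_REQ_M));
    if (in == 0) return STATUS_ACCESS_VIOLATION;
    PARTIZAN_REQ_M req;
    memcpy(&req, in, sizeof req);      /* capture once: user memory may change under us */
    if (req.Length > sizeof req.Data || req.Length > sl->OutputBufferLength)
        return STATUS_BUFFER_TOO_SMALL;
    st = probe_user(sl->UserBuffer, req.Length, 1);   /* ProbeForWrite on the destination */
    if (st != STATUS_SUCCESS) return st;
    uint8_t *out = user_ptr(sl->UserBuffer, req.Length);
    if (out == 0) return STATUS_ACCESS_VIOLATION;
    memcpy(out, req.Data, req.Length); /* the listing's memcpy, with both ends validated */
    return STATUS_SUCCESS;
}

/* Helper: place a constructed sample request in the simulated user page. */
static va_t put_request(uint32_t off, uint32_t len, const char *payload) {
    PARTIZAN_REQ_M req = { len, 0, { 0 } };
    size_t n = strlen(payload) < sizeof req.Data ? strlen(payload) : sizeof req.Data;
    memcpy(req.Data, payload, n);
    memcpy(user_page + off, &req, sizeof req);
    return USER_PAGE_VA + off;
}
```

In a real driver the probe calls go inside a __try/__except block and the user data is copied into a kernel-owned buffer before any field is used, as partizan_copy_ioctl does with req; validating the IRP lengths and the transfer method before touching either pointer is what turns the three crashes above into STATUS_INVALID_PARAMETER or STATUS_ACCESS_VIOLATION returned to the caller.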