Advisory NTIADV1004
KV 2010 Multiple Local Denial of Service Vulnerabilities
Vendor: Jiangmin Co. Ltd.
Affected Software: KV 2010 < 13.0.10.111
Affected Driver: Trojan and Registry Monitor - KRegEx.sys < 13.0.10.427
Date Reported: 2010-02-04
Release Date: 2010-05-04
Status: Fixed - KV 2010 - 13.0.10.111
Exploit: KRegEx_DoS.zip - Local Denial of Service Exploit (unavailable)
Disclosure Timeline:
2010-02-04 - Vulnerability reported to vendor
2010-02-05 - Vulnerability reported to vendor (once again)
2010-02-05 - Vendor confirmed reported vulnerability
2010-02-09 - Vendor released first incomplete update (KRegEx.sys - 13.0.10.208)
2010-02-10 - Vendor released second incomplete update (KRegEx.sys - 13.0.10.210)
2010-03-19 - Status update request
2010-04-18 - Status update request
2010-04-23 - Vendor released third incomplete update (KRegEx.sys - 13.0.10.412)
2010-04-28 - Vendor released fixed version (KRegEx.sys - 13.0.10.427)
2010-05-04 - Full technical details released to general public
Description
The device driver KRegEx.sys shipped with KV 2010 doesn't properly validate certain parameters passed to its hooked services (NtCreateKey, NtOpenKey, NtDeleteKey, NtSetValueKey, NtDeleteValueKey), which allows local users to cause a Denial of Service. The driver doesn't check whether the kernel function ExAllocatePool returns a valid address. If the user-supplied parameters passed to the IOCTL handler are maliciously crafted, ExAllocatePool returns NULL instead of a valid pool pointer, and the driver then dereferences it.

Fixed in KRegEx.sys - 13.0.10.208

		...
		.text:00011D17 __ioctl_0x88008068:
		.text:00011D17                 push    [ebp+InputBuffer]
		.text:00011D1A                 call    GetUpperCaseString
		.text:00011D1F                 jmp     __return_true
		...
		
		.text:000108D6 ; int __stdcall GetUpperCaseString(int InputBuffer)
		.text:000108D6 GetUpperCaseString proc near
		.text:000108D6
		.text:000108D6 InputBuffer = dword ptr 8
		.text:000108D6
		.text:000108D6                 mov     edi, edi
		.text:000108D8                 push    ebp
		.text:000108D9                 mov     ebp, esp
		.text:000108DB                 mov     eax, Pool
		.text:000108E0                 test    eax, eax
		.text:000108E2                 jz      short __no_allocated_pool
		.text:000108E4                 push    eax
		.text:000108E5                 call    ds:ExFreePool
		.text:000108EB                 and     Pool, 0
		.text:000108F2
		.text:000108F2 __no_allocated_pool:
		.text:000108F2                 push    edi
		.text:000108F3                 mov     edi, [ebp+InputBuffer]
		.text:000108F6                 test    edi, edi
		.text:000108F8                 jz      short __exit
		.text:000108FA                 cmp     byte ptr [edi], 0
		.text:000108FD                 jz      short __exit
		.text:000108FF                 mov     eax, edi
		.text:00010901                 lea     ecx, [eax+1]
		.text:00010904
		.text:00010904 __loop1:
		.text:00010904                 mov     dl, [eax]
		.text:00010906                 inc     eax
		.text:00010907                 test    dl, dl
		.text:00010909                 jnz     short __loop1
		.text:0001090B                 sub     eax, ecx
		.text:0001090D                 push    esi
		.text:0001090E                 inc     eax
		.text:0001090F                 push    eax             ; NumberOfBytes
		.text:00010910                 push    0               ; PoolType
		.text:00010912                 call    ds:ExAllocatePool
		.text:00010918                 mov     esi, eax
		.text:0001091A                 mov     Pool, eax
		.text:0001091F                 mov     ecx, edi
		.text:00010921                 sub     esi, edi
		.text:00010923
		.text:00010923 __loop2:
		.text:00010923                 mov     dl, [ecx]
		.text:00010925                 mov     [esi+ecx], dl
		.text:00010928                 inc     ecx
		.text:00010929                 test    dl, dl
		.text:0001092B                 jnz     short __loop2
		.text:0001092D                 push    eax
		.text:0001092E                 call    strupr
		.text:00010933                 pop     esi
		.text:00010934
		.text:00010934 __exit:
		.text:00010934                 pop     edi
		.text:00010935                 pop     ebp
		.text:00010936                 retn    4
		.text:00010936 GetUpperCaseString endp
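As an added example (not code from the advisory or the vendor), a user-mode C model of the GetUpperCaseString routine listed above with the allocation check the driver lacked: alloc_fn stands in for ExAllocatePool so that pool exhaustion can be simulated, and the status codes are hypothetical stand-ins for NTSTATUS values.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Stand-in for ExAllocatePool; lets a test return NULL the way an
 * exhausted or maliciously sized pool request would. */
typedef void *(*alloc_fn)(size_t nbytes);

/* Hypothetical status codes modelled on NTSTATUS-style results. */
#define STATUS_SUCCESS                0
#define STATUS_INVALID_PARAMETER      1
#define STATUS_INSUFFICIENT_RESOURCES 2

/* Mirrors the driver's single global Pool variable reused across calls. */
static char *Pool = NULL;

/* Upper-cases a copy of input into Pool, following the listing's flow
 * (free old Pool, reject NULL/empty input, allocate strlen+1, copy,
 * upper-case), but fails cleanly instead of writing through a NULL
 * allocation. On success *out points at the new buffer. */
int get_upper_case_string(const char *input, alloc_fn allocate, char **out)
{
    *out = NULL;
    /* The original frees the previous buffer before reallocating. */
    if (Pool) { free(Pool); Pool = NULL; }
    /* The original also bails out on a NULL or empty input buffer. */
    if (input == NULL || input[0] == '\0')
        return STATUS_INVALID_PARAMETER;
    size_t len = strlen(input) + 1;          /* __loop1 + inc eax */
    char *buf = allocate(len);               /* ExAllocatePool(0, len) */
    /* The check missing from the vulnerable driver: allocation can fail. */
    if (buf == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    Pool = buf;
    for (size_t i = 0; i < len; i++)         /* __loop2 + strupr */
        buf[i] = (char)toupper((unsigned char)input[i]);
    *out = buf;
    return STATUS_SUCCESS;
}

/* Allocator that always fails, standing in for an exhausted non-paged pool. */
void *failing_alloc(size_t nbytes) { (void)nbytes; return NULL; }
```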

Fixed in KRegEx.sys - 13.0.10.427


		.text:0001149E ; int __stdcall HookNtOpenKey(int KeyHandle, int DesiredAccess, int ObjectAttributes)
		.text:0001149E HookNtOpenKey   proc near
		.text:0001149E
		.text:0001149E Object = dword ptr -4
		.text:0001149E KeyHandle = dword ptr  8
		.text:0001149E DesiredAccess = dword ptr  0Ch
		.text:0001149E ObjectAttributes = dword ptr  10h
		.text:0001149E
		.text:0001149E                 mov     edi, edi
		.text:000114A0                 push    ebp
		.text:000114A1                 mov     ebp, esp
		.text:000114A3                 push    ecx
		.text:000114A4                 and     [ebp+Object], 0
		.text:000114A8                 push    esi
		.text:000114A9                 mov     esi, [ebp+ObjectAttributes]
		.text:000114AC                 test    esi, esi
		.text:000114AE                 jnz     short __parameter_exists
		.text:000114B0                 push    esi
		.text:000114B1                 push    [ebp+DesiredAccess]
		.text:000114B4                 push    [ebp+KeyHandle]
		.text:000114B7                 call    RealNtOpenKey
		.text:000114BD                 jmp     short __exit
		.text:000114BF
		.text:000114BF __parameter_exists:
		.text:000114BF                 push    ebx
		.text:000114C0                 push    edi
		.text:000114C1                 mov     edi, offset Lookaside
		.text:000114C6                 push    edi             ; Lookaside
		.text:000114C7                 call    ExAllocateFromNPagedLookasideList
		.text:000114CC                 mov     ebx, eax
		.text:000114CE                 test    ebx, ebx
		.text:000114D0                 jnz     short __check
		.text:000114D2                 push    esi
		.text:000114D3                 push    [ebp+DesiredAccess]
		.text:000114D6                 push    [ebp+KeyHandle]
		.text:000114D9                 call    RealNtOpenKey
		.text:000114DF                 jmp     short __restore_regs
		.text:000114E1
		.text:000114E1 __check:
		.text:000114E1                 push    ebx
		.text:000114E2                 push    dword ptr [esi+8] ; SourceString
		.text:000114E5                 push    dword ptr [esi+4] ; Handle
		.text:000114E8                 call    ReferenceObject
		...
		
Copyright © 2008-2010 NT Internals. All rights reserved.