当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0145450
漏洞标题:
瑞星驱动protreg.sys存在一处DOS漏洞
相关厂商:
RiSing
漏洞作者:
iometer
提交时间:
2015-10-14 12:30
修复时间:
2016-01-12 15:48
公开时间:
2016-01-12 15:48
漏洞类型:
拒绝服务
危害等级:
自评Rank:
4
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-10-14: 细节已通知厂商并且等待厂商处理中
2015-10-14: 厂商已经确认,细节仅向厂商公开
2015-10-17: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-08: 细节向核心白帽子及相关领域专家公开
2015-12-18: 细节向普通白帽子公开
2015-12-28: 细节向实习白帽子公开
2016-01-12: 细节向公众公开

简要描述:

瑞星浏览器保护驱动protreg.sys,在Vista之后的系统上存在一处拒绝服务BUG,会导致系统BSOD.

详细说明:

瑞星浏览器保护驱动protreg.sys, 在NtBuildNumber>=6000的系统上会注册一个注册表回调,在该回调例程中对于注册表表根键的NtFlushKey的操作会触发一个

漏洞证明:

通过设置HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun下任意一个Value,其Name和Data的大小在0x400B, Data的大小大于0x220,就可以覆盖一处指针,该指针会被ExFree掉。

PCWSTR szKey_DisallowRun = L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun";
void __stdcall CMCALLBACK_BSOD_ROUTINE(PCWSTR KeyNameBuf)
{
	SIZE_T         KeyNameLength; 
	UNICODE_STRING KeyName; 
	ULONG          ResultLength = 0; 
	ULONG          i = 0; // [sp+10h] [bp-844h]@1
	PKEY_FULL_INFORMATION FullKeyInfo = NULL; 
	NTSTATUS Status = STATUS_UNSUCCESSFUL; 
	WCHAR    ValueNameBuf[256] = {0}; // [esp+1Ch] [ebp-838h] 
	WCHAR    ValueDataBuf[256] = {0}; // [esp+21Ch] [ebp-638h] 
	OBJECT_ATTRIBUTES obja = {0}; // [esp+420h] [ebp-434h]
	PKEY_VALUE_FULL_INFORMATION FullValueInfo = NULL; // [esp+438h]
	char           Unused[512] = {0}; 
	UNICODE_STRING ValueName; 
	ULONG          ValueNumbers = 0; 
	HANDLE         KeyHandle; 
	ULONG          Index = 0; 
	WCHAR          NameBuf[256] = {0}; 
	KeyNameLength = wcslen(KeyNameBuf);
	if ( KeyNameLength + wcslen(szKey_DisallowRun) + 1 <= 0x100 )
	{
		wcscpy(NameBuf, KeyNameBuf);
		wcscat(NameBuf, szKey_DisallowRun);
		RtlInitUnicodeString(&KeyName, NameBuf);
		InitializeObjectAttributes(&obja, &KeyName, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);
		
		Status = ZwOpenKey(&KeyHandle, 0xF003Fu, &obja);
		if ( NT_SUCCESS(Status) )
		{
			Status = ZwQueryKey(KeyHandle, KeyFullInformation, 0, 0, &ResultLength);
			if ( Status == STATUS_BUFFER_OVERFLOW || Status == STATUS_BUFFER_TOO_SMALL )
			{
				FullKeyInfo = (PKEY_FULL_INFORMATION)ExAllocatePool(NonPagedPool, ResultLength);
				if ( FullKeyInfo )
				{
					Status = ZwQueryKey(KeyHandle, KeyFullInformation, FullKeyInfo, ResultLength, &ResultLength);
					if ( NT_SUCCESS(Status) )
					{
						ValueNumbers = FullKeyInfo->Values;
						FullValueInfo = ExAllocatePool(NonPagedPool, 0x418);
						if ( FullValueInfo )
						{
							for ( Index = 0; Index < ValueNumbers; ++Index )
							{
								Status = ZwEnumerateValueKey(
								KeyHandle,
								Index,
								KeyValueFullInformation,
								FullValueInfo,
								0x418u,
								&ResultLength);
								if ( NT_SUCCESS(Status) )
								{
									memset(ValueNameBuf, 0, 0x200);
									memset(ValueDataBuf, 0, 0x200);
									memcpy(ValueNameBuf, FullValueInfo->Name, FullValueInfo->NameLength);
									memcpy(ValueDataBuf, (PCH)FullValueInfo + FullValueInfo->DataOffset, FullValueInfo->DataLength);//Buffer over flow
									for ( i = 0; ProcessNameList2[i]; ++i )
									{
										if ( !wcsicmp(ProcessNameList2[i], ValueDataBuf) )
										{
											RtlInitUnicodeString(&ValueName, ValueNameBuf);
											Status = ZwDeleteValueKey(KeyHandle, &ValueName);
											if ( Status >= 0 )
											{
												--Index;
												--ValueNumbers;
											}
										}
									}
								}
							}
							ZwClose(KeyHandle);
							ExFreePoolWithTag(FullKeyInfo, 0);
							ExFreePoolWithTag(FullValueInfo, 0);//BSOD
						}
						else
						{
							Status = STATUS_INSUFFICIENT_RESOURCES;
							ZwClose(KeyHandle);
							ExFreePoolWithTag(FullKeyInfo, 0);
						}
					}
					else
					{
						ZwClose(KeyHandle);
						ExFreePoolWithTag(FullKeyInfo, 0);
					}
				}
				else
				{
					Status = STATUS_INSUFFICIENT_RESOURCES;
					ZwClose(KeyHandle);
				}
			}
		}
	}
}

修复方案:

严格把控缓冲区的大小,不要随意执行内存复制操作.

版权声明:转载请注明来源 iometer@乌云

>

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2015-10-14 15:51

厂商回复:

3Q

最新状态:

暂无