-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: G DATA AntiVirus/InternetSecurity/TotalCare 2008 GDTdiIcpt.sys Memory Corruption Vulnerability Advisory ID: TKADV2008-008 Revision: 1.0 Release Date: 2008/09/17 Last Modified: 2008/09/17 Date Reported: 2007/11/29 Author: Tobias Klein (tk at trapkit.de) Affected Software: G DATA AntiVirus 2008 G DATA InternetSecurity 2008 G DATA TotalCare 2008 Remotely Exploitable: No Locally Exploitable: Yes Vendor URL: http://www.gdata.de/ Vendor Status: Vendor has released an updated version Patch development time: 294 days ====================== Vulnerability details: ====================== The kernel driver GDTdiIcpt.sys shipped with G DATA AntiVirus/Internet Security/TotalCare 2008 contains a vulnerability in the code that handles IOCTL requests. Exploitation of this vulnerability can result in: 1) local denial of service attacks (system crash due to a kernel panic), or 2) local execution of arbitrary code at the kernel level (complete system compromise) The issue can be triggered by sending a specially crafted IOCTL request. ====================== Technical description: ====================== The IOCTL call 0x8317001c of the GDTdiIcpt.sys kernel driver accepts user supplied input that doesn't get validated. In consequence it is possible to fill different kernel registers with arbitrary values. These register values are further on used as parameters for different functions of the windows kernel (e.g. KeSetEvent). If these parameters are carefully crafted it is possible to force the windows kernel into performing a memory corruption that leads to full control of the kernel execution flow. Disassembly of GDTdiIcpt.sys (Windows Vista 32bit version): [...] .text:00012510 cmp [ebp+arg_18], 8317001Ch [...] .text:0001251D mov ebx, [ebp+arg_10] <-- [1] .text:00012520 mov esi, [ebp+arg_8] .text:00012523 push 7 .text:00012525 pop ecx .text:00012526 mov edi, ebx .text:00012528 rep movsd .text:0001252A movsb .text:0001252B test byte ptr [ebx+2], 8 .text:0001252F jnz short loc_12598 [...] [1] The user controlled input gets copied into the EBX register without any input validation Example for an exploitable code path: [...] .text:00012531 mov esi, [ebx+3] <-- [2] [...] .text:00012566 mov edi, [esi+8] <-- [3] [...] .text:0001257E push 0 .text:00012580 push 0 .text:00012582 push dword ptr [edi] <-- [4] .text:00012584 call ds:KeSetEvent [...] [2] The ESI register is filled with the user supplied data (from EBX) [3] The EDI register is also filled with the user supplied data [4] The user supplied value of EDI is used as a parameter for the KeSetEvent kernel function With enough crafting, the user supplied argument to the KeSetEvent kernel function can be used to hijack the execution flow of the kernel. ========= Solution: ========= Upgrade to G DATA AntiVirus/InternetSecurity/TotalCare 2009. http://www.gdata.de/ ======== History: ======== 2007/11/29 - Vendor notified using info@gdata.de 2007/12/01 - Vendor response (Customer Support) 2007/12/03 - Vendor response (QA) 2007/12/03 - Asking for a PGP key 2007/12/06 - Vendor response with PGP key. Detailed vulnerability information sent to G DATA. 2007/12/17 - Status update request 2007/12/18 - Status update from vendor. Detailed information sent a 2nd time to G DATA. 2008/01/03 - Status update request 2008/01/03 - Status update from vendor 2007/02/12 - Status update request (no response) 2007/02/26 - Status update request (no response) 2007/02/28 - Status update from vendor 2008/09/17 - Update released by the vendor 2008/09/17 - Full technical details released to general public ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://www.gdata.de/ [2] http://www.trapkit.de/advisories/TKADV2008-008.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- wj8DBQFI0U8mkXxgcAIbhEERAltuAKCS4sgBzS+t7G2DBQAXQ/OgKzlr2ACbBpX2 uFw+/y+ruFlEIoGU/wd0GYo= =XRWj -----END PGP SIGNATURE-----