G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability

2010-11-06T00:00:00
ID EDB-ID:15444
Type exploitdb
Reporter Nikita Tarakanov
Modified 2010-11-06T00:00:00

Description

G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability. DoS exploit for the Windows platform

                                        
                                            1.Description:

The HookCentre.sys kernel driver distributed with G Data TotalCare 2011
contains a race condition vulnerability in its handling of the arguments of
the NtOpenKey function.
Exploitation of this issue allows an attacker to crash the system (the infamous
BSoD) or gain escalated privileges.
An attacker would need local access to a vulnerable computer to exploit this
vulnerability.


Affected application: G Data TotalCare 2011, up-to-date version 21.1.0.5.
Affected file: HookCentre.sys version 10.0.8.11.
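The bug class described above is a kernel double fetch: a hook driver validates a user-supplied NtOpenKey argument, then re-reads it from user memory before using it, so a second thread can change the argument in between. The following user-mode C program is an added illustration, not code from this advisory or from G Data, and models that pattern against a constructed NtOpenKey-style name argument with a simulated racing reader, with the capture-once fix beside it. The struct, the function names and the reader callback are assumptions made for the demonstration. In a real Windows driver the fix is the same idea: copy the argument into kernel memory once (ProbeForRead and the copy inside __try/__except), validate only the copy, and never touch the user pointer again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the user-supplied object name that reaches an
 * NtOpenKey hook (a UNICODE_STRING-like length/buffer pair). Hypothetical
 * type for this demonstration, not the driver's own. */
struct ustr {
    uint16_t length;      /* byte count the caller claims for buffer */
    const char *buffer;   /* user-mode pointer */
};

#define KBUF_MAX 64       /* size of the kernel-side copy */

enum outcome { OUT_OK = 0, OUT_REJECTED = 1, OUT_WOULD_OVERFLOW = 2 };

/* Every read of the user argument goes through a reader callback so that a
 * racing thread can be simulated deterministically. A real driver simply
 * dereferences the pointer; the race is the same. */
typedef struct ustr (*fetch_fn)(const struct ustr *user, void *ctx);

/* Vulnerable pattern (double fetch): the length is validated on one read of
 * user memory and then used on a second read of the same memory. */
enum outcome hook_double_fetch(const struct ustr *user, fetch_fn fetch,
                               void *ctx, char *kbuf)
{
    if (fetch(user, ctx).length > KBUF_MAX)        /* read 1: check */
        return OUT_REJECTED;
    struct ustr now = fetch(user, ctx);             /* read 2: use   */
    if (now.length > KBUF_MAX) {
        /* A driver would memcpy here and overrun kbuf (or fault on a bad
         * buffer, as in the crash dump below); this demo reports instead. */
        return OUT_WOULD_OVERFLOW;
    }
    memcpy(kbuf, now.buffer, now.length);
    return OUT_OK;
}

/* Hardened pattern (capture once): copy the argument into memory the caller
 * cannot touch, validate the copy, and use only the copy. */
enum outcome hook_capture_once(const struct ustr *user, fetch_fn fetch,
                               void *ctx, char *kbuf)
{
    struct ustr captured = fetch(user, ctx);        /* the only read */
    if (captured.length > KBUF_MAX)
        return OUT_REJECTED;
    memcpy(kbuf, captured.buffer, captured.length);
    return OUT_OK;
}

/* Reader for a well-behaved caller: user memory never changes. */
struct ustr fetch_stable(const struct ustr *user, void *ctx)
{
    (void)ctx;
    return *user;
}

/* Reader that models a concurrent thread rewriting the length after the
 * first read has passed validation. */
struct racer { int reads; uint16_t late_length; };

struct ustr fetch_racing(const struct ustr *user, void *ctx)
{
    struct racer *r = ctx;
    struct ustr seen = *user;
    if (r->reads++ > 0)
        seen.length = r->late_length;   /* every read after the first */
    return seen;
}

/* Constructed registry path, the kind of name an NtOpenKey caller passes. */
static const char kName[] = "\\Registry\\Machine\\Software\\Example";

/* Runs both hooks against the racing reader; returns the two outcomes packed
 * as (double_fetch << 4) | capture_once so a test can check them together. */
int run_race_demo(void)
{
    struct ustr user = { (uint16_t)sizeof kName, kName };
    char kbuf[KBUF_MAX];
    struct racer r = { 0, 0xFFFF };
    enum outcome a = hook_double_fetch(&user, fetch_racing, &r, kbuf);
    r.reads = 0;
    enum outcome b = hook_capture_once(&user, fetch_racing, &r, kbuf);
    return (a << 4) | b;
}

/* Same argument with no race: both hooks accept it. */
int run_stable_demo(void)
{
    struct ustr user = { (uint16_t)sizeof kName, kName };
    char kbuf[KBUF_MAX];
    enum outcome a = hook_double_fetch(&user, fetch_stable, NULL, kbuf);
    enum outcome b = hook_capture_once(&user, fetch_stable, NULL, kbuf);
    return (a << 4) | b;
}

int main(void)
{
    int race = run_race_demo(), stable = run_stable_demo();
    printf("racing : double-fetch=%d capture-once=%d\n", race >> 4, race & 0xF);
    printf("stable : double-fetch=%d capture-once=%d\n", stable >> 4, stable & 0xF);
    return 0;
}
```

The racing run shows the two patterns diverging on identical input: the double-fetch hook passes its check on the first read and would then copy 0xFFFF bytes on the second, while the capture-once hook only ever sees the value it validated. The stable run confirms both accept a well-formed argument, so the fix costs nothing for honest callers.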

2. Crash dump info:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80536913, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  90909090

FAULTING_IP:
nt!memcpy+33
80536913 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  hookfuzz.exe

TRAP_FRAME:  f06f7c24 -- (.trap 0xfffffffff06f7c24)
ErrCode = 00000000
eax=909090ea ebx=0012ff08 ecx=00000016 edx=00000002 esi=90909090 edi=81ae5d2c
eip=80536913 esp=f06f7c98 ebp=f06f7ca0 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
80536913 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc

STACK_TEXT:
f06f7760 804f7b9d 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
f06f77ac 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
f06f7b8c 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
f06f7bac 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
f06f7c0c 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
f06f7c0c 80536913 00000000 90909090 00000000 nt!KiTrap0E+0xcc
f06f7ca0 f9cbc7d5 81ae5d2c 90909090 0000005a nt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
f06f7cc0 f9cbd818 0012ff08 0012ff08 00000000 HookCentre+0x7d5
f06f7cd8 f9cbddd2 00000001 00000188 000006cc HookCentre+0x1818
f06f7d28 f9cbe50b 00000188 000006cc 000007d8 HookCentre+0x1dd2
f06f7d50 8053d638 0012ff04 00020000 00000000 HookCentre+0x250b
f06f7d50 7c90e4f4 0012ff04 00020000 00000000 nt!KiFastCallEntry+0xf8
0012fec4 7c90d5bc 004010d0 0012ff04 00020000 ntdll!KiFastSystemCallRet
0012fec8 004010d0 0012ff04 00020000 0012feec ntdll!ZwOpenKey+0xc
0012ff70 00401622 00000001 00342e68 00342e98 hookfuzz!wmain+0xd0
0012ffc0 7c817067 fdd46ae8 01cb4211 7ffdd000 hookfuzz!__tmainCRTStartup+0x15e
0012fff0 00000000 00401679 00000000 78746341 kernel32!BaseProcessStart+0x23


STACK_COMMAND:  kb

FOLLOWUP_IP:
HookCentre+7d5
f9cbc7d5 83c40c          add     esp,0Ch

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  HookCentre+7d5

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: HookCentre

IMAGE_NAME:  HookCentre.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c75a6b8

FAILURE_BUCKET_ID:  0x50_HookCentre+7d5

BUCKET_ID:  0x50_HookCentre+7d5

Followup: MachineOwner
---------



3. The PoC is in the NtOpenKey_poc.zip file.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/15444.zip (NtOpenKey_poc.zip)