NT drivers are potentially vulnerable to format string bug

2001-02-22T00:00:00
ID SECURITYVULNS:DOC:1310
Type securityvulns
Reporter Securityvulns
Modified 2001-02-22T00:00:00

Description

Many NT drivers are potentially vulnerable to "format string bug". The problem is concerned with DbgPrint function that is used for debug messages. Some drivers instead of directly call of this function use additional intermediate functions. Those functions add a prefix to an outputted string, resolve a string format and pass the final string to DbgPrint. Note the DbgPrint also additionally resolves format specifications. A typical intermediate function looks like this:

void DebugMessage(const char * format, ...) { char buf[1024]; int outLen; ULONG PrefLen; va_list argptr;

 strcpy(buf, "DriverName: ");
 PrefLen = strlen(buf);
 va_start( argptr, format );
 outLen = _vsnprintf( buf+PrefLen, sizeof(buf)-PrefLen, format, argptr );
 va_end( argptr );
 DbgPrint(buf);

}

As you can see it looks like clean code. But since DbgPrint function uses string format resolving the DebugMessage function is vulnerable. So the following function call is vulnerable:

DebugMessage("MajorFunction = %d, filename = "%-*S\n", CurrentLocation->MajorFunction, FileObject->FileName. Length, FileObject->FileName.Buffer);

All drivers that use such technique and retain the debug messages in the release build are potentially vulnerable to format string behaviors. Unfortunately researching of this problem shows that many drivers use it. For example, NuMega's DriverWorks has a potentially vulnerable class KTrace. In consequence all drivers written with DriverWorks KTrace class and debug messages in the release build are potentially vulnerable. The isapnp.sys driver coming with Windows 2000 also use such technique.

The bug is highly dangerous because it can leads to a possible patch of the kernel memory. You can download the example of an attack on the vulnerability here: http://www.securewave.com/ on "Free downloads" section. The example contains a simple vulnerable driver that calls DebugMessage as described above and a small user mode program that exploits a driver vulnerability to patch the kernel. The patch allows bypass all the system security checks. Thus any user can gain full access for any file, install and start drivers and so on.

Andrey Kolishak mailto:andr@sandy.ru