|Main Archive Page > Month Archives > full-disclosure-uk archives|
Please find attached a detailed advisory of the vulnerability.
Alternatively, the advisory can also be found at: http://www.trapkit.de/advisories/TKADV2008-008.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Advisory: G DATA AntiVirus/InternetSecurity/TotalCare 2008 GDTdiIcpt.sys Memory Corruption Vulnerability Advisory ID: TKADV2008-008 Revision: 1.0 Release Date: 2008/09/17 Last Modified: 2008/09/17 Date Reported: 2007/11/29 Author: Tobias Klein (tk at trapkit.de) Affected Software: G DATA AntiVirus 2008 G DATA InternetSecurity 2008 G DATA TotalCare 2008 Remotely Exploitable: No
Locally Exploitable: Yes Vendor URL: http://www.gdata.de/ Vendor Status: Vendor has released an updated version Patch development time: 294 days
The kernel driver GDTdiIcpt.sys shipped with G DATA AntiVirus/Internet Security/TotalCare 2008 contains a vulnerability in the code that handles IOCTL requests. Exploitation of this vulnerability can result in:
The issue can be triggered by sending a specially crafted IOCTL request.
The IOCTL call 0x8317001c of the GDTdiIcpt.sys kernel driver accepts user supplied input that doesn't get validated. In consequence it is possible to fill different kernel registers with arbitrary values. These register values are further on used as parameters for different functions of the windows kernel (e.g. KeSetEvent). If these parameters are carefully crafted it is possible to force the windows kernel into performing a memory corruption that leads to full control of the kernel execution flow.
Disassembly of GDTdiIcpt.sys (Windows Vista 32bit version):
.text:00012510 cmp [ebp+arg_18], 8317001Ch
.text:0001251D mov ebx, [ebp+arg_10] <-- 
.text:00012520 mov esi, [ebp+arg_8]
.text:00012523 push 7
.text:00012525 pop ecx
.text:00012526 mov edi, ebx
.text:00012528 rep movsd
.text:0001252B test byte ptr [ebx+2], 8
.text:0001252F jnz short loc_12598
 The user controlled input gets copied into the EBX register without
any input validation
Example for an exploitable code path:
.text:00012531 mov esi, [ebx+3] <-- 
.text:00012566 mov edi, [esi+8] <-- 
.text:0001257E push 0
.text:00012580 push 0
.text:00012582 push dword ptr [edi] <-- 
.text:00012584 call ds:KeSetEvent
[...]  The ESI register is filled with the user supplied data (from EBX)  The EDI register is also filled with the user supplied data  The user supplied value of EDI is used as a parameter for the
KeSetEvent kernel function
With enough crafting, the user supplied argument to the KeSetEvent kernel function can be used to hijack the execution flow of the kernel.
Upgrade to G DATA AntiVirus/InternetSecurity/TotalCare 2009.
time to G DATA. 2008/01/03 - Status update request 2008/01/03 - Status update from vendor 2007/02/12 - Status update request (no response) 2007/02/26 - Status update request (no response) 2007/02/28 - Status update from vendor 2008/09/17 - Update released by the vendor 2008/09/17 - Full technical details released to general public
Vulnerability found and advisory written by Tobias Klein.
Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Copyright 2008 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----