" v& I0 F$ Y% M& _2 e( U 6 E3 d3 @* s# b+ t" m! {; V
% K5 z$ v: H8 K9 I R/ g
The function at 0x10024C20 is responsible for dispatching ioctl codes:
.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6Ap
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31 = byte ptr -31h
.text:10024C20 var_30 = dword ptr -30h
.text:10024C20 some_var = dword ptr -2Ch
.text:10024C20 var_28 = dword ptr -28h
.text:10024C20 var_24 = byte ptr -24h
.text:10024C20 var_5 = byte ptr -5
.text:10024C20 var_4 = dword ptr -4
.text:10024C20 ioctl = dword ptr 8
.text:10024C20 inbuff = dword ptr 0Ch
.text:10024C20 inbuff_size = dword ptr 10h
.text:10024C20 outbuff_size = dword ptr 14h
.text:10024C20 bytes_to_return = dword ptr 18h
.text:10024C20
.text:10024C20 push ebp
.text:10024C21 mov ebp, esp
.text:10024C23 sub esp, 3Ch
.text:10024C26 mov eax, BugCheckParameter2
.text:10024C2B xor eax, ebp
.text:10024C2D mov [ebp+var_4], eax
.text:10024C30 mov eax, [ebp+ioctl]
.text:10024C33 push ebx
.text:10024C34 mov ebx, [ebp+inbuff]
.text:10024C37 push esi
.text:10024C38 mov esi, [ebp+bytes_to_return]
.text:10024C3B add eax, 7FFDDFD8h
.text:10024C40 push edi
.text:10024C41 mov edi, ecx
.text:10024C43 mov [ebp+some_var], esi
.text:10024C46 mov [ebp+var_28], 0
.text:10024C4D cmp eax, 0A4h ; switch 165 cases
.text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
.text:10024C58 movzx eax, ds:byte_10025BF0[eax]
.text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump
[..]

0x80022058 case: no check for outbuff_size == 0! <--- FLAW!

.text:10024F5A lea ecx, [edi+958h]
.text:10024F60 call sub_100237B0
.text:10024F65 mov [ebp+some_var], eax
.text:10024F68 test eax, eax
.text:10024F6A jnz short loc_10024F7D
.text:10024F6C mov dword ptr [ebx], 0FFFFCFFAh
.text:10024F72 mov dword ptr [esi], 10h <--- bytes to copy to output buffer
Next, in IofCompleteRequest, a rep movsd will copy those bytes to a pointer that is under the attacker's control.

Due to the type of vulnerability (METHOD_BUFFERED with output_size == 0), the exploit works only on Windows XP/2k3, because in later Windows versions the I/O manager doesn't craft an IRP if the ioctl is METHOD_BUFFERED and output_size == 0.
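To make the flaw class concrete from the defender's side, here is an added user-mode model (not the page's code and not the Symantec driver's code) of the METHOD_BUFFERED contract the text describes: the driver stores a byte count in IoStatus.Information and the I/O manager later copies that many bytes back to the caller, trusting the driver. The flawed handler mirrors the 0x80022058 case (Information = 0x10 regardless of OutputBufferLength); the hardened handler rejects requests whose output buffer cannot hold the result. The type and function names (model_irp_t, vulnerable_handler, hardened_handler, model_complete) and the status constants are assumptions for the illustration, and the fixed-size system buffer keeps the model itself memory-safe.

```c
/*
 * Constructed model of a METHOD_BUFFERED ioctl and its completion copy.
 * Added example; not code from the page or from the driver it discusses.
 * All names and status values here are assumptions for the illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_STATUS_SUCCESS          0
#define MODEL_STATUS_BUFFER_TOO_SMALL 1   /* constructed stand-in for STATUS_BUFFER_TOO_SMALL */
#define RESULT_BYTES                  16  /* the 0x10 the disassembly stores to *bytes_to_return */

/* Constructed stand-in for the parts of an IRP the lesson needs. */
typedef struct {
    uint8_t system_buffer[64]; /* stand-in for the shared in/out SystemBuffer; fixed size keeps the model safe */
    size_t  input_len;         /* InputBufferLength supplied by the caller */
    size_t  output_len;        /* OutputBufferLength supplied by the caller (0 in the flawed case) */
    size_t  information;       /* IoStatus.Information: bytes the driver asks to be copied back */
    int     status;
} model_irp_t;

void model_irp_init(model_irp_t *irp, size_t input_len, size_t output_len) {
    memset(irp, 0, sizeof(*irp));
    irp->input_len = input_len;
    irp->output_len = output_len;
}

/* Driver-side result: a status DWORD plus zero padding, 16 bytes in all. */
static void write_result(model_irp_t *irp) {
    uint32_t code = 0xFFFFCFFAu;  /* the error code the disassembly stores to the buffer */
    memset(irp->system_buffer, 0, RESULT_BYTES);
    memcpy(irp->system_buffer, &code, sizeof code);
}

/* Flawed pattern mirroring the 0x80022058 case: Information is set to 16
 * no matter how large (or empty) the caller's output buffer is. */
void vulnerable_handler(model_irp_t *irp) {
    write_result(irp);
    irp->information = RESULT_BYTES;
    irp->status = MODEL_STATUS_SUCCESS;
}

/* Hardened pattern: refuse the request when the output buffer cannot hold the
 * result, and never report more bytes than the caller actually provided. */
void hardened_handler(model_irp_t *irp) {
    if (irp->output_len < RESULT_BYTES) {
        irp->information = 0;
        irp->status = MODEL_STATUS_BUFFER_TOO_SMALL;
        return;
    }
    write_result(irp);
    irp->information = RESULT_BYTES;
    irp->status = MODEL_STATUS_SUCCESS;
}

/* Model of the I/O manager's completion copy: it moves Information bytes from the
 * system buffer into the caller's buffer (user_out, output_len bytes long, may be
 * NULL when output_len is 0). The copy is clamped so this model cannot overflow;
 * the return value is how many bytes the real copy would have written past the
 * end of the caller's buffer (0 means the completion stays in bounds). */
size_t model_complete(const model_irp_t *irp, uint8_t *user_out) {
    size_t to_copy = irp->information < irp->output_len ? irp->information : irp->output_len;
    if (user_out != NULL && to_copy > 0)
        memcpy(user_out, irp->system_buffer, to_copy);
    return irp->information > irp->output_len ? irp->information - irp->output_len : 0;
}

int main(void) {
    model_irp_t irp;
    uint8_t out[RESULT_BYTES];

    model_irp_init(&irp, 4, 0);            /* caller passes no output buffer */
    vulnerable_handler(&irp);
    printf("flawed handler, output_len=0: overrun %zu bytes\n", model_complete(&irp, NULL));

    model_irp_init(&irp, 4, 0);
    hardened_handler(&irp);
    printf("hardened handler, output_len=0: status %d, overrun %zu bytes\n",
           irp.status, model_complete(&irp, NULL));

    model_irp_init(&irp, 4, sizeof out);   /* caller supplies a correctly sized buffer */
    hardened_handler(&irp);
    printf("hardened handler, output_len=16: status %d, overrun %zu bytes\n",
           irp.status, model_complete(&irp, out));
    return 0;
}
```

The check that matters is the one against output_len before Information is set: the completion path has no way to know the driver lied, so the driver's own length validation is the only thing standing between a zero-length caller buffer and a 16-byte copy to wherever the caller pointed.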
Symantec stated that the vulnerability is fixed in the February patch release.

Related reading:

Symantec's PGP Whole Disk Encryption provides enterprises with comprehensive, high-performance full disk encryption, encrypting all data on desktops, laptops and removable media (user files, swap files, system files, hidden files, and so on). This full disk encryption software protects data from unauthorized access, providing strong security for intellectual property and for customer and partner data. Protected systems can be centrally managed by PGP Universal Server, which simplifies deployment, policy creation, distribution and reporting.