Affected systems:
ArcaBit Sp. z o.o. ArcaVir 2009
Description:
BUGTRAQ ID: 35100
ArcaVir is a full-featured anti-virus product from Poland.
The ps_drv.sys driver shipped with the ArcaVir anti-virus product allows users to open the \\Device\\ps_drv device and issue IOCTLs using the METHOD_NEITHER buffering mode. A local user can pass a kernel address to the driver as a parameter to overwrite arbitrary addresses and execute arbitrary kernel-mode code. The following is an example of a vulnerable IOCTL handler:
seg000:00023F3C RootkitMemoryBlock proc near
seg000:00023F3C
seg000:00023F3C ArcaStruct = dword ptr -14h
seg000:00023F3C Buffer = dword ptr -10h
seg000:00023F3C InputBuffer = dword ptr -0Ch
seg000:00023F3C BufferLength = dword ptr -8
seg000:00023F3C Address = dword ptr -4
seg000:00023F3C
seg000:00023F3C push ebp
seg000:00023F3D mov ebp, esp
seg000:00023F3F sub esp, 14h
seg000:00023F42 mov [ebp+ArcaStruct], ecx
seg000:00023F45 push offset StrRootkitMemBlock ; "ROOTKIT_MEMBLOCK\n"
seg000:00023F4A call DbgPrint
seg000:00023F4F add esp, 4
seg000:00023F52 mov eax, [ebp+ArcaStruct]
seg000:00023F55 cmp [eax+_ARCA_STRUCT.InputBufferLength], 8
seg000:00023F5C jnz short @@invalid_input_buffer_size
seg000:00023F5E mov ecx, [ebp+ArcaStruct]
seg000:00023F61 cmp [ecx+_ARCA_STRUCT.Type3InputBuffer], 0
seg000:00023F68 jnz short @@check_passed_parameters
seg000:00023F6A
seg000:00023F6A @@invalid_input_buffer_size:
seg000:00023F6A push offset StrInvalidInputBufferSize ; "Zły rozmiar input bufora\n"
seg000:00023F6F call DbgPrint
seg000:00023F74 add esp, 4
seg000:00023F77 mov eax, STATUS_INVALID_BUFFER_SIZE
seg000:00023F7C jmp @@exit
seg000:00023F81
seg000:00023F81 @@check_passed_parameters:
seg000:00023F81 mov edx, [ebp+ArcaStruct]
seg000:00023F84 mov eax, [edx+_ARCA_STRUCT.Type3InputBuffer]
seg000:00023F8A mov ecx, [eax]
seg000:00023F8C mov edx, [eax+4]
seg000:00023F8F mov [ebp+InputBuffer], ecx
seg000:00023F92 mov [ebp+BufferLength], edx
seg000:00023F95 cmp [ebp+BufferLength], 0
seg000:00023F99 jnz short @@check_output_buffer
seg000:00023F9B push offset StrInvalidInputAddress ; "Zerowy rozmiar bufora do odczytu\n"
seg000:00023FA0 call DbgPrint
seg000:00023FA5 add esp, 4
seg000:00023FA8 mov eax, STATUS_INVALID_PARAMETER
seg000:00023FAD jmp @@exit
seg000:00023FB2
seg000:00023FB2 @@check_output_buffer:
seg000:00023FB2 mov eax, [ebp+ArcaStruct]
seg000:00023FB5 mov ecx, [eax+_ARCA_STRUCT.OutputBufferLength]
seg000:00023FBB cmp ecx, [ebp+BufferLength]
seg000:00023FBE jnz short @@invalid_output_buffer_size
seg000:00023FC0 mov edx, [ebp+ArcaStruct]
seg000:00023FC3 cmp [edx+_ARCA_STRUCT.UserBuffer], 0
seg000:00023FCA jnz short @@check_address
seg000:00023FCC
seg000:00023FCC @@invalid_output_buffer_size:
seg000:00023FCC push offset StrInvalidOutputBufferSize ; "Zły rozmiar output bufora\n"
seg000:00023FD1 call DbgPrint
seg000:00023FD6 add esp, 4
seg000:00023FD9 mov eax, STATUS_INVALID_BUFFER_SIZE
seg000:00023FDE jmp short @@exit
seg000:00023FE0
seg000:00023FE0 @@check_address:
seg000:00023FE0 mov eax, [ebp+InputBuffer]
seg000:00023FE3 mov [ebp+Buffer], eax
seg000:00023FE6 mov ecx, [ebp+BufferLength]
seg000:00023FE9 mov edx, [ebp+InputBuffer]
seg000:00023FEC lea eax, [edx+ecx-1]
seg000:00023FF0 mov [ebp+Address], eax
seg000:00023FF3 mov ecx, [ebp+Address]
seg000:00023FF6 push ecx
seg000:00023FF7 mov edx, [ebp+Buffer]
seg000:00023FFA push edx
seg000:00023FFB call CheckAddress
seg000:00024000 movsx eax, ax
seg000:00024003 test eax, eax
seg000:00024005 jnz short @@copy_memory
seg000:00024007 push offset StrInvalidMemoryRange ; "Niedostepny zakres pamięci\n"
seg000:0002400C call DbgPrint
seg000:00024011 add esp, 4
seg000:00024014 mov eax, STATUS_RANGE_NOT_FOUND
seg000:00024019 jmp short @@exit
seg000:0002401B
seg000:0002401B @@copy_memory:
seg000:0002401B mov ecx, [ebp+BufferLength]
seg000:0002401E push ecx
seg000:0002401F mov edx, [ebp+InputBuffer]
seg000:00024022 push edx
seg000:00024023 mov eax, [ebp+ArcaStruct]
seg000:00024026 mov ecx, [eax+_ARCA_STRUCT.UserBuffer]
seg000:0002402C push ecx
seg000:0002402D call memcpy
seg000:00024032 add esp, 0Ch
seg000:00024035 mov edx, [ebp+ArcaStruct]
seg000:00024038 mov eax, [edx+_ARCA_STRUCT.IoStatus]
seg000:0002403E mov ecx, [ebp+BufferLength]
seg000:00024041 mov [eax+_IO_STATUS_BLOCK.Information], ecx
seg000:00024044 mov edx, [ebp+ArcaStruct]
seg000:00024047 mov eax, [edx+_ARCA_STRUCT.IoStatus]
seg000:0002404D mov [eax+_IO_STATUS_BLOCK.Status], 0
seg000:00024053 xor eax, eax
seg000:00024055
seg000:00024055 @@exit:
seg000:00024055 mov esp, ebp
seg000:00024057 pop ebp
seg000:00024058 retn
seg000:00024058 RootkitMemoryBlock endp
<* Source: NT Internals
Link: http://ntinternals.org/ntiadv0814/ntiadv0814.html
*>
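As an added illustration (not ArcaBit's code and not part of the NT Internals advisory), the portable C below models the parameter checks RootkitMemoryBlock should perform before its memcpy: with METHOD_NEITHER the I/O manager validates nothing, so the pointer to the 8-byte input, the source range it names and the UserBuffer destination must each lie entirely in user space and must not wrap. The 0x7FFF0000 boundary, the request struct layout and the status value for the rejected cases are assumptions standing in for MmUserProbeAddress and ProbeForRead/ProbeForWrite on 32-bit Windows.

```c
#include <stdint.h>

/* NTSTATUS values; the first three are the ones the listing returns. */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INVALID_PARAMETER    0xC000000Du
#define STATUS_INVALID_BUFFER_SIZE  0xC0000206u
#define STATUS_ACCESS_VIOLATION     0xC0000005u   /* assumed for rejected ranges */

/* Assumed 32-bit x86 split: addresses at or above this are not user-mode.
 * A real driver compares against MmUserProbeAddress via ProbeForRead/Write. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Model of the request as the handler sees it. In METHOD_NEITHER both
 * type3_input_buffer and user_buffer are raw, unvalidated user pointers. */
typedef struct {
    uint32_t type3_input_buffer;   /* user pointer to {src_address, length} */
    uint32_t input_buffer_length;
    uint32_t user_buffer;          /* user pointer that receives the copy */
    uint32_t output_buffer_length;
} ioctl_request_t;

/* The check the original lacks: [addr, addr+len) must be non-empty, must not
 * wrap around the 32-bit address space, and must end in user space. */
static int range_is_user_mode(uint32_t addr, uint32_t len)
{
    if (len == 0) return 0;
    if (addr > UINT32_MAX - len) return 0;        /* addr + len would overflow */
    return addr + len <= USER_PROBE_ADDRESS;
}

/* Hardened validation for the ROOTKIT_MEMBLOCK request. 'input' is the
 * captured copy of the 8-byte {src, len} pair; in-kernel code would probe
 * type3_input_buffer and copy it out before trusting either value. */
uint32_t validate_memblock_request(const ioctl_request_t *req, const uint32_t input[2])
{
    if (req->input_buffer_length != 8 || req->type3_input_buffer == 0)
        return STATUS_INVALID_BUFFER_SIZE;
    if (!range_is_user_mode(req->type3_input_buffer, 8))
        return STATUS_ACCESS_VIOLATION;           /* the pointer itself is bad */
    uint32_t src = input[0], len = input[1];
    if (len == 0)
        return STATUS_INVALID_PARAMETER;
    if (req->output_buffer_length != len || req->user_buffer == 0)
        return STATUS_INVALID_BUFFER_SIZE;
    /* The listing only asks CheckAddress whether src..src+len-1 is mapped,
     * which a kernel address satisfies, and never checks user_buffer at all. */
    if (!range_is_user_mode(src, len) || !range_is_user_mode(req->user_buffer, len))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}
```

If the driver legitimately has to expose kernel memory to its own user-mode component, the fix is a restrictive ACL on the device object rather than accepting caller-supplied kernel pointers.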
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
http://milw0rm.com/sploits/2009-PsDrv_Exp.zip
Recommendation:
Vendor patch:
ArcaBit Sp. z o.o.
——————
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage: