Title: NT drivers are potentially vulnerable to format string bug
Released by: Andrey Kolishak
Date: 21st February 2001
Many NT drivers are potentially vulnerable to a "format string bug".
The problem concerns the DbgPrint function, which is used for debug
messages. Instead of calling this function directly, some drivers use
additional intermediate functions. Those functions add a prefix to the
output string, resolve the string format and pass the final string to
DbgPrint. Note that DbgPrint also resolves format specifications
itself. A typical intermediate function looks like this:
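#include <ntddk.h>
#include <stdarg.h>
#include <stdio.h>

void DebugMessage(const char * format, ...)
{
    char buf[1024];
    int outLen;
    ULONG PrefLen;
    va_list argptr;

    /* Start with the driver prefix. */
    strcpy(buf, "DriverName: ");
    PrefLen = (ULONG)strlen(buf);

    /* First pass: expand the caller's format after the prefix. */
    va_start( argptr, format );
    outLen = _vsnprintf( buf+PrefLen, sizeof(buf)-PrefLen, format, argptr );
    va_end( argptr );
    buf[sizeof(buf)-1] = '\0'; /* _vsnprintf does not terminate on truncation */

    /* buf is passed as the format string, so DbgPrint resolves it a second time. */
    DbgPrint(buf);
}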
As you can see, it looks like clean code. But since DbgPrint resolves
the format of the string it receives, the DebugMessage function is
vulnerable: the text it has already formatted is interpreted as a
format string a second time. So the following function call is
vulnerable:
DebugMessage("MajorFunction = %d, filename = %-*S\n",
             CurrentLocation->MajorFunction, FileObject->FileName.Length,
             FileObject->FileName.Buffer);
All drivers that use this technique and retain the debug messages in
the release build are potentially vulnerable to format string bugs.
Unfortunately, research into this problem shows that many drivers use
it. For example, NuMega's DriverWorks has a potentially vulnerable
class, KTrace. Consequently, all drivers written with the DriverWorks
KTrace class that keep debug messages in the release build are
potentially vulnerable. The isapnp.sys driver that comes with Windows
2000 also uses this technique.
The bug is highly dangerous because it can lead to patching of kernel
memory. You can download an example of an attack on the vulnerability
from the "Free downloads" section of http://www.securewave.com/. The
example contains a simple vulnerable driver that calls DebugMessage as
described above and a small user-mode program that exploits the driver
vulnerability to patch the kernel. The patch allows all the system
security checks to be bypassed. Thus any user can gain full access to
any file, install and start drivers, and so on.
Andrey Kolishak mailto:andr@sandy.ru