
Title: NT drivers are potentially vulnerable to format string bug
Released by: Andrey Kolishak
Date: 21st February 2001

Many NT drivers are potentially vulnerable to a "format string bug".

The problem concerns the DbgPrint function, which is used for debug
messages. Instead of calling this function directly, some drivers use
additional intermediate functions. Those functions add a prefix to the
output string, resolve the format string and pass the final string to
DbgPrint. Note that DbgPrint also resolves format specifications
itself. A typical intermediate function looks like this:



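#include <ntddk.h>   /* DbgPrint, ULONG */
#include <stdarg.h>  /* va_list, va_start, va_end */
#include <stdio.h>   /* _vsnprintf */

void DebugMessage(const char * format, ...)
{
    char buf[1024];
    int outLen;
    ULONG PrefLen;
    va_list argptr;

    strcpy(buf, "DriverName: ");
    PrefLen = strlen(buf);
    /* First pass: expand the caller's format and arguments into buf. */
    va_start( argptr, format );
    outLen = _vsnprintf( buf+PrefLen, sizeof(buf)-PrefLen, format, argptr );
    va_end( argptr );
    /* Second pass: buf itself is handed to DbgPrint as a format string. */
    DbgPrint(buf);
}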



As you can see, it looks like clean code. But because DbgPrint itself
resolves format specifications, the DebugMessage function is
vulnerable. So the following function call is vulnerable:



DebugMessage("MajorFunction = %d, filename = %-*S\n",
    CurrentLocation->MajorFunction, FileObject->FileName.Length,
    FileObject->FileName.Buffer);
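The double formatting pass can be closed by handing the finished buffer to the output routine as data rather than as a format. The following is an added example, not code from the advisory or from any driver: sink_print is a user-mode stand-in for DbgPrint, and live_specifiers and debug_message_safe are hypothetical names. The file name in main is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_output[1024];  /* what the stand-in sink emitted last */

/* User-mode stand-in for DbgPrint (assumption): printf-style, records its output. */
static void sink_print(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(last_output, sizeof(last_output), format, ap);
    va_end(ap);
}

/* Count conversion specifiers that a second formatting pass would act on. */
size_t live_specifiers(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        if (s[1] != '\0') n++;
    }
    return n;
}

/* Hardened wrapper: format exactly once, then pass the result as an argument. */
const char *debug_message_safe(const char *format, ...)
{
    char buf[1024];
    size_t pref_len;
    va_list ap;

    strcpy(buf, "DriverName: ");
    pref_len = strlen(buf);
    va_start(ap, format);
    vsnprintf(buf + pref_len, sizeof(buf) - pref_len, format, ap);
    va_end(ap);
    sink_print("%s", buf);  /* in a driver: DbgPrint("%s", buf), never DbgPrint(buf) */
    return last_output;
}

int main(void)
{
    const char *out = debug_message_safe("filename = %s\n", "report%x%s.txt");
    printf("%s(%zu specifiers emitted as plain text)\n", out, live_specifiers(out));
    return 0;
}
```

A non-zero live_specifiers result on a buffer that has already been formatted marks a message that would be unsafe to pass to a second formatter as its format string.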



All drivers that use this technique and retain the debug messages in
the release build are potentially vulnerable to format string bugs.
Unfortunately, research into this problem shows that many drivers use
it. For example, NuMega's DriverWorks has a potentially vulnerable
class, KTrace. As a consequence, all drivers written with the
DriverWorks KTrace class that keep debug messages in the release build
are potentially vulnerable. The isapnp.sys driver that comes with
Windows 2000 also uses this technique.



The bug is highly dangerous because it can lead to a patch of the
kernel memory. You can download an example of an attack on the
vulnerability from http://www.securewave.com/ in the "Free downloads"
section. The example contains a simple vulnerable driver that calls
DebugMessage as described above and a small user-mode program that
exploits the driver vulnerability to patch the kernel. The patch allows
all the system security checks to be bypassed. Thus any user can gain
full access to any file, install and start drivers, and so on.





 Andrey Kolishak                         mailto:andr@sandy.ru







