Full Disclosure mailing list archives

[TKADV2008-008] G DATA AntiVirus/InternetSecurity/TotalCare 2008 GDTdiIcpt.sys Memory Corruption Vulnerability


From: Tobias Klein <tk () trapkit de>
Date: Thu, 18 Sep 2008 22:48:53 +0200

Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-008.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               G DATA AntiVirus/InternetSecurity/TotalCare 2008 
                        GDTdiIcpt.sys Memory Corruption Vulnerability
Advisory ID:            TKADV2008-008
Revision:               1.0              
Release Date:           2008/09/17 
Last Modified:          2008/09/17 
Date Reported:          2007/11/29
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      G DATA AntiVirus 2008
                        G DATA InternetSecurity 2008
                        G DATA TotalCare 2008
Remotely Exploitable:   No
Locally Exploitable:    Yes 
Vendor URL:             http://www.gdata.de/
Vendor Status:          Vendor has released an updated version         
Patch development time: 294 days


======================
Vulnerability details:
======================

The kernel driver GDTdiIcpt.sys shipped with G DATA AntiVirus/Internet 
Security/TotalCare 2008 contains a vulnerability in the code that handles 
IOCTL requests. Exploitation of this vulnerability can result in:

1) local denial of service attacks (system crash due to a kernel panic), or

2) local execution of arbitrary code at the kernel level (complete system 
   compromise)

The issue can be triggered by sending a specially crafted IOCTL request.


======================
Technical description:
======================

The IOCTL call 0x8317001c of the GDTdiIcpt.sys kernel driver accepts user-
supplied input without validating it. As a consequence, several kernel 
registers can be loaded with arbitrary values. These register values are 
subsequently used as parameters to functions of the Windows kernel (e.g. 
KeSetEvent). With carefully crafted parameters, the Windows kernel can be 
forced into a memory corruption that leads to full control of the kernel 
execution flow.

Disassembly of GDTdiIcpt.sys (Windows Vista 32-bit version):

[...]
.text:00012510                 cmp     [ebp+arg_18], 8317001Ch
[...]
.text:0001251D                 mov     ebx, [ebp+arg_10]  <-- [1]
.text:00012520                 mov     esi, [ebp+arg_8]
.text:00012523                 push    7
.text:00012525                 pop     ecx
.text:00012526                 mov     edi, ebx
.text:00012528                 rep movsd
.text:0001252A                 movsb
.text:0001252B                 test    byte ptr [ebx+2], 8
.text:0001252F                 jnz     short loc_12598
[...]

[1] The user-controlled input is copied, without any input validation, into
    the structure addressed by EBX (the rep movsd / movsb sequence)

Example of an exploitable code path:

[...]   
.text:00012531                 mov     esi, [ebx+3]  <-- [2]
[...]
.text:00012566                 mov     edi, [esi+8]  <-- [3]
[...]
.text:0001257E                 push    0             
.text:00012580                 push    0              
.text:00012582                 push    dword ptr [edi]  <-- [4]
.text:00012584                 call    ds:KeSetEvent
[...]

[2] The ESI register is filled with the user-supplied data (from EBX)
[3] The EDI register is also filled with the user-supplied data
[4] The user-supplied value of EDI is used as a parameter for the 
    KeSetEvent kernel function

With enough crafting, the user supplied argument to the KeSetEvent kernel 
function can be used to hijack the execution flow of the kernel.
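As an added illustration (not part of this advisory and not G DATA's code), the following portable user-mode C model shows the two checks the handler above lacks: a length check before the fixed 29-byte copy, and treating the dword at offset 3 as untrusted data that is resolved through a driver-owned table instead of being dereferenced as a kernel pointer. The struct layout (7 dwords + 1 byte, flag bit 0x08 at offset 2, pointer-sized field at offset 3) is reconstructed from the disassembly; the field names, the event table, the helper functions and the use of NTSTATUS-style return codes are assumptions made for this example.

```c
/*
 * Added example (not the advisory's or G DATA's code): a portable model of
 * an IOCTL handler that validates the request described in the advisory
 * instead of copying 29 bytes blindly and dereferencing a pointer taken
 * from that data.  Build with: cc -std=c99 -Wall ioctl_check.c
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

typedef uint32_t ntstatus_t;

/* Layout reconstructed from the disassembly; field names are invented. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  hdr[2];       /* bytes 0..1, not interpreted on this path   */
    uint8_t  flags;        /* byte 2: the driver tests bit 0x08 here     */
    uint32_t event_ref;    /* bytes 3..6: raw pointer in the driver,     */
                           /*             a bounds-checked index here    */
    uint8_t  rest[22];     /* remaining bytes of the 29 that are copied  */
} gd_request_t;
#pragma pack(pop)

#define GD_IOCTL_SETEVENT   0x8317001Cu    /* IOCTL code from the advisory */
#define GD_FLAG_SIGNAL      0x08u          /* bit tested at [ebx+2]        */

/* Status values modelled on NTSTATUS (the numeric values are the real ones). */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* Driver-owned table standing in for KEVENT objects the driver created
 * itself.  User input may only name one of them by index; it never supplies
 * a pointer.  (A real Windows driver would instead take a HANDLE and resolve
 * it with ObReferenceObjectByHandle() using UserMode as the access mode.) */
#define GD_MAX_EVENTS 4u
static int g_events_signaled[GD_MAX_EVENTS];

ntstatus_t gd_handle_ioctl(uint32_t code, const void *in, size_t in_len)
{
    gd_request_t req;

    if (code != GD_IOCTL_SETEVENT)
        return STATUS_INVALID_DEVICE_REQUEST;

    /* Check 1: verify the caller-supplied length BEFORE the fixed-size copy
     * (the rep movsd / movsb in the disassembly performs no such check). */
    if (in == NULL || in_len < sizeof(req))
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, in, sizeof(req));

    if (!(req.flags & GD_FLAG_SIGNAL))
        return STATUS_SUCCESS;            /* nothing to signal on this path */

    /* Check 2: the value at offset 3 is data, not a trusted kernel pointer.
     * Resolve it against a table the driver owns, with a bounds check. */
    if (req.event_ref >= GD_MAX_EVENTS)
        return STATUS_INVALID_PARAMETER;

    g_events_signaled[req.event_ref] = 1; /* stands in for KeSetEvent() */
    return STATUS_SUCCESS;
}

/* Builds a constructed request buffer; returns the number of bytes written. */
size_t gd_build_request(uint8_t *buf, size_t cap, uint8_t flags, uint32_t ref)
{
    gd_request_t req;
    if (cap < sizeof(req))
        return 0;
    memset(&req, 0, sizeof(req));
    req.flags = flags;
    req.event_ref = ref;
    memcpy(buf, &req, sizeof(req));
    return sizeof(req);
}

int gd_event_signaled(uint32_t idx)
{
    return idx < GD_MAX_EVENTS && g_events_signaled[idx];
}

int main(void)
{
    uint8_t buf[64];
    size_t n = gd_build_request(buf, sizeof buf, GD_FLAG_SIGNAL, 0x41414141u);
    printf("bogus ref -> 0x%08" PRIX32 "\n", gd_handle_ioctl(GD_IOCTL_SETEVENT, buf, n));
    printf("short buf -> 0x%08" PRIX32 "\n", gd_handle_ioctl(GD_IOCTL_SETEVENT, buf, 8));
    n = gd_build_request(buf, sizeof buf, GD_FLAG_SIGNAL, 2);
    printf("valid ref -> 0x%08" PRIX32 " (signaled=%d)\n",
           gd_handle_ioctl(GD_IOCTL_SETEVENT, buf, n), gd_event_signaled(2));
    return 0;
}
```

The two rejections (too-short buffer, out-of-range reference) are exactly the cases the disassembly passes straight through to the `mov esi, [ebx+3]` / `call ds:KeSetEvent` path; a driver that only accepts object references it can bound or resolve through the object manager removes the user-controlled pointer from that path entirely.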


========= 
Solution: 
=========

  Upgrade to G DATA AntiVirus/InternetSecurity/TotalCare 2009.
  
  http://www.gdata.de/
  

======== 
History: 
========

  2007/11/29 - Vendor notified using info () gdata de
  2007/12/01 - Vendor response (Customer Support)
  2007/12/03 - Vendor response (QA)
  2007/12/03 - Asking for a PGP key
  2007/12/06 - Vendor response with PGP key. Detailed vulnerability
               information sent to G DATA.
  2007/12/17 - Status update request
  2007/12/18 - Status update from vendor. Detailed information sent a 2nd
               time to G DATA.
  2008/01/03 - Status update request
  2008/01/03 - Status update from vendor
  2007/02/12 - Status update request (no response)  
  2007/02/26 - Status update request (no response)
  2007/02/28 - Status update from vendor
  2008/09/17 - Update released by the vendor 
  2008/09/17 - Full technical details released to general public


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

  [1] http://www.gdata.de/  
  [2] http://www.trapkit.de/advisories/TKADV2008-008.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----

wj8DBQFI0U8mkXxgcAIbhEERAltuAKCS4sgBzS+t7G2DBQAXQ/OgKzlr2ACbBpX2
uFw+/y+ruFlEIoGU/wd0GYo=
=XRWj
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/