Avira Premium Security Suite – ‘NtCreateKey’ Race Condition

  • Author: Nikita Tarakanov
    Date: 2010-11-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15407/
  • 1.Description:
    
    The avipbb.sys kernel driver distributed with Avira Premium Security Suite
    contains a race condition in its handling of the parameters of the
    NtCreateKey function. The driver hooks the system call and reads the
    caller-supplied parameters from user memory, so a second thread in the
    calling process can change them between the driver's check and its use.
    In the crash below, the source pointer handed to memmove (esi = 0x90909090)
    comes from the user-mode OBJECT_ATTRIBUTES passed to ZwCreateKey.
    Exploitation of this issue allows a local attacker to crash the system
    (the infamous BSoD) or gain escalated privileges.
    An attacker would need local access to a vulnerable computer to exploit this
    vulnerability.
    
    
    Affected application: Avira Premium Security Suite up to and including
    version 10.0.0.565 (the current release at the time of writing).
    Affected file: avipbb.sys version 10.0.8.11.
    
    2.Crash dump info:
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 90909090, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 80536c53, If non-zero, the instruction address which referenced the bad memory
        address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    
    READ_ADDRESS:  90909090
    
    FAULTING_IP:
    nt!memmove+33
    80536c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    
    MM_INTERNAL_CODE:  0
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0x50
    
    PROCESS_NAME:  hookfuzz.exe
    
    TRAP_FRAME:  f0711bec -- (.trap 0xfffffffff0711bec)
    ErrCode = 00000000
    eax=9090912a ebx=e1297088 ecx=00000026 edx=00000002 esi=90909090 edi=e1297088
    eip=80536c53 esp=f0711c60 ebp=f0711c68 iopl=0         nv up ei pl nz ac pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010216
    nt!memmove+0x33:
    80536c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc
    
    STACK_TEXT:
    f0711728 804f7b9d 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
    f0711774 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
    f0711b54 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
    f0711b74 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
    f0711bd4 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
    f0711bd4 80536c53 00000000 90909090 00000000 nt!KiTrap0E+0xcc
    f0711c68 80528107 e1297088 90909090 0000009a nt!memmove+0x33
    f0711c88 f105f0c7 e1297078 0000009a 01762aec nt!RtlAppendUnicodeStringToString+0x45
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f0711cd8 f105f4d3 00000000 0012fea0 f0711d08 avipbb+0x80c7
    f0711d40 8053d638 0012fea8 00020019 0012feb0 avipbb+0x84d3
    f0711d40 7c90e4f4 0012fea8 00020019 0012feb0 nt!KiFastCallEntry+0xf8
    0012fe60 7c90d0dc 00401100 0012fea8 00020019 ntdll!KiFastSystemCallRet
    0012fe64 00401100 0012fea8 00020019 0012feb0 ntdll!ZwCreateKey+0xc
    0012ff70 0040158f 00000001 00342e28 00342e58 hookfuzz!wmain+0x100
    0012ffc0 7c817067 bc27f626 01cb7b6b 7ffdf000 hookfuzz!__tmainCRTStartup+0x15e
    0012fff0 00000000 004015e6 00000000 78746341 kernel32!BaseProcessStart+0x23
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP:
    avipbb+80c7
    f105f0c7 3bc6            cmp     eax,esi
    
    SYMBOL_STACK_INDEX:  8
    
    SYMBOL_NAME:  avipbb+80c7
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: avipbb
    
    IMAGE_NAME:  avipbb.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4bfe7d8e
    
    FAILURE_BUCKET_ID:  0x50_avipbb+80c7
    
    BUCKET_ID:  0x50_avipbb+80c7
    
    Followup: MachineOwner
    ---------
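    The bug class behind the dump, as an added example that is not part of the
    advisory or of Avira's code: a user-space C model of a system-call hook that
    reads a caller-supplied UNICODE_STRING twice (once to validate, once to copy)
    beside a version that reads it once into a kernel-owned copy and uses only
    that copy. The struct layout mirrors the Windows UNICODE_STRING and
    0x90909090 is the READ_ADDRESS from the dump; the hook and probe routine
    names, the sample registry path, and the deterministic "attacker wins the
    race after the n-th read" switch are inventions of this example standing in
    for the real second thread that rewrites the pointer while the kernel runs.

```c
/* Added example, not from the advisory or from avipbb.sys: a user-space model
 * of the double-fetch race on NtCreateKey's OBJECT_ATTRIBUTES.ObjectName.
 * Hook/probe names and the race switch are invented for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

typedef struct {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes allocated */
    wchar_t *Buffer;
} USTRING;                  /* same shape as the Windows UNICODE_STRING */

/* Pointer the fuzzer planted; it is the READ_ADDRESS in the crash dump. */
#define BAD_PTR ((wchar_t *)(uintptr_t)0x90909090u)

/* "User memory": the name the caller passes to ZwCreateKey (sample path is
 * constructed for this example). The racing thread overwrites user_name.Buffer
 * while the hook is still running. */
static wchar_t good_buf[64] = L"\\Registry\\Machine\\Software\\Example";
static USTRING user_name;
static int fetch_count, flip_after;

/* flip = n: the attacker thread wins right before the hook's (n+1)-th read of
 * the struct; flip = -1: the attacker never wins (no race). */
static void reset_model(int flip) {
    user_name.Buffer = good_buf;
    user_name.Length = (uint16_t)(wcslen(good_buf) * sizeof(wchar_t));
    user_name.MaximumLength = sizeof good_buf;
    fetch_count = 0;
    flip_after = flip;
}

/* Every kernel read of the user struct goes through here so the race window
 * between two reads is explicit. */
static USTRING fetch_from_user(void) {
    if (flip_after >= 0 && fetch_count >= flip_after)
        user_name.Buffer = BAD_PTR;   /* attacker thread swaps the pointer */
    fetch_count++;
    return user_name;
}

/* Stand-in for ProbeForRead: only the known user buffer is acceptable. */
static int probe_for_read(const wchar_t *p, size_t bytes) {
    return p == good_buf && bytes <= sizeof good_buf;
}

/* Vulnerable hook (the pattern the dump shows): validate one read of the
 * struct, then hand a fresh, unvalidated read to the copy routine. */
static int hook_vulnerable(wchar_t *out, size_t out_bytes) {
    USTRING checked = fetch_from_user();                 /* fetch 1: validated */
    if (!probe_for_read(checked.Buffer, checked.Length)) return -1;
    USTRING used = fetch_from_user();                    /* fetch 2: never checked */
    if (used.Length > out_bytes) return -1;
    if (used.Buffer != good_buf)        /* the real driver's memmove faults here: BSoD */
        return -2;                      /* the model reports it instead of crashing */
    memcpy(out, used.Buffer, used.Length);
    out[used.Length / sizeof(wchar_t)] = 0;
    return 0;
}

/* Hardened hook: read the struct once into a kernel-owned copy, validate the
 * copy, and use only the copy. User mode can still change the characters in
 * the buffer, but not where or how much the kernel reads. */
static int hook_hardened(wchar_t *out, size_t out_bytes) {
    USTRING local = fetch_from_user();                   /* the only fetch */
    if (!probe_for_read(local.Buffer, local.Length)) return -1;
    if (local.Length > out_bytes) return -1;
    memcpy(out, local.Buffer, local.Length);             /* real kernel: inside __try */
    out[local.Length / sizeof(wchar_t)] = 0;
    return 0;
}

static int run_hook(int flip, int hardened, wchar_t *out, size_t out_bytes) {
    reset_model(flip);
    return hardened ? hook_hardened(out, out_bytes) : hook_vulnerable(out, out_bytes);
}

/* Status code of one scenario: 0 ok, -1 rejected by the probe, -2 would-be BSoD. */
static int run_scenario(int flip, int hardened) {
    wchar_t out[64] = {0};
    return run_hook(flip, hardened, out, sizeof out);
}

/* 1 when the hook copied the caller's original name intact. */
static int name_copied(int flip, int hardened) {
    wchar_t out[64] = {0};
    return run_hook(flip, hardened, out, sizeof out) == 0 && wcscmp(out, good_buf) == 0;
}

int main(void) {
    printf("no race:          vulnerable=%d hardened=%d\n", run_scenario(-1, 0), run_scenario(-1, 1));
    printf("swap after check: vulnerable=%d hardened=%d\n", run_scenario(1, 0), run_scenario(1, 1));
    printf("bad from start:   vulnerable=%d hardened=%d\n", run_scenario(0, 0), run_scenario(0, 1));
    return 0;
}
```

    In the real driver the copy happens inside RtlAppendUnicodeStringToString,
    whose memmove has no try/except, so a bad pointer picked up by the second
    read is fatal rather than recoverable. The single-fetch version removes the
    window entirely; any read of user memory that remains must still be probed
    and wrapped in __try so that a buffer the caller unmaps concurrently raises
    an exception the driver can handle instead of a bugcheck.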
    
    3.Proof of concept: supplied as poc.zip.
    
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15407.zip (poc.zip)