G DATA AntiVirus/InternetSecurity/TotalCare 2008 GDTdiIcpt.sys Memory Corruption Vulnerability
24 Sep. 2008
Summary
The kernel driver GDTdiIcpt.sys shipped with G DATA AntiVirus/Internet Security/TotalCare 2008 contains a vulnerability in the code that handles IOCTL requests. Exploitation of this vulnerability can result in:
1) Local denial of service attacks (system crash due to a kernel panic), or
2) Local execution of arbitrary code at the kernel level (complete system compromise)
The issue can be triggered by sending a specially crafted IOCTL request.
Vulnerable Systems:
* G DATA AntiVirus 2008
* G DATA InternetSecurity 2008
* G DATA TotalCare 2008
Immune Systems:
* G DATA AntiVirus 2009
* G DATA InternetSecurity 2009
* G DATA TotalCare 2009
The IOCTL call 0x8317001c of the GDTdiIcpt.sys kernel driver accepts user supplied input that doesn't get validated. In consequence it is possible to fill different kernel registers with arbitrary values. These register values are further on used as parameters for different functions of the windows kernel (e.g. KeSetEvent). If these parameters are carefully crafted it is possible to force the windows kernel into performing a memory corruption that leads to full control of the kernel execution flow.
Disassembly of GDTdiIcpt.sys (Windows Vista 32bit version):
[...]
.text:00012510 cmp [ebp+arg_18], 8317001Ch
[...]
.text:0001251D mov ebx, [ebp+arg_10] <-- [1]
.text:00012520 mov esi, [ebp+arg_8]
.text:00012523 push 7
.text:00012525 pop ecx
.text:00012526 mov edi, ebx
.text:00012528 rep movsd
.text:0001252A movsb
.text:0001252B test byte ptr [ebx+2], 8
.text:0001252F jnz short loc_12598
[...]
[1] The user controlled input gets copied into the EBX register without any input validation
Example for an exploitable code path:
[...]
.text:00012531 mov esi, [ebx+3] <-- [2]
[...]
.text:00012566 mov edi, [esi+8] <-- [3]
[...]
.text:0001257E push 0
.text:00012580 push 0
.text:00012582 push dword ptr [edi] <-- [4]
.text:00012584 call ds:KeSetEvent
[...]
[2] The ESI register is filled with the user supplied data (from EBX)
[3] The EDI register is also filled with the user supplied data
[4] The user supplied value of EDI is used as a parameter for the KeSetEvent kernel function
With enough crafting, the user supplied argument to the KeSetEvent kernel function can be used to hijack the execution flow of the kernel.
Solution:
Upgrade to G DATA AntiVirus/InternetSecurity/TotalCare 2009 available at: http://www.gdata.de/
History:
2007/11/29 - Vendor notified using info@gdata.de
2007/12/01 - Vendor response (Customer Support)
2007/12/03 - Vendor response (QA)
2007/12/03 - Asking for a PGP key
2007/12/06 - Vendor response with PGP key. Detailed vulnerability information sent to G DATA.
2007/12/17 - Status update request
2007/12/18 - Status update from vendor. Detailed information sent a 2nd time to G DATA.
2008/01/03 - Status update request
2008/01/03 - Status update from vendor
2007/02/12 - Status update request (no response)
2007/02/26 - Status update request (no response)
2007/02/28 - Status update from vendor
2008/09/17 - Update released by the vendor
2008/09/17 - Full technical details released to general public
