Vulnerability Analysis of malformed WinPcap driver parameters

Source: Internet
Author: User

Text and figures: gyzy [Department of Information Security, Jiangsu University & EST]
WinPcap (Windows Packet Capture) is a free, open-source packet capture library for the Windows platform. It gives Win32 applications access to the raw network layer. WinPcap cannot block, filter or otherwise control the traffic that other applications send and receive; it only listens to the data passing over the shared network segment. It provides the following features, on which Ethernet traffic monitoring software is built:
1) capture raw packets, both those sent and received by the local host and those exchanged between other hosts on the shared network segment;
2) filter packets according to user-defined rules before they are handed to the application;
3) inject raw packets onto the network;
4) gather statistics about the traffic on the network.
One serious weakness of WinPcap is that it lets non-administrator users open its driver. If an administrator has used Ethereal or another WinPcap-based capture tool and the driver has not been manually unloaded, a local attacker can abuse it, for unauthorized sniffing or even to crash the machine with a blue screen.
This magazine has covered local privilege escalation through device drivers in several earlier issues, so the background is not repeated here. The WinPcap driver npf.sys does not validate the buffer pointer it is handed when processing IOCTL 0x2347, so memory at an arbitrary address can be overwritten. The value written, however, is always zero, so the primitive is a zero-write rather than a controlled write; passing an address in the upper 2 GB (kernel space) is enough to crash the machine with a blue screen.

Communication between Ring0 and Ring3
Under DOS, applications could talk to hardware directly: reading and writing I/O ports, handling interrupt requests, performing DMA. That convenience came at a price. A bad write to a hardware register could take the whole system down, leaving it neither secure nor stable, and applications tied to specific hardware did not port well. For security, stability and portability, Windows therefore does not let applications touch hardware directly; they must go through the corresponding device driver, which is what actually operates the hardware. With two-way communication between application and driver, the application can still control the underlying device.

That communication has two directions: data the application sends to the driver, and messages the driver sends back to the application. The former is the easier to implement. After obtaining a handle to the device with CreateFile(), the application uses Win32 functions such as DeviceIoControl(), ReadFile() or WriteFile() to exchange data with the driver. Each such call reaches the driver as an IRP carrying the caller's buffer pointers and lengths, and how much the I/O manager checks those buffers before the driver sees them depends on the transfer method encoded in the control code.

Vulnerability Analysis
In the PoC's function that looks up the kernel base address:

if (!strcmp(lpBaseName, "ntoskrnl.exe"))
{
    NtosBase = lpImageBases[i];
    printf("NTOSKRNL base found at %#p", NtosBase);
    break;
}
Specifically, the comparison is against the literal name ntoskrnl.exe, the kernel file name on Windows 2000 (and on a uniprocessor, non-PAE XP). The PoC's comments say it targets XP, where the kernel is often loaded as ntkrnlpa.exe, ntkrnlmp.exe or ntkrpamp.exe, in which case the string never matches and NtosBase is never set. Whether the original author was careless or did this deliberately, I do not know. After fixing this bug, the code runs fine on my Windows XP, and the blue screen appears immediately, as shown in figure 1.
 
Figure 1
To locate the faulting code precisely, a few things need setting up before running the PoC. In My Computer -> Properties -> Advanced -> Startup and Recovery, set "Write debugging information" to "Complete memory dump", so that Windows saves a crash dump that can be examined in WinDbg. Set WinDbg's symbol path, and after the reboot open C:\Windows\MEMORY.DMP with File -> Open Crash Dump. Once the output shown in figure 2 appears, enter "!analyze -v" to get the driver-specific error information. The TRAP_FRAME line in that output gives a .trap command that switches the debugger to the faulting context, after which "u @eip" disassembles around the faulting instruction.

 
DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0xBE
PROCESS_NAME:  winpcap.exe
TRAP_FRAME:  f9001ba4 -- (.trap fffffffff9001ba4)
ErrCode = 00000003
eax=8057e7ff ebx=80e6a000 ecx=00000000 edx=00000010 esi=ffb495b0 edi=ffb49540
eip=faf0bfdd esp=f9001c6 ebp=f9001c34 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
npf+0xfdd:
faf0bfdd 89480c          mov     dword ptr [eax+0Ch],ecx ds:0023:8057e80b=84a38055
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8051cf07 to 804f9925

STACK_TEXT:
f9001b2c 8051cf07 000000be 8057e80b 0057e121 nt!KeBugCheckEx+0x1b
f9001b8c 805406ec 00000001 8057e80b 00000000 nt!MmAccessFault+0x8e7
f9001b8c faf0bfdd 00000001 8057e80b 00000000 nt!KiTrap0E+0xcc
WARNING: Stack unwind information not available. Following frames may be wrong.
f9001c34 804eedf9 ffb457c0 ffb49540 806d12d0 npf+0xfdd
f9001c44 80574b42 ffb495b0 ffba12e0 ffb49540 nt!IopfCallDriver+0x31
f9001c58 805759d1 ffb457c0 ffb49540 ffba12e0 nt!IopSynchronousServiceTail+0x60
f9001d00 8056e33c 0000002c 00000000 00000000 nt!IopXxxControlFile+0x5e7
f9001d34 8053d808 0000002c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f9001d34 7c92eb94 0000002c 00000000 00000000 nt!KiFastCallEntry+0xf8
0012fe48 7c92d8ef 7c801671 2017002c 00000000 ntdll!KiFastSystemCallRet
0012fe4c 7c801671 2017002c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012feac 004015aa 0000002c 00002347 00000000 kernel32!DeviceIoControl+0xdd
0012ff48 7c9306eb 00404515 00370000 00000009 winpcap+0x15aa
00130160 00000000 00000002 00000024 ntdll!RtlAllocateHeap+0xeac

STACK_COMMAND:  kb
FOLLOWUP_IP:
npf+fdd
faf0bfdd 89480c          mov     dword ptr [eax+0Ch],ecx

SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  npf+fdd
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: npf
IMAGE_NAME:  npf.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  42efe135
FAILURE_BUCKET_ID:  0xBE_npf+fdd
BUCKET_ID:  0xBE_npf+fdd
Followup: MachineOwner
It is immediately clear that the instruction mov dword ptr [eax+0Ch],ecx at 0xfaf0bfdd writes to read-only memory and triggers the blue screen: bugcheck 0xBE is ATTEMPTED_WRITE_TO_READONLY_MEMORY, and the target 0x8057e80b lies inside the ntoskrnl image whose base the PoC looked up earlier. The next step is static analysis in IDA.

.text:00010FCC    push    10h
.text:00010FCE    pop     edx
.text:00010FCF    cmp     [esi+4], edx        ; esi = IrpSp; [esi+4] = Parameters.DeviceIoControl.OutputBufferLength
.text:00010FD2    jb      loc_110C4           ; output buffer shorter than 16 bytes: fail
.text:00010FD8    mov     eax, [edi+3Ch]      ; edi = Irp; [edi+3Ch] = Irp->UserBuffer, the raw user pointer
.text:00010FDB    xor     ecx, ecx
.text:00010FDD    mov     [eax+0Ch], ecx      ; first store through the unvalidated pointer
.text:00010FE0    mov     eax, [edi+3Ch]
.text:00010FE3    mov     [eax], ecx
.text:00010FE5    mov     eax, [edi+3Ch]
.text:00010FE8    mov     [eax+4], ecx
.text:00010FEB    mov     eax, [edi+3Ch]
.text:0001020.    mov     [eax+8], ecx

The four stores at 0x00010FDD, 0x00010FE3, 0x00010FE8 and 0x00010104 overwrite 16 bytes of memory at the address taken from Irp->UserBuffer. Because of the preceding xor ecx, ecx, the value written is always zero: the attacker chooses where the write lands but not what is written. If the value were controllable, this would give arbitrary code execution with Ring 0 privileges. Oddly, the original author's PoC does appear to achieve code execution. The WinPcap I am using is version 3.1, bundled with ethereal-setup-0.10.14; once Ethereal has been run, the driver is loaded into the kernel. I do not know whether the version differs, since ecx in the code above is clearly not controllable.
If ecx were controllable, one could overwrite a function address in the SSDT and then invoke the corresponding system call from Ring 3 to run the shellcode. Ring 0 shellcode differs substantially from Ring 3 shellcode: in kernel mode none of the familiar user-mode APIs are available, so this is a comparatively little-studied area. The next article will explain in detail how to run practical shellcode through such drivers.
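The following is an added example, not code from npf.sys, WinPcap or the PoC: a user-mode C model of the path behind IOCTL 0x2347, showing why the handler ends up holding a raw user pointer and what the missing check looks like. The control code 0x2347 (decimal 9031) corresponds to WinPcap's BIOCGSTATS request in its headers; the page does not name it, so that identification is mine. Its low two bits are 11b, METHOD_NEITHER, which means the I/O manager neither copies nor probes the output buffer: lpOutBuffer from DeviceIoControl lands unchanged in Irp->UserBuffer ([edi+3Ch]) and nOutBufferSize in OutputBufferLength ([esi+4]). The vulnerable handler mirrors the disassembly above; the hardened one applies the ProbeForWrite rules first. Assumptions: the IRP is reduced to those two fields, the user/kernel boundary is a parameter (0x7FFF0000, MmUserProbeAddress on 32-bit Windows), and the status values are the Windows NTSTATUS codes. Nothing here touches a real driver, and the sample addresses are the ones from the dump.

```c
/* Added example: user-mode model of the npf.sys path behind IOCTL 0x2347.
 * Not code from npf.sys, WinPcap or the PoC; the IRP is reduced to the two
 * fields the disassembly reads and the user/kernel boundary is a parameter. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
enum { METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER };
#define BIOCGSTATS 0x2347u  /* 9031: WinPcap "get capture statistics" (assumed mapping) */

typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f = { code >> 16, (code >> 14) & 3u, (code >> 2) & 0xFFFu, code & 3u };
    return f;
}

/* What the handler reads. With METHOD_NEITHER the I/O manager copies and
 * probes nothing: user_buffer is lpOutBuffer exactly as the caller passed it. */
typedef struct {
    uint32_t output_buffer_length;  /* [esi+4]   IrpSp->Parameters.DeviceIoControl.OutputBufferLength */
    void    *user_buffer;           /* [edi+3Ch] Irp->UserBuffer */
} model_irp;

#define STATUS_SUCCESS            0x00000000u
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define STATUS_ACCESS_VIOLATION   0xC0000005u
#define STATS_BYTES               (4u * sizeof(uint32_t))
#define MM_USER_PROBE_ADDRESS_X86 0x7FFF0000u  /* MmUserProbeAddress, 32-bit Windows */

/* Vulnerable path, as at 0x10FCC..0x10FEB: a length check, then four zero
 * stores straight through the raw pointer. Handing this a kernel address is
 * exactly what the PoC does, so only call it on a buffer you own. */
uint32_t npf_getstats_unchecked(model_irp *irp)
{
    if (irp->output_buffer_length < STATS_BYTES)
        return STATUS_BUFFER_TOO_SMALL;              /* cmp [esi+4],edx / jb */
    uint32_t *stats = (uint32_t *)irp->user_buffer;  /* mov eax,[edi+3Ch] */
    stats[3] = 0;                                    /* mov [eax+0Ch],ecx with ecx = 0 */
    stats[0] = 0;
    stats[1] = 0;
    stats[2] = 0;
    return STATUS_SUCCESS;
}

/* The rules ProbeForWrite enforces: zero length passes, the address must be
 * aligned, the range must not wrap and must end at or below
 * MmUserProbeAddress. (The real routine also writes each page so that an
 * unmapped page faults here, under __try, rather than in the handler.) */
bool probe_for_write(const void *addr, size_t len, size_t align, uintptr_t user_probe_address)
{
    uintptr_t a = (uintptr_t)addr;
    if (len == 0)
        return true;
    if (align == 0 || (a & (align - 1)) != 0)
        return false;
    if (a + len < a)
        return false;                                /* wrap-around */
    return a + len <= user_probe_address;
}

/* Hardened path. In a real driver the probe and every store into the buffer
 * sit inside one __try/__except block: the caller can unmap the pages after
 * the probe, so the probe alone does not make the stores safe. */
uint32_t npf_getstats_checked(model_irp *irp, uintptr_t user_probe_address)
{
    if (irp->output_buffer_length < STATS_BYTES)
        return STATUS_BUFFER_TOO_SMALL;
    if (!probe_for_write(irp->user_buffer, STATS_BYTES, sizeof(uint32_t), user_probe_address))
        return STATUS_ACCESS_VIOLATION;
    uint32_t *stats = (uint32_t *)irp->user_buffer;
    stats[0] = stats[1] = stats[2] = stats[3] = 0;
    return STATUS_SUCCESS;
}

/* Triage a request from the raw DeviceIoControl values (lpOutBuffer, nOutBufferSize). */
uint32_t triage_request(uintptr_t out_buffer, uint32_t out_length, uintptr_t user_probe_address)
{
    model_irp irp = { out_length, (void *)out_buffer };
    return npf_getstats_checked(&irp, user_probe_address);
}

/* Run either handler on a real 16-byte buffer; true if it succeeded and
 * zeroed all four counters. UINTPTR_MAX stands in for the host's own
 * user-space ceiling, since a 64-bit test process lives above 0x7FFF0000. */
bool zeroes_real_buffer(bool use_checked)
{
    uint32_t stats[4] = { 7, 7, 7, 7 };
    model_irp irp = { (uint32_t)sizeof stats, stats };
    uint32_t st = use_checked ? npf_getstats_checked(&irp, UINTPTR_MAX)
                              : npf_getstats_unchecked(&irp);
    return st == STATUS_SUCCESS && (stats[0] | stats[1] | stats[2] | stats[3]) == 0;
}

int main(void)
{
    ioctl_fields f = decode_ioctl(BIOCGSTATS);
    printf("0x2347: function 0x%X, method %u -> %s\n", (unsigned)f.function, (unsigned)f.method,
           f.method == METHOD_NEITHER ? "METHOD_NEITHER, raw user pointer" : "buffered or MDL");
    /* The PoC's request as seen in the dump: eax = 8057e7ff, edx = 10. */
    printf("kernel target 0x8057e7ff: checked handler returns 0x%08X\n",
           (unsigned)triage_request(0x8057e7ffu, 0x10, MM_USER_PROBE_ADDRESS_X86));
    printf("real buffer: checked=%d unchecked=%d\n", zeroes_real_buffer(true), zeroes_real_buffer(false));
    return 0;
}
```

The decode is the first thing to check on any crash like this one: a control code whose method bits are METHOD_NEITHER tells you the driver, not the I/O manager, is responsible for validating every pointer in the request. Note that the hardened handler still writes only zeros; the fix removes the kernel-address write, it does not change what the request does for legitimate callers.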

Summary
Through this vulnerability analysis we have learned how to debug a blue-screen crash dump, analysed the cause of the vulnerability, and seen how a user-mode program communicates with a kernel-mode driver. I hope this is of some help to the magazine's readers; corrections of any errors or omissions are welcome.
