Trend Micro tmactmon. sys DOS Vulnerability Analysis (0day)

Source: Internet
Author: User

When tmactmon.sys receives an IRP with ioctl_code = 0x9100444f, it calls the dispatch function (named BugDispatch here) to process it:

    .text:00011116 ; int __stdcall BugDispatch(int, PIRP)
    .text:00011116 BugDispatch     proc near               ; DATA XREF: sub_11C4C+16D o
    .text:00011116
    .text:00011116 inbuffer        = dword ptr -1Ch
    .text:00011116 UserBuffer      = dword ptr -18h
    .text:00011116 IoStatus        = dword ptr -10h
    .text:00011116 outbufferLength = dword ptr -0Ch
    .text:00011116 inbufferLength  = dword ptr -8
    .text:00011116 var_4           = dword ptr -4
    .text:00011116 Irp             = dword ptr  0Ch
    .text:00011116
    .text:00011116                 mov     edi, edi
    .text:00011118                 push    ebp
    .text:00011119                 mov     ebp, esp
    .text:0001111B                 sub     esp, 1Ch

The prologue reserves 0x1C bytes of stack for inLength, outLength, inbuffer, UserBuffer and related fields. Near the end of the function these values are stored and sub_12BE2 is called; note that the argument passed is the stack address at which inbuffer is stored:

    .text:0001115E loc_1115E:                              ; CODE XREF: BugDispatch+2A j
    .text:0001115E                 mov     edx, [eax+10h]
    .text:00011161                 mov     [ebp+inbuffer], edx
    .text:00011164                 mov     edx, [esi+3Ch]
    .text:00011167                 mov     [ebp+UserBuffer], edx
    .text:0001116A                 mov     edx, [eax+8]
    .text:0001116D                 mov     [ebp+outbufferLength], edx
    .text:00011170                 mov     edx, [eax+4]
    .text:00011173                 mov     [ebp+inbufferLength], edx
    .text:00011176                 mov     [ebp+IoStatus], ecx
    .text:00011179                 mov     eax, [eax+0Ch]
    .text:0001117C                 mov     [ebp+var_4], eax
    .text:0001117F                 lea     eax, [ebp+inbuffer]
    .text:00011182                 push    eax
    .text:00011183                 call    sub_12BE2

sub_12BE2 mainly calls sub_12AE8 to check the buffer sent from ring3. The decompiled sub_12AE8 is shown below. It uses ProbeForRead and ProbeForWrite to validate the input and output buffers, and it also checks whether the process issuing the IOCTL is one of Trend Micro's own processes (the comparison against PsGetCurrentProcessId()):

    signed int __thiscall sub_12AE8(int this, int a2)
    {
      // v3 points at the stack block that BugDispatch filled in (inbuffer at +0, UserBuffer at +4, ...)
      if ( &inbuffer && (inLength || !inbuffer) && (outLength || !OutBuffer) )
      {
        if ( ExGetPreviousMode() == 1 )              // 1 == UserMode: the request came from ring3
        {
          ProbeForRead(*(const void **)v3, *(_DWORD *)(v3 + 16), 1u);
          ProbeForWrite(*(PVOID *)(v3 + 4), *(_DWORD *)(v3 + 20), 1u);
        }
        // omitting irrelevant code
    LABEL_13:
        if ( !v7 )
        {
          v5 = *(_DWORD *)(v3 + 8);
          if ( v5 && *(_BYTE *)(v5 + 24) )
            // caller must be the process recorded by the driver, otherwise 0xC00000BB (STATUS_NOT_SUPPORTED)
            v2 = *(_DWORD *)(v5 + 8) != (_DWORD)PsGetCurrentProcessId() ? 0xC00000BB : 0;
          else
            v2 = -1073741637;                        // also 0xC00000BB
        }
        result = v2;
      }
      else
      {
        result = -1073741811;                        // 0xC000000D, STATUS_INVALID_PARAMETER
      }
      return result;
    }

After the check passes, sub_1291C is called, and sub_1291C in turn calls sub_19814. The execution path through sub_19814 is shown below; note the comparison and jump at 0001982F/00019836. The value at ebp+arg_4 is dword[1] of inbuffer, so it can be set to 0x12210005, in which case sub_19554 is called:

    .text:00019814 ; int __stdcall sub_19814(int, int, PVOID Object)
    .text:00019814 sub_19814       proc near               ; CODE XREF: v6+29 p
    .text:00019814 var_20          = dword ptr -20h
    .text:00019814 ms_exc          = CPPEH_RECORD ptr -18h
    .text:00019814 arg_0           = dword ptr  8
    .text:00019814 arg_4           = dword ptr  0Ch
    .text:00019814 Object          = dword ptr  10h
    .text:00019814
    .text:00019814                 push    10h
    .text:00019816                 push    offset unk_1E1A8
    .text:0001981B                 call    __SEH_prolog4
    .text:00019820                 mov     esi, ecx
    .text:00019822                 lea     eax, [esi+14h]
    .text:00019825                 mov     [ebp+var_20], eax
    .text:00019828                 xor     ecx, ecx
    .text:0001982A                 inc     ecx
    .text:0001982B                 lock xadd [eax], ecx
    .text:0001982F                 cmp     [ebp+arg_4], 1221A007h
    .text:00019836                 jnz     short loc_19885
    .text:00019885 loc_19885:                              ; CODE XREF: sub_19814+22 j
    .text:00019885                 mov     ebx, [ebp+Object]
    .text:00019888                 push    ebx             ; Object
    .text:00019889                 push    [ebp+arg_4]     ; int
    .text:0001988C                 mov     ecx, esi
    .text:0001988E                 call    sub_19554

The execution path through sub_19554 is shown below; the important jumps are the ones that depend on ecx. Because ecx = 0x12210005, execution reaches .text:00019591. The value at ebp+Object is dword[3] of inbuffer and can be set to 0xffff0000. Executing push dword ptr [esi] then faults, because the memory at 0xffff0000 cannot be read:

    .text:00019554 ; int __stdcall sub_19554(int, PVOID Object)
    .text:00019554 sub_19554       proc near               ; CODE XREF: sub_19814+7A p
    .text:00019554 arg_0           = dword ptr  8
    .text:00019554 Object          = dword ptr  0Ch
    .text:00019554
    .text:00019554                 mov     edi, edi
    .text:00019556                 push    ebp
    .text:00019557                 mov     ebp, esp
    .text:00019559                 mov     ecx, [ebp+arg_0] ; ecx = 0x12210005
    .text:0001955C                 push    ebx
    .text:0001955D                 push    esi
    .text:0001955E                 push    edi
    .text:0001955F                 mov     eax, 12210006h
    .text:00019564                 cmp     ecx, eax
    .text:00019566                 mov     edi, 0E0000001h
    .text:0001956B                 mov     ebx, edi
    .text:0001956D                 ja      loc_19670
    .text:00019573                 jz      loc_19645
    .text:00019579                 sub     ecx, 12210001h
    .text:0001957F                 jz      loc_1961B
    .text:00019585                 dec     ecx
    .text:00019586                 jz      short loc_195E0
    .text:00019588                 sub     ecx, 3
    .text:0001958B                 jnz     loc_196AC
    .text:00019591                 mov     esi, [ebp+Object]
    .text:00019594                 test    esi, esi
    .text:00019596                 jz      loc_196B1
    .text:0001959C                 and     [ebp+Object], ecx
    .text:0001959F                 lea     eax, [ebp+Object]
    .text:000195A2                 push    eax
    .text:000195A3                 push    dword ptr [esi]
    .text:000195A5                 call    sub_194E6

The whole analysis shows that triggering the vulnerability requires code running inside one of Trend Micro's own ring3 processes (because of the process check in sub_12AE8), which then sends tmactmon.sys a crafted IRP with ioctl_code = 0x9100444f, inLength = 0x10, outLength = 0x10, and inbuffer 0, 0 x, 0, 0, 0, 0, 0, 0, 0xff, 0xff. This concludes the analysis. Happy Hacking

~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer ~~~~~~~~~~~~~~~~~~~~~

The content of this article is intended only for research and study of software security technology. Using it for malicious purposes is strictly prohibited. No individual, group, or organization may use it for illegal purposes. I am not liable for computer crashes or data loss caused by this code; the responsibility rests with the user.
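As an added illustration, not code from the article or from the driver, the following user-mode C model shows why the ProbeForRead of the 0x10-byte input buffer in sub_12AE8 does not protect the push dword ptr [esi] in sub_19554: the pointer carried in dword[3] is never probed, and the hardened path adds exactly that check. The simulated address space, USER_LIMIT, SIM_BUGCHECK, and the return value for a zero pointer are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values referenced by the decompiled check above (0xC000000D is -1073741811). */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_VIOLATION  0xC0000005u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define SIM_BUGCHECK             0xDEADBEEFu  /* constructed marker: uncatchable kernel fault */

/* Constructed 32-bit address space: one 4 KiB page is mapped, everything else faults.
 * USER_LIMIT stands in for MmUserProbeAddress, the user/kernel boundary on x86. */
#define USER_LIMIT  0x7FFF0000u
#define MAPPED_BASE 0x00400000u
static uint8_t sim_page[4096];

void sim_write32(uint32_t addr, uint32_t val) {            /* helper, mapped page only */
    memcpy(sim_page + (addr - MAPPED_BASE), &val, 4);
}
bool sim_read32(uint32_t addr, uint32_t *out) {
    if (addr < MAPPED_BASE || addr + 4 > MAPPED_BASE + sizeof sim_page) return false;
    memcpy(out, sim_page + (addr - MAPPED_BASE), 4);
    return true;
}
/* Models ProbeForRead: rejects NULL, wraparound and anything at or above USER_LIMIT.
 * It does not check that the page is present; that is left to __try/__except. */
bool sim_probe_for_read(uint32_t addr, uint32_t len) {
    return addr != 0 && len != 0 && addr + len > addr && addr + len <= USER_LIMIT;
}

typedef struct { uint32_t dw[4]; } ioctl_in_t;   /* inLength == 0x10: four dwords */

/* The 0x12210005 path of sub_19554: dw[1] selected the command, dw[3] (ebp+Object) is
 * dereferenced as a pointer. The driver's ProbeForRead covered the 16-byte buffer,
 * not the pointer stored inside it. `hardened` adds that missing probe. */
uint32_t handle_cmd_12210005(const ioctl_in_t *in, bool hardened) {
    uint32_t object = in->dw[3], first;
    if (in->dw[1] != 0x12210005u) return STATUS_INVALID_PARAMETER; /* other commands not modelled */
    if (object == 0) return STATUS_INVALID_PARAMETER;  /* test esi,esi / jz: return value assumed */
    if (hardened && !sim_probe_for_read(object, 4)) return STATUS_INVALID_PARAMETER;
    if (!sim_read32(object, &first))                   /* push dword ptr [esi] */
        /* a fault on a probed user-range address is catchable by __try/__except;
         * a fault on a kernel-range address such as 0xffff0000 is a bugcheck. */
        return object < USER_LIMIT ? STATUS_ACCESS_VIOLATION : SIM_BUGCHECK;
    return STATUS_SUCCESS;                              /* sub_194E6 would run with `first` */
}
```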
