Vulnerability in the Cheetah Free WiFi driver

Source: Internet
Author: User


liebaonat_xp.sys, the driver of the PC version of Cheetah Free WiFi, has an arbitrary-address write vulnerability. The write address can be controlled, which allows arbitrary code to be executed in the kernel.

When the IoControlCode sent to the liebaonat_xp.sys device is 0x830020F0, the driver does not strictly verify the input and output parameters, which causes an arbitrary-address write vulnerability. The write address is controllable and the length of the written data is 4 bytes, which can be used to execute arbitrary code in the kernel.

When IoControlCode is 0x830020F0, InputBuffer is a kernel address pointer that can be predicted or even traversed from user mode; InputBufferSize is sizeof(PVOID); and the OutputBuffer and OutputBufferSize that the driver checks correspond to a 4-byte user-mode address. These conditions trigger the vulnerability.
 

NTSTATUS __stdcall DeviceDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS Status = STATUS_SUCCESS;

    // Input and output both point at the same system buffer.
    PVOID* inputBuffer = Irp->AssociatedIrp.SystemBuffer;
    PVOID* outputBuffer = Irp->AssociatedIrp.SystemBuffer;

    ULONG  InputBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG  IoControlCode = irpSp->Parameters.DeviceIoControl.IoControlCode;

    if (IoControlCode == 0x830020F0)
    {
        // Only the input length is checked in the code shown.
        if ( InputBufLength >= 4 ) // wowo....
        {
            // The caller-supplied pointer value is passed on without validation.
            PVOID* lpBuf = CheckExploit(*inputBuffer, &IoControlCode);
            if ( lpBuf )
            {
                *outputBuffer = lpBuf[143];
                Status = STATUS_SUCCESS;
            }
            else
            {
                Status = NDIS_STATUS_ADAPTER_NOT_FOUND;
            }
            Irp->IoStatus.Status = Status;
            Irp->IoStatus.Information = 4;
            return Status;
        }
    }
    ...
}

 

Example program: executes 0xEB 0xFE so that the kernel thread enters an endless loop.
Download link: http://pan.baidu.com/s/1pJFy783

Solution:

Strictly verify the input and output buffer addresses and sizes.
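
One way to apply this fix, shown as an added example that is not the driver's code or the original author's: a user-mode C model of the 0x830020F0 handler that checks both buffer lengths and treats the caller's pointer value as an opaque handle, accepting it only if it matches an object the driver owns. The names `adapter_t`, `g_adapters`, `lookup_adapter`, `handle_query` and the `ST_*` status values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOCTL_QUERY 0x830020F0u   /* control code named on the page */
enum { ST_OK, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL, ST_NOT_FOUND }; /* stand-ins for NTSTATUS */

/* Hypothetical adapter object; fields[143] mirrors the lpBuf[143] read. */
typedef struct { uint32_t fields[144]; } adapter_t;
#define ADAPTER_COUNT 2
static adapter_t g_adapters[ADAPTER_COUNT];   /* objects the driver itself owns */

/* Treat the caller's value as an opaque handle: accept it only if it equals
   the address of an object we own, and never dereference it before that. */
static adapter_t *lookup_adapter(uintptr_t handle)
{
    for (size_t i = 0; i < ADAPTER_COUNT; i++)
        if (handle == (uintptr_t)&g_adapters[i])
            return &g_adapters[i];
    return NULL;
}

/* sysbuf models the system buffer shared by input and output. */
int handle_query(uint32_t code, void *sysbuf, uint32_t in_len,
                 uint32_t out_len, uint32_t *information)
{
    uintptr_t handle;
    adapter_t *a;

    *information = 0;                          /* report no output on any failure */
    if (code != IOCTL_QUERY || sysbuf == NULL || in_len < sizeof handle)
        return ST_INVALID_PARAMETER;           /* input must hold a full pointer-sized value */
    if (out_len < sizeof(uint32_t))
        return ST_BUFFER_TOO_SMALL;            /* caller must provide room for the 4-byte result */
    memcpy(&handle, sysbuf, sizeof handle);
    if ((a = lookup_adapter(handle)) == NULL)
        return ST_NOT_FOUND;                   /* unknown value: buffer left untouched */
    memcpy(sysbuf, &a->fields[143], sizeof(uint32_t));
    *information = sizeof(uint32_t);           /* bytes to hand back to the caller */
    return ST_OK;
}

int main(void)
{
    uintptr_t buf = (uintptr_t)0x80001000u;    /* constructed, caller-chosen value */
    uint32_t info;
    printf("unknown pointer -> status %d\n", handle_query(IOCTL_QUERY, &buf, sizeof buf, 4, &info));
    buf = (uintptr_t)&g_adapters[0];
    printf("owned object    -> status %d\n", handle_query(IOCTL_QUERY, &buf, sizeof buf, 4, &info));
    return 0;
}
```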
