Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1310
HistoryFeb 22, 2001 - 12:00 a.m.

NT drivers are potentially vulnerable to format string bug

2001-02-2200:00:00
vulners.com
31
JSON

Many NT drivers are potentially vulnerable to "format string bug".
The problem is concerned with DbgPrint function that is used for debug
messages. Some drivers instead of directly call of this function use
additional intermediate functions. Those functions add a prefix to an
outputted string, resolve a string format and pass the final string to
DbgPrint. Note the DbgPrint also additionally resolves format
specifications. A typical intermediate function looks like this:

void DebugMessage(const char * format, …)
{
char buf[1024];
int outLen;
ULONG PrefLen;
va_list argptr;

 strcpy(buf, "DriverName: ");
 PrefLen = strlen(buf);
 va_start( argptr, format );
 outLen = _vsnprintf( buf+PrefLen, sizeof(buf)-PrefLen, format, argptr );
 va_end( argptr );
 DbgPrint(buf);

}

As you can see it looks like clean code. But since DbgPrint function
uses string format resolving the DebugMessage function is vulnerable.
So the following function call is vulnerable:

DebugMessage("MajorFunction = %d, filename = "%-*S\n",
CurrentLocation->MajorFunction, FileObject->FileName. Length,
FileObject->FileName.Buffer);

All drivers that use such technique and retain the debug messages in
the release build are potentially vulnerable to format string
behaviors. Unfortunately researching of this problem shows that many
drivers use it. For example, NuMega's DriverWorks has a potentially
vulnerable class KTrace. In consequence all drivers written with
DriverWorks KTrace class and debug messages in the release build are
potentially vulnerable. The isapnp.sys driver coming with Windows 2000
also use such technique.

The bug is highly dangerous because it can leads to a possible patch
of the kernel memory. You can download the example of an attack on the
vulnerability here: http://www.securewave.com/ on "Free downloads"
section. The example contains a simple vulnerable driver that calls
DebugMessage as described above and a small user mode program that
exploits a driver vulnerability to patch the kernel. The patch allows
bypass all the system security checks. Thus any user can gain full
access for any file, install and start drivers and so on.

Andrey Kolishak mailto:[email protected]

JSON