Home

Awesome

OpenVpn TAP Driver Pool Overflow

Credit

https://twitter.com/R00tkitSMM (firozimaysam@gmail.com) telegram username : https://telegram.me/firozi

this vulnerability is reported to OpenVpn.


successfully exploiting this vulnerability can help attacker to bypass driver singing enforcement in windows and Load Unsigned malicious Driver.


OpenVpn Tap Driver use NdisReadConfiguration for reading some Configuration from Registry. one of the obvious task before using any function, is you must read it's manual

NdisReadConfiguration manual

Note that NDIS does not validate values that a driver reads from the registry.
The caller of NdisReadConfiguration must therefore not make any assumptions about 
such values and must validate each value read from the registry.If the caller 
determines that a value is out of bounds, it should use a default value instead.

tap0901.sys (IDA-Pro output ) :

Keyword.Buffer = (PWSTR)"N";
NdisReadConfiguration(&Status, &ParameterValue, ConfigurationHandle, &Keyword, NdisParameterString);
if ( Status || (v2 = ParameterValue, ParameterValue->ParameterType != 2) )
{
  Status = -1073676267;
}
else
{
  v3 = ParameterValue->ParameterData.StringData.Length;
  *(_WORD *)(v1 + 32) = v3;
  v4 = *(_WORD *)(v1 + 32);
  *(_WORD *)(v1 + 34) = v3;
  *(_DWORD *)(v1 + 36) = v1 + 40;
  memcpy((void *)(v1 + 40), v2->ParameterData.StringData.Buffer, v4);

tap0901.sys read some config string from NetCfgInstanceId Value under

"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\00XX"

key 00XX is something like 0012, Then it copy this string to alocated Pool,without properley cheking the size of string.

so if we change NetCfgInstanceId just before driver call NdisReadConfiguration, We Write a string more than size of the Buffer in allocated Pool.

good news is this Pool point to "MiniportAdapterContext" buffer and i think we can overwrite something interesting to get code execution in Ring0 or just overwrite pool metadata

a773b1fa 6a02            push    2
a773b1fc 8d45e8          lea     eax,[ebp-18h]
a773b1ff 50              push    eax
a773b200 ff7508          push    dword ptr [ebp+8]
a773b203 8d45f0          lea     eax,[ebp-10h]
a773b206 50              push    eax
a773b207 8d45fc          lea     eax,[ebp-4]
a773b20a 50              push    eax
a773b20b c745eceee073a7  mov     dword ptr [ebp-14h],offset tap0901+0x40ee (a773e0ee)
a773b212 ffd7            call    edi ;NdisReadConfiguration
a773b214 395dfc          cmp     dword ptr [ebp-4],ebx
a773b217 754e            jne     tap0901+0x1267 (a773b267)
a773b219 8b4df0          mov     ecx,dword ptr [ebp-10h]
a773b21c 833902          cmp     dword ptr [ecx],2
a773b21f 7546            jne     tap0901+0x1267 (a773b267)
a773b221 0fb74104        movzx   eax,word ptr [ecx+4]
a773b225 66894620        mov     word ptr [esi+20h],ax
a773b229 0fb75620        movzx   edx,word ptr [esi+20h]
a773b22d 66894622        mov     word ptr [esi+22h],ax
a773b231 8d4628          lea     eax,[esi+28h]
a773b234 52              push    edx ; size of buffer
a773b235 894624          mov     dword ptr [esi+24h],eax ; source memory  
a773b238 ff7108          push    dword ptr [ecx+8]
a773b23b 50              push    eax ; Destination memory 
a773b23c e8092b0000      call    tap0901+0x3d4a (a773dd4a) ; memcpy

eax is Destination pool pointer ,edx is size of copy as you see pool size is 538 and it was less than number of bytes we write to it

3: kd> r
eax=83b45af8 ebx=00000000 ecx=83a8c7c4 edx=0000ffff esi=83b45ad0 edi=898ac5c9
eip=a773b23c esp=8a6c64c4 ebp=8a6c6518 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
tap0901+0x123c:
a773b23c e8092b0000      call    tap0901+0x3d4a (a773dd4a)
3: kd> !pool 83b45af8 
Pool page 83b45af8 region is Nonpaged pool
 83b45138 size:    8 previous size:    0  (Allocated)  Frag
 83b45140 size:  1b0 previous size:    8  (Free)       Free
 83b452f0 size:  208 previous size:  1b0  (Allocated)  Irp  Process: 856afd40
 83b454f8 size:  5d0 previous size:  208  (Allocated)  TapR
*83b45ac8 size:  538 previous size:  5d0  (Allocated) *TapA
	Owning component : Unknown (update pooltag.txt)

Usefull Breakpoints and outputs. NdisReadConfiguration lead to RtlQueryRegistryValues function.

2: kd> !handle 800009e0 

PROCESS 839ce020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 8a401b78  HandleCount: 529.
    Image: System

Kernel handle table at 8d94e000 with 529 entries in use

800009e0: Object: a7ba6a18  GrantedAccess: 000f003f Entry: 8caf63c0
Object: a7ba6a18  Type: (839e77f0) Key
    ObjectHeader: a7ba6a00 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012

2: kd> p
nt!RtlQueryRegistryValues+0x26d:
81832470 8944240c        mov     dword ptr [esp+0Ch],eax
2: kd> ln 1832470

BSOD output :

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 03851576, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 89a76e75, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  03851576 

CURRENT_IRQL:  2

FAULTING_IP: 
tcpip!TcpTcbHeaderSend+20f
89a76e75 668907          mov     word ptr [edi],ax

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  8078f778 -- (.trap 0xffffffff8078f778)
ErrCode = 00000002
eax=038524c0 ebx=83b4a268 ecx=ff578963 edx=00000024 esi=83aed008 edi=03851576
eip=89a76e75 esp=8078f7ec ebp=8078f8ac iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
tcpip!TcpTcbHeaderSend+0x20f:
89a76e75 668907          mov     word ptr [edi],ax        ds:0023:03851576=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 816e1195 to 8166ecf8

STACK_TEXT:  
8078f8ac 89a67201 83aed008 00000010 00000002 tcpip!TcpTcbHeaderSend+0x20f
8078f8e0 89a620dc 83aed008 00000000 00000000 tcpip!TcpAcceptFin+0x6c
8078f8f8 89a7336a 83aed008 8078fa58 83aed008 tcpip!TcpAllowFin+0x56
8078f978 89a825dc 84829f40 83aed008 8078f9a0 tcpip!TcpTcbCarefulDatagram+0x16d5
8078f9e4 89a828fc 84829f40 83aed008 0078fa58 tcpip!TcpTcbReceive+0x228
8078fa4c 89a71a80 84792588 84827080 848270f4 tcpip!TcpMatchReceive+0x237
8078fa9c 89a62e2e 84829f40 8482700c 00005000 tcpip!TcpPreValidatedReceive+0x263
8078fab0 89a89563 8078facc 00000007 00000007 tcpip!TcpNlClientReceivePreValidatedDatagrams+0x15
8078fad4 89a89a68 8078fae0 00000000 00000007 tcpip!IppDeliverPreValidatedListToProtocol+0x33
8078fb70 89aa5c44 8529f778 00000000 839d74c0 tcpip!IpFlcReceivePreValidatedPackets+0x437
8078fb98 81693624 85242410 2228e0f1 847d1418 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xfc
8078fc00 89aa5cee 89aa5b48 8078fc28 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132
8078fc3c 8989d18d 8529a002 85241400 00000000 tcpip!FlReceiveNetBufferListChain+0x7c
8078fc74 8988b670 8529b708 85241410 00000000 ndis!ndisMIndicateNetBufferListsToOpen+0x188
8078fc9c 8988b5e7 00000000 85241410 84a620e0 ndis!ndisIndicateSortedNetBufferLists+0x4a
8078fe18 89836ca5 84a620e0 00000000 00000000 ndis!ndisMDispatchReceiveNetBufferLists+0x129
8078fe34 8988ba2e 84a620e0 85241410 00000000 ndis!ndisMTopReceiveNetBufferLists+0x2d
8078fe5c 89836c1e 84a620e0 85241410 00000000 ndis!ndisMIndicateReceiveNetBufferListsInternal+0x62
8078fe84 8daf87f4 84a620e0 85241410 00000000 ndis!NdisMIndicateReceiveNetBufferLists+0x52
8078fecc 8daf777e 00000000 85255e38 00000001 E1G60I32!RxProcessReceiveInterrupts+0x108
8078fee4 8988b309 01d11008 00000000 8078ff10 E1G60I32!E1000HandleInterrupt+0x80
8078ff20 898369f4 85255e4c 00255e38 00000000 ndis!ndisMiniportDpc+0xe2
8078ff48 8166b9f5 85255e4c 85255e38 00000000 ndis!ndisInterruptDpc+0xaf
8078ffa4 8166b858 8172dd20 839d74c0 00000000 nt!KiExecuteAllDpcs+0xf9
8078fff4 8166b01c 8a6be874 00000000 00000000 nt!KiRetireDpcList+0xd5
8078fff8 8a6be874 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c
WARNING: Frame IP not in any known module. Following frames may be wrong.
8166b01c 00000000 0000001a 00d6850f bb830000 0x8a6be874


STACK_COMMAND:  .trap 0xffffffff8078f778 ; kb

FOLLOWUP_IP: 
E1G60I32!RxProcessReceiveInterrupts+108
8daf87f4 8b45e8          mov     eax,dword ptr [ebp-18h]

SYMBOL_STACK_INDEX:  13

SYMBOL_NAME:  E1G60I32!RxProcessReceiveInterrupts+108

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: E1G60I32

IMAGE_NAME:  E1G60I32.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  483de743

FAILURE_BUCKET_ID:  0xD1_E1G60I32!RxProcessReceiveInterrupts+108

BUCKET_ID:  0xD1_E1G60I32!RxProcessReceiveInterrupts+108

Followup: MachineOwner
---------