
Kingsoft Internet Security 9+ Null Pointer Dereference

Posted Mar 30, 2018
Authored by Arjun Basnet

Kingsoft Internet Security 9+ suffers from a denial of service vulnerability.

tags | advisory, denial of service
SHA-256 | 910af9004d7da7e4f6e3f759dbf7114e87cecb39d09afc808493289caa619d3b

*****[ White Team Security (WTS) Security Advisory- ADV-01-03-2018 ]*****



Kingsoft Internet Security 9+ - Null Pointer Dereference in Kernel Driver KWatch3.sys

--------------------------------------------------------------------------------------------------------------

Author:

- Arjun Basnet from White Team Security (WTS) Research Team



*****[ Table of Contents ]*****



* Overview

* Detailed description

* Vulnerable IOCTL

* Timeline of disclosure



*****[ Overview]*****



* System affected : Kingsoft Internet Security 9+

* Software Version : 2010.06.23.247

* Impact : Allows an authorized but non-privileged local user to execute arbitrary code, which causes a denial of service.



*****[ Detailed description]*****



A null pointer dereference bug in the function called ObReferenceObjectByHandle in the Kingsoft Internet Security 9+ kernel driver KWatch3.sys allows local non-privileged users to crash the system. Bugcheck details are below.

------------------------------------------



*****[Vulnerable IOCTL]*****

0x80030030
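
The control code above can be split into its CTL_CODE fields to see how the request reaches the driver. This is an added example, not code from the advisory or the vendor; the helper names (decode_ioctl, reachable_with_any_handle) are hypothetical, and the second sample code in the comments is constructed for contrast.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0] */
typedef struct {
    uint32_t device_type; /* >= 0x8000 is the vendor-defined range */
    uint32_t access;      /* rights the I/O manager requires on the handle */
    uint32_t function;    /* driver-specific operation number */
    uint32_t method;      /* how buffers are passed to the driver */
} ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

static const char *method_name(uint32_t m) {
    static const char *n[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                               "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return n[m & 3u];
}

static const char *access_name(uint32_t a) {
    static const char *n[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                               "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return n[a & 3u];
}

/* Audit check: FILE_ANY_ACCESS means the I/O manager dispatches the request
 * for any open handle, so the handler is the only place input is validated. */
static int reachable_with_any_handle(uint32_t code) {
    return decode_ioctl(code).access == 0u;
}

int main(void) {
    const uint32_t code = 0x80030030u; /* IOCTL listed in the advisory */
    ioctl_fields f = decode_ioctl(code);
    printf("device=0x%04X function=0x%03X %s %s any_handle=%d\n",
           (unsigned)f.device_type, (unsigned)f.function,
           access_name(f.access), method_name(f.method),
           reachable_with_any_handle(code));
    /* Constructed contrast: 0x0022A003 decodes to FILE_WRITE_ACCESS, METHOD_NEITHER */
    return 0;
}
```

The access field decodes to FILE_ANY_ACCESS, so no read or write right on the device handle is needed to send this request, which is consistent with the non-privileged local user named in the overview.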



*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************



Unknown bugcheck code (0)

Unknown bugcheck description

Arguments:

Arg1: 00000000

Arg2: 00000000

Arg3: 00000000

Arg4: 00000000



Debugging Details:

------------------



*** WARNING: Unable to verify checksum for Kernel_Driver_Fuzzer.exe

*** ERROR: Module load completed but symbols could not be loaded for Kernel_Driver_Fuzzer.exe



DUMP_CLASS: 1



DUMP_QUALIFIER: 0



BUILD_VERSION_STRING: 7601.17514.x86fre.win7sp1_rtm.101119-1850



DUMP_TYPE: 0



BUGCHECK_P1: 0



BUGCHECK_P2: 0



BUGCHECK_P3: 0



BUGCHECK_P4: 0



PROCESS_NAME: Kernel_Driver_Fuzzer.exe



FAULTING_IP:

KWatch3+1931

9813a931 8b3f mov edi,dword ptr [edi]



ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.



EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.



EXCEPTION_CODE_STR: c0000005



EXCEPTION_PARAMETER1: 00000000



EXCEPTION_PARAMETER2: 00000000



FOLLOWUP_IP:

KWatch3+1931

9813a931 8b3f mov edi,dword ptr [edi]



BUGCHECK_STR: ACCESS_VIOLATION



READ_ADDRESS: 00000000



DEFAULT_BUCKET_ID: NULL_DEREFERENCE



CPU_COUNT: 1



CPU_MHZ: 891



CPU_VENDOR: GenuineIntel



CPU_FAMILY: 6



CPU_MODEL: 3d



CPU_STEPPING: 4



CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 0'00000000 (cache) 0'00000000 (init)



CURRENT_IRQL: 0



ANALYSIS_SESSION_HOST: CSW-4001



ANALYSIS_SESSION_TIME: 03-18-2018 20:00:35.0429



ANALYSIS_VERSION: 10.0.16299.15 x86fre



LAST_CONTROL_TRANSFER: from 82957294 to 9813a931



STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.

a6a62ab8 82957294 00000000 a6a62ad8 82a3a77c KWatch3+0x1931

a6a62ac4 82a3a77c 0000001c 85a0fd48 a6a62bac nt!ExFreePoolWithTag+0x7f7

a6a62ad8 82a3a57e 0000001c 85a0fd01 001afcf0 nt!ExMapHandleToPointerEx+0x1c

a6a62b14 82a439d5 85a404c0 859823b8 85982428 nt!ObReferenceObjectByHandleWithTag+0xf6

a6a62b34 82a45dc8 869e42f0 85a404c0 00000000 nt!IopSynchronousServiceTail+0x1f8

a6a62bd0 82a4cd9d 869e42f0 859823b8 00000000 nt!IopXxxControlFile+0x6aa

a6a62c04 8287387a 0000001c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

a6a62c04 76e770b4 0000001c 00000000 00000000 nt!KiFastCallEntry+0x12a

0019fac0 76e75864 7514989d 0000001c 00000000 ntdll!KiFastSystemCallRet

0019fac4 7514989d 0000001c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc

0019fb24 763da671 0000001c 80030030 001afcf0 KERNELBASE!DeviceIoControl+0xf6

0019fb50 00022f3e 0000001c 80030030 001afcf0 kernel32!DeviceIoControlImplementation+0x80

001dfcf8 0002518c 00000008 0020fe10 0020fe78 Kernel_Driver_Fuzzer+0x2f3e

001dfd40 763e3c45 7ffdf000 001dfd8c 76e937f5 Kernel_Driver_Fuzzer+0x518c

001dfd4c 76e937f5 7ffdf000 7649f14a 00000000 kernel32!BaseThreadInitThunk+0xe

001dfd8c 76e937c8 00025209 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70

001dfda4 00000000 00025209 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b





THREAD_SHA1_HASH_MOD_FUNC: e4be6252f97078994190e4adbba1a96f58895f14



THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 39866b2768c179268382e715ed5e95956f1b3a0b



THREAD_SHA1_HASH_MOD: 1092ff199f12a636b612ec3d1a4db2ddc045b337



FAULT_INSTR_CODE: ff853f8b



SYMBOL_STACK_INDEX: 0



SYMBOL_NAME: KWatch3+1931



FOLLOWUP_NAME: MachineOwner



MODULE_NAME: KWatch3



IMAGE_NAME: KWatch3.sys



DEBUG_FLR_IMAGE_TIMESTAMP: 49bef736



STACK_COMMAND: .thread ; .cxr ; kb



FAILURE_BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931



BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931



PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_KWatch3+1931



TARGET_TIME: 2018-03-18T15:58:49.000Z



OSBUILD: 7601



OSSERVICEPACK: 1000



SERVICEPACK_NUMBER: 0



OS_REVISION: 0



SUITE_MASK: 272



PRODUCT_TYPE: 1



OSPLATFORM_TYPE: x86



OSNAME: Windows 7



OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS



OS_LOCALE:



USER_LCID: 0



OSBUILD_TIMESTAMP: 2010-11-20 12:42:46



BUILDDATESTAMP_STR: 101119-1850



BUILDLAB_STR: win7sp1_rtm



BUILDOSVER_STR: 6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850



ANALYSIS_SESSION_ELAPSED_TIME: 40c8



ANALYSIS_SOURCE: KM



FAILURE_ID_HASH_STRING: km:access_violation_kwatch3+1931



FAILURE_ID_HASH: {e9cfce9f-7931-ad9e-e258-dbb277ebe372}



Followup: MachineOwner

---------





*****[ Timeline of disclosure]*****



23/03/2018 - Vendor was informed of the vulnerability. No response; tried multiple times to reach out.

30/03/2018 - Released publicly.



Regards,

WTS Research Team

rnd@whiteteamsec.com













