*****[ White Team Security (WTS) Security Advisory- ADV-01-03-2018 ]***** Kingsoft Internet Security 9+ - Null Pointer Deference Kernel Driver KWatch3.sys -------------------------------------------------------------------------------------------------------------- Author: - Arjun Basnet from White Team Security (WTS) Research Team *****[ Table of Contents ]***** * Overview * Detailed description * Vulnerable IOCTL * Timeline of disclosure *****[ Overview]***** * System affected : Kingsoft Internet Security 9+ * Software Version : 2010.06.23.247 * Impact : Allow an authorized but non-privileged local user to execute arbitrary code which cause denial of service. *****[ Detailed description]***** Null Pointer deference bug in the function called ObReferenceObjectByHandle in Kingsoft Internet Security 9+ kernel driver KWatch3.sys allows local non-privilege users to crash the system. Bugcheck details below ------------------------------------------ *****[Vulnerable IOCTL]***** 0x80030030 ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Unknown bugcheck code (0) Unknown bugcheck description Arguments: Arg1: 00000000 Arg2: 00000000 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ *** WARNING: Unable to verify checksum for Kernel_Driver_Fuzzer.exe *** ERROR: Module load completed but symbols could not be loaded for Kernel_Driver_Fuzzer.exe DUMP_CLASS: 1 DUMP_QUALIFIER: 0 BUILD_VERSION_STRING: 7601.17514.x86fre.win7sp1_rtm.101119-1850 DUMP_TYPE: 0 BUGCHECK_P1: 0 BUGCHECK_P2: 0 BUGCHECK_P3: 0 BUGCHECK_P4: 0 PROCESS_NAME: Kernel_Driver_Fuzzer.exe FAULTING_IP: KWatch3+1931 9813a931 8b3f mov edi,dword ptr [edi] ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE_STR: c0000005 EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000000 FOLLOWUP_IP: KWatch3+1931 9813a931 8b3f mov edi,dword ptr [edi] BUGCHECK_STR: ACCESS_VIOLATION READ_ADDRESS: 00000000 DEFAULT_BUCKET_ID: NULL_DEREFERENCE CPU_COUNT: 1 CPU_MHZ: 891 CPU_VENDOR: GenuineIntel CPU_FAMILY: 6 CPU_MODEL: 3d CPU_STEPPING: 4 CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 0'00000000 (cache) 0'00000000 (init) CURRENT_IRQL: 0 ANALYSIS_SESSION_HOST: CSW-4001 ANALYSIS_SESSION_TIME: 03-18-2018 20:00:35.0429 ANALYSIS_VERSION: 10.0.16299.15 x86fre LAST_CONTROL_TRANSFER: from 82957294 to 9813a931 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. a6a62ab8 82957294 00000000 a6a62ad8 82a3a77c KWatch3+0x1931 a6a62ac4 82a3a77c 0000001c 85a0fd48 a6a62bac nt!ExFreePoolWithTag+0x7f7 a6a62ad8 82a3a57e 0000001c 85a0fd01 001afcf0 nt!ExMapHandleToPointerEx+0x1c a6a62b14 82a439d5 85a404c0 859823b8 85982428 nt!ObReferenceObjectByHandleWithTag+0xf6 a6a62b34 82a45dc8 869e42f0 85a404c0 00000000 nt!IopSynchronousServiceTail+0x1f8 a6a62bd0 82a4cd9d 869e42f0 859823b8 00000000 nt!IopXxxControlFile+0x6aa a6a62c04 8287387a 0000001c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a a6a62c04 76e770b4 0000001c 00000000 00000000 nt!KiFastCallEntry+0x12a 0019fac0 76e75864 7514989d 0000001c 00000000 ntdll!KiFastSystemCallRet 0019fac4 7514989d 0000001c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc 0019fb24 763da671 0000001c 80030030 001afcf0 KERNELBASE!DeviceIoControl+0xf6 0019fb50 00022f3e 0000001c 80030030 001afcf0 kernel32!DeviceIoControlImplementation+0x80 001dfcf8 0002518c 00000008 0020fe10 0020fe78 Kernel_Driver_Fuzzer+0x2f3e 001dfd40 763e3c45 7ffdf000 001dfd8c 76e937f5 Kernel_Driver_Fuzzer+0x518c 001dfd4c 76e937f5 7ffdf000 7649f14a 00000000 kernel32!BaseThreadInitThunk+0xe 001dfd8c 76e937c8 00025209 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70 001dfda4 00000000 00025209 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b THREAD_SHA1_HASH_MOD_FUNC: e4be6252f97078994190e4adbba1a96f58895f14 THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 39866b2768c179268382e715ed5e95956f1b3a0b THREAD_SHA1_HASH_MOD: 1092ff199f12a636b612ec3d1a4db2ddc045b337 FAULT_INSTR_CODE: ff853f8b SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: KWatch3+1931 FOLLOWUP_NAME: MachineOwner MODULE_NAME: KWatch3 IMAGE_NAME: KWatch3.sys DEBUG_FLR_IMAGE_TIMESTAMP: 49bef736 STACK_COMMAND: .thread ; .cxr ; kb FAILURE_BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931 BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931 PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_KWatch3+1931 TARGET_TIME: 2018-03-18T15:58:49.000Z OSBUILD: 7601 OSSERVICEPACK: 1000 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 SUITE_MASK: 272 PRODUCT_TYPE: 1 OSPLATFORM_TYPE: x86 OSNAME: Windows 7 OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS OS_LOCALE: USER_LCID: 0 OSBUILD_TIMESTAMP: 2010-11-20 12:42:46 BUILDDATESTAMP_STR: 101119-1850 BUILDLAB_STR: win7sp1_rtm BUILDOSVER_STR: 6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850 ANALYSIS_SESSION_ELAPSED_TIME: 40c8 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:access_violation_kwatch3+1931 FAILURE_ID_HASH: {e9cfce9f-7931-ad9e-e258-dbb277ebe372} Followup: MachineOwner --------- *****[ Timeline of disclosure]***** 23/03/2018 - Vendor was informed of the vulnerability. No response tried multiple times to reach out. 30/03/2018 - Release in Public Regards, WTS Research Team rnd@whiteteamsec.com