Kingsoft Internet Security 9+ Null Pointer Dereference

Kingsoft Internet Security 9+ suffers from a denial of service vulnerability.


MD5 | 6cf0f45d53867f39a856713cfb7542d9

*****[ White Team Security (WTS) Security Advisory- ADV-01-03-2018 ]*****



Kingsoft Internet Security 9+ - Null Pointer Deference Kernel Driver KWatch3.sys

--------------------------------------------------------------------------------------------------------------

Author:

- Arjun Basnet from White Team Security (WTS) Research Team



*****[ Table of Contents ]*****



* Overview

* Detailed description

* Vulnerable IOCTL

* Timeline of disclosure



*****[ Overview]*****



* System affected : Kingsoft Internet Security 9+

* Software Version : 2010.06.23.247

* Impact : Allow an authorized but non-privileged local user to execute arbitrary code which cause denial of service.



*****[ Detailed description]*****



Null Pointer deference bug in the function called ObReferenceObjectByHandle in Kingsoft Internet Security 9+ kernel driver KWatch3.sys allows local non-privilege users to

crash the system. Bugcheck details below

------------------------------------------



*****[Vulnerable IOCTL]*****

0x80030030



*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************



Unknown bugcheck code (0)

Unknown bugcheck description

Arguments:

Arg1: 00000000

Arg2: 00000000

Arg3: 00000000

Arg4: 00000000



Debugging Details:

------------------



*** WARNING: Unable to verify checksum for Kernel_Driver_Fuzzer.exe

*** ERROR: Module load completed but symbols could not be loaded for Kernel_Driver_Fuzzer.exe



DUMP_CLASS: 1



DUMP_QUALIFIER: 0



BUILD_VERSION_STRING: 7601.17514.x86fre.win7sp1_rtm.101119-1850



DUMP_TYPE: 0



BUGCHECK_P1: 0



BUGCHECK_P2: 0



BUGCHECK_P3: 0



BUGCHECK_P4: 0



PROCESS_NAME: Kernel_Driver_Fuzzer.exe



FAULTING_IP:

KWatch3+1931

9813a931 8b3f mov edi,dword ptr [edi]



ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.



EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.



EXCEPTION_CODE_STR: c0000005



EXCEPTION_PARAMETER1: 00000000



EXCEPTION_PARAMETER2: 00000000



FOLLOWUP_IP:

KWatch3+1931

9813a931 8b3f mov edi,dword ptr [edi]



BUGCHECK_STR: ACCESS_VIOLATION



READ_ADDRESS: 00000000



DEFAULT_BUCKET_ID: NULL_DEREFERENCE



CPU_COUNT: 1



CPU_MHZ: 891



CPU_VENDOR: GenuineIntel



CPU_FAMILY: 6



CPU_MODEL: 3d



CPU_STEPPING: 4



CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 0'00000000 (cache) 0'00000000 (init)



CURRENT_IRQL: 0



ANALYSIS_SESSION_HOST: CSW-4001



ANALYSIS_SESSION_TIME: 03-18-2018 20:00:35.0429



ANALYSIS_VERSION: 10.0.16299.15 x86fre



LAST_CONTROL_TRANSFER: from 82957294 to 9813a931



STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.

a6a62ab8 82957294 00000000 a6a62ad8 82a3a77c KWatch3+0x1931

a6a62ac4 82a3a77c 0000001c 85a0fd48 a6a62bac nt!ExFreePoolWithTag+0x7f7

a6a62ad8 82a3a57e 0000001c 85a0fd01 001afcf0 nt!ExMapHandleToPointerEx+0x1c

a6a62b14 82a439d5 85a404c0 859823b8 85982428 nt!ObReferenceObjectByHandleWithTag+0xf6

a6a62b34 82a45dc8 869e42f0 85a404c0 00000000 nt!IopSynchronousServiceTail+0x1f8

a6a62bd0 82a4cd9d 869e42f0 859823b8 00000000 nt!IopXxxControlFile+0x6aa

a6a62c04 8287387a 0000001c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

a6a62c04 76e770b4 0000001c 00000000 00000000 nt!KiFastCallEntry+0x12a

0019fac0 76e75864 7514989d 0000001c 00000000 ntdll!KiFastSystemCallRet

0019fac4 7514989d 0000001c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc

0019fb24 763da671 0000001c 80030030 001afcf0 KERNELBASE!DeviceIoControl+0xf6

0019fb50 00022f3e 0000001c 80030030 001afcf0 kernel32!DeviceIoControlImplementation+0x80

001dfcf8 0002518c 00000008 0020fe10 0020fe78 Kernel_Driver_Fuzzer+0x2f3e

001dfd40 763e3c45 7ffdf000 001dfd8c 76e937f5 Kernel_Driver_Fuzzer+0x518c

001dfd4c 76e937f5 7ffdf000 7649f14a 00000000 kernel32!BaseThreadInitThunk+0xe

001dfd8c 76e937c8 00025209 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70

001dfda4 00000000 00025209 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b





THREAD_SHA1_HASH_MOD_FUNC: e4be6252f97078994190e4adbba1a96f58895f14



THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 39866b2768c179268382e715ed5e95956f1b3a0b



THREAD_SHA1_HASH_MOD: 1092ff199f12a636b612ec3d1a4db2ddc045b337



FAULT_INSTR_CODE: ff853f8b



SYMBOL_STACK_INDEX: 0



SYMBOL_NAME: KWatch3+1931



FOLLOWUP_NAME: MachineOwner



MODULE_NAME: KWatch3



IMAGE_NAME: KWatch3.sys



DEBUG_FLR_IMAGE_TIMESTAMP: 49bef736



STACK_COMMAND: .thread ; .cxr ; kb



FAILURE_BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931



BUCKET_ID: ACCESS_VIOLATION_KWatch3+1931



PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_KWatch3+1931



TARGET_TIME: 2018-03-18T15:58:49.000Z



OSBUILD: 7601



OSSERVICEPACK: 1000



SERVICEPACK_NUMBER: 0



OS_REVISION: 0



SUITE_MASK: 272



PRODUCT_TYPE: 1



OSPLATFORM_TYPE: x86



OSNAME: Windows 7



OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS



OS_LOCALE:



USER_LCID: 0



OSBUILD_TIMESTAMP: 2010-11-20 12:42:46



BUILDDATESTAMP_STR: 101119-1850



BUILDLAB_STR: win7sp1_rtm



BUILDOSVER_STR: 6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850



ANALYSIS_SESSION_ELAPSED_TIME: 40c8



ANALYSIS_SOURCE: KM



FAILURE_ID_HASH_STRING: km:access_violation_kwatch3+1931



FAILURE_ID_HASH: {e9cfce9f-7931-ad9e-e258-dbb277ebe372}



Followup: MachineOwner

---------





*****[ Timeline of disclosure]*****



23/03/2018 - Vendor was informed of the vulnerability. No response tried multiple times to reach out.

30/03/2018 - Release in Public



Regards,

WTS Research Team

[email protected]















Related Posts