Tuesday, February 9, 2016

Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys)

OS-S Security Advisory 2016-02-08
Prolific Ser2co64.sys Stack Buffer Overflow

Date: December 23rd, 2015
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: Not assigned yet
CVSS: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Title: Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys)
Severity: Critical. The OS halts (BSOD). Arbitrary code execution probable.
Ease of Exploitation: Trivial
Vulnerability Type: Stack Buffer Overflow
Products: Windows 7 / 8 / 10 Ser2co64.sys driver
Vendor: Prolific Technology Inc.
Vendor contacted: December 23rd, 2016
PDF Advisory: https://os-s.net/advisories/oss-advisory-2016-04.pdf

Abstract:
The ser2co64.sys driver is vulnerable to a stack buffer overflow. If a malicious
USB device is presented, the buffer overflow occurs. This driver is digitally
signed by Microsoft and provided via Windows Update.

Detailed product description:
We confirmed the bug on the following systems:
•       Microsoft Windows 7 (x86-64)
•       Microsoft Windows 8 (x86-64)
•       Microsoft Windows 10 (x86-64)

Ser2co64.sys driver:
-       Name:                           USB-to Serial Cable Driver
-       Version:                        3.3.0.1
-       Original filename:              SER2PL.SYS

Description:
The bug was found using the USB fuzzing framework vUSBf by Sergej Schumilo
(github.com/schumilo), using the following device descriptor:

[*] Device-Descriptor
  bLength:                      0x12
  bDescriptorType:              0x1
  bcdUSB:                       0x200
  bDeviceClass:                 0x1
  bDeviceSubClass:              0x0
  bDeviceProtocol:              0x0
  bMaxPacketSize:               0x40
  idVendor:                     0x50d
  idProduct:                    0x257
  bcdDevice:                    0x100
  iManufacturer:                0x1
  iProduct:                     0x2
  iSerialNumbers:               0x3
  bNumConfigurations:           0x1
        [*] Configuration-Descriptor
          bLength:                      0x9
          bDescriptorType:              0x2
          wTotalLength:                 0x27
          bNumInterfaces:               0x1
          bConfigurationValue:          0x1
          iConfiguration:               0x0
          bmAttributes:                 0x0
          bMaxPower:                    0x31
                [*] Interface-Descriptor
                  bLength:                      0x9
                  bDescriptorType:              0x4
                  bInterfaceNumber:             0x0
                  bAlternateSetting:            0x0
                  bNumEndpoints:                0x3
                  bInterfaceClass:              0x1
                  bInterfaceSubClass:           0x0
                  bInterfaceProtocol:           0x0
                        [*] Endpoint-Descriptor:
                          bLength:              0x7
                          bDescriptorType:      0x5
                          bEndpointAddress:     0x81
                          bmAttribut:           0x3
                          wMaxPacketSize:       0x404
                          bInterval:            0xc
                        [*] Endpoint-Descriptor:
                          bLength:              0x7
                          bDescriptorType:      0x5
                          bEndpointAddress:     0x1
                          bmAttribut:           0x2
                          wMaxPacketSize:       0x4
                          bInterval:            0xc
                        [*] Endpoint-Descriptor:
                          bLength:              0x7
                          bDescriptorType:      0x5
                          bEndpointAddress:     0x82
                          bmAttribut:           0x1
                          wMaxPacketSize:       0x4
                          bInterval:            0xc

[*] String-Descriptor (StringIndex: 0,1,2,3,4)
  bLength:                      0xc8
  bDescriptorType:              0x3
  stringData:                   0x41 x 198

We were able to establish the underlying cause of this crash. As shown in the
WinDbg report, a stack buffer overflow occurs when a malicious USB device is
presented, due to incorrect usage of the WDF function
WdfUSBTargetDeviceQueryString. The "NumCharacters" argument specifies the
number of characters that the supplied buffer can hold. The ser2co64.sys
driver passes the argument 0x40, which happens to be the size in bytes of the
defined buffer. Unfortunately, the "NumCharacters" argument expects the number
of Unicode characters, which are 2 bytes rather than 1 byte per character in
size, so the framework may write up to 64 characters * 2 bytes = 128 bytes
into the 64-byte buffer. This incorrect usage leads to a possible buffer
overflow. Any string bLength value greater than 64 for the requested
StringIndex 1 or 2 results in a crash of the OS (BSOD).

If the stack-canary secret is obtained at runtime, this bug allows arbitrary
code execution by connecting a crafted USB device. In that case, this
vulnerability impacts confidentiality, integrity, and availability.

...
000000000001b467         mov        al, byte [ds:rbx+bDeviceClass]
000000000001b46d         lea        edi, dword [ds:rsi+0x40]                    ; NumCharacters
000000000001b470         cmp        al, 0x2
000000000001b472         jne        0x1b47c
...

...
000000000001b4c8         mov        rdx, qword [ds:rbx+Request]
000000000001b4cf         mov        rcx, qword [ds:UsbDevice]
000000000001b4d6         mov        word [ss:rsp+var_80], 0x409                 ; LangID
000000000001b4dd         lea        rax, qword [ss:rsp+NumCharactes]
000000000001b4e2         mov        byte [ss:rsp+var_88], 0x2                   ; StringIndex (2)
000000000001b4e7         mov        qword [ss:rsp+var_90], rax
000000000001b4ec         lea        rax, qword [ss:rsp+buffer_64b]              ; String
000000000001b4f1         xor        r9d, r9d
000000000001b4f4         xor        r8d, r8d
000000000001b4f7         mov        qword [ss:rsp+var_98], rax
000000000001b4fc         call       qword [ds:WdfUSBTargetDeviceQueryString]   ; incorrect usage
...

...
000000000001b552         mov        byte [ss:rsp+var_88], bpl                   ; StringIndex (1)
000000000001b557         mov        qword [ss:rsp+var_90], rax
000000000001b55c         lea        rax, qword [ss:rsp+buffer_64b]              ; String
000000000001b561         xor        r9d, r9d
000000000001b564         xor        r8d, r8d
000000000001b567         mov        qword [ss:rsp+var_98], rax
000000000001b56c         call       qword [ds:WdfUSBTargetDeviceQueryString]   ; incorrect usage
...
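The following C model is an added example, not code from the advisory or from the Prolific driver. It reproduces the arithmetic of the bug shown above: the driver passes NumCharacters = 0x40 (the buffer's size in bytes) where WdfUSBTargetDeviceQueryString expects a count of 2-byte characters, so the framework may copy 128 bytes into the 64-byte stack buffer (buffer_64b). The copy model (min(NumCharacters, characters in the descriptor) * 2 bytes), the function names and the constructed string descriptor are assumptions; no WDF call is made.

```c
/* Added example (not from the advisory or the Prolific driver). Models the
 * NumCharacters misuse: the argument counts 2-byte characters, not bytes.
 * Simplified copy model: min(NumCharacters, chars in descriptor) * 2 bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STRING_BUF_BYTES 0x40   /* size of the driver's local stack buffer */

/* Build the string descriptor the fuzzer presented (constructed here):
 * bLength 0xc8, bDescriptorType 0x03, then 198 bytes of 0x41. */
size_t build_fuzz_descriptor(uint8_t *out, size_t cap)
{
    if (cap < 0xc8)
        return 0;
    out[0] = 0xc8;
    out[1] = 0x03;
    memset(out + 2, 0x41, 0xc8 - 2);
    return 0xc8;
}

/* UTF-16 code units in a string descriptor: bLength includes the 2-byte
 * header, so the payload is bLength - 2 bytes. Malformed input counts as 0. */
size_t string_descriptor_chars(const uint8_t *desc, size_t len)
{
    if (len < 2 || desc[1] != 0x03 || desc[0] < 2 || (size_t)desc[0] > len)
        return 0;
    return (desc[0] - 2) / 2;
}

/* Bytes the framework would copy into String for a given NumCharacters. */
size_t bytes_written(size_t num_characters, size_t desc_chars)
{
    size_t n = num_characters < desc_chars ? num_characters : desc_chars;
    return n * sizeof(uint16_t);
}

/* Vulnerable: the byte size of the buffer is passed as a character count. */
size_t vulnerable_num_characters(void) { return STRING_BUF_BYTES; }

/* Fixed: character count = byte size / sizeof(WCHAR) = 0x20. */
size_t fixed_num_characters(void) { return STRING_BUF_BYTES / sizeof(uint16_t); }

/* 1 if the copy for this NumCharacters stays inside the 64-byte buffer. */
int copy_fits(size_t num_characters)
{
    uint8_t desc[0xc8];
    size_t len = build_fuzz_descriptor(desc, sizeof desc);
    return bytes_written(num_characters, string_descriptor_chars(desc, len))
           <= STRING_BUF_BYTES;
}
```

With the fuzzer's 0xc8-byte descriptor (99 characters), the vulnerable count lets 128 bytes reach the buffer while the corrected count caps the copy at 64 bytes.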

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware emulates the defective USB device and triggers the buffer overflow
(DoS). All Microsoft Windows versions tested automatically download and
install the ser2co64.sys driver.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3.

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.

Vendor Communication
We contacted Prolific and Microsoft on December 23rd, 2015.
We have not received any response yet. In accordance with our Responsible
Disclosure Policy, we publish this Security Advisory.

WinDbg Report:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 0000f80128ad0290, Actual security check cookie from the stack
Arg2: 0000f80128ad3673, Expected security check cookie
Arg3: ffff07fed752c98c, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING:  10586.0.amd64fre.th2_release.151029-1700
SYSTEM_MANUFACTURER:  Gigabyte Technology Co., Ltd.
SYSTEM_PRODUCT_NAME:  GA-MA74GM-S2H
BIOS_VENDOR:  Award Software International, Inc.
BIOS_VERSION:  F2
BIOS_DATE:  12/31/2008
BASEBOARD_MANUFACTURER:  Gigabyte Technology Co., Ltd.
BASEBOARD_PRODUCT:  GA-MA74GM-S2H
BASEBOARD_VERSION:  x.x
DUMP_TYPE:  1
BUGCHECK_P1: f80128ad0290
BUGCHECK_P2: f80128ad3673
BUGCHECK_P3: ffff07fed752c98c
BUGCHECK_P4: 0
SECURITY_COOKIE:  Expected 0000f80128ad3673 found 0000f80128ad0290
CPU_COUNT: 2
CPU_MHZ: bbe
CPU_VENDOR:  AuthenticAMD
CPU_FAMILY: f
CPU_MODEL: 43
CPU_STEPPING: 3
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
BUGCHECK_STR:  0xF7
PROCESS_NAME:  System
CURRENT_IRQL:  0
ANALYSIS_SESSION_HOST:  DESKTOP-68IENUU
ANALYSIS_SESSION_TIME:  12-17-2015 07:16:05.0688
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
LOCK_ADDRESS:  fffff800e630b420 -- (!locks fffff800e630b420)

Resource @ nt!PiEngineLock (0xfffff800e630b420)    Exclusively owned
                Contention Count = 120
                NumberOfExclusiveWaiters = 1
                 Threads: ffffe000461cb040-01<*>
                 Threads Waiting On Exclusive Access:
                                                        ffffe0004557b040

1 total locks, 1 locks currently held

PNP_TRIAGE:
        Lock address  : 0xfffff800e630b420
        Thread Count  : 1
        Thread address: 0xffffe000461cb040
        Thread wait   : 0x777a

LAST_CONTROL_TRANSFER:  from fffff80128acd0be to fffff800e6155f80

STACK_TEXT:
ffffd001`55390248 fffff801`28acd0be : 00000000`000000f7 0000f801`28ad0290 0000f801`28ad3673 ffff07fe`d752c98c : nt!KeBugCheckEx
ffffd001`55390250 fffff801`28acb67e : fffff801`28ad1f10 00000000`00000001 fffff801`28ad1ef0 00000000`00000000 : ser2co64+0xd0be
ffffd001`55390290 fffff801`28ad8cb5 : ffffe000`46f8b970 ffffe000`46f8bc60 00000000`00000002 00000000`00000000 : ser2co64+0xb67e
ffffd001`55390350 fffff801`25eb5dc2 : ffffe000`47b3b2a0 00000000`00000004 00000000`00000000 ffffe000`47b3b2a0 : ser2co64+0x18cb5
ffffd001`55390390 fffff801`25ecfbd9 : ffffe000`4652fc50 ffffe000`4652fc50 00000000`00000000 00000000`00000000 : Wdf01000!FxPkgPnp::PnpPrepareHardware+0xc2 [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 3571]
ffffd001`553903d0 fffff801`25eb5ff9 : ffffe000`47b3b201 ffffe000`47b3b2a0 00000000`00000108 fffff801`25f35eb0 : Wdf01000!FxPkgPnp::PnpEventHardwareAvailable+0x69 [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1396]
ffffd001`55390410 fffff801`25eb3cdf : ffffe000`47b3b3f8 ffffd001`00000000 00000000`00000000 00000000`00000000 : Wdf01000!FxPkgPnp::PnpProcessEventInner+0x1c9 [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1150]
ffffd001`553904c0 fffff801`25eb28be : 00000000`00000000 ffffe000`47b3b2a0 ffffe000`4652fc50 00000000`00000000 : Wdf01000!FxPkgPnp::PnpProcessEvent+0x1ef [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 933]
ffffd001`55390560 fffff801`25eadff2 : ffffe000`47b3b2a0 ffffd001`553906c0 00000000`00000000 ffffe000`46f8b970 : Wdf01000!FxPkgPnp::_PnpStartDevice+0x1e [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 1845]
ffffd001`55390590 fffff801`25ea11b1 : ffffe000`481d1c10 ffffe000`46f8b970 00000000`00000000 ffffd001`55390710 : Wdf01000!FxPkgPnp::Dispatch+0xb2 [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 654]
ffffd001`55390600 fffff801`27b575e4 : ffffd001`553906c0 00000000`00000000 00000000`00000000 00000000`00000000 : Wdf01000!FxDevice::DispatchWithLock+0x111 [d:\th\minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1402]
ffffd001`55390660 fffff801`27b5722c : ffffe000`481d1c10 ffffe000`4652fc50 ffffe000`458f7270 00000000`00000200 : serenum!Serenum_FDO_PnP+0x3a4
ffffd001`553906e0 fffff800`e63c7a7d : ffffe000`458f7200 ffffd001`55390704 00000000`00000000 00000000`00000000 : serenum!Serenum_PnP+0x3c
ffffd001`55390710 fffff800`e6017e14 : ffffe000`458f7270 00000000`00000000 ffffe000`47dd24f0 00000000`00000000 : nt!PnpAsynchronousCall+0xe5
ffffd001`55390750 fffff800`e6107ae4 : 00000000`00000000 ffffe000`458f7270 fffff800`e6017970 fffff800`e6017970 : nt!PnpSendIrp+0x54
ffffd001`553907c0 fffff800`e64f7c73 : ffffe000`45f2a010 ffffe000`47dd24f0 00000000`00000000 00000000`00000000 : nt!PnpStartDevice+0x88
ffffd001`55390850 fffff800`e64f7b5f : ffffe000`45f2a010 ffffd001`55390a20 00000000`00000000 ffffe000`45f2a010 : nt!PnpStartDeviceNode+0xdb
ffffd001`553908e0 fffff800`e64dc927 : ffffe000`45f2a010 00000000`00000001 00000000`00000001 ffffe000`46a9ad30 : nt!PipProcessStartPhase1+0x53
ffffd001`55390920 fffff800`e64afc95 : ffffe000`46936fb0 00000000`00000001 ffffd001`55390c59 fffff800`e64db563 : nt!PipProcessDevNodeTree+0x40b
ffffd001`55390ba0 fffff800`e60fb702 : 00000001`00000003 00000000`00000000 00000000`00000000 00000000`ffff62e9 : nt!PiProcessReenumeration+0xa1
ffffd001`55390bf0 fffff800`e607eb79 : ffffe000`461cb040 fffff800`e6309ec0 fffff800`e63a7340 ffffe000`00000000 : nt!PnpDeviceActionWorker+0x166
ffffd001`55390cc0 fffff800`e601d125 : 00000204`a83b7dfe 00000000`00000080 ffffe000`4547a700 ffffe000`461cb040 : nt!ExpWorkerThread+0xe9
ffffd001`55390d50 fffff800`e615b126 : fffff800`e6331180 ffffe000`461cb040 fffff800`e601d0e4 00000000`00000000 : nt!PspSystemThreadStartup+0x41
ffffd001`55390da0 00000000`00000000 : ffffd001`55391000 ffffd001`5538b000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


STACK_COMMAND:  kb
THREAD_SHA1_HASH_MOD_FUNC:  f4f5bae4d9ad04ab97c90bc2a676b58d2f75a89d
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  d47bbca00809a763134ff7bef6c61512ffc01318
THREAD_SHA1_HASH_MOD:  5c4655ab0700f60ba15e2ca5a5de330b1c6bd244

FOLLOWUP_IP:
ser2co64+d0be
fffff801`28acd0be cc              int     3

FAULT_INSTR_CODE:  cccccccc
SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  ser2co64+d0be
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ser2co64
IMAGE_NAME:  ser2co64.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  47a1334c
BUCKET_ID_FUNC_OFFSET:  d0be
FAILURE_BUCKET_ID:  0xF7_MISSING_GSFRAME_ser2co64!Unknown_Function
BUCKET_ID:  0xF7_MISSING_GSFRAME_ser2co64!Unknown_Function
PRIMARY_PROBLEM_CLASS:  0xF7_MISSING_GSFRAME_ser2co64!Unknown_Function
TARGET_TIME:  2015-12-17T05:58:12.000Z
OSBUILD:  10586
OSSERVICEPACK:  0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK:  272
PRODUCT_TYPE:  1
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID:  0
OSBUILD_TIMESTAMP:  2015-10-30 03:15:45
BUILDDATESTAMP_STR:  151029-1700
BUILDLAB_STR:  th2_release
BUILDOSVER_STR:  10.0.10586.0.amd64fre.th2_release.151029-1700
ANALYSIS_SESSION_ELAPSED_TIME: 23cc
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:0xf7_missing_gsframe_ser2co64!unknown_function
FAILURE_ID_HASH:  {f0c18b7a-b764-aed1-b7d6-9f6515a68c5a}
Followup:     MachineOwner
---------
