
Add ProbeFor[Read|Write] bypass

Open neitsa opened this issue 9 years ago • 4 comments

ProbeForRead and ProbeForWrite can be bypassed when the Length argument is zero.

There might be an exploitable condition after the probe if the length is fetched from somewhere else on a subsequent read / write operation on the probed buffer.

Some examples:

I've also seen it in some AV's drivers.

Cheers, and thanks for the driver & sources! o/

P.S: do you accept pull requests if I want to implement this 'feature'?

neitsa avatar Dec 19 '16 14:12 neitsa
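A user-mode model of the zero-length probe bypass described in the report, added here and not part of the issue or of HEVD: `probe_for_read()` mirrors the documented `ProbeForRead` semantics (a zero `Length` returns before any check), while `probe_request`, `vulnerable_handler` and `hardened_handler` are hypothetical and stand in for an IOCTL handler that probes with one length and reads with another.

```c
/* Added model, not HEVD code. probe_for_read() follows the documented kernel
 * semantics; the request layout and both handlers are hypothetical. */
#include <stdint.h>
#include <stddef.h>

#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL /* x64 MmUserProbeAddress */

enum probe_status { PROBE_OK = 0, PROBE_MISALIGNED, PROBE_ACCESS_VIOLATION };

/* Model of ProbeForRead: Length == 0 skips every check, exactly as the kernel does. */
static enum probe_status probe_for_read(uintptr_t addr, size_t len, size_t align)
{
    if (len == 0)
        return PROBE_OK;                      /* the bypass: nothing is validated */
    if (addr & (align - 1))
        return PROBE_MISALIGNED;
    if (addr + len < addr || addr + len > USER_PROBE_ADDRESS)
        return PROBE_ACCESS_VIOLATION;
    return PROBE_OK;
}

/* Hypothetical IOCTL input: a buffer pointer and two caller-supplied lengths. */
struct probe_request {
    uintptr_t user_buffer;
    size_t    probe_length;   /* length passed to the probe */
    size_t    copy_length;    /* length used for the later read */
};

/* Vulnerable pattern: the probe uses probe_length, the read uses copy_length.
 * A zero probe_length lets a kernel-range user_buffer through unchecked.
 * Returns the number of bytes the handler would now read, or -1 if rejected. */
static int vulnerable_handler(const struct probe_request *req)
{
    if (probe_for_read(req->user_buffer, req->probe_length, sizeof(uint64_t)) != PROBE_OK)
        return -1;
    return (int)req->copy_length;
}

/* Hardened pattern: reject a zero length up front and probe exactly the
 * length that is about to be used, so the two can never disagree. */
static int hardened_handler(const struct probe_request *req)
{
    if (req->copy_length == 0)
        return -1;
    if (probe_for_read(req->user_buffer, req->copy_length, sizeof(uint64_t)) != PROBE_OK)
        return -1;
    return (int)req->copy_length;
}
```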

Hi @neitsa

Thanks for the report. I'm aware of this issue.

If you look at the driver source, you may not find an instance where the Length argument of the ProbeForRead function is attacker controlled.

P.S: do you accept pull requests if I want to implement this 'feature'?

I will be very happy to review and accept the pull requests.

Thank you.

hacksysteam avatar Dec 19 '16 15:12 hacksysteam

Hi @neitsa

Did I misunderstand your report?

Let me know if that is the case.

Thank you.

hacksysteam avatar Dec 20 '16 05:12 hacksysteam

Howdy @hacksysteam :)

Did I misunderstand your report?

Errr, yeah. I might not have been clear, sorry for that. I was asking for a feature request to add another vuln to the driver (just a dedicated ioctl would be enough) that would trigger a bug by leveraging a ProbeForRead or ProbeForWrite bypass.

Exactly as the other current issues (which AFAIK are feature requests rather than proper "issues").

neitsa avatar Dec 20 '16 10:12 neitsa

Ah! Now I understand what you meant. :)

It would be great to have one such vulnerability implemented.

hacksysteam avatar Dec 20 '16 12:12 hacksysteam