iPrint Client: nipplpt.sys Kernel Memory Corruption due to Unbounded swprintf in DeviceIoControl 0x16200C
Reported by forshaw@google.com (Project Member), Feb 27 2015
Platform: iPrint Client 5.99, tested on Windows 8.1 Update 32
Class: Elevation of Privilege
Summary:
The nipplpt.sys driver installed as part of iPrint Client on Windows contains a memory corruption vulnerability when handling DeviceIoControl code 0x16200C, leading to a potential elevation of privilege for any user on the system.
Description:
When handling DeviceIoControl code 0x16200C in the driver's IRP_MJ_DEVICE_CONTROL handler, a call to swprintf copies a user-mode provided string into a fixed-size buffer in the driver's data section. The string is not bounds checked, so it is possible to overflow the buffer and corrupt the structures that follow it. The driver stores a few critical structures after these buffers, including an initialized Semaphore object which, when corrupted, would allow further manipulation of kernel memory.
The code in the driver is roughly:

```c
if (DeviceControlCode == 0x16200C) {
    LPBYTE buffer = Irp->AssociatedIrp.SystemBuffer;   // user-controlled input buffer
    unsigned int code = buffer[0] - 48;                 // first byte selects a slot, '0'..'8'
    if (code < 9) {
        WCHAR* str = &device_names[code * 2048];        // fixed 2048-WCHAR slot in the data section
        if (*str == 0) {                                // only an empty slot is written
            swprintf(str, L"%s", buffer + 1);           // <- Memory corruption here: no bound on the input length
        }
    }
}
```
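The defect above is that the copy is bounded by the caller's string rather than by the destination slot. The following is an added example, not the driver's code or Project Zero's PoC: a user-mode C model of the same handler with the checks a driver would need, namely validating the selector explicitly, trusting only the reported input length, requiring a terminator inside the supplied bytes, and using a size-bounded swprintf. The names `device_names`, `guard_object`, `req`, `handle_ioctl_hardened`, the request builders and the 2048-WCHAR slot size are constructed for the example (the slot size and `'0'..'8'` selector follow the report).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define SLOT_COUNT 9      /* selectors '0'..'8', matching the report's "code < 9" */
#define SLOT_CHARS 2048   /* WCHARs per device_names slot, as in the report */

/* Constructed stand-in for the driver's data section: nine fixed-size
 * name slots followed by an object that must never be clobbered. */
static wchar_t device_names[SLOT_COUNT * SLOT_CHARS];
static unsigned long guard_object = 0x5EC0DE5AUL;

/* Constructed scratch request buffer (models Irp->AssociatedIrp.SystemBuffer). */
static unsigned char req[1 + (SLOT_CHARS + 8) * sizeof(wchar_t)];

enum ioctl_status { IOCTL_OK, IOCTL_REJECTED, IOCTL_SLOT_BUSY };

/* Hardened handler: every decision is made against in_len (the length the
 * I/O manager reports as InputBufferLength), never against a terminator
 * the caller may have omitted. */
static enum ioctl_status handle_ioctl_hardened(const unsigned char *in, size_t in_len)
{
    if (in_len < 1)
        return IOCTL_REJECTED;                 /* no selector byte */

    /* Explicit range check instead of the unsigned (buffer[0] - 48) < 9 trick. */
    if (in[0] < '0' || in[0] > '8')
        return IOCTL_REJECTED;
    size_t slot = (size_t)(in[0] - '0');

    /* The wide string starts at offset 1 (unaligned); copy it to aligned scratch. */
    size_t payload = in_len - 1;
    if (payload == 0 || payload % sizeof(wchar_t) != 0)
        return IOCTL_REJECTED;
    size_t nchars = payload / sizeof(wchar_t);
    if (nchars > SLOT_CHARS)
        return IOCTL_REJECTED;                 /* cannot fit, NUL included */

    wchar_t tmp[SLOT_CHARS];
    memcpy(tmp, in + 1, payload);

    /* Require a terminator inside the bytes the caller actually supplied. */
    size_t len = 0;
    while (len < nchars && tmp[len] != L'\0')
        len++;
    if (len == nchars)
        return IOCTL_REJECTED;                 /* unterminated string */

    wchar_t *dst = &device_names[slot * SLOT_CHARS];
    if (dst[0] != L'\0')
        return IOCTL_SLOT_BUSY;                /* the driver's "*str == 0" gate */

    /* Bounded formatting: C99 swprintf takes the destination size in wide
     * chars; in a Windows driver RtlStringCchPrintfW plays this role. */
    if (swprintf(dst, SLOT_CHARS, L"%ls", tmp) < 0) {
        dst[0] = L'\0';
        return IOCTL_REJECTED;
    }
    return IOCTL_OK;
}

/* Pack selector + wide string into req (terminator optional); returns request length. */
static size_t build_input(char selector, const wchar_t *str, bool terminate)
{
    size_t n = wcslen(str) + (terminate ? 1 : 0);
    req[0] = (unsigned char)selector;
    memcpy(req + 1, str, n * sizeof(wchar_t));
    return 1 + n * sizeof(wchar_t);
}

/* Pack selector + nchars copies of fill, NUL-terminated; returns request length. */
static size_t build_filled_input(char selector, wchar_t fill, size_t nchars)
{
    wchar_t nul = L'\0';
    req[0] = (unsigned char)selector;
    for (size_t i = 0; i < nchars; i++)
        memcpy(req + 1 + i * sizeof(wchar_t), &fill, sizeof fill);
    memcpy(req + 1 + nchars * sizeof(wchar_t), &nul, sizeof nul);
    return 1 + (nchars + 1) * sizeof(wchar_t);
}

static const wchar_t *slot_name(size_t slot) { return &device_names[slot * SLOT_CHARS]; }
static bool guard_intact(void) { return guard_object == 0x5EC0DE5AUL; }

int main(void)
{
    enum ioctl_status s = handle_ioctl_hardened(req, build_input('0', L"LPT1", true));
    printf("slot 0 <- LPT1: status %d, stored \"%ls\"\n", s, slot_name(0));
    s = handle_ioctl_hardened(req, build_filled_input('1', L'A', SLOT_CHARS));
    printf("slot 1 <- 2048 chars + NUL: status %d (1 = rejected)\n", s);
    printf("guard object intact: %d\n", guard_intact());
    return 0;
}
```

The request with 2048 characters plus its terminator is exactly the case the original handler mishandles: it needs 2049 WCHARs, one more than the slot, so the hardened handler rejects it before any copy and the object after the slots is untouched. A 2047-character name still fits and is accepted.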
Proof of Concept:
I've provided the PoC as source code; it will need to be compiled with something like Visual Studio. It demonstrates corrupting the semaphore structure, leading to an arbitrary read AV in the kernel. I've also attached the windbg output from the crash. This has only been tested on 32-bit Windows platforms.
Expected Result:
The OS shouldn't crash
Observed Result:
The OS crashes with a read AV in kernel memory to location 0x61616161.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by forshaw@google.com (Project Member), Mar 2 2015

May 28 2015: Correspondence Date: 22 May 2015 > Asked Novell for an update on this vulnerability as it's about to exceed the deadline

May 28 2015: Deadline exceeded -- automatically derestricting

Jun 4 2015: Issue has been resolved, according to vendor, by removing the vulnerable driver from version 6.0.0 onward. This was not documented in the release notes at https://www.novell.com/support/kb/doc.php?id=7008708

Jul 9 2015: Removed deadline exceeded as technically the bugs were fixed prior to the deadline. Although auto update is not enabled and there was no corresponding advisory warning customers to upgrade.