iPrint Client: nipplpt.sys Kernel Memory Corruption due to Unbounded sprintf in DeviceIoControl 0x162004
Reported by forshaw@google.com, Feb 27 2015
Platform: iPrint Client 5.99, tested on Windows 8.1 Update, 32-bit
Class: Elevation of Privilege
Summary:
The nipplpt.sys driver installed as part of iPrint Client on Windows contains a memory corruption vulnerability in its handling of DeviceIoControl code 0x162004, which can be used by any user on the system to elevate privilege.
Description:
When handling DeviceIoControl code 0x162004 in the driver's IRP_MJ_DEVICE_CONTROL handler, a new thread is created to initialize a new device symlink. During that process, if a path has been configured using code 0x16200C, sprintf is called to copy that buffer into a buffer on the stack. The copy is not bounds checked, and as the destination is only 128 WCHARs (256 bytes) in size it is easy to corrupt stack memory. Compounding the issue, the driver is not compiled with stack cookies, so this gives trivial control of EIP in kernel mode.
A couple of things to note. This bug does not depend on the separate overflow in 0x16200C being unfixed: that code accepts buffers of 2048 bytes, whereas the buffer being copied into here is only 256 bytes. Also, 0x16200C stores wide character strings while 0x162004 treats them as single byte strings, which doesn't make much sense anyway.
The code in the driver is roughly:

    WCHAR str[128];     /* 256 bytes on the stack */
    if (device_no < 9 && device_names[device_no * 2048] != 0) {
        sprintf(str, "%s", &device_names[device_no * 2048]);   /* <- Memory corruption here: no bound on the source length */
        // ....
    }
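To make the overflow concrete, here is an added user-mode model of that copy. It is example code written for this page, not the driver's code and not the PoC attached to the report. It models the x86 stack frame around str[] as a struct (an assumption for the demo: saved EBP and the return address directly above the buffer, with no cookie in between, as the report says the driver is built without stack cookies), runs the unbounded sprintf beside a bounded replacement, and feeds both a constructed device name made of 'a' (0x61) bytes, the byte that fills EIP in the crash described below. The slot size, slot count and buffer size are the ones the report gives; the sentinel values, device slot 3 and all function names are made up for the demo.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the report: device name slots of 2048 bytes, at most 9 of them,
   copied into WCHAR str[128], which the byte-wise "%s" copy sees as 256 bytes. */
#define SLOT_SIZE  2048
#define SLOT_COUNT 9
#define STR_BYTES  (128 * 2)

/* Model of the x86 stack frame around str[] (an assumption for this demo, not the
   driver's real layout): the saved frame pointer and return address sit directly
   above the buffer, with nothing in between because the driver has no stack cookie.
   spill[] keeps the demo's overflow inside this object instead of smashing a real frame. */
struct frame {
    char     str[STR_BYTES];
    uint32_t saved_ebp;
    uint32_t return_address;      /* loaded into EIP by ret; 0x61616161 in the crash */
    char     spill[SLOT_SIZE];
};

#define SENTINEL_EBP 0xCAFEBABEu
#define SENTINEL_RET 0xDEADBEEFu

/* The driver's copy as the report describes it: nothing bounds the source length. */
static void vulnerable_copy(struct frame *f, const char *device_names, unsigned device_no)
{
    if (device_no < SLOT_COUNT && device_names[device_no * SLOT_SIZE] != 0) {
        /* The destination goes through a volatile pointer only so that compiler
           fortification cannot abort this demo before the overwrite is observed. */
        char *volatile dst = f->str;
        sprintf(dst, "%s", &device_names[device_no * SLOT_SIZE]);
    }
}

/* Hardened copy: read at most one slot, size the write to the destination, and
   reject rather than silently truncate anything that does not fit. */
static int hardened_copy(struct frame *f, const char *device_names, unsigned device_no)
{
    if (device_no >= SLOT_COUNT)
        return -1;
    const char *src = &device_names[device_no * SLOT_SIZE];
    if (src[0] == 0)
        return -1;
    /* "%.*s" reads at most SLOT_SIZE bytes even if the slot is not NUL-terminated;
       snprintf returns the length it wanted to write, so >= sizeof means it did not fit. */
    int n = snprintf(f->str, sizeof f->str, "%.*s", SLOT_SIZE, src);
    if (n < 0 || (size_t)n >= sizeof f->str) {
        f->str[0] = 0;
        return -1;
    }
    return 0;
}

/* Constructed input: a table whose slot `device_no` holds `len` bytes of 'a' (0x61).
   len must stay below SLOT_SIZE so the zeroed table leaves a terminating NUL. */
static void fill_slot(char *device_names, unsigned device_no, size_t len)
{
    memset(device_names, 0, (size_t)SLOT_COUNT * SLOT_SIZE);
    memset(&device_names[device_no * SLOT_SIZE], 'a', len);
}

static void init_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_ebp = SENTINEL_EBP;
    f->return_address = SENTINEL_RET;
}

/* Return address left in the model frame after the vulnerable copy of a len-byte name. */
uint32_t ret_after_vulnerable_copy(size_t len)
{
    static char device_names[SLOT_COUNT * SLOT_SIZE];
    struct frame f;
    init_frame(&f);
    fill_slot(device_names, 3, len);
    vulnerable_copy(&f, device_names, 3);
    return f.return_address;
}

/* Same for the hardened copy; *rc receives its status (0 accepted, -1 rejected). */
uint32_t ret_after_hardened_copy(size_t len, int *rc)
{
    static char device_names[SLOT_COUNT * SLOT_SIZE];
    struct frame f;
    init_frame(&f);
    fill_slot(device_names, 3, len);
    *rc = hardened_copy(&f, device_names, 3);
    return f.return_address;
}

int main(void)
{
    int rc;
    printf("vulnerable, 100-byte name: ret=0x%08" PRIx32 "\n", ret_after_vulnerable_copy(100));
    printf("vulnerable, 300-byte name: ret=0x%08" PRIx32 "\n", ret_after_vulnerable_copy(300));
    printf("hardened,   300-byte name: ret=0x%08" PRIx32 " rc=%d\n", ret_after_hardened_copy(300, &rc), rc);
    return 0;
}
```

A 100-byte name leaves the return slot untouched in both versions; a 300-byte name overwrites it with 0x61616161 in the vulnerable version and is rejected by the hardened one. In a real driver the length should also be validated at the point where 0x16200C stores the name, so an oversized value never reaches this copy in the first place.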
Proof of Concept:
I've provided a PoC as source code; it will need to be compiled with something like Visual Studio. It demonstrates corrupting the stack, leading to arbitrary control of EIP in the kernel. I've also attached the output from windbg on the crash. This has only been tested on 32-bit Windows platforms.
Expected Result:
The OS shouldn't crash.
Observed Result:
The OS crashes with an invalid EIP at location 0x61616161.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by forshaw@google.com, Mar 2 2015

May 28 2015
Correspondence Date: 22 May 2015
Asked Novell for an update on this vulnerability as it's about to exceed the deadline.

May 28 2015
Deadline exceeded -- automatically derestricting.

Jun 4 2015
Issue has been resolved, according to the vendor, by removing the vulnerable driver from version 6.0.0 onward. This was not documented in the release notes at https://www.novell.com/support/kb/doc.php?id=7008708

Jul 9 2015
Removed deadline exceeded, as technically the bugs were fixed prior to the deadline, although auto update is not enabled and there was no corresponding advisory warning customers to upgrade.