Open neitsa opened 7 years ago
hacksysteam
commented
7 years ago Hi @neitsa
Thanks for the report. I'm aware about this issue.
If you look the driver source, you may not find an instance where Length argument of ProbeForRead function is attacker controlled.
P.S: do you accept pull requests if I want to implement this 'feature'?
I will be very happy to review and accept the pull requests.
Thank you.
hacksysteam
commented
7 years ago Hi @neitsa
Did I misunderstood your report?
Let me know if that is the case.
Thank you.
neitsa
commented
7 years ago Howdy @hacksysteam :)
Did I misunderstood your report?
Errr, yeah. I might not have been clear, sorry for that. I was asking for a feature request to add another vuln to the driver (just a dedicated ioctl would be enough) that would trigger a bug by leveraging a ProbeForRead or ProbeForWrite bypass.
Exactly as the other current issues (which AFAIK are feature requests rather than proper "issues").
hacksysteam
commented
7 years ago Ah! Now, I understood what you meant. :)
It would be great to have one such vulnerability implemented.
ProbeForRead and ProbeForWrite can be bypassed when the
Lengthargument is zero.There might be an exploitable condition after the probe if the length is fetched from somewhere else on a subsequent read / write operation on the probed buffer.
Some examples:
I've also seen it in some AV's drivers.
Cheers, and thanks for the driver & sources! o/
P.S: do you accept pull requests if I want to implement this 'feature'?