Summary
API_SET_SECURE_PARAM fails to validate that a pointer passed is safe to read from.
Details
Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM.
This is very similar to the issue in API_GET_SECURE_PARAM.
data_len = args->param_size.val;
data = Mem_Alloc(Driver_Pool, data_len);
memcpy(data, args->param_data.val, data_len);The user controls param_data.val, and the data pointed to by this is memcopied into the registry hive.
This requires being called from a "signed" process, but this should be possible to bypass through process injection. I will look into this separately and e-mail you the results if I have time as this isn't really a security boundary but more of DRM protection protecting your registration scheme.
All incoming data needs to be validated.
PoC
Found via code review. Untested.
Impact
Arbitrary kernel read.
sgayou Reporter
Summary
API_SET_SECURE_PARAM fails to validate that a pointer passed is safe to read from.
Details
Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM.
This is very similar to the issue in API_GET_SECURE_PARAM.
The user controls param_data.val, and the data pointed to by this is memcopied into the registry hive.
This requires being called from a "signed" process, but this should be possible to bypass through process injection. I will look into this separately and e-mail you the results if I have time as this isn't really a security boundary but more of DRM protection protecting your registration scheme.
All incoming data needs to be validated.
PoC
Found via code review. Untested.
Impact
Arbitrary kernel read.