Add ProbeFor[Read|Write] bypass

[neitsa]

ProbeForRead and ProbeForWrite can be bypassed when the Length argument is zero.

There might be an exploitable condition after the probe if the length is fetched from somewhere else on a subsequent read / write operation on the probed buffer.

Some examples:

• MS08-025
• MS08-066

I've also seen it in some AV's drivers.

Cheers, and thanks for the driver & sources! o/

P.S: do you accept pull requests if I want to implement this 'feature'?

[hacksysteam]

Hi @neitsa

Thanks for the report. I'm aware about this issue.

If you look the driver source, you may not find an instance where Length argument of ProbeForRead function is attacker controlled.

P.S: do you accept pull requests if I want to implement this 'feature'?

I will be very happy to review and accept the pull requests.

Thank you.

[hacksysteam]

Hi @neitsa

Did I misunderstood your report?

Let me know if that is the case.

Thank you.

[neitsa]

Howdy @hacksysteam :)

Did I misunderstood your report?

Errr, yeah. I might not have been clear, sorry for that. I was asking for a feature request to add another vuln to the driver (just a dedicated ioctl would be enough) that would trigger a bug by leveraging a ProbeForRead or ProbeForWrite bypass.

Exactly as the other current issues (which AFAIK are feature requests rather than proper "issues").

[hacksysteam]

Ah! Now, I understood what you meant. :)

It would be great to have one such vulnerability implemented.