Zemana AntiLogger - Process Termination

Summary

NameZemana AntiLogger v2.74.204.664 - Arbitrary Process Termination
Code nameEllington
ProductZemana AntiLogger
VendorZemana Ltd.
Affected versionsVersion 2.74.204.664
StatePublic
Release date2024-03-14

Vulnerability

KindArbitrary Process Termination
Rule014. Insecure functionality
RemoteNo
CVSSv3 VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSSv3 Base Score5.5
Exploit availableYes
CVE ID(s)CVE-2024-1853

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.

Vulnerability

The 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to kill arbitrary processes on the system where it's installed, by sending a process ID on the first DWORD of the lpInBuffer parameter request call.

In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:

if ( IoctlCode != 0x80002010 ) { if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79;
    }
    }
}

The handling decompiled code of the 0x80002048 IOCTL starts with:

case 0x80002048:
    v3 = sub_14001048C(SystemBuffer);

The sub_14001048C routine calls sub_1400133D0:

__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  return sub_1400133D0(*a1, a1[1], 6i64);
}

The sub_1400133D0 is the vulnerable function:

ProcessHandle = 0i64; v11 = 0; v4 = 0xC0000001; Timeout.QuadPart = 0xFFFFFFFFFF676980ui64; if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1] { DnsPrint_RpcZoneInfo( 5, (unsigned int)"ProcessHelper\\ProcessHelper.c", 0x1ED, (unsigned int)"ZmnPhTerminateProcessById", 0, "Critical process termination attempt blocked"); return (unsigned int)v4; } v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2] if ( v4 >= 0 )
{
    v4 = ZwTerminateProcess(ProcessHandle, 0);  // [3]

At [1] a check is perform to prevent critical processes termination. At [2] a handle of the process passed as an ID on the SystemBuffer is obtained. At [3] that handle is used as a parameter of the ZwTerminateProcess call which terminates the process.

Evidence of exploitation

evidence1

Our security policy

We have reserved the ID CVE-2024-1853 to refer to this issue from now on.

System Information

  • Version: Zemana AntiLogger v2.74.204.664
  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://zemana.com/

Product page https://zemana.com/us/antilogger.html

Timeline

Time-lapse-logo

2024-02-23

Vulnerability discovered.

Time-lapse-logo

2024-03-04

Vendor contacted.

Time-lapse-logo

2024-03-14

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.