Zemana AntiLogger - Kernel Memory Leak

Summary

NameZemana AntiLogger v2.74.204.664 - Kernel Memory Leak
Code nameGomez
ProductZemana AntiLogger
VendorZemana Ltd.
Affected versionsVersion 2.74.204.664
StatePublic
Release date2024-03-14

Vulnerability

KindKernel Memory Leak
Rule037. Technical Information Leak
RemoteNo
CVSSv3 VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSSv3 Base Score5.5
Exploit availableYes
CVE ID(s)CVE-2024-2180

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers.

Vulnerability

The 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to leak the kernel base address, making the kASLR protection useless.

In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:

if ( IoctlCode != 0x80002010 ) { if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79;
    }
    }
}

The handling code of the 0x80002020 IOCTL calls sub_14000B828 which performs a call to ZwQuerySystemInformation, using SystemModuleInformation (0xB) as first parameter.

if ( ZwQuerySystemInformation(
        SystemModuleInformation,
        SystemInformationClassOutput,
        NumberOfBytes,
        (PULONG)&NumberOfBytes) < 0 )

The output buffer is populated with the information returned by ZwQuerySystemInformation. Notice the first returned QWORD:

PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+] Output (24): 0000005C32336D65

It matches with the kernel base address as fetched from the debugger:

0: kd> lm m nt
Browse full module list
start             end                 module name
fffff802`52600000 fffff802`53646000   nt

Our security policy

We have reserved the ID CVE-2024-2180 to refer to this issue from now on.

System Information

  • Version: Zemana AntiLogger v2.74.204.664
  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://zemana.com/

Product page https://zemana.com/us/antilogger.html

Timeline

Time-lapse-logo

2024-02-23

Vulnerability discovered.

Time-lapse-logo

2024-03-04

Vendor contacted.

Time-lapse-logo

2024-03-14

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.