Zemana AntiLogger - Process Termination
Summary
| Name | Zemana AntiLogger v2.74.204.664 - Arbitrary Process Termination |
| Code name | Ellington |
| Product | Zemana AntiLogger |
| Vendor | Zemana Ltd. |
| Affected versions | Version 2.74.204.664 |
| State | Public |
| Release date | 2024-03-14 |
Vulnerability
| Kind | Arbitrary Process Termination |
| Rule | 014. Insecure functionality |
| Remote | No |
| CVSSv3 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVSSv3 Base Score | 5.5 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2024-1853 |
Description
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.
Vulnerability
The 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to kill arbitrary processes on the system where it's installed, by sending a process ID on the first DWORD of the lpInBuffer parameter request call.
In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:
if ( IoctlCode != 0x80002010 ) { if ( IoctlCode + 0x7FFFDFAC > 0x10
|| (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
{
if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
{
v3 = 0xC0000022;
DnsPrint_RpcZoneInfo(
7,
(unsigned int)"Main.c",
0x1E2,
(unsigned int)"DeviceIoControlHandler",
0xC0000022,
"ProcessID %d is not authorized to send IOCTLs ",
v6);
goto LABEL_79;
}
}
}
The handling decompiled code of the 0x80002048 IOCTL starts with:
case 0x80002048:
v3 = sub_14001048C(SystemBuffer);
The sub_14001048C routine calls sub_1400133D0:
__int64 __fastcall sub_14001048C(unsigned int *a1)
{
return sub_1400133D0(*a1, a1[1], 6i64);
}
The sub_1400133D0 is the vulnerable function:
ProcessHandle = 0i64; v11 = 0; v4 = 0xC0000001; Timeout.QuadPart = 0xFFFFFFFFFF676980ui64; if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1] { DnsPrint_RpcZoneInfo( 5, (unsigned int)"ProcessHelper\\ProcessHelper.c", 0x1ED, (unsigned int)"ZmnPhTerminateProcessById", 0, "Critical process termination attempt blocked"); return (unsigned int)v4; } v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2] if ( v4 >= 0 )
{
v4 = ZwTerminateProcess(ProcessHandle, 0); // [3]
At [1] a check is perform to prevent critical processes termination. At [2] a handle of the process passed as an ID on the SystemBuffer is obtained. At [3] that handle is used as a parameter of the ZwTerminateProcess call which terminates the process.
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2024-1853 to refer to this issue from now on.
System Information
- Version: Zemana AntiLogger v2.74.204.664
- Operating System: Windows
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://zemana.com/
Product page https://zemana.com/us/antilogger.html
Timeline
2024-02-23
Vulnerability discovered.
2024-03-04
Vendor contacted.
2024-03-14
Public Disclosure.
