Zemana AntiLogger - Process Termination
Summary
Name | Zemana AntiLogger v2.74.204.664 - Arbitrary Process Termination |
Code name | Ellington |
Product | Zemana AntiLogger |
Vendor | Zemana Ltd. |
Affected versions | Version 2.74.204.664 |
State | Public |
Release date | 2024-03-14 |
Vulnerability
Kind | Arbitrary Process Termination |
Rule | 014. Insecure functionality |
Remote | No |
CVSSv3 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVSSv3 Base Score | 5.5 |
Exploit available | Yes |
CVE ID(s) | CVE-2024-1853 |
Description
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability, triggered through the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.
Vulnerability
The 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers allows killing arbitrary processes on the system where the product is installed, by sending the target process ID in the first DWORD of the lpInBuffer parameter of the request call.
In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys drivers, a call to IOCTL 0x80002010 must be performed first, which registers the current process ID as an authorized IOCTL caller:
if ( IoctlCode != 0x80002010 )                      // 0x80002010 registers the caller and is never gated
{
  // IoctlCode + 0x7FFFDFAC wraps to IoctlCode - 0x80002054 (mod 2^32); codes whose
  // offset is 0, 12 or 16 (bitmask 0x11001) skip the check, every other code is gated
  if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
  {
    // v6 is the calling process ID; the request is denied unless it was registered via 0x80002010
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
      v3 = 0xC0000022;                              // STATUS_ACCESS_DENIED
      DnsPrint_RpcZoneInfo(                         // logging routine, judging by its arguments (decompiler-assigned name)
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
      goto LABEL_79;
    }
  }
}
The decompiled handling code of the 0x80002048 IOCTL starts with:
case 0x80002048:
  v3 = sub_14001048C(SystemBuffer);   // METHOD_BUFFERED request: SystemBuffer holds the caller's lpInBuffer
The sub_14001048C routine calls sub_1400133D0:
__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  // a1[0] is the first DWORD of the request buffer (the target process ID); a1[1] is forwarded as-is
  return sub_1400133D0(*a1, a1[1], 6i64);
}
sub_1400133D0 is the vulnerable function:
ProcessHandle = 0i64;
v11 = 0;
v4 = 0xC0000001;                                   // STATUS_UNSUCCESSFUL, returned when the target is critical
Timeout.QuadPart = 0xFFFFFFFFFF676980ui64;         // -10,000,000 * 100 ns: a 1-second relative timeout
if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1] critical-process check
{
  DnsPrint_RpcZoneInfo(
    5,
    (unsigned int)"ProcessHelper\\ProcessHelper.c",
    0x1ED,
    (unsigned int)"ZmnPhTerminateProcessById",
    0,
    "Critical process termination attempt blocked");
  return (unsigned int)v4;
}
v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2] open a handle to the PID taken from the request buffer
if ( v4 >= 0 )                                     // NT_SUCCESS: nothing checks the caller's rights over the target
{
  v4 = ZwTerminateProcess(ProcessHandle, 0); // [3] terminate the target process
At [1] a check is performed to prevent critical process termination. At [2] a handle to the process whose ID was passed in the SystemBuffer is obtained. At [3] that handle is passed to ZwTerminateProcess, which terminates the process.
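The following is an added example and not code from the advisory or from Zemana: a user-mode model of the dispatch logic described above, built only from the decompiled snippets (the 0x80002010 self-registration gate, the 0x7FFFDFAC/0x11001 exemption test, and the [1]-[3] termination path of sub_1400133D0). It decodes the two IOCTL codes into their CTL_CODE fields, enumerates which codes in the driver's range skip the authorized-caller check, and replays the sequence the text describes against the model so the missing control (any caller can register itself, and nothing checks the caller's rights over the target) is visible. The ModelDriver class, the critical-process set, the PIDs and the buffer contents are constructed assumptions; they do not touch a real driver.

```python
import struct

# Constants taken from the decompiled code in the advisory
IOCTL_REGISTER_CALLER = 0x80002010    # registers the calling PID as an authorized caller
IOCTL_TERMINATE_PROCESS = 0x80002048  # sub_14001048C -> sub_1400133D0
EXEMPT_BASE_OFFSET = 0x7FFFDFAC       # IoctlCode + 0x7FFFDFAC == IoctlCode - 0x80002054 (mod 2^32)
EXEMPT_MASK = 0x11001                 # bits 0, 12 and 16 are set
STATUS_SUCCESS = 0x00000000
STATUS_UNSUCCESSFUL = 0xC0000001
STATUS_ACCESS_DENIED = 0xC0000022


def decode_ioctl(code):
    """Split a CTL_CODE value into its DeviceType / Access / Function / Method fields."""
    methods = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,          # 0 == FILE_ANY_ACCESS
        "function": (code >> 2) & 0xFFF,
        "method": methods[code & 0x3],
    }


def needs_authorized_caller(code):
    """Reproduce the dispatcher gate: True if the code requires a registered caller PID."""
    if code == IOCTL_REGISTER_CALLER:
        return False
    offset = (code + EXEMPT_BASE_OFFSET) & 0xFFFFFFFF   # 32-bit wraparound, as in the driver
    if offset > 0x10:
        return True
    return not (EXEMPT_MASK >> offset) & 1               # _bittest(0x11001, offset)


def exempt_codes(lo=0x80002000, hi=0x80002100):
    """All codes in the driver's range that bypass the authorized-caller check."""
    return [c for c in range(lo, hi) if not needs_authorized_caller(c)]


class ModelDriver:
    """Constructed stand-in reproducing the observable behaviour of the dispatcher
    and sub_1400133D0; nothing here talks to a real device."""

    def __init__(self, critical_pids):
        self.authorized_pids = set()
        self.critical_pids = set(critical_pids)   # assumption: what sub_140005994 checks at [1]
        self.terminated = []
        self.log = []

    def device_io_control(self, caller_pid, code, in_buffer):
        if needs_authorized_caller(code) and caller_pid not in self.authorized_pids:
            self.log.append(f"ProcessID {caller_pid} is not authorized to send IOCTLs ")
            return STATUS_ACCESS_DENIED
        if code == IOCTL_REGISTER_CALLER:
            # No privilege check here: every caller can register itself, so the gate adds nothing.
            self.authorized_pids.add(caller_pid)
            return STATUS_SUCCESS
        if code == IOCTL_TERMINATE_PROCESS:
            (target_pid,) = struct.unpack_from("<I", in_buffer, 0)   # first DWORD of lpInBuffer
            if target_pid in self.critical_pids:                      # [1]
                self.log.append("Critical process termination attempt blocked")
                return STATUS_UNSUCCESSFUL
            self.terminated.append(target_pid)                        # [2] + [3]: open handle, ZwTerminateProcess
            return STATUS_SUCCESS
        return STATUS_SUCCESS   # other IOCTLs are not modelled


def demo():
    """Replay the sequence described in the advisory against the model."""
    drv = ModelDriver(critical_pids={4})           # constructed: PID 4 stands in for a critical process
    caller = 1234                                  # constructed caller PID
    request = struct.pack("<II", 5678, 0)          # constructed: target PID 5678, second DWORD forwarded unused
    before = drv.device_io_control(caller, IOCTL_TERMINATE_PROCESS, request)   # gated: ACCESS_DENIED
    drv.device_io_control(caller, IOCTL_REGISTER_CALLER, b"")                  # self-registration
    after = drv.device_io_control(caller, IOCTL_TERMINATE_PROCESS, request)    # now passes the gate
    critical = drv.device_io_control(caller, IOCTL_TERMINATE_PROCESS, struct.pack("<II", 4, 0))
    return before, after, critical, list(drv.terminated)


if __name__ == "__main__":
    print(decode_ioctl(IOCTL_TERMINATE_PROCESS))
    print([hex(c) for c in exempt_codes()])
    print([hex(s) if isinstance(s, int) else s for s in demo()[:3]], demo()[3])
```

Running the model shows that both codes are METHOD_BUFFERED with FILE_ANY_ACCESS, which is why the handler reads the request straight from SystemBuffer and why no access mask on the device object restricts who may send them; the only defence is the caller-PID gate, which the caller itself controls.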
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2024-1853 to refer to this issue from now on.
System Information
- Version: Zemana AntiLogger v2.74.204.664
- Operating System: Windows
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://zemana.com/
Product page https://zemana.com/us/antilogger.html
Timeline
- 2024-02-23: Vulnerability discovered.
- 2024-03-04: Vendor contacted.
- 2024-03-14: Public Disclosure.