Zemana AntiLogger - Kernel Memory Leak
Summary
| Name | Zemana AntiLogger v2.74.204.664 - Kernel Memory Leak |
| Code name | Gomez |
| Product | Zemana AntiLogger |
| Vendor | Zemana Ltd. |
| Affected versions | Version 2.74.204.664 |
| State | Public |
| Release date | 2024-03-14 |
Vulnerability
| Kind | Kernel Memory Leak |
| Rule | 037. Technical Information Leak |
| Remote | No |
| CVSSv3 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVSSv3 Base Score | 5.5 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2024-2180 |
Description
Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers.
Vulnerability
The 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to leak the kernel base address, making the kASLR protection useless.
In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:
if ( IoctlCode != 0x80002010 ) { if ( IoctlCode + 0x7FFFDFAC > 0x10
|| (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
{
if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
{
v3 = 0xC0000022;
DnsPrint_RpcZoneInfo(
7,
(unsigned int)"Main.c",
0x1E2,
(unsigned int)"DeviceIoControlHandler",
0xC0000022,
"ProcessID %d is not authorized to send IOCTLs ",
v6);
goto LABEL_79;
}
}
}
The handling code of the 0x80002020 IOCTL calls sub_14000B828 which performs a call to ZwQuerySystemInformation, using SystemModuleInformation (0xB) as first parameter.
if ( ZwQuerySystemInformation(
SystemModuleInformation,
SystemInformationClassOutput,
NumberOfBytes,
(PULONG)&NumberOfBytes) < 0 )
The output buffer is populated with the information returned by ZwQuerySystemInformation. Notice the first returned QWORD:
PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+] Output (24): 0000005C32336D65
It matches with the kernel base address as fetched from the debugger:
0: kd> lm m nt
Browse full module list
start end module name
fffff802`52600000 fffff802`53646000 nt
Our security policy
We have reserved the ID CVE-2024-2180 to refer to this issue from now on.
System Information
- Version: Zemana AntiLogger v2.74.204.664
- Operating System: Windows
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://zemana.com/
Product page https://zemana.com/us/antilogger.html
Timeline
2024-02-23
Vulnerability discovered.
2024-03-04
Vendor contacted.
2024-03-14
Public Disclosure.
