Zemana AntiLogger - Kernel Memory Leak

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers.

Vulnerability

The 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to leak the kernel base address, making the kASLR protection useless.

In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

The handling code of the 0x80002020 IOCTL calls sub_14000B828 which performs a call to ZwQuerySystemInformation, using SystemModuleInformation (0xB) as first parameter.

if ( ZwQuerySystemInformation(
        SystemModuleInformation,
        SystemInformationClassOutput,
        NumberOfBytes,
        (PULONG)&NumberOfBytes) < 0

if ( ZwQuerySystemInformation(
        SystemModuleInformation,
        SystemInformationClassOutput,
        NumberOfBytes,
        (PULONG)&NumberOfBytes) < 0

if ( ZwQuerySystemInformation(
        SystemModuleInformation,
        SystemInformationClassOutput,
        NumberOfBytes,
        (PULONG)&NumberOfBytes) < 0

if ( ZwQuerySystemInformation(
        SystemModuleInformation,
        SystemInformationClassOutput,
        NumberOfBytes,
        (PULONG)&NumberOfBytes) < 0

The output buffer is populated with the information returned by ZwQuerySystemInformation. Notice the first returned QWORD:

PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+]

PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+]

PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+]

PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+]

It matches with the kernel base address as fetched from the debugger:

Our security policy

We have reserved the ID CVE-2024-2180 to refer to this issue from now on.

Disclosure policy

System Information

• Version: Zemana AntiLogger v2.74.204.664

• Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://zemana.com/

• Product page https://zemana.com/us/antilogger.html

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.