

Advisories

Zemana AntiLogger - Process Termination

5,5

Medium

Discovered by

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Zemana AntiLogger v2.74.204.664 - Arbitrary Process Termination

Code name

Ellington

State

Public

Release date

14 de mar. de 2024

Affected product

Zemana AntiLogger

Vendor

Zemana Ltd.

Affected version(s)

Version 2.74.204.664

Vulnerability name

Arbitrary Process Termination

Vulnerability type

014. Insecure functionality

Remotely exploitable

CVSS v3.0 vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v3.0 base score

5.5

Exploit available

Yes

CVE ID(s)

CVE-2024-1853

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.

Vulnerability

The 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to kill arbitrary processes on the system where it's installed, by sending a process ID on the first DWORD of the lpInBuffer parameter request call.

In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

The handling decompiled code of the 0x80002048 IOCTL starts with:

case 0x80002048:
    v3 = sub_14001048C(SystemBuffer

case 0x80002048:
    v3 = sub_14001048C(SystemBuffer

case 0x80002048:
    v3 = sub_14001048C(SystemBuffer

case 0x80002048:
    v3 = sub_14001048C(SystemBuffer

The sub_14001048C routine calls sub_1400133D0:

__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  return sub_1400133D0(*a1, a1[1], 6i64

__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  return sub_1400133D0(*a1, a1[1], 6i64

__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  return sub_1400133D0(*a1, a1[1], 6i64

__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  return sub_1400133D0(*a1, a1[1], 6i64

The sub_1400133D0 is the vulnerable function:

ProcessHandle = 0i64;
v11 = 0;
v4 = 0xC0000001;
Timeout.QuadPart = 0xFFFFFFFFFF676980ui64;
if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1]
{
 DnsPrint_RpcZoneInfo(
 5,
 (unsigned int)"ProcessHelper\\ProcessHelper.c",
 0x1ED,
 (unsigned int)"ZmnPhTerminateProcessById",
 0,
 "Critical process termination attempt blocked");
 return (unsigned int)v4;
}
v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2]
if ( v4 >= 0 )
{
    v4 = ZwTerminateProcess(ProcessHandle, 0);  // [3]

ProcessHandle = 0i64;
v11 = 0;
v4 = 0xC0000001;
Timeout.QuadPart = 0xFFFFFFFFFF676980ui64;
if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1]
{
 DnsPrint_RpcZoneInfo(
 5,
 (unsigned int)"ProcessHelper\\ProcessHelper.c",
 0x1ED,
 (unsigned int)"ZmnPhTerminateProcessById",
 0,
 "Critical process termination attempt blocked");
 return (unsigned int)v4;
}
v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2]
if ( v4 >= 0 )
{
    v4 = ZwTerminateProcess(ProcessHandle, 0);  // [3]

ProcessHandle = 0i64;
v11 = 0;
v4 = 0xC0000001;
Timeout.QuadPart = 0xFFFFFFFFFF676980ui64;
if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1]
{
 DnsPrint_RpcZoneInfo(
 5,
 (unsigned int)"ProcessHelper\\ProcessHelper.c",
 0x1ED,
 (unsigned int)"ZmnPhTerminateProcessById",
 0,
 "Critical process termination attempt blocked");
 return (unsigned int)v4;
}
v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2]
if ( v4 >= 0 )
{
    v4 = ZwTerminateProcess(ProcessHandle, 0);  // [3]

ProcessHandle = 0i64;
v11 = 0;
v4 = 0xC0000001;
Timeout.QuadPart = 0xFFFFFFFFFF676980ui64;
if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1]
{
 DnsPrint_RpcZoneInfo(
 5,
 (unsigned int)"ProcessHelper\\ProcessHelper.c",
 0x1ED,
 (unsigned int)"ZmnPhTerminateProcessById",
 0,
 "Critical process termination attempt blocked");
 return (unsigned int)v4;
}
v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1); // [2]
if ( v4 >= 0 )
{
    v4 = ZwTerminateProcess(ProcessHandle, 0);  // [3]

At [1] a check is perform to prevent critical processes termination. At [2] a handle of the process passed as an ID on the SystemBuffer is obtained. At [3] that handle is used as a parameter of the ZwTerminateProcess call which terminates the process.

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2024-1853 to refer to this issue from now on.

Disclosure policy

System Information

Version: Zemana AntiLogger v2.74.204.664
Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Vendor page https://zemana.com/
Product page https://zemana.com/us/antilogger.html

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

Timeline



23 de fev. de 2024

Vulnerability discovered



4 de mar. de 2024

Vendor contacted



14 de mar. de 2024

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Consulta IA sobre Fluid Attacks