1. Description:
The ntk_PowerDVD12.sys kernel driver distributed with CyberLink PowerDVD contains
a pool overflow vulnerability in the handling of IOCTL 0x9C402404.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.
2. Vulnerability details:
The function at 0x0001906C is responsible for dispatching IOCTL codes:
.text:0001906C ; int __stdcall ioctl_handler(int, PIRP Irp)
.text:0001906C ioctl_handler proc near ; DATA XREF: DriverEntry+CD o
.text:0001906C
.text:0001906C var_4FC = dword ptr -4FCh
.text:0001906C var_FC = byte ptr -0FCh
.text:0001906C var_84 = dword ptr -84h
.text:0001906C var_5C = byte ptr -5Ch
.text:0001906C var_3C = byte ptr -3Ch
.text:0001906C var_1C = dword ptr -1Ch
.text:0001906C var_18 = dword ptr -18h
.text:0001906C inbuff_mem = dword ptr -14h
.text:0001906C NumberOfBytes = dword ptr -10h
.text:0001906C BaseAddress = dword ptr -0Ch
.text:0001906C var_8 = dword ptr -8
.text:0001906C var_4 = dword ptr -4
.text:0001906C Irp = dword ptr 0Ch
.text:0001906C
.text:0001906C push ebp
.text:0001906D mov ebp, esp
.text:0001906F sub esp, 4FCh
.text:00019075 push ebx
.text:00019076 push esi
.text:00019077 mov esi, [ebp+Irp]
.text:0001907A mov ebx, [esi+60h]
.text:0001907D mov ecx, [ebx+8]
.text:00019080 push edi
.text:00019081 xor edi, edi
.text:00019083 cmp ecx, edi
.text:00019085 mov [ebp+NumberOfBytes], ecx
.text:00019088 mov eax, [ebx+4]
.text:0001908B mov [ebp+var_1C], edi
.text:0001908E mov [ebp+var_4], eax
.text:00019091 jnz short loc_1909F
.text:00019093 mov [ebp+var_1C], 0C000000Dh
.text:0001909A jmp loc_19A03
.text:0001909F ; ---------------------------------------------------------------------------
.text:0001909F
.text:0001909F loc_1909F: ; CODE XREF: ioctl_handler+25 j
.text:0001909F mov eax, [ebx+0Ch]
.text:000190A2 cmp eax, 9C402400h
.text:000190A7 jz loc_19852
.text:000190AD cmp eax, 9C402404h
.text:000190B2 jz loc_1982D
[..]
.text:0001982D mov edx, [ebp+Irp]
.text:00019830 mov eax, [edx+0Ch]
.text:00019833 push 8
.text:00019835 mov byte ptr [eax], 0
.text:00019838 lea edi, [eax+1]
.text:0001983B pop ecx
.text:0001983C mov esi, offset unk_23D20
.text:00019841 rep movsd <---- No check for inbuff size!!!
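As an added illustration that is not part of the original advisory, the C model below mirrors the length handling visible in the disassembly (the non-zero InputBufferLength check, then a fixed 1 + 8*4 byte store into SystemBuffer) and places the missing check beside it. The ioctl_params struct is a simplified stand-in for the IRP stack-location fields the handler reads; the NTSTATUS values are the standard Windows codes, and sizing SystemBuffer as max(InputBufferLength, OutputBufferLength) is the I/O manager's METHOD_BUFFERED behaviour, neither of which is shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
/* IOCTL code from the advisory; the NTSTATUS values are the standard Windows ones. */
#define IOCTL_9C402404            0x9C402404u
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u

/* Simplified model of the IO_STACK_LOCATION fields the handler reads. For a METHOD_BUFFERED
 * code like this one, SystemBuffer is allocated with max(InputBufferLength, OutputBufferLength) bytes. */
typedef struct { uint32_t code, input_len, output_len; } ioctl_params;
typedef struct { uint32_t status; size_t write_len; } ioctl_result;
/* One leading zero byte plus the 8 dwords copied from unk_23D20: 33 bytes every time. */
#define REPLY_LEN (1u + 8u * 4u)

static size_t system_buffer_len(ioctl_params p)
{
    return p.input_len > p.output_len ? p.input_len : p.output_len;
}

/* hardened == 0 mirrors the path shown in the advisory; hardened != 0 adds the length check
 * rep movsd lacks. write_len is what the handler would store; the model performs no write. */
static ioctl_result dispatch(ioctl_params p, int hardened)
{
    ioctl_result r = { STATUS_SUCCESS, 0 };
    if (p.input_len == 0)                       /* the one check the driver does have */
        r.status = STATUS_INVALID_PARAMETER;
    else if (p.code != IOCTL_9C402404)          /* other codes are not modelled here */
        r.status = STATUS_INVALID_PARAMETER;
    else if (hardened && p.output_len < REPLY_LEN)
        r.status = STATUS_BUFFER_TOO_SMALL;     /* reject before touching the pool */
    else
        r.write_len = REPLY_LEN;                /* mov byte ptr [eax], 0 ; rep movsd */
    return r;
}

/* True when the handler's write runs past the end of the pool block. */
static int overflows_pool(ioctl_params p, int hardened)
{
    return dispatch(p, hardened).write_len > system_buffer_len(p);
}

int main(void)
{
    ioctl_params small = { IOCTL_9C402404, 4, 4 };  /* caller supplied a 4-byte buffer */
    printf("vulnerable: %zu bytes into a %zu-byte block, overflow=%d\n",
           dispatch(small, 0).write_len, system_buffer_len(small), overflows_pool(small, 0));
    printf("hardened: status 0x%08X, overflow=%d\n", dispatch(small, 1).status, overflows_pool(small, 1));
    return 0;
}
```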
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.