Diskeeper Remote Memory Disclosure
Credit: Pravus (pravus -a-t- hush -d-o-t- com)
Greetz: Scientology for making a remotely accessible disk
defragmenter. Felix, Jenna, and Isaac.
Vulnerability Description:
This vulnerability involves a memory comparison function that is
remotely and anonymously accessible via the remote procedure call in
the Diskeeper administrative interface. Using this, an attacker
can guess / brute force memory at any address in the process,
although passing a bad pointer will cause a memory read exception
and DoS the process. Since causing a Denial of Service for
Diskeeper is of minimal consequence, this write-up will focus on
the memory reading aspect.
By making use of shared user memory at 0x7FFE0000, an attacker can
learn information such as the Windows drive, path, and version. More
importantly for a targeted attack, an attacker can also get the
name, path, version and base address of all loaded modules in the
process. This would essentially defeat address space randomization
(ASLR) in Windows Vista, since loaded modules tend to have the same
preferred address in all processes for each boot of the system.
Diskeeper introduced their administrative interface in Diskeeper 9
and continued it in Diskeeper 10 and Diskeeper 2007. For the
purpose of this vulnerability I tested in Diskeeper 9 Professional
and Diskeeper 2007 Pro Premier. (Though I believe from the
documentation that the Server Editions of each and both versions of
Diskeeper 10 are equally vulnerable.)
The administrative interface, DkService.exe, runs as a system
service that is by default configured to start automatically. It
listens on TCP port 31038 and has three RPC functions available.
Calling the opcode 0x01 RPC function (MIDL below) allows a remote,
anonymous memory comparison at an attacker-provided address.
Simply pass the size of the data, the data, and the address to make
use of this.
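The bug class described above, as an added illustration that is not Diskeeper's code: a compare handler that dereferences a caller-chosen address (the pattern the advisory describes) next to a hardened form that only accepts offsets inside the one buffer the operation is meant to inspect. The buffer contents and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the only region a compare request should ever touch. */
static unsigned char g_config[32] = "SAMPLE-SERVICE-CONFIG-BYTES";

/* Vulnerable pattern: the remote caller supplies the address, length and data,
 * and the handler dereferences the address unchecked. The boolean result turns
 * any readable address into a byte-guessing oracle; an unmapped address faults
 * and takes the service down. */
bool vulnerable_compare(uintptr_t addr, const unsigned char *data, size_t len)
{
    return memcmp((const void *)addr, data, len) == 0;
}

/* Hardened form: the request names an offset, not a pointer, and the offset
 * plus length must fit inside g_config. Out-of-range requests are rejected
 * without dereferencing anything; *accepted reports whether a comparison ran. */
bool hardened_compare(size_t offset, const unsigned char *data, size_t len,
                      bool *accepted)
{
    *accepted = false;
    if (len == 0 || len > sizeof g_config || offset > sizeof g_config - len)
        return false;                      /* rejected, no memory read */
    *accepted = true;
    return memcmp(g_config + offset, data, len) == 0;
}

/* Convenience wrapper so callers need not know the buffer's address. */
bool hardened_compare_config(size_t offset, const unsigned char *data,
                             size_t len, bool *accepted)
{
    return hardened_compare(offset, data, len, accepted);
}

/* Exposes the buffer address only so the vulnerable variant can be exercised
 * against known-mapped memory in a demonstration. */
uintptr_t config_address(void) { return (uintptr_t)g_config; }
```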
/* opcod