Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
ID: 781 | Date: (C)2012-05-14 (M)2022-10-10
Type: weakness | Status: DRAFT
Abstraction Type: Variant
Description
The software defines an IOCTL that uses METHOD_NEITHER for I/O,
but it does not validate or incorrectly validates the addresses that are
provided.
Extended Description
When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the
responsibility of the IOCTL to validate the addresses that have been
supplied to it. If validation is missing or incorrect, attackers can supply
arbitrary memory addresses, leading to code execution or a denial of
service.
Likelihood of Exploit: Low to Medium
Applicable Platforms
- Language: C (Often)
- Language: C++ (Often)
- Operating System: Windows XP (Sometimes)
- Operating System: Windows 2000 (Sometimes)
- Operating System: Windows Vista (Sometimes)
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Integrity; Availability; Confidentiality | Modify memory; Read memory; Execute unauthorized code or commands; DoS: crash / exit / restart | An attacker may be able to access memory that belongs to another process or user. If the attacker can control the contents that the IOCTL writes, it may lead to code execution at high privilege levels. At the least, a crash can occur.
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Implementation | | If METHOD_NEITHER is required for the IOCTL, then ensure that all user-space addresses are properly validated before they are first accessed. The ProbeForRead and ProbeForWrite routines are available for this task. Also properly protect and manage the user-supplied buffers, since the I/O Manager does not do this when METHOD_NEITHER is being used. See References. | |
Architecture and Design | | If possible, avoid using METHOD_NEITHER in the IOCTL and select methods that effectively control the buffer size, such as METHOD_BUFFERED, METHOD_IN_DIRECT, or METHOD_OUT_DIRECT. | |
Architecture and Design; Implementation | | If the IOCTL is part of a driver that is only intended to be accessed by trusted users, then use proper access control for the associated device or device namespace. See References. | |
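The ProbeForRead/ProbeForWrite mitigation above, as an added example that is not CWE's or the WDK's own code: a user-mode C model of the checks a METHOD_NEITHER handler must apply to its Type3InputBuffer and Irp->UserBuffer pointers before the first access. USER_LIMIT, the status values, probe_user_range, handle_ioctl_neither, roundtrip and the req_t layout are assumptions of the model; the real routines raise an exception inside __try/__except rather than returning a status, and the model spells out the three conditions a probe enforces (alignment, no wraparound, range below the user boundary) so each rejection path can be exercised.

```c
/* Added example, not CWE or WDK code: a user-mode model of the address
 * validation a METHOD_NEITHER IOCTL owes its raw user pointers. A real driver
 * calls ProbeForRead/ProbeForWrite in __try/__except; this returns a status. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model constant (assumption): user space is the low half of the address
 * space; Windows keeps the real boundary in MmUserProbeAddress. */
#define USER_LIMIT ((uintptr_t)1 << (8 * sizeof(uintptr_t) - 1))
enum { ST_SUCCESS = 0, ST_ACCESS_VIOLATION, ST_MISALIGNED, ST_TOO_SMALL };
/* Model of ProbeForRead/ProbeForWrite(addr, len, align): zero length passes;
 * else start aligned (align a power of two), no wrap, end below USER_LIMIT. */
int probe_user_range(uintptr_t addr, size_t len, size_t align)
{
    if (len == 0)
        return ST_SUCCESS;
    if (addr & (align - 1))
        return ST_MISALIGNED;
    if (addr + len < addr)            /* end wrapped past zero */
        return ST_ACCESS_VIOLATION;
    if (addr + len > USER_LIMIT)      /* range reaches kernel space */
        return ST_ACCESS_VIOLATION;
    return ST_SUCCESS;
}
typedef struct { uint32_t value; } req_t;   /* constructed request layout */
/* Hardened dispatch: `in` models Type3InputBuffer and `out` Irp->UserBuffer,
 * neither checked by the I/O Manager; the CWE-781 variant skips both probes. */
int handle_ioctl_neither(const void *in, size_t in_len, void *out, size_t out_len)
{
    req_t req; int st;
    if (in_len < sizeof req || out_len < sizeof req)
        return ST_TOO_SMALL;
    if ((st = probe_user_range((uintptr_t)in, in_len, 4)) != ST_SUCCESS)
        return st;
    if ((st = probe_user_range((uintptr_t)out, out_len, 4)) != ST_SUCCESS)
        return st;
    memcpy(&req, in, sizeof req);      /* guarded read of user input */
    req.value += 1;
    memcpy(out, &req, sizeof req);     /* guarded write of the result */
    return ST_SUCCESS;
}
/* Usage: one request through the handler; UINT32_MAX marks a rejection. */
uint32_t roundtrip(uint32_t v)
{
    req_t in = { v }, out = { 0 };
    if (handle_ioctl_neither(&in, sizeof in, &out, sizeof out) != ST_SUCCESS)
        return UINT32_MAX;
    return out.value;
}
```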
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-781 CanPrecede CWE-822 | Weakness | CWE-699 |
Demonstrative Examples: None
Observed Examples
- CVE-2006-2373 : Driver for file-sharing and messaging protocol allows attackers to execute arbitrary code.
- CVE-2009-0686 : Anti-virus product does not validate addresses, allowing attackers to gain SYSTEM privileges.
- CVE-2009-0824 : DVD software allows attackers to cause a crash.
- CVE-2008-5724 : Personal firewall allows attackers to gain SYSTEM privileges.
- CVE-2007-5756 : chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings: None
References:
- Ruben Santamarta. "Exploiting Common Flaws in Drivers". 2007-07-11.
- Yuriy Bulygin. "Remote and Local Exploitation of Network Drivers". 2007-08-01.
- Anibal Sacco. "Windows driver vulnerabilities: the METHOD_NEITHER odyssey". October 2008.
- Microsoft. "Buffer Descriptions for I/O Control Codes".
- Microsoft. "Using Neither Buffered Nor Direct I/O".
- Microsoft. "Securing Device Objects".
- Piotr Bania.