Vulnerability title: Arbitrary Code Execution in G Data TotalProtection 2014
Vendor: G Data
Product: TotalProtection 2014
Affected version: v184.108.40.206
Fixed version: N/A
Reported by: Kyriakos Economou
G Data TotalProtection 2014 v220.127.116.11 and possibly earlier versions are vulnerable to arbitrary code execution.
A local attacker is able to execute code as SYSTEM by exploiting a bug in the MiniIcpt.sys (v1.013046.218) device driver.
Other software from the same vendor using the affected driver may also be vulnerable to the same attack.
This vulnerability doesn’t currently allow elevation of privileges as the attacker needs administrator rights to trigger the bug.
In particular, IOCTL 0×83170180 leads to:
OR ECX, -1
LOCK XADD DWORD PTR [EAX], ECX
These two instructions are used to decrement a value stored in a memory location pointed by EAX, but in this case the value of EAX can be controlled through the IOCTL input buffer from userland.
Any value in writeable memory can be decremented at will by triggering the vulnerability multiple times.
The challenge in a scenario like this is to find a pointer that could later be used to control the EIP.
For example, a pointer to another function of the same module could be used through another IOCTL, if that pointer is stored to a known address such as in the range of the driver module itself.