Analysis of MS15-010/MS15-014 and release of the updates
L7585A8E0:
    lea eax,[ebp-00000254h]
    push eax
    push ebx
    push edi
    push [ebp-00000234h]
    call [SETUPAPI_dll_DelayImport_SetupFindFirstLineW]
    test eax,eax
    jz L7585B04D
    mov eax,[ebp+14h]
    fld qword ptr [ebp-00000244h]
    and eax,00000001h
    mov [ebp-0000023Ch],eax
    lea eax,[ebp-00000228h]
    push eax
    jz L7585A92C
    push ebx
    push ecx
    push ecx
    fstp qword ptr [esp]
    push esi
    call SUB_L758561B1
    mov [ebp-00000208h],eax
    jmp L7585A95F
L7585A92C:
    test byte ptr [ebp+14h],02h
    fld qword ptr [ebp-00000244h]
First, the XP SP3 assembly, listing 1
L7585A8E0:
    lea eax,[ebp-00000258h]
    push eax
    push ebx
    push edi
    push [ebp-00000234h]
    call [SETUPAPI_dll_DelayImport_SetupFindFirstLineW]
    test eax,eax
    jz L7585B0EF
    mov eax,[ebp+14h]
    fld qword ptr [ebp-00000248h]
    and eax,00000001h
    mov [ebp-00000240h],eax
    lea eax,[ebp-00000224h]
    push eax
    jz L7585A94C
    push ebx
    push ecx
    push ecx
    fstp qword ptr [esp]
    push esi
    call SUB_L758561B1
    mov [ebp-00000208h],eax
    mov eax,[ebp+14h]
    and eax,00000002h
    mov [ebp-0000023Ch],eax
    jz L7585A987
    push SWC7585B228_Registry_Values
    push edi
    call [msvcrt.dll!_wcsicmp]
    test eax,eax
    pop ecx
    pop ecx
    jz L7585A96D
    jmp L7585A987
L7585A94C:
    push 00000002h
    push ecx
    push ecx
    fstp qword ptr [esp]
    push esi
    call SUB_L758561B1
    mov [ebp-00000208h],eax
    mov eax,[ebp+14h]
    and eax,00000002h
    mov [ebp-0000023Ch],eax
    jz L7585A987
L7585A96D:
    fld qword ptr [ebp-00000248h]
    lea eax,[ebp-00000210h]
The fixed version
Applying this to Windows 2000:
L767CFFBA:
    lea eax,[ebp-34h]
    push eax
    push ebx
    push [ebp+08h]
    push [ebp+0Ch]
    call [SETUPAPI_dll_DelayImport_SetupFindFirstLineW]
    test eax,eax
    jz L767D046B
    cmp [ebp+14h],ebx
    lea eax,[ebp-14h]
    push eax
    jz L767CFFDF
    push ebx
    jmp L767CFFE1
L767CFFDF:
    push 00000002h
L767CFFE1:
    fld qword ptr [ebp-24h]
    push ecx
    push ecx
    fstp qword ptr [esp]
    push edi
    call SUB_L767CC94D
    mov esi,eax              ; the relevant code
As for Windows 2000, it turned out that the flag being referenced does not exist there in the first place.
No vulnerability
L7585AEEC:
    cmp [ebp-0000023Ch],ebx;;;;;;;;;;;;;;;;;;;;;
    jnz L7585AF6E
    test byte ptr [ebp+14h],02h
    jz L7585AF6E
    cmp [ebp-00000214h],ebx
    jz L7585AF6E
    cmp esi,ebx
    jz L7585AF09
    push esi
    jmp L7585AF10
L7585AF14:
    cmp [ebp-0000023Ch],ebx;;;;;;;;;;;;;;;;;;;;
    jz L7585AF8C
    cmp [ebp-00000210h],ebx
    jz L7585AF8C
    lea eax,[ebp-00000204h]
    push SWC7585B168_MACHINE_System_CurrentControlSet
    push eax
    call [msvcrt.dll!_wcsicmp]
    test eax,eax
    pop ecx
    pop ecx
    jnz L7585AF8C
    cmp esi,ebx
    mov eax,esi
    jnz L7585AF48
    lea eax,[ebp-00000204h]
L7585AF48:
    mov ecx,[ebp-0000020Ch]
    push ebx
    add ecx,ecx
    push ecx
    push edi
    push ebx
    push eax
    push [ebp-00000210h]
    call SUB_L75858D2B
    cmp eax,ebx
    mov [ebp-00000208h],eax
    jz L7585AF8C
    lea eax,[ebp-00000204h]
    push eax
    push 00001C7Bh
    push [ebp-00000208h]
    call SUB_L75826AF3
    push eax
    push 00000001h
    call SUB_L75854463
    add esp,00000010h
L7585AF8C:
    cmp [ebp-00000240h],ebx
    jnz L7585B010
    cmp [ebp-0000023Ch],ebx
    jz L7585B010
    cmp [ebp-00000210h],ebx
    jz L7585B010
    cmp esi,ebx
    jz L7585AFAB
    push esi
    jmp L7585AFB2
The Windows XP fixed version
L767D03BE:
Windows 2000 is missing the whole block starting from where the XP fix is inserted…
Apparently it simply does not support the handling of registry values at all.
The related registry value is this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\requiresecuritysignature
When this registry entry is set to 0, or when the corresponding Group Policy setting is disabled, reading this value is said to cause a security bypass.
Next, the analysis of ksecdd.sys
    lea eax,[ebp-000000C4h]
    push eax
    call [ntoskrnl.exe!SeCaptureSubjectContext]
    lea eax,[ebp-000000C4h]
    push eax
    call [ntoskrnl.exe!SeLockSubjectContext]
    mov eax,[ebp-000000C4h]
    cmp eax,edi
    jnz L000209B9
    mov eax,[ebp-000000BCh]
L000209B9:
    lea ecx,[ebp-000000B0h]
    push ecx
    push eax
    call [ntoskrnl.exe!SeQueryAuthenticationIdToken]
    mov esi,eax
    lea eax,[ebp-000000C4h]
Old version
    lea eax,[ebp-000000C4h]
    push eax
    call [ntoskrnl.exe!SeCaptureSubjectContext]
    lea eax,[ebp-000000C4h]
    push eax
    call [ntoskrnl.exe!SeLockSubjectContext]
    mov eax,[ebp-000000C4h]
    cmp eax,edi
    jz XXX
    cmp [ebp-000000C0h],esi
    jg L000209BF
    mov esi,C00000A5h
    jmp L000209CF
XXX:
    mov eax,[ebp-000000BCh]
L000209BF:
    lea ecx,[ebp-000000B0h]
    push ecx
    push eax
    call [ntoskrnl.exe!SeQueryAuthenticationIdToken]
    mov esi,eax
L000209CF:
    lea eax,[ebp-000000C4h]
New version
L00019BD0:
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeCaptureSubjectContext
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeLockSubjectContext
    mov eax,[ebp-20h]
    test eax,eax
    jnz L00019BEC
    mov eax,[ebp-18h]
L00019BEC:
    lea ecx,[ebp-08h]
    push ecx
    push eax
    call jmp_ntoskrnl.exe!SeQueryAuthenticationIdToken
    mov esi,eax
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeUnlockSubjectContext
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeReleaseSubjectContext
    test esi,esi
    jge L00019C15
    mov eax,esi
    jmp L00019CAC
Windows 2000
L00019BD0:
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeCaptureSubjectContext
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeLockSubjectContext
    mov eax,[ebp-20h]
    test eax,eax
    jmp XXX
L00019BEC:
    lea ecx,[ebp-08h]
    push ecx
    push eax
    call jmp_ntoskrnl.exe!SeQueryAuthenticationIdToken
    mov esi,eax
L00019BF8:
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeUnlockSubjectContext
    lea eax,[ebp-20h]
    push eax
    call jmp_ntoskrnl.exe!SeReleaseSubjectContext
    test esi,esi
    jge L00019C15
    mov eax,esi
    jmp L00019CAC
XXX:
    jnz L00015B8C
    mov eax,[ebp-18h]
    jmp L00019BEC
L00015B8C:
    cmp [ebp-1Ch],esi
    jge L00019BEC
    mov esi,C00000A5h
    jmp L00019BF8
Windows 2000 fix
Only MS15-010 has been published to WLU.
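To make the ksecdd.sys change readable as logic, here is an added C rendering of the old and new token-selection paths (example code written for this post, not code from the page, from Microsoft, or from the patched driver). It assumes the frame slots at ebp-C4h, ebp-C0h and ebp-BCh are the ClientToken, ImpersonationLevel and PrimaryToken fields of SECURITY_SUBJECT_CONTEXT, that C00000A5h is STATUS_BAD_IMPERSONATION_LEVEL, and, because the listing does not show how esi is loaded before the compare, takes that threshold as a parameter; the token handles and the authentication-id lookup are constructed stand-ins.

```c
#include <stdint.h>
#include <stddef.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                 ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER       ((NTSTATUS)0xC000000D)
#define STATUS_BAD_IMPERSONATION_LEVEL ((NTSTATUS)0xC00000A5)  /* the C00000A5h in the listing */
typedef enum { SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation }
    SECURITY_IMPERSONATION_LEVEL;

/* Field order follows SECURITY_SUBJECT_CONTEXT and matches the frame slots in the listing:
   ClientToken = ebp-C4h, ImpersonationLevel = ebp-C0h, PrimaryToken = ebp-BCh. */
typedef struct {
    void *ClientToken;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    void *PrimaryToken;
    void *ProcessAuditId;
} SECURITY_SUBJECT_CONTEXT;

/* Constructed stand-in for SeQueryAuthenticationIdToken: the token pointer doubles as the id. */
static NTSTATUS query_auth_id(void *token, uint64_t *id_out) {
    if (!token) return STATUS_INVALID_PARAMETER;
    if (id_out) *id_out = (uint64_t)(uintptr_t)token;
    return STATUS_SUCCESS;
}

/* Old version: the client (impersonation) token is used whenever one is present. */
NTSTATUS caller_id_old(const SECURITY_SUBJECT_CONTEXT *ctx, uint64_t *id_out) {
    void *tok = ctx->ClientToken ? ctx->ClientToken : ctx->PrimaryToken;  /* cmp eax,edi / jnz */
    return query_auth_id(tok, id_out);
}

/* New version: a client token is honoured only if its impersonation level is strictly above
   min_level (the value esi holds at "cmp [ebp-000000C0h],esi / jg"; the listing does not show
   how esi was loaded, so it is a parameter here). Otherwise the caller gets C00000A5h. */
NTSTATUS caller_id_new(const SECURITY_SUBJECT_CONTEXT *ctx,
                       SECURITY_IMPERSONATION_LEVEL min_level, uint64_t *id_out) {
    void *tok = ctx->PrimaryToken;
    if (ctx->ClientToken) {
        if ((int)ctx->ImpersonationLevel <= (int)min_level)
            return STATUS_BAD_IMPERSONATION_LEVEL;   /* mov esi,C00000A5h */
        tok = ctx->ClientToken;
    }
    return query_auth_id(tok, id_out);
}
/* Driver over constructed token handles; min_level is assumed to be SecurityIdentification. */
NTSTATUS run_case(int has_client, SECURITY_IMPERSONATION_LEVEL level, int patched, uint64_t *id_out) {
    SECURITY_SUBJECT_CONTEXT ctx = { has_client ? (void *)0x10 : NULL, level, (void *)0x20, NULL };
    return patched ? caller_id_new(&ctx, SecurityIdentification, id_out) : caller_id_old(&ctx, id_out);
}
```

The difference to look for when diffing the two builds is only the second branch: a client token at SecurityIdentification or below, which the old path accepted silently, now makes the call fail before SeQueryAuthenticationIdToken runs.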
There are places where a run of ";" continues; does that have any meaning?
Those are leftovers of the notes I wrote during the analysis; no need to worry about them ・ω・