

Advisories

Zemana AntiLogger - Kernel Memory Leak

5.5

Medium

Discovered by

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Zemana AntiLogger v2.74.204.664 - Kernel Memory Leak

Code name

Gomez

State

Public

Release date

Mar 14, 2024

Affected product

Zemana AntiLogger

Vendor

Zemana Ltd.

Affected version(s)

Version 2.74.204.664

Vulnerability name

Kernel Memory Leak

Vulnerability type

037. Technical Information Leak

Remotely exploitable

CVSS v3.0 vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v3.0 base score

5.5

Exploit available

Yes

CVE ID(s)

CVE-2024-2180

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers.

Vulnerability

The 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers allow to leak the kernel base address, making the kASLR protection useless.

In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

The handling code of the 0x80002020 IOCTL calls sub_14000B828 which performs a call to ZwQuerySystemInformation, using SystemModuleInformation (0xB) as first parameter.

if ( ZwQuerySystemInformation(
        SystemModuleInformation,
        SystemInformationClassOutput,
        NumberOfBytes,
        (PULONG)&NumberOfBytes) < 0

The output buffer is populated with the information returned by ZwQuerySystemInformation. Notice the first returned QWORD:

PS C:\Users\admin\Desktop> .\PoC.exe
[+] Bytes returned: 29 (0x1d)
[+] Output (0): FFFFF80252600000
[+] Output (8): 526D65747379535C
[+] Output (16): 747379735C746F6F
[+]

It matches with the kernel base address as fetched from the debugger:

Our security policy

We have reserved the ID CVE-2024-2180 to refer to this issue from now on.

Disclosure policy

System Information

Version: Zemana AntiLogger v2.74.204.664
Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Vendor page https://zemana.com/
Product page https://zemana.com/us/antilogger.html

Timeline



Vulnerability discovered

Feb 23, 2024



Vendor contacted

Mar 4, 2024



Public disclosure

Mar 14, 2024

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Contact sales

Try for free

Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.