Zemana AntiLogger - Process Termination

5.5

Medium

Discovered by 

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Zemana AntiLogger v2.74.204.664 - Arbitrary Process Termination

Code name

State

Public

Release date

Mar 14, 2024

Affected product

Zemana AntiLogger

Vendor

Zemana Ltd.

Affected version(s)

Version 2.74.204.664

Vulnerability name

Arbitrary Process Termination

Vulnerability type

Remotely exploitable

No

CVSS v3.0 vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v3.0 base score

5.5

Exploit available

Yes

CVE ID(s)

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to Arbitrary Process Termination: a local, low-privileged user can trigger the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers to terminate any process on the system.

Vulnerability

The 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers allows killing arbitrary processes on the system where the driver is installed. The caller passes the target process ID as the first DWORD of the lpInBuffer parameter of the DeviceIoControl request.

Before any other IOCTL of the zam64.sys and zamguard64.sys drivers is accepted, the caller must first issue IOCTL 0x80002010 with its own process ID, which registers that PID as an authorized IOCTL caller. Because any local process can register itself this way, the check does not restrict who can reach 0x80002048:

if ( IoctlCode != 0x80002010 )                                // the registration IOCTL itself is never gated
{
  if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
  {
    // v6 holds the calling PID; sub_140009BEC looks it up in the table filled by 0x80002010
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
      v3 = 0xC0000022;                                        // STATUS_ACCESS_DENIED
      DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
      goto LABEL_79

The decompiled handler for the 0x80002048 IOCTL starts with:

case 0x80002048:
    v3 = sub_14001048C(SystemBuffer

The sub_14001048C routine calls sub_1400133D0:

__int64 __fastcall sub_14001048C(unsigned int *a1)
{
  return sub_1400133D0(*a1, a1[1], 6i64

sub_1400133D0 is the vulnerable function:

ProcessHandle = 0i64;
v11 = 0;
v4 = 0xC0000001;                                              // STATUS_UNSUCCESSFUL
Timeout.QuadPart = 0xFFFFFFFFFF676980ui64;                    // relative timeout of -1 second
if ( (unsigned int)sub_140005994((void *)pSystemBuffer, &v11) && v11 ) // [1] is the target PID a critical process?
{
  DnsPrint_RpcZoneInfo(
    5,
    (unsigned int)"ProcessHelper\\ProcessHelper.c",
    0x1ED,
    (unsigned int)"ZmnPhTerminateProcessById",
    0,
    "Critical process termination attempt blocked");
  return (unsigned int)v4;
}
v4 = sub_140013268(&ProcessHandle, pSystemBuffer, 1u, 1);   // [2] open a handle to the PID from the input buffer
if ( v4 >= 0 )
{
  v4 = ZwTerminateProcess(ProcessHandle, 0);                  // [3] kill it from kernel mode

At [1] a check is performed to prevent termination of critical processes. At [2] a handle to the process whose ID was passed in the SystemBuffer is obtained. At [3] that handle is passed to ZwTerminateProcess, which terminates the process. The critical-process test at [1] is the only restriction on the target; nothing verifies that the caller holds the privileges that would be required to terminate the target process from user mode, so any process that has registered its PID via 0x80002010 can terminate security software, EDR agents or other processes belonging to other users.
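As an added example that is not part of the advisory or the vendor's driver code, the script below models what the two decompiled fragments above establish: which IOCTL codes the dispatcher reaches without the caller-PID authorization gate, and how 0x80002048 decomposes under the Windows CTL_CODE layout (METHOD_BUFFERED, which is why the PID is read from SystemBuffer, and FILE_ANY_ACCESS, so no particular handle access right is needed). It assumes the decompiled arithmetic is 32-bit unsigned and that 0x7FFFDFAC and 0x11001 are the jump-table bias and bitmask the decompiler emitted.

```python
# Added analysis helper, not code from the advisory. Assumption: IoctlCode
# arithmetic in the decompiled gate is 32-bit unsigned (ULONG IoControlCode).

MASK32 = 0xFFFFFFFF
AUTH_REGISTER_IOCTL = 0x80002010   # registers the calling PID (from the advisory)
TERMINATE_IOCTL = 0x80002048       # arbitrary process termination (from the advisory)
JUMP_TABLE_BIAS = 0x7FFFDFAC       # constant in `IoctlCode + 0x7FFFDFAC > 0x10`
JUMP_TABLE_BITS = 0x11001          # value tested by _bittest() in the decompiled gate

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def requires_caller_authorization(ioctl: int) -> bool:
    """Mirror the decompiled gate: True when the driver insists that the calling
    PID was registered through 0x80002010 before dispatching `ioctl`."""
    if ioctl == AUTH_REGISTER_IOCTL:
        return False                          # excluded by the outer `if`
    idx = (ioctl + JUMP_TABLE_BIAS) & MASK32  # index into the 17-entry table
    if idx > 0x10:
        return True                           # not in the table -> gated
    return not (JUMP_TABLE_BITS >> idx) & 1   # _bittest(0x11001, idx) set -> ungated


def ungated_ioctls() -> set:
    """Codes in the driver's 0x800020xx range that skip the caller-PID check."""
    return {code for code in range(0x80002000, 0x80002100)
            if not requires_caller_authorization(code)}


def decode_ioctl(ioctl: int) -> dict:
    """Split a code per CTL_CODE(DeviceType, Function, Method, Access)."""
    return {
        "device_type": ioctl >> 16,           # bits 31..16
        "access": ACCESS[(ioctl >> 14) & 3],  # bits 15..14
        "function": (ioctl >> 2) & 0xFFF,     # bits 13..2
        "method": METHODS[ioctl & 3],         # bits 1..0
    }


if __name__ == "__main__":
    print("0x80002048 gated by PID check:", requires_caller_authorization(TERMINATE_IOCTL))
    print("ungated codes:", sorted(hex(c) for c in ungated_ioctls()))
    print("0x80002048 decoded:", decode_ioctl(TERMINATE_IOCTL))
```

Running it shows that 0x80002048 is behind the PID gate, which the advisory notes any local process can satisfy by registering its own PID, and that the code is a METHOD_BUFFERED, FILE_ANY_ACCESS request on device type 0x8000, function 0x812.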

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2024-1853 to refer to this issue from now on.

Disclosure policy

System Information

  • Version: Zemana AntiLogger v2.74.204.664

  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Timeline

Vulnerability discovered

Feb 23, 2024

Vendor contacted

Mar 4, 2024

Public disclosure

Mar 14, 2024


Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

© 2025 Fluid Attacks. We hack your software.
