Add ProbeFor[Read|Write] bypass #14
Comments
Hi @neitsa Thanks for the report. I'm aware of this issue. If you look at the driver source, you may not find an instance where
I will be very happy to review and accept the pull requests. Thank you.
Hi @neitsa Did I misunderstand your report? Let me know if that is the case. Thank you.
Howdy @hacksysteam :)
Errr, yeah. I might not have been clear, sorry for that. I was asking for a feature request to add another vuln to the driver (just a dedicated ioctl would be enough) that would trigger a bug by leveraging a Exactly as the other current issues (which AFAIK are feature requests rather than proper "issues").
Ah! Now, I understood what you meant. :) It would be great to have one such vulnerability implemented.
ProbeForRead and ProbeForWrite can be bypassed when the `Length` argument is zero. There might be an exploitable condition after the probe if the length is fetched from somewhere else on a subsequent read / write operation on the probed buffer.
Some examples:
I've also seen it in some AV's drivers.
Cheers, and thanks for the driver & sources! o/
P.S: do you accept pull requests if I want to implement this 'feature'?
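
The pattern described in the issue body, modelled in user-mode C as an added example (not code from the driver or from anyone in this thread): a handler that probes with one length and uses another, next to a handler that captures the length once and probes exactly the range it will access. `model_probe`, `MODEL_USER_LIMIT`, `struct request` and both handlers are hypothetical names, and the probe is modelled only as far as the issue states it (a zero `Length` checks nothing).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the top of user address space (assumption). */
#define MODEL_USER_LIMIT 0x00007FFFFFFF0000ULL

/* Model of the probe as the issue describes it: Length == 0 checks nothing. */
static int model_probe(uint64_t addr, uint64_t len)
{
    if (len == 0)
        return 1;                         /* address never examined */
    if (addr + len < addr)
        return 0;                         /* range wraps around */
    return addr + len <= MODEL_USER_LIMIT;
}

/* Hypothetical request: the length that is probed and the length that is
   later used come from two different fields. */
struct request { uint64_t buffer; uint32_t probed_len; uint32_t used_len; };

/* Flawed: returns the byte count it would access, or -1 if rejected. */
int64_t flawed_handler(const struct request *r)
{
    if (!model_probe(r->buffer, r->probed_len))
        return -1;
    return r->used_len;                   /* this range was never probed */
}

/* Hardened: capture the length once, treat zero as "touch nothing",
   and probe exactly the range that will be accessed. */
int64_t hardened_handler(const struct request *r)
{
    uint32_t len = r->used_len;
    if (len == 0)
        return 0;
    if (!model_probe(r->buffer, len))
        return -1;
    return len;
}

int main(void)
{
    /* Constructed input: address above the modelled limit, probed length 0. */
    struct request bad = { 0xFFFF800000001000ULL, 0, 64 };
    printf("flawed=%lld hardened=%lld\n",
           (long long)flawed_handler(&bad), (long long)hardened_handler(&bad));
    return 0;
}
```

When reviewing a driver for this class of bug, the thing to look for is any access whose length does not come from the same captured value that was passed to the probe.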