CHECK POINT ZONE LABS PRODUCTS
MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES
Rubén Santamarta <ruben@reversemode.com>
04.20.2007
Affected products:
+ ZoneAlarm (Srescan.sys v5.0.155 and earlier)
Srescan.sys is exposed through the following DOS device: "\\.\SreScan"
Restricted accounts, including guest users, can access privileged
IOCTLs implemented within the affected driver.
In addition to this risk factor, the driver does not validate the
user-mode buffers it receives in Type3 (METHOD_NEITHER) requests, so a
local user can overwrite arbitrary kernel memory and escalate privileges.
DosDevice: \\.\Srescan
Driver: srescan.sys Version: 5.0.83.0
------------------------- IOCTL 0x2220CF
.text:00013127 mov ecx, [ebp+arg_10]
.text:0001312A cmp dword ptr [ecx], 4 ;
.text:0001312D jnz short loc_1313F
.text:0001312F mov edx, [ebp+FileInformation]
.text:00013132 mov dword ptr [edx], 30000h ; edx controlled
.text:00013138 xor esi, esi
.text:0001313A mov [ebp+var_1C], esi
.text:0001313D jmp short loc_1315F
------------------------- IOCTL 0x22208F
.text:00014091 mov ebp, ds:ExAllocatePoolWithTag
.text:00014097 mov esi, 20000h
.text:0001409C push 31565244h ; Tag
.text:000140A1 push esi ; NumberOfBytes
.text:000140A2 push 0 ; PoolType
.text:000140A4 call ebp ; ExAllocatePoolWithTag
.text:000140A6 mov ebx, eax
.text:000140A8 test ebx, ebx
.text:000140AA jz short loc_140F3
.text:000140AC mov edi, ds:ZwQuerySystemInformation
.text:000140B2
.text:000140B2 loc_140B2: ; CODE XREF: sub_14070+81j
.text:000140B2 lea ecx, [esp+1Ch+ReturnLength]
.text:000140B6 push ecx ; ReturnLength
.text:000140B7 push esi ; SystemInformationLength
.text:000140B8 push ebx ; SystemInformation
.text:000140B9 push 5 ; SystemInformationClass (SystemProcessInformation)
.text:000140BB call edi ; ZwQuerySystemInformation
.text:000140BD cmp eax, 0C0000023h ; STATUS_BUFFER_TOO_SMALL
.text:000140C2 mov [esp+1Ch+var_4], eax
.text:000140C6 jz short loc_140D6
.text:000140C8 cmp eax, 80000005h ; STATUS_BUFFER_OVERFLOW
.text:000140CD jz short loc_140D6
.text:000140CF cmp eax, 0C0000004h ; STATUS_INFO_LENGTH_MISMATCH
.text:000140D4 jnz short loc_14102
.text:0001411D loc_1411D: ; CODE XREF: sub_14070+112j
.text:0001411D mov eax, [edx+44h]
.text:00014120 test eax, eax
.text:00014122 jz short loc_1417A
[...]
.text:00014154 mov dword ptr [eax+4], 0
.text:0001415B mov esi, [edx+3Ch]
.text:0001415E lea edi, [eax+0Ch] ; edi = OutputBuffer. Controlled
.text:00014161 mov eax, ecx
.text:00014163 shr ecx, 2
.text:00014166 rep movsd ; copy into the unprobed user pointer
.text:00014168 mov ecx, eax
.text:0001416A mov eax, [esp+1Ch+var_8]
.text:0001416E and ecx, 3
.text:00014171 inc eax
.text:00014172 rep movsb
.text:00014174 mov [esp+1Ch+var_8], eax
.text:00014178 mov edi, eax
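Added example (not code from the advisory or from Zone Labs): a C model of the check that both handlers above skip. It decodes the two control codes to show they are METHOD_NEITHER with FILE_ANY_ACCESS, and approximates ProbeForRead/ProbeForWrite as address arithmetic against the x86 MmUserProbeAddress; the function names, the model's returned status values and the sample addresses are assumptions, constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* CTL_CODE layout: device type (16 bits) | access (2) | function (12) | method (2). */
#define IOCTL_DEVICE(c)   (((c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)   (((c) >> 14) & 0x3u)
#define IOCTL_FUNCTION(c) (((c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)   ((c) & 0x3u)
#define METHOD_NEITHER    3u   /* Type3: the I/O manager passes raw user pointers, no copy */
#define FILE_ANY_ACCESS   0u   /* no particular access right needed on the handle */

/* x86 MmUserProbeAddress: first address above the user-mode range. */
#define MM_USER_PROBE_ADDRESS        0x7FFF0000u
#define STATUS_SUCCESS               0x00000000u
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* True when a control code hands the driver raw user pointers and any holder
 * of a handle may send it: the combination present on both affected IOCTLs. */
int ioctl_needs_probe(uint32_t code)
{
    return IOCTL_METHOD(code) == METHOD_NEITHER && IOCTL_ACCESS(code) == FILE_ANY_ACCESS;
}

/* Model (assumption) of ProbeForRead/ProbeForWrite as pure address arithmetic.
 * The real routines raise an exception, caught by __try/__except in the
 * driver, instead of returning a status, and ProbeForWrite touches each page. */
uint32_t probe_user_range(uintptr_t addr, size_t len, size_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > MM_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened dispatch for IOCTL 0x2220CF: validate both Type3 buffers before the
 * "cmp dword ptr [ecx], 4" read and the "mov dword ptr [edx], 30000h" write.
 * Returns the NTSTATUS the IRP would complete with; only on STATUS_SUCCESS may
 * the handler dereference either pointer. */
uint32_t check_ioctl_2220cf(uintptr_t in_va, size_t in_len, uintptr_t out_va, size_t out_len)
{
    uint32_t st;
    if (in_len < sizeof(uint32_t) || out_len < sizeof(uint32_t)) return STATUS_BUFFER_TOO_SMALL;
    if ((st = probe_user_range(in_va, in_len, sizeof(uint32_t))) != STATUS_SUCCESS) return st;
    if ((st = probe_user_range(out_va, out_len, sizeof(uint32_t))) != STATUS_SUCCESS) return st;
    return STATUS_SUCCESS;
}
```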
Exploits
No exploits are released. Ethical security companies can contact the
author to request samples:
contact (at) reversemode (dot) com
References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48 (PDF)
-----------
Reversemode
Advanced Reverse Engineering Services
www.reversemode.com