Windows XP kernel driver secdrv.sys local elevation of privilege vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200717394
Type myhack58
Reporter Anonymous
Modified 2007-10-26T00:00:00


Windows XP kernel driver secdrv.sys local elevation of privilege vulnerability

Author: Polymorphours
Email:
Homepage:
Date: 2007-10-23

This kernel privilege-escalation 0day was found some days ago; it is said that Symantec recently picked it up as well and reported it to MS. After internal discussion we decided to publish the details, the intention being to discuss and learn together with everyone and improve together. This vulnerability program is for study only; neither the Whitecell organization nor I take responsibility for any harm caused by abusing this vulnerability. Hereby declared.

While analysing the various Windows drivers I happened upon a vulnerability that lets any user elevate to SYSTEM privileges. It lies in the IRP_MJ_DEVICE_CONTROL handling routine of the driver secdrv.sys: because the necessary parameter checks are missing, arbitrary bytes can be written to arbitrary kernel memory, resulting in a DoS or elevation of privileges. The vulnerable code is analysed below:

The DISPATCH handler:

.text:00011D60 loc_11D60:                              ; DATA XREF: sub_11AA6+8Bo
.text:00011D60     push    esi
.text:00011D61     mov     esi, [esp+0Ch]              ; esi = Irp
.text:00011D65     push    edi
.text:00011D66     xor     edi, edi
.text:00011D68     mov     eax, [esi+60h]              ; eax = Irp->Tail.Overlay.CurrentStackLocation
.text:00011D6B     and     dword ptr [esi+18h], 0      ; Irp->IoStatus.Status = 0
.text:00011D6F     and     dword ptr [esi+1Ch], 0      ; Irp->IoStatus.Information = 0
.text:00011D73     mov     al, [eax]                   ; IoStack->MajorFunction
.text:00011D75     test    al, al
.text:00011D77     jz      short loc_11D85
.text:00011D79     cmp     al, 0Eh                     ; IRP_MJ_DEVICE_CONTROL
.text:00011D7B     jnz     short loc_11D85
.text:00011D7D     push    esi
.text:00011D7E     call    sub_11CD8                   ; -> processes IRP_MJ_DEVICE_CONTROL
.text:00011D83     mov     edi, eax
.text:00011D85 loc_11D85:                              ; CODE XREF: .text:00011D77j
.text:00011D85                                         ; .text:00011D7Bj
.text:00011D85     xor     dl, dl
.text:00011D87     mov     ecx, esi
.text:00011D89     call    ds:IofCompleteRequest
.text:00011D8F     mov     eax, edi
.text:00011D91     pop     edi
.text:00011D92     pop     esi
.text:00011D93     retn    8

The problematic function:

.text:00011CD8 sub_11CD8 proc near                     ; CODE XREF: .text:00011D7Ep
.text:00011CD8 arg_0 = dword ptr 8
.text:00011CD8     push    ebx
.text:00011CD9     mov     ebx, [esp+arg_0]            ; ebx = Irp
.text:00011CDD     push    ebp
.text:00011CDE     push    esi
.text:00011CDF     mov     eax, [ebx+60h]              ; eax = current IO_STACK_LOCATION
.text:00011CE2     push    edi
.text:00011CE3     cmp     dword ptr [eax+0Ch], 0CA002813h ; IoControlCode (METHOD_NEITHER code)
.text:00011CEA     jz      short loc_11D07             ; -> processes the 0CA002813h control code
.text:00011CEC     mov     eax, dword_12364
.text:00011CF1     xor     edi, edi
.text:00011CF3     cmp     eax, edi
.text:00011CF5     jnz     short loc_11CFE
.text:00011CF7     mov     eax, 0C0000010h             ; STATUS_INVALID_DEVICE_REQUEST
.text:00011CFC     jmp     short loc_11D39
.text:00011CFE ; ---------------------------------------------------------------------------
.text:00011CFE loc_11CFE:                              ; CODE XREF: sub_11CD8+1Dj
.text:00011CFE     lea     ecx, [ebx+18h]
.text:00011D01     push    ecx
.text:00011D02     push    ebx
.text:00011D03     call    eax
.text:00011D05     jmp     short loc_11D59
.text:00011D07 ; ---------------------------------------------------------------------------
.text:00011D07 loc_11D07:                              ; CODE XREF: sub_11CD8+12j
.text:00011D07     xor     edi, edi
.text:00011D09     mov     [ebx+18h], edi              ; IoStatus.Status = 0
.text:00011D0C     mov     [ebx+1Ch], edi              ; IoStatus.Information = 0
.text:00011D0F     mov     ebp, [eax+4]                ; ebp = OutputBufferLength
.text:00011D12     mov     esi, [eax+10h]              ; esi = Type3InputBuffer (raw user pointer)
.text:00011D15     cmp     [eax+8], ebp                ; InputBufferLength == OutputBufferLength ?
.text:00011D18     jnz     short loc_11D34
.text:00011D1A     push    dword ptr [esi+0Ch]
.text:00011D1D     lea     eax, [esi+10h]
.text:00011D20     push    eax
.text:00011D21     mov     eax, dword_12358
.text:00011D26     push    eax
.text:00011D27     push    dword ptr [esi+4]
.text:00011D2A     push    dword ptr [esi]
.text:00011D2C     call    dword ptr [eax+10h]         ; -> this function does not check the input and output
.text:00011D2F     cmp     eax, 0Ah
.text:00011D32     jz      short loc_11D41             ; -> if the function returns 0Ah, copy
.text:00011D34 loc_11D34:                              ; CODE XREF: sub_11CD8+40j
.text:00011D34     mov     eax, 0C0000001h             ; STATUS_UNSUCCESSFUL
.text:00011D39 loc_11D39:                              ; CODE XREF: sub_11CD8+24j
.text:00011D39     mov     [ebx+18h], eax
.text:00011D3C     mov     [ebx+1Ch], edi
.text:00011D3F     jmp     short loc_11D59
.text:00011D41 ; ---------------------------------------------------------------------------
.text:00011D41 loc_11D41:                              ; CODE XREF: sub_11CD8+5Aj
.text:00011D41     mov     edi, [ebx+3Ch]              ; -> Irp->UserBuffer is used without any check; data is copied straight into it
.text:00011D44     mov     ecx, ebp                    ; ecx = OutputBufferLength (== InputBufferLength)
.text:00011D46     mov     eax, ecx
.text:00011D48     shr     ecx, 2
.text:00011D4B     rep movsd                           ; esi still = Type3InputBuffer, also unchecked
.text:00011D4D     mov     ecx, eax
.text:00011D4F     and     ecx, 3
.text:00011D52     xor     eax, eax
.text:00011D54     rep movsb
.text:00011D56     mov     [ebx+1Ch], ebp              ; IoStatus.Information = OutputBufferLength
.text:00011D59 loc_11D59:                              ; CODE XREF: sub_11CD8+2Dj
.text:00011D59                                         ; sub_11CD8+67j
.text:00011D59     pop     edi
.text:00011D5A     pop     esi
.text:00011D5B     pop     ebp
.text:00011D5C     pop     ebx
.text:00011D5D     retn    4
.text:00011D5D sub_11CD8 endp
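As an added example (not code from the advisory, from secdrv.sys or from Whitecell), the following user-mode C model shows the validation that the 0CA002813h handler above omits. It follows the same decisions as sub_11CD8 up to the copy, but probes Type3InputBuffer and Irp->UserBuffer against the 32-bit user/kernel boundary before anything is copied, which is what a driver does with ProbeForRead/ProbeForWrite for a METHOD_NEITHER control code. The request struct, the USER_PROBE_ADDRESS constant (0x7FFF0000, the 32-bit MmUserProbeAddress), the INPUT_HEADER_SIZE of 0x10 (derived from the fields the handler reads at [esi], [esi+4], [esi+0Ch] and esi+10h) and the sample requests are assumptions constructed for illustration; the NTSTATUS values are the standard ones.

```c
/* Added example, not code from the advisory or from secdrv.sys: a user-mode C
 * model of the parameter checks missing from the 0xCA002813 handler. The
 * request layout is a simplified stand-in for the IRP / IO_STACK_LOCATION
 * fields the disassembly reads (assumption, for illustration only). */
#include <stdint.h>
#include <stdio.h>

/* 32-bit x86 user/kernel boundary enforced by ProbeForRead/ProbeForWrite
 * (MmUserProbeAddress = 0x7FFF0000 on 32-bit Windows; assumed here). */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Standard NTSTATUS values. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_UNSUCCESSFUL           0xC0000001u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

#define IOCTL_SECDRV_CA002813 0xCA002813u  /* control code from the disassembly */
#define INPUT_HEADER_SIZE     0x10u        /* handler reads [esi], [esi+4], [esi+0Ch], uses esi+10h */

/* Constructed model of one IOCTL request as the dispatch routine sees it. */
typedef struct {
    uint32_t io_control_code;  /* IoStack->Parameters.DeviceIoControl.IoControlCode */
    uint32_t input_length;     /* ...InputBufferLength                              */
    uint32_t output_length;    /* ...OutputBufferLength                             */
    uint32_t input_buffer;     /* ...Type3InputBuffer: raw user pointer             */
    uint32_t user_buffer;      /* Irp->UserBuffer: raw user pointer (METHOD_NEITHER) */
} ioctl_request_t;

/* Same rules ProbeForRead/ProbeForWrite enforce: a zero-length range is
 * accepted; otherwise the start must be aligned, the range must not wrap,
 * and its end must not reach the kernel half of the address space. */
int probe_user_range(uint32_t base, uint32_t length, uint32_t alignment)
{
    if (length == 0)
        return 1;
    if (base & (alignment - 1))
        return 0;                          /* misaligned start */
    if (base + length < base)
        return 0;                          /* wraps past 4 GiB */
    if (base + length > USER_PROBE_ADDRESS)
        return 0;                          /* ends in kernel space */
    return 1;
}

/* Hardened counterpart of sub_11CD8: identical decisions up to the copy,
 * plus the probes the original skips. *copied receives the byte count the
 * rep movsd/rep movsb copy would have written (IoStatus.Information). */
uint32_t handle_device_control(const ioctl_request_t *req, uint32_t *copied)
{
    *copied = 0;
    if (req->io_control_code != IOCTL_SECDRV_CA002813)
        return STATUS_INVALID_DEVICE_REQUEST;  /* 0C0000010h path in the original */
    if (req->input_length != req->output_length)
        return STATUS_UNSUCCESSFUL;            /* the one check the original does make */
    if (req->input_length < INPUT_HEADER_SIZE)
        return STATUS_BUFFER_TOO_SMALL;        /* header fields are read unconditionally */
    /* The missing checks: both raw user pointers must be probed before use. */
    if (!probe_user_range(req->input_buffer, req->input_length, 4))
        return STATUS_INVALID_PARAMETER;
    if (!probe_user_range(req->user_buffer, req->output_length, 4))
        return STATUS_INVALID_PARAMETER;
    /* In a real driver the copy now runs inside __try/__except, because a
     * probed user page can still be unmapped between the probe and the copy. */
    *copied = req->output_length;
    return STATUS_SUCCESS;
}

/* Stand-alone demo over two constructed requests: one with a user-mode
 * target buffer, one whose UserBuffer points into kernel space. */
int main(void)
{
    const ioctl_request_t ok     = { IOCTL_SECDRV_CA002813, 0x20, 0x20, 0x00400000u, 0x00500000u };
    const ioctl_request_t kernel = { IOCTL_SECDRV_CA002813, 0x20, 0x20, 0x00400000u, 0x80001000u };
    uint32_t n, st;
    st = handle_device_control(&ok, &n);
    printf("user target:   status=0x%08X copied=%u\n", st, n);
    st = handle_device_control(&kernel, &n);
    printf("kernel target: status=0x%08X copied=%u\n", st, n);
    return 0;
}
```

The decisive difference from the disassembly is the pair of probe_user_range calls: with them, a request whose UserBuffer or Type3InputBuffer lies at or above the user/kernel boundary is rejected with STATUS_INVALID_PARAMETER instead of being written to, and the length mismatch check alone is no substitute, since it says nothing about where the pointers point.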

Having seen this piece of code, we know that the vulnerability is in fact very easy to exploit.

Exploitation method 1:

As with the earlier Symtdi.sys privilege-escalation vulnerability, hook a rarely used system call and then invoke that system call ourselves, so that the system runs our privileged code.

Exploitation method 2:

Since there is no restriction on the data written, we can add a call gate directly to the GDT, or hook an interrupt handling routine in the IDT (be aware of the multi-CPU case).

WSS (Whitecell Security Systems), a non-profit civilian technical organization, is committed to research into all kinds of system security technology. It keeps to the traditional hacker spirit and pursues pure, refined art. WSS home page: <> WSS Forum: <>