Symantec full disk encryption software hit by 0day vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201336628
Type myhack58
Reporter Anonymous
Modified 2013-01-09T00:00:00


Security researcher Nikita Tarakanov recently disclosed a 0day vulnerability in Symantec PGP Whole Disk Encryption: the kernel driver pgpwded.sys contains an arbitrary memory overwrite that can be used to execute arbitrary code. The affected software version is Symantec PGP Desktop 10.2.0 Build 2599.

Symantec confirmed in a blog post that this version of the software does have the security problem, but noted that exploitation is cumbersome and limited to systems running Windows XP and Windows 2003, and that successful exploitation requires local access to the computer.

Researcher Kelvin Kwan said that "the vulnerability is very difficult to trigger, and successful exploitation requires entering some error state, but if exploited successfully it may allow an attacker to execute arbitrary code and gain higher-level permissions". The vulnerability details are as follows:

The function at 0x10024C20 is responsible for dispatching ioctl codes:

.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near            ; CODE XREF: sub_10007520+6Ap
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31          = byte ptr -31h
.text:10024C20 var_30          = dword ptr -30h
.text:10024C20 some_var        = dword ptr -2Ch
.text:10024C20 var_28          = dword ptr -28h
.text:10024C20 var_24          = byte ptr -24h
.text:10024C20 var_5           = byte ptr -5
.text:10024C20 var_4           = dword ptr -4
.text:10024C20 ioctl           = dword ptr  8
.text:10024C20 inbuff          = dword ptr  0Ch
.text:10024C20 inbuff_size     = dword ptr  10h
.text:10024C20 outbuff_size    = dword ptr  14h
.text:10024C20 bytes_to_return = dword ptr  18h
.text:10024C20
.text:10024C20                 push    ebp
.text:10024C21                 mov     ebp, esp
.text:10024C23                 sub     esp, 3Ch
.text:10024C26                 mov     eax, BugCheckParameter2
.text:10024C2B                 xor     eax, ebp
.text:10024C2D                 mov     [ebp+var_4], eax
.text:10024C30                 mov     eax, [ebp+ioctl]
.text:10024C33                 push    ebx
.text:10024C34                 mov     ebx, [ebp+inbuff]
.text:10024C37                 push    esi
.text:10024C38                 mov     esi, [ebp+bytes_to_return]
.text:10024C3B                 add     eax, 7FFDDFD8h
.text:10024C40                 push    edi
.text:10024C41                 mov     edi, ecx
.text:10024C43                 mov     [ebp+some_var], esi
.text:10024C46                 mov     [ebp+var_28], 0
.text:10024C4D                 cmp     eax, 0A4h       ; switch 165 cases
.text:10024C52                 ja      loc_10025B18    ; jumptable 10024C5F default case
.text:10024C58                 movzx   eax, ds:byte_10025BF0[eax]
.text:10024C5F                 jmp     ds:off_10025B50[eax*4] ; switch jump


The 0x80022058 case: no check for outbuff_size == 0! <--- FLAW!

.text:10024F5A                 lea     ecx, [edi+958h]
.text:10024F60                 call    sub_100237B0
.text:10024F65                 mov     [ebp+some_var], eax
.text:10024F68                 test    eax, eax
.text:10024F6A                 jnz     short loc_10024F7D
.text:10024F6C                 mov     dword ptr [ebx], 0FFFFCFFAh
.text:10024F72                 mov     dword ptr [esi], 10h    ; <--- bytes to copy to output buffer

Next, when the request is completed in IofCompleteRequest, the I/O manager performs a rep movsd of those bytes to the output pointer, and that pointer is under the attacker's control.

Because of the type of vulnerability (METHOD_BUFFERED with output_size == 0), the exploit works only on Windows XP/2003: in later Windows versions the I/O manager does not craft the IRP if the ioctl is METHOD_BUFFERED and output_size == 0.
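The following is an added illustration written for this page; it is not code from the advisory, from Symantec, or from pgpwded.sys. It is a small user-mode C model of the METHOD_BUFFERED pattern described above: the driver stores 0xFFFFCFFA into the system buffer and reports 0x10 bytes to return without consulting outbuff_size, and the completion step copies that many bytes to the caller-supplied output pointer. The hardened handler shows the missing length check; the names, struct layout, and the way completion is simulated are all assumptions of this model, not Windows internals.

```c
/*
 * Added illustration (not code from the advisory or from pgpwded.sys):
 * a user-mode model of the METHOD_BUFFERED ioctl path discussed above.
 * The Windows I/O manager and the real driver are not reproduced, only
 * the pattern: the driver fills in "bytes_to_return" (information) and
 * completion copies that many bytes from the system buffer to the
 * caller's output pointer (the rep movsd mentioned in the text).
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IOCTL_CASE              0x80022058u  /* the case discussed on the page */
#define STATUS_SUCCESS          0x00000000u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u  /* standard NTSTATUS value */
#define REPLY_SIZE              0x10u        /* the 10h the driver stores */

typedef struct {
    uint8_t  *system_buffer;  /* shared in/out buffer seen by the driver (inbuff) */
    uint32_t  inbuff_size;
    uint32_t  outbuff_size;
    uint8_t  *user_output;    /* caller-controlled output pointer */
    uint32_t  information;    /* bytes_to_return: how much completion copies back */
} irp_model_t;

/* Vulnerable shape, mirroring .text:10024F6C / .text:10024F72: store the
 * status word in the buffer and report 0x10 bytes to return, never
 * looking at outbuff_size. */
static uint32_t handler_vulnerable(irp_model_t *irp)
{
    uint32_t status = 0xFFFFCFFAu;            /* the constant written at [ebx] */
    memcpy(irp->system_buffer, &status, sizeof status);
    irp->information = REPLY_SIZE;            /* <--- no check against outbuff_size */
    return STATUS_SUCCESS;
}

/* Hardened shape: refuse the request unless the caller supplied room for
 * the whole reply. This is the check the page says is missing; it is a
 * fix pattern, not Symantec's actual patch. */
static uint32_t handler_fixed(irp_model_t *irp)
{
    if (irp->outbuff_size < REPLY_SIZE) {
        irp->information = 0;                 /* nothing for completion to copy */
        return STATUS_BUFFER_TOO_SMALL;
    }
    uint32_t status = 0xFFFFCFFAu;
    memcpy(irp->system_buffer, &status, sizeof status);
    irp->information = REPLY_SIZE;
    return STATUS_SUCCESS;
}

/* Completion step as the text describes it: copy `information` bytes from
 * the system buffer to the user pointer. In this model, as in the bug, the
 * destination is trusted because the declared output length was zero. */
static uint32_t complete_request(irp_model_t *irp)
{
    memcpy(irp->user_output, irp->system_buffer, irp->information);
    return irp->information;
}

/* Issue one ioctl with outbuff_size == 0 against the given handler and
 * return how many bytes ended up at `target`. */
static uint32_t run_ioctl(uint32_t (*handler)(irp_model_t *), uint8_t *target)
{
    /* Constructed input: the caller passes REPLY_SIZE bytes of 'A' as input
     * so a system buffer exists, but declares an output length of zero. */
    uint8_t sysbuf[REPLY_SIZE];
    memset(sysbuf, 0x41, sizeof sysbuf);
    irp_model_t irp = {
        .system_buffer = sysbuf,
        .inbuff_size   = REPLY_SIZE,
        .outbuff_size  = 0,
        .user_output   = target,
        .information   = 0,
    };
    if (handler(&irp) != STATUS_SUCCESS)
        return 0;                             /* failed requests copy nothing */
    return complete_request(&irp);
}

int main(void)
{
    uint8_t target[REPLY_SIZE] = {0};         /* stands in for an attacker-chosen address */
    printf("vulnerable handler: %u bytes written\n", run_ioctl(handler_vulnerable, target));
    printf("fixed handler:      %u bytes written\n", run_ioctl(handler_fixed, target));
    return 0;
}
```

With the vulnerable handler, sixteen bytes (the status word followed by twelve bytes of the caller's own input) land at whatever pointer the caller supplied; with the fixed handler the request fails before completion and nothing is written.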

Symantec indicated that the vulnerability will be fixed in its February patch.

Related reading:

Symantec PGP Whole Disk Encryption provides organizations with comprehensive, high-performance full disk encryption for desktops, laptops and removable media, encrypting all data on the disk: user files, swap files, system files, hidden files and so on. The full disk encryption software protects data from unauthorized access, providing strong security for intellectual property and for customer and partner data. Protected systems are centrally managed by the PGP Universal Server, which simplifies deployment, policy creation, distribution and reporting.