GEAR Software CD DVD Filter Driver Insecure Method Local Privilege Escalation
2008-10-24T00:00:00
ID GEARASPIWDM_PRIV_ESCALATION.NASL Type nessus Reporter Tenable Modified 2017-06-26T00:00:00
Description
The version of GEAR Software's CD DVD Filter kernel driver (GEARAspiWDM.sys) on the remote host contains an insecure method that allows a local user to make an unlimited number of calls to 'IoAttachDevice' from user-land, thereby enabling him to exploit a local privilege escalation flaw in the Microsoft Windows kernel in the 'IopfCompleteRequest' function.
Note that this driver may have been installed as part of a third-party application such as Apple iTunes, Norton 360, Norton Ghost, Norton Save and Restore, Backup Exec System Recovery, or Symantec LiveState Recovery.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(34488);
script_version("$Revision: 1.14 $");
script_cvs_date("$Date: 2017/06/26 21:16:43 $");
script_bugtraq_id(31089);
script_xref(name:"CERT", value:"146896");
script_name(english:"GEAR Software CD DVD Filter Driver Insecure Method Local Privilege Escalation");
script_summary(english:"Checks version of GEARAspiWDM.sys");
script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a kernel driver with an insecure method.");
script_set_attribute(attribute:"description", value:
"The version of GEAR Software's CD DVD Filter kernel driver
(GEARAspiWDM.sys) on the remote host contains an insecure method that
allows a local user to make an unlimited number of calls to
'IoAttachDevice' from user-land, thereby enabling him to exploit a
local privilege escalation flaw in the Microsoft Windows kernel in the
'IopfCompleteRequest' function.
Note that this driver may have been installed as part of a third-party
application such as Apple iTunes, Norton 360, Norton Ghost, Norton
Save and Restore, Backup Exec System Recovery, or Symantec LiveState
Recovery.");
# https://web.archive.org/web/20081025061610/http://www.wintercore.com/advisories/advisory_W021008.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fea106d5");
script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/497131/30/0/threaded" );
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bb341a9b" );
script_set_attribute(attribute:"see_also", value:"http://www.symantec.com/avcenter/security/Content/2008.10.07a.html" );
script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3025" );
script_set_attribute(attribute:"solution", value:
"Contact the appropriate vendor for an upgrade and verify that the
version of the kernel driver is 2.0.7.5 or later.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/24");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008-2017 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/WindowsVersion", "SMB/name", "SMB/login", "SMB/password");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");
name = kb_smb_name();
port = kb_smb_transport();
#if (!get_port_state(port)) exit(0);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
#soc = open_sock_tcp(port);
#if (!soc) exit(0);
#session_init(socket:soc, hostname:name);
if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
# Grab the file version of the affected file.
winroot = hotfix_get_systemroot();
if (!winroot) exit(1);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
sys = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\drivers\GEARAspiWDM.sys", string:winroot);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(0);
}
fh = CreateFile(
file:sys,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
}
NetUseDel();
# Check the version number.
if (!isnull(ver))
{
fix = split("2.0.7.5", sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(ver); i++)
if ((ver[i] < fix[i]))
{
if (report_verbosity)
{
report = string(
"\n",
"Path : ", winroot, "\\system32\\drivers\n",
"Version : ", ver[0], ".", ver[1], ".", ver[2], ".", ver[3], "\n"
);
security_hole(port:get_kb_item("SMB/transport"), extra:report);
}
else security_hole(get_kb_item("SMB/transport"));
break;
}
else if (ver[i] > fix[i])
break;
}
{"hash": "2910650dec5005e52c6a4791646918db93babe7125ca94082cfef24111446dc0", "naslFamily": "Windows", "id": "GEARASPIWDM_PRIV_ESCALATION.NASL", "lastseen": "2017-06-27T05:44:24", "viewCount": 0, "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "73d45b26eb7740b795aa608f6bb01584", "key": "description"}, {"hash": "d2cb7f478413b4a5e3103c17f8d2fc0f", "key": "href"}, {"hash": "b5f91fd925ac52cfc54c4cc88e3b11df", "key": "modified"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "57932f8aef4cfbd1e7ffc875c3ab4423", "key": "pluginID"}, {"hash": "9c7ff2bc275052ff2ee7d2ba964ccc9d", "key": "published"}, {"hash": "804e2a00fd877430dc583e012567c3bc", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b923ecbe514c13227324d7ec97a7fcab", "key": "sourceData"}, {"hash": "eb737bef6cce167036ea1b0899d0cc93", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "bulletinFamily": "scanner", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"vulnersScore": 7.2}, "type": "nessus", "description": "The version of GEAR Software's CD DVD Filter kernel driver (GEARAspiWDM.sys) on the remote host contains an insecure method that allows a local user to make an unlimited number of calls to 'IoAttachDevice' from user-land, thereby enabling him to exploit a local privilege escalation flaw in the Microsoft Windows kernel in the 'IopfCompleteRequest' function.\n\nNote that this driver may have been installed as part of a third-party application such as Apple iTunes, Norton 360, Norton Ghost, Norton Save and Restore, Backup Exec System Recovery, or Symantec LiveState Recovery.", "title": "GEAR Software CD DVD Filter Driver Insecure Method Local Privilege Escalation", "history": [{"bulletin": {"hash": "7fdc36ea0300c188f99bd6d5131957b30fe08cdc14ccd610b29473c805106266", "naslFamily": "Windows", "id": "GEARASPIWDM_PRIV_ESCALATION.NASL", "lastseen": "2016-09-26T17:24:01", "enchantments": {}, "hashmap": [{"hash": "eb737bef6cce167036ea1b0899d0cc93", "key": "title"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "e0a1f0ee7cd7828d698f3f7e746777d8", "key": "sourceData"}, {"hash": "d3ce5e509cafe2937b800ae1ed5207aa", "key": "references"}, {"hash": "45b6304fd5844174e76557c2a8fc2f13", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9c7ff2bc275052ff2ee7d2ba964ccc9d", "key": "published"}, {"hash": "57932f8aef4cfbd1e7ffc875c3ab4423", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d2cb7f478413b4a5e3103c17f8d2fc0f", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "73d45b26eb7740b795aa608f6bb01584", "key": "description"}], "bulletinFamily": "scanner", "history": [], "edition": 1, "type": "nessus", "description": "The version of GEAR Software's CD DVD Filter kernel driver (GEARAspiWDM.sys) on the remote host contains an insecure method that allows a local user to make an unlimited number of calls to 'IoAttachDevice' from user-land, thereby enabling him to exploit a local privilege escalation flaw in the Microsoft Windows kernel in the 'IopfCompleteRequest' function.\n\nNote that this driver may have been installed as part of a third-party application such as Apple iTunes, Norton 360, Norton Ghost, Norton Save and Restore, Backup Exec System Recovery, or Symantec LiveState Recovery.", "viewCount": 0, "title": "GEAR Software CD DVD Filter Driver Insecure Method Local Privilege Escalation", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.2", "cvelist": [], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34488);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2015/01/12 17:12:44 $\");\n\n script_bugtraq_id(31089);\n script_xref(name:\"CERT\", value:\"146896\");\n\n script_name(english:\"GEAR Software CD DVD Filter Driver Insecure Method Local Privilege Escalation\");\n script_summary(english:\"Checks version of GEARAspiWDM.sys\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote Windows host has a kernel driver with an insecure method.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of GEAR Software's CD DVD Filter kernel driver\n(GEARAspiWDM.sys) on the remote host contains an insecure method that\nallows a local user to make an unlimited number of calls to\n'IoAttachDevice' from user-land, thereby enabling him to exploit a\nlocal privilege escalation flaw in the Microsoft Windows kernel in the\n'IopfCompleteRequest' function.\n\nNote that this driver may have been installed as part of a third-party\napplication such as Apple iTunes, Norton 360, Norton Ghost, Norton\nSave and Restore, Backup Exec System Recovery, or Symantec LiveState\nRecovery.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.wintercore.com/advisories/advisory_W021008.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/497131/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb341a9b\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.symantec.com/avcenter/security/Content/2008.10.07a.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/kb/HT3025\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the appropriate vendor for an upgrade and verify that the\nversion of the kernel driver is 2.0.7.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/WindowsVersion\", \"SMB/name\", \"SMB/login\", \"SMB/password\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"audit.inc\");\n\nname = kb_smb_name();\nport = kb_smb_transport();\n#if (!get_port_state(port)) exit(0);\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n#soc = open_sock_tcp(port);\n#if (!soc) exit(0);\n\n#session_init(socket:soc, hostname:name);\nif(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n# Grab the file version of the affected file.\nwinroot = hotfix_get_systemroot();\nif (!winroot) exit(1);\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:winroot);\nsys = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\System32\\drivers\\GEARAspiWDM.sys\", string:winroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\nfh = CreateFile(\n file:sys,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\nver = NULL;\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\nNetUseDel();\n\n\n# Check the version number.\nif (!isnull(ver))\n{\n fix = split(\"2.0.7.5\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Path : \", winroot, \"\\\\system32\\\\drivers\\n\",\n \"Version : \", ver[0], \".\", ver[1], \".\", ver[2], \".\", ver[3], \"\\n\"\n );\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n", "published": "2008-10-24T00:00:00", "pluginID": "34488", "references": ["http://support.apple.com/kb/HT3025", "http://www.nessus.org/u?bb341a9b", "http://www.wintercore.com/advisories/advisory_W021008.html", "http://www.securityfocus.com/archive/1/497131/30/0/threaded", "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"], "reporter": "Tenable", "modified": "2015-01-12T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=34488"}, "lastseen": "2016-09-26T17:24:01", "edition": 1, "differentElements": ["references", "modified", "sourceData"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34488);\n script_version(\"$Revision: 1.14 $\");\n script_cvs_date(\"$Date: 2017/06/26 21:16:43 $\");\n\n script_bugtraq_id(31089);\n script_xref(name:\"CERT\", value:\"146896\");\n\n script_name(english:\"GEAR Software CD DVD Filter Driver Insecure Method Local Privilege Escalation\");\n script_summary(english:\"Checks version of GEARAspiWDM.sys\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote Windows host has a kernel driver with an insecure method.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of GEAR Software's CD DVD Filter kernel driver\n(GEARAspiWDM.sys) on the remote host contains an insecure method that\nallows a local user to make an unlimited number of calls to\n'IoAttachDevice' from user-land, thereby enabling him to exploit a\nlocal privilege escalation flaw in the Microsoft Windows kernel in the\n'IopfCompleteRequest' function.\n\nNote that this driver may have been installed as part of a third-party\napplication such as Apple iTunes, Norton 360, Norton Ghost, Norton\nSave and Restore, Backup Exec System Recovery, or Symantec LiveState\nRecovery.\");\n # https://web.archive.org/web/20081025061610/http://www.wintercore.com/advisories/advisory_W021008.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fea106d5\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/497131/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb341a9b\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.symantec.com/avcenter/security/Content/2008.10.07a.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/kb/HT3025\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the appropriate vendor for an upgrade and verify that the\nversion of the kernel driver is 2.0.7.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/WindowsVersion\", \"SMB/name\", \"SMB/login\", \"SMB/password\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"audit.inc\");\n\nname = kb_smb_name();\nport = kb_smb_transport();\n#if (!get_port_state(port)) exit(0);\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n#soc = open_sock_tcp(port);\n#if (!soc) exit(0);\n\n#session_init(socket:soc, hostname:name);\nif(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n# Grab the file version of the affected file.\nwinroot = hotfix_get_systemroot();\nif (!winroot) exit(1);\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:winroot);\nsys = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\System32\\drivers\\GEARAspiWDM.sys\", string:winroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\nfh = CreateFile(\n file:sys,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\nver = NULL;\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\nNetUseDel();\n\n\n# Check the version number.\nif (!isnull(ver))\n{\n fix = split(\"2.0.7.5\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Path : \", winroot, \"\\\\system32\\\\drivers\\n\",\n \"Version : \", ver[0], \".\", ver[1], \".\", ver[2], \".\", ver[3], \"\\n\"\n );\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n", "published": "2008-10-24T00:00:00", "pluginID": "34488", "references": ["http://www.nessus.org/u?fea106d5", "http://support.apple.com/kb/HT3025", "http://www.nessus.org/u?bb341a9b", "http://www.securityfocus.com/archive/1/497131/30/0/threaded", "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"], "reporter": "Tenable", "modified": "2017-06-26T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=34488"}
