[Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation

2007-04-24T00:00:00
ID SECURITYVULNS:DOC:16819
Type securityvulns
Reporter Securityvulns
Modified 2007-04-24T00:00:00

Description

      CHECK POINT ZONE LABS  PRODUCTS

MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Rubйn Santamarta <ruben@reversemode.com>

04.20.2007 Affected products: + ZoneAlarm (Srescan.sys v 5.0.155 and earlier )

Srescan.sys is exposed through the following Dos Device:“\\.\SreScan”. Restricted accounts ,including guest users, can access privileged IOCTLs implemented within the driver affected. In addition to this potential risk factor, the driver does not validate user-mode buffers in Type3 , thus leading to local privilege escalation due to arbitrary Kernel memory overwrite.

DosDevice: \\.\Srescan Driver: srescan.sys Version: 5.0.83.0

------------------------- IOCTL 0x2220CF .text:00013127 mov ecx, [ebp+arg_10] .text:0001312A cmp dword ptr [ecx], 4 ; .text:0001312D jnz short loc_1313F .text:0001312F mov edx, [ebp+FileInformation] .text:00013132 mov dword ptr [edx], 30000h ; edx controlled .text:00013138 xor esi, esi .text:0001313A mov [ebp+var_1C], esi .text:0001313D jmp short loc_1315F

------------------------- IOCTL 0x22208F text:00014091 mov ebp, ds:ExAllocatePoolWithTag .text:00014097 mov esi, 20000h .text:0001409C push 31565244h ; Tag .text:000140A1 push esi ; NumberOfBytes .text:000140A2 push 0 ; PoolType .text:000140A4 call ebp ; ExAllocatePoolWithTag .text:000140A6 mov ebx, eax .text:000140A8 test ebx, ebx .text:000140AA jz short loc_140F3 .text:000140AC mov edi, ds:ZwQuerySystemInformation .text:000140B2 .text:000140B2 loc_140B2: ; CODE XREF: sub_14070+81#j .text:000140B2 lea ecx, [esp+1Ch+ReturnLength] .text:000140B6 push ecx ; ReturnLength .text:000140B7 push esi ; SystemInformationLength .text:000140B8 push ebx ; SystemInformation .text:000140B9 push 5 ; SystemInformationClass .text:000140BB call edi ; ZwQuerySystemInformation .text:000140BD cmp eax, 0C0000023h .text:000140C2 mov [esp+1Ch+var_4], eax .text:000140C6 jz short loc_140D6 .text:000140C8 cmp eax, 80000005h .text:000140CD jz short loc_140D6 .text:000140CF cmp eax, 0C0000004h .text:000140D4 jnz short loc_14102 .text:0001411D loc_1411D: ; CODE XREF: sub_14070+112#j .text:0001411D mov eax, [edx+44h] .text:00014120 test eax, eax .text:00014122 jz short loc_1417A [...] .text:00014154 mov dword ptr [eax+4], 0 .text:0001415B mov esi, [edx+3Ch] .text:0001415E lea edi, [eax+0Ch] ; edi = OutputBuffer. Controlled .text:00014161 mov eax, ecx .text:00014163 shr ecx, 2 .text:00014166 rep movsd .text:00014168 mov ecx, eax .text:0001416A mov eax, [esp+1Ch+var_8] .text:0001416E and ecx, 3 .text:00014171 inc eax .text:00014172 rep movsb .text:00014174 mov [esp+1Ch+var_8], eax .text:00014178 mov edi, eax

Exploits No exploits are released. Ethical security companies can contact for requesting samples : contact (at) reversemode (dot) com [email concealed]

References: www.zonelabs.com http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517 http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48 (PDF)


Reversemode Advanced Reverse Engineering Services www.reversemode.com