Message-ID: <46C9C7C2.9060503@reversemode.com>
Date: Mon, 20 Aug 2007 18:56:34 +0200
From: Reversemode <advisories@...ersemode.com>
To: Securityfocus <bugtraq@...urityfocus.com>
Subject: [Reversemode Advisory] CheckPoint ZoneLabs Vsdatant.sys multiple
 local privilege escalation vulnerabilities

CHECK POINT ZONE LABS  PRODUCTS
MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Ruben Santamarta < ruben(at)reversemode(dot)com >

08.20.2007
Affected Products:  < ZoneAlarm 7.0.362

Vsdatant.sys is exposed via “\\.\vsdatant”. The permissive ACL allows
everyone to invoke privileged IOCTLs implemented in the driver.

The flaw exists due to insufficient buffer validation when the driver
processes METHOD_NEITHER IOCTLs: the user-supplied buffer pointers are used
directly, without being probed. Thus an attacker can send a specially
crafted I/O request in order to overwrite arbitrary kernel memory.

SymLink: \\.\vsdatant
Driver:  vsdatant.sys    Version: 6.5.737.0

IOCTL: 0x8400000F
.text:0003B417 cmp [esp+18h+arg_14], 4           ; Output Buffer Size == 4 ?
.text:0003B41C jb loc_3BB85                      ; default
.text:0003B422 mov eax, [esp+18h+arg_10]
.text:0003B426 test eax, eax
.text:0003B428 jz loc_3BB85                      ; default
.text:0003B42E pop edi
.text:0003B42F mov dword ptr [ebx], 4
.text:0003B435 pop esi
.text:0003B436 mov dword ptr [eax], offset unk_60001 ; 0x60001 -> eax=controlled
.text:0003B43C pop ebp
.text:0003B43D mov al, 1
.text:0003B43F pop ebx
.text:0003B440 add esp, 8
.text:0003B443 retn 24h

IOCTL: 0x84000013
eax = ebp = controlled
.text:0003AC38 mov eax, ebp
.text:0003AC3A xor edx, edx
.text:0003AC3C mov ecx, 0Ah
.text:0003AC41 mov [eax], edx                    ; FLAW
.text:0003AC43 lea edi, [esp+3Ch+var_28]
.text:0003AC47 mov esi, offset unk_59CC8
.text:0003AC4C mov [eax+4], edx                  ;
.text:0003AC4F mov [eax+8], edx                  ;
.text:0003AC52 mov [eax+0Ch], edx                ;
[...]
.text:0003AD11 mov edx, [esp+3Ch+var_2C]         ; int
.text:0003AD15 mov eax, VirtualAddress
.text:0003AD1A push 0                            ; int
.text:0003AD1C push edx                          ; int
.text:0003AD1D push offset sub_16A00             ; Length
.text:0003AD22 lea ecx, [esp+48h+var_28]         ; int
.text:0003AD26 push eax                          ; VirtualAddress
.text:0003AD27 push ecx                          ; int
.text:0003AD28 call sub_33310                    ; Mdl - ZwQuerySystemInformation...
.text:0003AD2D test eax, eax
.text:0003AD2F mov [esp+3Ch+var_28], eax
.text:0003AD33 jz short loc_3AD97
.text:0003AD35 mov ecx, [esp+3Ch+var_24]
.text:0003AD39 mov edx, [esp+3Ch+var_20]
.text:0003AD3D mov esi, [esp+3Ch+var_1C]
.text:0003AD41 mov [ebp+0], eax                  ; FLAW
.text:0003AD44 mov [ebp+4], ecx                  ;
.text:0003AD47 mov [ebp+8], edx                  ;
.text:0003AD4A test ebx, ebx
.text:0003AD4C mov [ebp+0Ch], esi                ;
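The two listings show the same pattern: the handler checks only the output buffer length and that the pointer is non-NULL, then writes through that pointer. With METHOD_NEITHER the I/O manager hands the driver the raw user-mode addresses (Irp->UserBuffer and Type3InputBuffer), so the driver itself must probe them before every access. The following is an added example, not code from vsdatant.sys or Check Point: a portable C model of IOCTL 0x8400000F as the first listing shows it, beside the validated form. Everything prefixed "model_" is hypothetical (the simulated user and kernel pages, the write primitive, the ProbeForWrite stand-in); the NTSTATUS values and MmUserProbeAddress (0x7FFF0000 on 32-bit x86) are the real Windows constants.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Real Windows constants. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_ACCESS_VIOLATION   0xC0000005u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define MM_USER_PROBE_ADDRESS     0x7FFF0000u   /* MmUserProbeAddress, 32-bit x86 */

/* Constructed 32-bit address space for the model: one user page and one
 * kernel page, nothing else mapped. Hypothetical, model only. */
#define USER_BASE   0x00400000u
#define KERNEL_BASE 0x80001000u
#define MODEL_PAGE  0x1000u
static uint8_t model_user_page[MODEL_PAGE];
static uint8_t model_kernel_page[MODEL_PAGE];

/* Resolve a virtual address to backing storage, or NULL if unmapped. */
static uint8_t *model_resolve(uint32_t va, uint32_t len) {
    if (va >= USER_BASE && va - USER_BASE + len <= MODEL_PAGE)
        return model_user_page + (va - USER_BASE);
    if (va >= KERNEL_BASE && va - KERNEL_BASE + len <= MODEL_PAGE)
        return model_kernel_page + (va - KERNEL_BASE);
    return NULL;
}

/* Equivalent of "mov dword ptr [eax], value" executed in kernel mode:
 * any mapped address is written, user or kernel alike. */
static int model_kernel_write_u32(uint32_t va, uint32_t value) {
    uint8_t *p = model_resolve(va, 4);
    if (p == NULL) return 0;                 /* unmapped: bugcheck in reality */
    memcpy(p, &value, 4);
    return 1;
}

/* Stand-in for ProbeForWrite(): the range must be aligned and lie entirely
 * below MmUserProbeAddress. The subtraction form also rejects a length that
 * would wrap past 0xFFFFFFFF. (The real routine raises exceptions; here a
 * status is returned instead.) */
static uint32_t model_probe_for_write(uint32_t va, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (va % align != 0) return STATUS_INVALID_PARAMETER;
    if (va >= MM_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    if (len > MM_USER_PROBE_ADDRESS - va) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* IOCTL 0x8400000F as the listing shows it: size >= 4, pointer != NULL,
 * then an unconditional write of 0x60001 through the user-controlled pointer. */
static uint32_t model_ioctl_0f_vulnerable(uint32_t out_va, uint32_t out_len) {
    if (out_len < 4 || out_va == 0) return STATUS_INVALID_PARAMETER;
    return model_kernel_write_u32(out_va, 0x60001u) ? STATUS_SUCCESS
                                                    : STATUS_ACCESS_VIOLATION;
}

/* Validated form: probe before touching the pointer. In a real driver the
 * probe and the write both sit inside __try/__except, because the page can
 * be unmapped by another thread between the two. */
static uint32_t model_ioctl_0f_hardened(uint32_t out_va, uint32_t out_len) {
    uint32_t st;
    if (out_va == 0) return STATUS_INVALID_PARAMETER;
    if (out_len < 4) return STATUS_BUFFER_TOO_SMALL;
    st = model_probe_for_write(out_va, 4, 4);
    if (st != STATUS_SUCCESS) return st;
    return model_kernel_write_u32(out_va, 0x60001u) ? STATUS_SUCCESS
                                                    : STATUS_ACCESS_VIOLATION;
}

/* Inspect the model's memory after a call (0 if unmapped). */
static uint32_t model_read_u32(uint32_t va) {
    uint32_t v = 0;
    uint8_t *p = model_resolve(va, 4);
    if (p) memcpy(&v, p, 4);
    return v;
}

int main(void) {
    uint32_t kva = KERNEL_BASE + 0x10;   /* a kernel address handed in as "output buffer" */
    uint32_t st = model_ioctl_0f_vulnerable(kva, 4);
    printf("vulnerable: status=0x%08X kernel word=0x%08X\n", st, model_read_u32(kva));
    memset(model_kernel_page, 0, sizeof model_kernel_page);
    st = model_ioctl_0f_hardened(kva, 4);
    printf("hardened:   status=0x%08X kernel word=0x%08X\n", st, model_read_u32(kva));
    return 0;
}
```

The model reproduces the point of the advisory in miniature: the length and NULL checks in the listing say nothing about where the pointer points, so a kernel address passes them and the write lands in kernel memory; the same call against the probed handler is refused before any access happens, and a user-page address still succeeds.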


References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53 (PDF)

----
Reversemode
Advanced Reverse Engineering Services
