[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DUB128-W495F12428DD3C17E1A4F3CCF900@phx.gbl>
Date: Fri, 10 Jul 2015 02:33:39 +0300
From: Kyriakos Economou <arfproject@...mail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2015-1438 – Panda Security Multiple Products Arbitrary Code Execution
CVE: CVE-2015-1438
Vendor: Panda Security
Product: Multiple Products
Affected version: 1.0.0.13 (PSKMAD.sys driver version)
Fixed version: 15.1.0 (Products Version)
Reported by: Kyriakos Economou
Details:
Panda Kernel Memory Access Driver doesn’t validate the size of data
to be copied to both an allocated kernel paged pool buffer and to an
allocated non-paged pool buffer. Furthermore, the attacker has control
over the start-to-copy index regarding the non-paged pool buffer which
allows an attacker to corrupt a kernel object with more precision, and
control the EIP via a hijacked function pointer.
Technical Details:
b5ae8cc5 8b7508 mov esi,dword ptr [ebp+8]<-- ESI input_buffer
b5ae8cc8 0fb7460c movzx eax,word ptr [esi+0Ch] <-- EAX read size of paged pool buffer to allocate from input buffer
b5ae8ccc 6685c0 test ax,ax
b5ae8ccf 7674 jbe PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
b5ae8cd1 668b4e0e mov cx,word ptr [esi+0Eh]
b5ae8cd5 668945f4 mov word ptr [ebp-0Ch],ax
b5ae8cd9 0fb7c0 movzx eax,ax
b5ae8cdc 6850534d45 push 454D5350h <-- 'PSME' pool tag
b5ae8ce1 50 push eax <-- size of paged pool buffer to allocate
b5ae8ce2 6a01 push 1 <-- indicates paged pool
b5ae8ce4 66894df6 mov word ptr [ebp-0Ah],cx
b5ae8ce8 ff159ca6aeb5 call dword ptr [PSKMAD_b5ae4000+0x669c]={nt!ExAllocatePoolWithTag}
b5ae8cee 8945f8 mov dword ptr [ebp-8],eax
b5ae8cf1 85c0 test eax,eax
b5ae8cf3 7550 jne PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
...
b5ae8d45 8d4608 lea eax,[esi+8]
b5ae8d48 50 push eax <-- ptr to input buffer for storing the length of the returned symbolic link target
b5ae8d49 8d45f4 lea eax,[ebp-0Ch]
b5ae8d4c 50 push eax <-- ptr to unitialized Unicode string to store
symbolic link target (the paged pool buffer previously allocated)
b5ae8d4d ff36 push dword ptr [esi] <-- handle to the symbolic link object
b5ae8d4f ff1514a7aeb5 call dword ptr
[PSKMAD_b5ae4000+0x6714]={nt!ZwQuerySymbolicLinkObject} <--- Heap
Overflow because we control the size of the paged pool buffer that was
allocated.
b5ae8d55 894604 mov dword ptr [esi+4],eax
b5ae8d58 85c0 test eax,eax
b5ae8d5a 7d09 jge PSKMAD_b5ae4000+0x4d65 (b5ae8d65)
...
b5ae8d65 0fb745f4 movzx eax,word ptr [ebp-0Ch]
b5ae8d69 50 push eax <-- EAX length of symbolic link target
b5ae8d6a 8b4610 mov eax,dword ptr [esi+10h] <-- EAX index to copy the
symbolic link target. this is also been read from our input buffer.
b5ae8d6d ff75f8 push dword ptr [ebp-8] <-- address of paged pool buffer where the symbolic link target is stored
b5ae8d70 03c6 add eax,esi <-- ESI points to our input buffer (non paged pool).
b5ae8d72 50 push eax <-- So we control the full address of where the
symbolic link target will start being copied into the buffer towards
higher addresses.
b5ae8d73 e864120000 call PSKMAD_b5ae4000+0x5fdc (b5ae9fdc) <-- jmp to
{nt!memcpy} <--- Heap Overflow because we can control where to start
copying in the non-paged pool buffer allocated during the call to
DeviceIoControl API.
Impact:
An exploit can potentially use either of the two aforementioned bugs
to trigger a heap overflow condition that would allow to execute code
with Kernel privileges. However, the second heap overflow bug is much
more interesting because it allows a precise control of the index to
start copying the symbolic link target returned by a call to the
nt!ZwQuerySymbolicLinkObject kernel function.
This allows an attacker to corrupt with precision a kernel object
that we control that has been previously put there by performing heap
spraying at the non-paged kernel pool. The attacker can use part of the
symbolic link target as a pointer to a predictable memory range in
userland where a trampoline to the payload is stored.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-1438/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists