lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 31 Dec 2017 08:08:09 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation


Full report: https://blogs.securiteam.com/index.php/archives/3597
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a kernel stack buffer overflow that leads
to privilege escalation found in Kingsoft Antivirus/Internet Security 9+.

Kingsoft Antivirus “provides effective and efficient protection solution at
no cost to users. It applies cloud security technology to monitor, scan and
protect your systems without any worrying. The comprehensive defender and
anti-virus tools prevent and protect your computer from unwanted virus,
worms, and Trojans. With the simplest and easiest-to-use functions, users
find themselves no difficulty to handle Kingsoft Antivirus.”

Credit
An independent security researcher, Steven Seeley, has reported this
vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We tried to contact Kingsoft since October 8 2017, repeated attempts to
establish contact went unanswered. At this time there is no solution or
workaround for these vulnerability.

Vulnerability details
This vulnerability allows local attackers to escalate privileges on
vulnerable installations of Jungo WinDriver.

The specific flaws exists within the processing of IOCTL 0x80030004 or
0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys
(internet security) kernel driver.

The driver doesn’t properly validate user-supplied data which can result in
a kernel stack buffer overflow.

An attacker can leverage this vulnerability to execute arbitrary code under
the context of kernel.

===

; jumptable 000117C1 case 0

.text:000117C8 loc_117C8:                                      ; CODE XREF:
sub_11790+31

.text:000117C8

.text:000117C8                 push    ebx                     ; our input
buffer size

.text:000117C9                 lea     ecx, [esp+58h+var_40]   ; this is a
fixed size stack buffer of 0x40

.text:000117CD                 push    edi                     ; our input
buffer

.text:000117CE                 push    ecx                     ; char *

.text:000117CF                 call    strncpy                 ; stack
buffer overflow

.text:000117D4                 add     esp, 0Ch

.text:000117D7                 lea     edx, [esp+54h+var_40]

.text:000117DB                 push    edx                     ; char *

.text:000117DC                 mov     [esp+ebx+58h+var_40], 0

.text:000117E1                 call    sub_167B0

.text:000117E6                 pop     edi

.text:000117E7                 mov     esi, eax

.text:000117E9                 pop     esi

.text:000117EA                 pop     ebp

.text:000117EB                 pop     ebx

.text:000117EC                 add     esp, 44h

.text:000117EF                 retn    8

===





--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2

Download attachment "SSD Advisory – Kingsoft Antivirus_Internet Security 9+ Privilege Escalation.pdf" of type "application/pdf" (145746 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists