Message-ID: <CAAnZqX9wqX6CUX8GwK4jbYecaf1Er7WnrtUwjsZ7dK3kFgSPJA@mail.gmail.com>
Date: Sun, 31 Dec 2017 08:08:09 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation


Full report: https://blogs.securiteam.com/index.php/archives/3597
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a kernel stack buffer overflow in Kingsoft
Antivirus/Internet Security 9+ that leads to privilege escalation.

Kingsoft Antivirus “provides effective and efficient protection solution at
no cost to users. It applies cloud security technology to monitor, scan and
protect your systems without any worrying. The comprehensive defender and
anti-virus tools prevent and protect your computer from unwanted virus,
worms, and Trojans. With the simplest and easiest-to-use functions, users
find themselves no difficulty to handle Kingsoft Antivirus.”

Credit
An independent security researcher, Steven Seeley, has reported this
vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

Vendor response
We have been trying to contact Kingsoft since October 8, 2017; repeated
attempts to establish contact went unanswered. At this time there is no
solution or workaround for this vulnerability.

Vulnerability details
This vulnerability allows local attackers to escalate privileges on
vulnerable installations of Kingsoft Antivirus/Internet Security.

The specific flaw exists within the processing of IOCTL 0x80030004 or
0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys
(internet security) kernel driver. Both control codes decode to
METHOD_BUFFERED with FILE_ANY_ACCESS (function codes 1 and 2 on device type
0x8003), so the I/O manager requires no particular access right on the
device handle to dispatch them.

The driver does not validate the user-supplied input length before copying
the input into a fixed 0x40-byte stack buffer with strncpy and then writing
a terminating NUL at that user-supplied offset, which results in a kernel
stack buffer overflow.

An attacker can leverage this vulnerability to execute arbitrary code in
the context of the kernel.

===

; jumptable 000117C1 case 0

.text:000117C8 loc_117C8:                                      ; CODE XREF: sub_11790+31
.text:000117C8
.text:000117C8                 push    ebx                     ; our input buffer size
.text:000117C9                 lea     ecx, [esp+58h+var_40]   ; this is a fixed size stack buffer of 0x40
.text:000117CD                 push    edi                     ; our input buffer
.text:000117CE                 push    ecx                     ; char *
.text:000117CF                 call    strncpy                 ; stack buffer overflow
.text:000117D4                 add     esp, 0Ch
.text:000117D7                 lea     edx, [esp+54h+var_40]
.text:000117DB                 push    edx                     ; char *
.text:000117DC                 mov     [esp+ebx+58h+var_40], 0 ; NUL at buf[size]: attacker-controlled index
.text:000117E1                 call    sub_167B0
.text:000117E6                 pop     edi
.text:000117E7                 mov     esi, eax
.text:000117E9                 pop     esi
.text:000117EA                 pop     ebp
.text:000117EB                 pop     ebx
.text:000117EC                 add     esp, 44h
.text:000117EF                 retn    8

===
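The pattern in the listing above, reconstructed in C as an added example (this is not code from the advisory or from the Kingsoft drivers): a fixed 0x40-byte stack buffer receives strncpy with a caller-controlled length, followed by a NUL write at buf[length]. The vulnerable handler is modelled with a marker word placed directly above the buffer, standing in for the saved registers and return address the real frame holds, so the overrun is observable without corrupting anything outside the model; the hardened variant rejects the request before copying. The names ioctl_case0_vulnerable, ioctl_case0_fixed, frame_t, KS_* and in_buf_len are assumptions made for the demo, the 'A' payload is constructed sample input, and the result codes stand in for the NTSTATUS values (for example STATUS_INVALID_PARAMETER) a real driver would return.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KS_BUF_SIZE   0x40u        /* the fixed stack buffer at [esp+58h+var_40] */
#define FRAME_MARKER  0xDEADBEEFu  /* demo-only marker in place of saved registers / return address */

/* Demo-only result codes; a real driver would return NTSTATUS values
 * such as STATUS_INVALID_PARAMETER (assumed mapping, not from the advisory). */
enum { KS_OK = 0, KS_FRAME_CORRUPTED = 1, KS_INVALID_PARAMETER = 2 };

/* Model of the kernel stack frame: the 0x40-byte buffer and the word
 * immediately above it that an overflow reaches first. */
typedef struct {
    char     buf[KS_BUF_SIZE];
    uint32_t marker;
} frame_t;

/* Vulnerable pattern, as in the listing: user_len comes straight from the
 * request (push ebx), the copy is not bounded by the buffer size, and the
 * terminator is written at a caller-controlled index (mov [..+ebx+..], 0). */
static int ioctl_case0_vulnerable(frame_t *f, const char *user_buf, size_t user_len)
{
    unsigned char *raw = (unsigned char *)f;   /* byte view: keeps the overrun inside our model frame */

    if (user_len >= sizeof(*f))                /* demo guard only; the driver has nothing like it */
        return KS_INVALID_PARAMETER;

    f->marker = FRAME_MARKER;
    strncpy((char *)raw, user_buf, user_len);  /* overruns buf once user_len > 0x40 ... */
    raw[user_len] = 0;                         /* ... and the terminator overruns it already at 0x40 */

    return f->marker == FRAME_MARKER ? KS_OK : KS_FRAME_CORRUPTED;
}

/* Hardened handler: check the caller's length against both the length the
 * I/O manager reports for the input buffer (in_buf_len, assumed name) and
 * the destination, leaving room for the terminator, before touching memory. */
static int ioctl_case0_fixed(frame_t *f, const char *user_buf, size_t user_len, size_t in_buf_len)
{
    if (user_buf == NULL || user_len > in_buf_len || user_len >= KS_BUF_SIZE)
        return KS_INVALID_PARAMETER;           /* reject before the copy */

    f->marker = FRAME_MARKER;
    strncpy(f->buf, user_buf, user_len);       /* at most 0x3F bytes ... */
    f->buf[user_len] = '\0';                   /* ... so the terminator stays inside buf */

    return f->marker == FRAME_MARKER ? KS_OK : KS_FRAME_CORRUPTED;
}

/* Drive each handler with a constructed payload of user_len 'A' bytes
 * (sample input made up for the demo, not taken from the advisory). */
static int run_vulnerable(size_t user_len)
{
    frame_t f;
    char payload[sizeof(frame_t)];
    memset(payload, 'A', sizeof payload);
    return ioctl_case0_vulnerable(&f, payload, user_len);
}

static int run_fixed(size_t user_len)
{
    frame_t f;
    char payload[sizeof(frame_t)];
    memset(payload, 'A', sizeof payload);
    return ioctl_case0_fixed(&f, payload, user_len, sizeof payload);
}

int main(void)
{
    printf("vulnerable, len 0x10: %d\n", run_vulnerable(0x10)); /* 0: fits, frame intact */
    printf("vulnerable, len 0x40: %d\n", run_vulnerable(0x40)); /* 1: terminator lands on the marker */
    printf("vulnerable, len 0x41: %d\n", run_vulnerable(0x41)); /* 1: the copy itself overruns */
    printf("fixed,      len 0x40: %d\n", run_fixed(0x40));      /* 2: rejected before copying */
    printf("fixed,      len 0x3f: %d\n", run_fixed(0x3f));      /* 0: largest accepted length */
    return 0;
}
```

Note that a length of exactly 0x40 is rejected by the hardened handler as well: strncpy would fill the buffer completely and the trailing terminator would then land one byte past its end, which is the same off-by-one the listing's final mov has even before the copy itself overruns. The bound therefore has to be strictly less than the buffer size, and it has to be checked before any write, not after.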

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2

Download attachment "SSD Advisory – Kingsoft Antivirus_Internet Security 9+ Privilege Escalation.pdf" of type "application/pdf" (145746 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
