CheckPoint ZoneLabs Vsdatant.sys multiple local privilege escalation vulnerabilities
CHECK POINT ZONE LABS PRODUCTS
MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Ruben Santamarta < ruben(at)reversemode(dot)com >

08.20.2007
Affected Products:  < ZoneAlarm 7.0.362

Vsdatant.sys is exposed via the symbolic link "\\.\vsdatant". The permissive ACL on the
device object allows everyone to invoke privileged IOCTLs implemented in the driver.

The flaw exists due to insufficient buffer validation when the driver
processes METHOD_NEITHER IOCTLs (for this transfer type the I/O manager hands
the driver raw user-mode pointers, so the driver must probe them itself). Thus
an attacker can send a specially crafted I/O request in order to overwrite
arbitrary kernel memory.
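As an added illustration (not part of the original advisory), this small C program decodes the two control codes listed in this advisory using the CTL_CODE bit layout, confirming that both use METHOD_NEITHER (the driver receives raw user pointers and must validate them itself) and FILE_ANY_ACCESS (so the device ACL alone gates who can reach the handler):

```c
#include <stdint.h>
#include <stdio.h>
/* Low two bits of an I/O control code: the buffer transfer type. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
/* Bits 15..14: access right the handle must hold (FILE_ANY_ACCESS = none). */
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

typedef struct {
    uint16_t device_type;   /* bits 31..16 */
    uint8_t  access;        /* bits 15..14 */
    uint16_t function;      /* bits 13..2  */
    uint8_t  method;        /* bits  1..0  */
} ioctl_fields;

/* Split a control code into the four CTL_CODE fields. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* METHOD_NEITHER: the I/O manager passes the driver raw user-mode pointers
 * (Type3InputBuffer and UserBuffer) without copying or locking them, so the
 * driver itself must probe every address and length before touching it.
 * Writing through such a pointer unchecked is the flaw this advisory describes. */
int driver_must_probe_buffers(uint32_t code) {
    return decode_ioctl(code).method == METHOD_NEITHER;
}

/* FILE_ANY_ACCESS: any open handle may send the request, so the device
 * object's ACL is the only thing deciding who can reach the handler. */
int any_handle_may_send(uint32_t code) {
    return decode_ioctl(code).access == FILE_ANY_ACCESS;
}

int main(void) {
    const uint32_t codes[] = { 0x8400000F, 0x84000013 };   /* the two codes in this advisory */
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X: device_type=0x%04X access=%u function=%u method=%u%s%s\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.access,
               (unsigned)f.function, (unsigned)f.method,
               driver_must_probe_buffers(codes[i]) ? " [METHOD_NEITHER: driver must probe]" : "",
               any_handle_may_send(codes[i]) ? " [FILE_ANY_ACCESS]" : "");
    }
    return 0;
}
```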

SymLink: \\.\vsdatant
Driver:  vsdatant.sys  	Version: 6.5.737.0

IOCTL: 0x8400000F
.text:0003B417 cmp [esp+18h+arg_14], 4 ;Output Buffer Size == 4 ?
.text:0003B41C jb loc_3BB85 ; default
.text:0003B422 mov eax, [esp+18h+arg_10]
.text:0003B426 test eax, eax
.text:0003B428 jz loc_3BB85 ; default
.text:0003B42E pop edi
.text:0003B42F mov dword ptr [ebx], 4
.text:0003B435 pop esi
.text:0003B436 mov dword ptr [eax], offset unk_60001 ; 0x60001 -> eax = controlled
.text:0003B43C pop ebp
.text:0003B43D mov al, 1
.text:0003B43F pop ebx
.text:0003B440 add esp, 8
.text:0003B443 retn 24h

IOCTL: 0x84000013
eax = ebp = controlled
.text:0003AC38 mov eax, ebp
.text:0003AC3A xor edx, edx
.text:0003AC3C mov ecx, 0Ah
.text:0003AC41 mov [eax], edx 			; FLAW
.text:0003AC43 lea edi, [esp+3Ch+var_28]
.text:0003AC47 mov esi, offset unk_59CC8
.text:0003AC4C mov [eax+4], edx			;
.text:0003AC4F mov [eax+8], edx			;
.text:0003AC52 mov [eax+0Ch], edx		;
[...]
.text:0003AD11 mov edx, [esp+3Ch+var_2C] ; int
.text:0003AD15 mov eax, VirtualAddress
.text:0003AD1A push 0 ; int
.text:0003AD1C push edx ; int
.text:0003AD1D push offset sub_16A00 ; Length
.text:0003AD22 lea ecx, [esp+48h+var_28] ; int
.text:0003AD26 push eax ; VirtualAddress
.text:0003AD27 push ecx ; int
.text:0003AD28 call sub_33310 // Mdl - ZwQuerySystemInformation...
.text:0003AD2D test eax, eax
.text:0003AD2F mov [esp+3Ch+var_28], eax
.text:0003AD33 jz short loc_3AD97
.text:0003AD35 mov ecx, [esp+3Ch+var_24]
.text:0003AD39 mov edx, [esp+3Ch+var_20]
.text:0003AD3D mov esi, [esp+3Ch+var_1C]
.text:0003AD41 mov [ebp+0], eax 		; FLAW
.text:0003AD44 mov [ebp+4], ecx 		;
.text:0003AD47 mov [ebp+8], edx			;
.text:0003AD4A test ebx, ebx
.text:0003AD4C mov [ebp+0Ch], esi		;


References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53 (PDF)

----
Reversemode
Advanced Reverse Engineering Services
