[ HTML VERSION ] http://www.wintercore.com/advisories/advisory_W020209.html
Founded in 1997, Kaspersky Lab is an international information security
software vendor. Kaspersky Lab is headquartered in Moscow, Russia and
has regional offices in the UK, France, Germany, the Netherlands,
Poland, Japan, China, Korea, Romania and the United States. Further
expanding the company's reach is its large partner network comprising
over 500 companies globally.
2. Non-technical description
Klim5.sys is prone to a local privilege escalation due to insufficient
validation of a user-supplied buffer.
A local attacker can take advantage of this vulnerability to elevate
privileges from the Guest account to SYSTEM.
3. Technical Description.
This driver is in charge of intercepting packets as they arrive or are
sent. (Un)fortunately a simple user-mode program can modify some
callbacks in klim5.sys to point to a user-mode controlled address, just
by sending a specially crafted IOCTL request. So... we face a local
.text:00011774 cmp ecx, 80052110h ; IOCTL
.text:0001177A jnz short loc_117E9
.text:0001177C cmp ebp, 10h
.text:0001177F jnb short loc_1178E ; FLAW
.text:00011781 push 10h
.text:00011783 mov [esp+14h+Irp], 0C0000023h
.text:0001178B pop ebx
.text:0001178C jmp short loc_117E9
.text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj
.text:0001178E push offset SpinLock ; SpinLock
.text:00011793 push offset dword_140A8 ; int
.text:00011798 push edi ; int
.text:00011799 call sub_11604 ; Flaw
.text:0001179E add edi, 8
.text:000117A1 push offset dword_140B8 ; SpinLock
.text:000117A6 or eax, 0FFFFFFFFh
.text:000117A9 sub eax, [edi]
.text:000117AB push offset dword_140B0 ; int
.text:000117B0 push edi ; int
.text:000117B1 mov [edi], eax
.text:000117B3 call sub_11604
.text:000115CB push [ebp+arg_0]
.text:000115CE call dword ptr [edi+8] ; Controlled
4. Exploiting it.
What is interesting in this flaw is the way of exploiting it. NDIS
calls are "context-free" by definition, so when a packet arrives or is
sent, the NDIS call can be invoked in an arbitrary thread context.
Therefore, the callback we are modifying could be invoked in any other
thread than ours. There is an intrinsic race condition in the exploit.
Let's imagine a scenario where the exploit modifies the callback to
point to the address of its shellcode at 0x401000. However, before the
callback reaches our code in the exploit's context, another thread
triggers the callback, and in that context the address can contain
anything. Note also that the memory referenced must be paged in, since
the callback is dispatched at DISPATCH_LEVEL. To solve this scenario we
must follow the steps below:
+ Boost the priority of our exploit process/thread
+ Search common bytes in ring3 which are being shared by all the
processes, then modify them (in the exploit's context) to point to our
shellcode whilst in other processes that same address should point to a
"ret 4" instruction (NtDeleteKey+n).
+ The shellcode must modify the callbacks to point to a "ret 4" address
that can be accessed in Ring0(ExGetSharedWaitersCount+n). While running
6. Products Affected
Kaspersky AV 2008
Kaspersky AV for WorkStations 6.0
Vulnerability discovered and researched by Ruben Santamarta, Wintercore.
C/ Isla de Salvora, 180.
28400 Collado Villalba.
Phone: +(34) 91 849 98 89