Copy protection scheme SafeDisc allows privilege escalation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Copy protection scheme SafeDisc allows privilege escalation
From: yourname@xxxxxxxxxxxxxx
Date: 11 Mar 2006 10:29:28 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I have a found a serious flaw in the well-known and widely deployed copy 
protection scheme SafeDisc. 

The issues arrises from the how the installation of the driver secdrv.sys is 
managed. When installed, the associated driver service is assigned the 
SE_CHANGE_CONFIG flag, which means that any user is able to modify the start-up 
behaviour (automatic, manually, on-demand, system, boot).
Luckily the default installation of Windows XP which also ships the secdrv.sys 
driver (bad thing, Microsoft!) is not vulnerable.

The bad thing is that, not so well documented, it also allows the user to 
change the binary that is assiocated with that service.

The exploit is obvious: change the configuration to point at your binary, 
change the start-up behaviour to what you like (means: automatically, system or 
boot) and wait until the next reboot. Tadaa, full SYSTEM access.


This is just one instance of a well-known class of exploits. See
http://seclists.org/lists/fulldisclosure/2006/Feb/0231.html
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
http://www.microsoft.com/technet/security/advisory/914457.mspx
http://www.securityfocus.com/bid/16472
for other known vulnerable services, detailed description and the srvcheck2.exe 
utility.

Prev by Date: XSS in vCard
Next by Date: SGI IRIX 6.*usr/sysadm/bin/runpriv local root exploit
Previous by thread: XSS in vCard
Next by thread: SGI IRIX 6.*usr/sysadm/bin/runpriv local root exploit
Index(es):
- Date
- Thread