[Reversemode advisory] Computer Associates HIPS Drivers - multiple local privilege escalation vulnerabilities.
Computer Associates "Host Intrusion Prevention System" Engine Drivers
are prone to multiple local privilege escalation vulnerabilities.
Unprivileged users can take advantage of these flaws in order to execute
arbitrary code with kernel privileges.
Two drivers are affected, kmxstart.sys and kmxfw.sys. These drivers hook
TDI and NDIS. Using a couple of privileged IOCTLs, unprivileged users
can overwrite several function pointers within these drivers.
Vendor was notified. No response received.
State: Unpatched.
Products affected: CA Internet Security, CA Personal Firewall...
Advisory
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=38
Driver: kmxfw.sys Version: 6.5.4.31
Exploit #1
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=39
Driver: kmxstart.sys Version: 6.5.4.10
Exploit #2
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=40
Greets,
Rubén Santamarta
-------------------
www.reversemode.com
Advanced Reverse Engineering Services