[Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation
CHECK POINT ZONE LABS PRODUCTS
MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES
Rubén Santamarta <ruben@xxxxxxxxxxxxxxx>
04.20.2007
Affected products:
+ ZoneAlarm (Srescan.sys v 5.0.155 and earlier )
Srescan.sys is exposed through the following Dos Device:“\\.\SreScan”.
Restricted accounts ,including guest users, can access privileged
IOCTLs implemented within the driver affected.
In addition to this potential risk factor, the driver does not validate
user-mode buffers in Type3 , thus leading to local privilege escalation
due to arbitrary Kernel memory overwrite.
DosDevice: \\.\Srescan
Driver: srescan.sys Version: 5.0.83.0
------------------------- IOCTL 0x2220CF
.text:00013127 mov ecx, [ebp+arg_10]
.text:0001312A cmp dword ptr [ecx], 4 ;
.text:0001312D jnz short loc_1313F
.text:0001312F mov edx, [ebp+FileInformation]
.text:00013132 mov dword ptr [edx], 30000h ; edx
controlled
.text:00013138 xor esi, esi
.text:0001313A mov [ebp+var_1C], esi
.text:0001313D jmp short loc_1315F
------------------------- IOCTL 0x22208F
text:00014091 mov ebp, ds:ExAllocatePoolWithTag
.text:00014097 mov esi, 20000h
.text:0001409C push 31565244h ; Tag
.text:000140A1 push esi ; NumberOfBytes
.text:000140A2 push 0 ; PoolType
.text:000140A4 call ebp ; ExAllocatePoolWithTag
.text:000140A6 mov ebx, eax
.text:000140A8 test ebx, ebx
.text:000140AA jz short loc_140F3
.text:000140AC mov edi, ds:ZwQuerySystemInformation
.text:000140B2
.text:000140B2 loc_140B2: ; CODE XREF:
sub_14070+81#j
.text:000140B2 lea ecx, [esp+1Ch+ReturnLength]
.text:000140B6 push ecx ; ReturnLength
.text:000140B7 push esi ;
SystemInformationLength
.text:000140B8 push ebx ; SystemInformation
.text:000140B9 push 5 ;
SystemInformationClass
.text:000140BB call edi ; ZwQuerySystemInformation
.text:000140BD cmp eax, 0C0000023h
.text:000140C2 mov [esp+1Ch+var_4], eax
.text:000140C6 jz short loc_140D6
.text:000140C8 cmp eax, 80000005h
.text:000140CD jz short loc_140D6
.text:000140CF cmp eax, 0C0000004h
.text:000140D4 jnz short loc_14102
.text:0001411D loc_1411D: ; CODE XREF:
sub_14070+112#j
.text:0001411D mov eax, [edx+44h]
.text:00014120 test eax, eax
.text:00014122 jz short loc_1417A
[...]
.text:00014154 mov dword ptr [eax+4], 0
.text:0001415B mov esi, [edx+3Ch]
.text:0001415E lea edi, [eax+0Ch] ; edi =
OutputBuffer. Controlled
.text:00014161 mov eax, ecx
.text:00014163 shr ecx, 2
.text:00014166 rep movsd
.text:00014168 mov ecx, eax
.text:0001416A mov eax, [esp+1Ch+var_8]
.text:0001416E and ecx, 3
.text:00014171 inc eax
.text:00014172 rep movsb
.text:00014174 mov [esp+1Ch+var_8], eax
.text:00014178 mov edi, eax
Exploits
No exploits are released. Ethical security companies can contact for
requesting samples :
contact (at) reversemode (dot) com [email concealed]
References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48
(PDF)
-----------
Reversemode
Advanced Reverse Engineering Services
www.reversemode.com