<<< Date Index >>>     <<< Thread Index >>>

[Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation



          CHECK POINT ZONE LABS  PRODUCTS
 MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES
        
Rubén Santamarta <ruben@xxxxxxxxxxxxxxx>

04.20.2007
Affected products:
 + ZoneAlarm (Srescan.sys  v 5.0.155 and earlier )

Srescan.sys is exposed through the following Dos Device:“\\.\SreScan”.
Restricted accounts ,including guest users,  can access privileged
IOCTLs implemented within the driver affected.
In addition to this potential risk factor, the driver does not validate
user-mode buffers in Type3 , thus leading to local privilege escalation
due to arbitrary Kernel memory overwrite.

DosDevice: \\.\Srescan
Driver:  srescan.sys    Version: 5.0.83.0

------------------------- IOCTL 0x2220CF
.text:00013127                 mov     ecx, [ebp+arg_10]
.text:0001312A                 cmp     dword ptr [ecx], 4  ;
.text:0001312D                 jnz     short loc_1313F
.text:0001312F                 mov     edx, [ebp+FileInformation]
.text:00013132                 mov     dword ptr [edx], 30000h ;  edx
controlled
.text:00013138                 xor     esi, esi
.text:0001313A                 mov     [ebp+var_1C], esi
.text:0001313D                 jmp     short loc_1315F

------------------------- IOCTL 0x22208F
text:00014091                 mov     ebp, ds:ExAllocatePoolWithTag
.text:00014097                 mov     esi, 20000h
.text:0001409C                 push    31565244h       ; Tag
.text:000140A1                 push    esi             ; NumberOfBytes
.text:000140A2                 push    0               ; PoolType
.text:000140A4                 call    ebp ; ExAllocatePoolWithTag
.text:000140A6                 mov     ebx, eax
.text:000140A8                 test    ebx, ebx
.text:000140AA                 jz      short loc_140F3
.text:000140AC                 mov     edi, ds:ZwQuerySystemInformation
.text:000140B2
.text:000140B2 loc_140B2:                              ; CODE XREF:
sub_14070+81#j
.text:000140B2                 lea     ecx, [esp+1Ch+ReturnLength]
.text:000140B6                 push    ecx             ; ReturnLength
.text:000140B7                 push    esi             ;
SystemInformationLength
.text:000140B8                 push    ebx             ; SystemInformation
.text:000140B9                 push    5               ;
SystemInformationClass
.text:000140BB                 call    edi ; ZwQuerySystemInformation
.text:000140BD                 cmp     eax, 0C0000023h
.text:000140C2                 mov     [esp+1Ch+var_4], eax
.text:000140C6                 jz      short loc_140D6
.text:000140C8                 cmp     eax, 80000005h
.text:000140CD                 jz      short loc_140D6
.text:000140CF                 cmp     eax, 0C0000004h
.text:000140D4                 jnz     short loc_14102
.text:0001411D loc_1411D:                              ; CODE XREF:
sub_14070+112#j
.text:0001411D                 mov     eax, [edx+44h]
.text:00014120                 test    eax, eax
.text:00014122                 jz      short loc_1417A
[...]
.text:00014154                 mov     dword ptr [eax+4], 0
.text:0001415B                 mov     esi, [edx+3Ch]
.text:0001415E                 lea     edi, [eax+0Ch]    ; edi =
OutputBuffer. Controlled
.text:00014161                 mov     eax, ecx 
.text:00014163                 shr     ecx, 2
.text:00014166                 rep movsd
.text:00014168                 mov     ecx, eax
.text:0001416A                 mov     eax, [esp+1Ch+var_8]
.text:0001416E                 and     ecx, 3
.text:00014171                 inc     eax
.text:00014172                 rep movsb
.text:00014174                 mov     [esp+1Ch+var_8], eax
.text:00014178                 mov     edi, eax


Exploits
No exploits are released. Ethical security companies can contact for
requesting samples :
contact (at) reversemode (dot) com [email concealed]

References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48
(PDF)

-----------

Reversemode
Advanced Reverse Engineering Services
www.reversemode.com