<<< Date Index >>>     <<< Thread Index >>>

[TKADV2008-006] CA HIPS KmxFw.sys Kernel Memory Corruption



Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-006.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               CA HIPS KmxFw.sys Kernel Memory Corruption 
Advisory ID:            TKADV2008-006
Revision:               1.0
Release Date:           2008/08/12
Last Modified:          2008/08/12
Date Reported:          2008/03/08
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      CA Host-Based Intrusion Prevention System r8
                        CA Internet Security Suite 2007
                        CA Internet Security Suite 2008
                        CA Personal Firewall 2007
                        CA Personal Firewall 2008
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.ca.com
Vendor Status:          Vendor has released an update
CVE-ID:                 CVE-2008-2926
Patch development time: 158 days


======================
Vulnerability details:
======================

The kernel driver KmxFw.sys shipped with various CA products contains a 
vulnerability in the code that handles IOCTL requests. Exploitation of 
this vulnerability can result in:

1) local denial of service attacks (system crash due to a kernel panic), or

2) local execution of arbitrary code at the kernel level (complete system 
   compromise)

The issue can be triggered by sending a specially crafted IOCTL request.

No special user rights are necessary to exploit the vulnerability.


======================
Technical description:
======================

The IOCTL call 0x85000030 of the KmxFw.sys kernel driver shipped with
various CA products accepts user supplied input that doesn't get validated 
enough. In consequence it is possible to pass arbitrary parameter values 
to some windows kernel functions (e.g. ExFreePoolWithTag). If these 
parameters are carefully crafted it is possible to force the windows kernel
into performing a memory corruption that leads to full control of the 
kernel execution flow. 

Disassembly of KmxFw.sys (version 6.5.5.5):

[...]
.text:00019800              mov     eax, [esp+IOCTLControlCode] <-- (1)
.text:00019804              sub     esp, 2Ch
.text:00019807              push    ebx
.text:00019808              push    esi
.text:00019809              push    edi
.text:0001980A              add     eax, 7AFFFFFCh
.text:0001980F              xor     edi, edi
.text:00019811              xor     ebx, ebx
.text:00019813              cmp     eax, 4Ch        ; switch 77 cases
.text:00019816              ja      loc_19943       ; default
[...]
.text:0001981C              movzx   eax, ds:byte_19BA0[eax]  <-- (2)
.text:00019823              jmp     ds:off_19B6C[eax*4] ; switch jump
[...]
.text:000199E1 loc_199E1:                              
.text:000199E1              cmp     [esp+38h+InputBufferSize], 10h  <-- (3)
.text:000199E6              jb      loc_19943       ; default
[...]
.text:000199EC              mov     eax, [esp+38h+InputBuffer]  <-- (4)
.text:000199F0              mov     ecx, [eax+8]  <-- (5)
.text:000199F3              mov     edx, [eax]  <-- (6)
.text:000199F5              push    ecx             ; BaseAddress  <-- (7) 
.text:000199F6              push    edx             ; Mdl  <-- (8)
.text:000199F7              mov     ecx, offset off_28600
.text:000199FC              call    sub_12B70  <-- (9)
[...]

(1) IOCTL control code is copied into EAX
(2) IOCTL control code switch cases
(3) Switch case of the vulnerable IOCTL control code 0x85000030. There's
    also a minor check of the IOCTL input buffer size (must be greater than
    0x10).
(4) Pointer to user controlled data is copied into EAX
(5) Part of the user controlled data is copied into ECX
(6) Part of the user controlled data is copied into EDX
(7) + (8) The user controlled values of ECX and EDX are used as parameters 
          for the following function (sub_12B70) that gets called
(9) The function sub_12B70 gets called

[...]
.text:00012B70 sub_12B70       proc near            
.text:00012B70 Mdl_uc          = dword ptr  4
.text:00012B70 BaseAddress_uc  = dword ptr  8
.text:00012B70
.text:00012B70            push    esi
.text:00012B71            mov     esi, [esp+4+Mdl_uc]  <-- (10)
.text:00012B75            test    esi, esi
.text:00012B77            jz      short loc_12B90
.text:00012B79            mov     eax, [esp+4+BaseAddress_uc]  <-- (11)
.text:00012B7D            test    eax, eax
.text:00012B7F            jz      short loc_12B89
.text:00012B81            push    esi      ; MemoryDescriptorList  <-- (12)
.text:00012B82            push    eax      ; BaseAddress  <-- (13)
.text:00012B83            call    ds:MmUnmapLockedPages  <-- (14)
.text:00012B89
.text:00012B89 loc_12B89:                           
.text:00012B89            push    esi      ; Mdl  <-- (15)
.text:00012B8A            call    ds:IoFreeMdl  <-- (16)
[...]

(10) User controlled data gets copied into ESI
(11) User controlled data gets copied into EAX
(12) + (13) The user controlled values of ESI and EAX are used as 
            parameters for the windows kernel function MmUnmapLockedPages
(14) The windows kernel function MmUnmapLockedPages gets called
(15) The user controlled value in ESI is used as a parameter for the   
     windows kernel function IoFreeMdl
(16) The windows kernel function IoFreeMdl gets called

In the IoFreeMdl function of the windows kernel the ExFreePoolWithTag 
function gets called with user controlled parameters. 
 
Example of the IoFreeMdl function of the Windows 2000 Professional SP4 
kernel:
 
[...]
.text:0041E700 ; void __stdcall IoFreeMdl(PMDL Mdl)
.text:0041E700                 public IoFreeMdl
.text:0041E700 IoFreeMdl       proc near              
.text:0041E700
.text:0041E700 P               = dword ptr  4
.text:0041E700
.text:0041E700                 push    esi
.text:0041E701                 mov     esi, [esp+4+P]  <-- (17)
.text:0041E705                 test    byte ptr [esi+6], 20h
.text:0041E709                 jz      short loc_41E714
[...]
.text:0041E714 loc_41E714:                             
.text:0041E714                 mov     ax, [esi+6]
.text:0041E718                 test    al, 8
.text:0041E71A                 jz      short loc_41E72B
[...]
.text:0041E72B
.text:0041E72B loc_41E72B:
.text:0041E72B                 push    esi             ; P  <-- (18)
.text:0041E72C                 call    ExFreePool  <-- (19)
[...]

(17) The user controlled data gets copied into ESI
(18) + (19) ESI is used as a parameter for the ExFreePool kernel function 
            that calls ExFreePoolWithTag

If the user supplied parameter for ExFreePoolWithTag is carefully crafted 
it is possible to overwrite an arbitrary memory location with an arbitrary 
dword value (write4 primitive). This can be exploited to control the kernel
execution flow and to execute arbitrary code at the kernel level.


=========
Solution:
=========

  See vendor recommendations described under [1].


========
History:
========

  2008/03/06 - Vendor notified using vuln@xxxxxx
  2008/03/06 - Vendor response with PGP key
  2008/03/08 - Detailed vulnerability information sent to the vendor 
  2008/03/08 - Vendor acknowledges receipt of the information
  2008/08/12 - Coordinated disclosure


========
Credits:
========

  Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

  [1] http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559
  [2] http://www.trapkit.de/advisories/TKADV2008-006.txt


========
Changes:
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----

wj8DBQFIoc3GkXxgcAIbhEERAmChAJ9lINv4Ci5mKTsJFrseUDnRexS6cwCg1M9j
ZIxU4zrLI4z0saexLC/J9Dg=
=hYS2
-----END PGP SIGNATURE-----