Windows Macromedia Security Driver Buffer Overflow Lets Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1018833
|
|
SecurityTracker URL: http://securitytracker.com/id?1018833
|
|
CVE Reference: CVE-2007-5587
(Links to External Site)
|
Updated: Nov 6 2007
|
Original Entry Date: Oct 18 2007
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: Microsoft Security Advisory
|
Version(s): 2003 SP2, XP SP2; and prior service packs
|
Description: A vulnerability was reported in Windows. A local user can obtain elevated privileges on the target system.
A local user can trigger a buffer overflow in the Macromedia Security Driver (secdrv.sys) to execute arbitrary code on the target
system with System level privileges.
A demonstration exploit is available at:
http://kartoffel.reversemode.com/downloads.php
This
vulnerability is being actively exploited.
Symantec and Ruben from reversemode.com reported this vulnerability.
The original
advisory is available at:
http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html
|
Impact: A local user can obtain elevated privileges on the target system.
|
Solution: Macromedia has issued a fix, available at:
http://www.macrovision.com/webdocuments/Downloads/SECDRVSYS.zip
Microsoft plans
to issue a fix as part of the Microsoft monthly security update process.
The Macromedia advisory is available at:
http://www.macrovision.com/promolanding/7352.htm
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/advisory/944653.mspx
|
Vendor URL: www.microsoft.com/technet/security/advisory/944653.mspx (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (2003), Windows (XP)
|
Reported By: Reversemode <advisories@reversemode.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 18 Oct 2007 18:04:16 +0200
From: Reversemode <advisories@reversemode.com>
Subject: [CORRECTED] Microsoft Windows XP SP2/2003 - Macrovision SecDrv.sys
|
Hi,
Symantec researcher Elia Florio has warned, at the company's weblog,of a
0day attack in Windows XP and 2003 that allows unprivileged users to
gain SYSTEM privileges via a buggy driver installed by default.
In his/her post, Elia brings us an important clue:"At the moment, it’s
still not clear how the driver is used by Windows because this file does
not have the typical Microsoft file properties present in other Windows
system files". Such a file is not common so looking for this sort of
.sys we come across a couple of them. One of those drivers is
secdrv.sys, which is developed by Macrovision as part of SafeDisc.
Mario Ballano (48bits.com) and I we have been taking a look at the
driver and quickly found this interesting piece of code.
.text:00015E2C cmp [ebp+var_10], 0CA002813h
.text:00015E33 jz short loc_15E69
As you can see the IOCTL is METHOD_NEITHER which is a potential
vulnerability by itself (few drivers are correctly handling this
method). Let's see whether this time is different...
.text:00015ED9 call dword ptr [eax+10h] ; Internal
Dispatcher
.text:00015EDC mov [ebp+var_1C], eax
.text:00015EDF cmp [ebp+var_1C], 0Ah
.text:00015EE3 jz short loc_15EFC
.text:00015EE5 mov eax, [ebp+arg_4]
.text:00015EE8 mov dword ptr [eax], 0C0000001h
.text:00015EEE mov eax, [ebp+arg_4]
.text:00015EF1 and dword ptr [eax+4], 0
.text:00015EF5 mov eax, 0C0000001h
.text:00015EFA jmp short loc_15F21
.text:00015EFC ;
---------------------------------------------------------------------------
.text:00015EFC
.text:00015EFC loc_15EFC: ; CODE XREF:
sub_15E12+D1j
.text:00015EFC mov ecx, [ebp+var_4]
.text:00015EFF mov esi, [ebp+var_C]
.text:00015F02 mov eax, [ebp+arg_0]
.text:00015F05 mov edi, [eax+3Ch] ; Output Buffer
(Irp->UserBuffer)
.text:00015F08 mov eax, ecx ; Inline memcpy
.text:00015F0A shr ecx, 2
.text:00015F0D rep movsd
.text:00015F0F mov ecx, eax
.text:00015F11 and ecx, 3
.text:00015F14 rep movsb
No luck. As you can see the buffer supplied by the user is not properly
checked so you can overwrite any address you wish, even kernel
addresses. The first 4 DWORDs of the input buffer are copied into the
output buffer without any further validation. However,there is
restriction: InputBuffer[1] should be a fixed value in order to reach
this piece of code. No problem. Take a look at the exploit code.
The driver copies bytes into the output buffer but also into the input
buffer so both need to be sanitized. I've released a K-plugin for
kartoffel that exploits this flaw on Windows XP SP2 and 2003 (32-bit).
Download at http://kartoffel.reversemode.com/downloads.php.
This K-plugin can only be used for personal study and research purposes.
Do not email me requesting shellcodes, customized exploit or something
like that.
Despite there is no patch available, at the momment, we are disclosing
this information since an exploit has been caught in the wild so we see
no reason to hide information that can be useful for administrators and
researchers.
References:
[1]http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i
.html
[2]http://www.macrovision.com
[3]http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=vie
w&id=43&Itemid=15
[4]http://blog.48bits.com/?p=172
Regards,
Rubén.
|
|
