Computer Associates "Host Intrusion Prevention System" Engine Drivers are prone to multiple local privilege escalation vulnerabilities. Unprivileged users can take advantage of these flaws in order to execute arbitrary code with kernel privileges. Two drivers are affected, kmxstart.sys and kmxfw.sys. These drivers hook TDI and NDIS. Using a couple of privileged IOCTLs, unprivileged users can overwrite several function pointers within these drivers. Vendor was notified. No response received. State: Unpatched. Products affected: CA Internet Security, CA Personal Firewall... Advisory http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=38 Driver: kmxfw.sys Version: 6.5.4.31 Exploit #1 http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=39 Driver: kmxstart.sys Version: 6.5.4.10 Exploit #2 http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=40 Greets, Rubén Santamarta ------------------- www.reversemode.com Advanced Reverse Engineering Services
