[ HTML VERSION ] http://www.wintercore.com/advisories/advisory_W020209.html [ exploit code ] http://kartoffel.reversemode.com/downloads.php Background Non-technical description Technical Description Exploiting it References Products Affected Credits Disclosure Timeline Contact 1. Background Founded in 1997, Kaspersky Lab is an international information security software vendor. Kaspersky Lab is headquartered in Moscow, Russia and has regional offices in the UK, France, Germany, the Netherlands, Poland, Japan, China, Korea, Romania and the United States. Further expanding the company's reach is its large partner network comprising over 500 companies globally. 2. Non-technical description Klim5.sys is prone to a local privilege escalation due to invalid user-supplied buffer checking. A local attacker can take advantage of this vulnerability to elevate privileges from Guest account to SYSTEM. 3. Technical Description. This driver is in charge of intercepting when a packet arrives or is sent. (Un)fortunately a simple user-mode program can modify some callbacks in klim5.sys to point to a user-mode controlled address, just by sending a specially crafted IOCTL request.So... we face a local privilege escalation.Again. .text:00011774 cmp ecx, 80052110h ; IOCTL .text:0001177A jnz short loc_117E9 .text:0001177C cmp ebp, 10h .text:0001177F jnb short loc_1178E ; FLAW .text:00011781 push 10h .text:00011783 mov [esp+14h+Irp], 0C0000023h .text:0001178B pop ebx .text:0001178C jmp short loc_117E9 .text:0001178E ; --------------------------------------------------------------------------- .text:0001178E .text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj .text:0001178E push offset SpinLock ; SpinLock .text:00011793 push offset dword_140A8 ; int .text:00011798 push edi ; int .text:00011799 call sub_11604 ; Flaw .text:0001179E add edi, 8 .text:000117A1 push offset dword_140B8 ; SpinLock .text:000117A6 or eax, 0FFFFFFFFh .text:000117A9 sub eax, [edi] .text:000117AB push offset dword_140B0 ; int .text:000117B0 push edi ; int .text:000117B1 mov [edi], eax .text:000117B3 call sub_11604 and finally .text:000115CB push [ebp+arg_0] .text:000115CE call dword ptr [edi+8] ; Controlled 4. Exploiting it. What it is interesting in this flaw is the way of exploiting it. NDIS calls are "context-free" by definition, so when a packet arrives or is sent, the NDIS call can be invoked in an arbitrary thread context. Therefore, the callback we are modifying could be invoked in any other thread than ours. There is an intrinsic race condition in the exploit. Let's imagine a scenario where the exploit modifies the callback to point to the address of its shellcode at 0x401000. However,before the callback reachs our code in the exploit's context, another thread triggers the callback and therefore, that address can contain anything, note that also the memory referenced must be paged in since the callback is dispatched at DISPATCH_LEVEL. To solve this scenario we must follow the steps below: + Boost the priority of our exploit process/thread + Search common bytes in ring3 which are being shared by all the processes,the modify them(in the exploit's context) to point to our shellcode whilst in other processes that same address should point to a "ret 4" instruction. (NtDeleteKey+n). + The shellcode must modify the callbacks to point to a "ret 4" address that can be accessed in Ring0(ExGetSharedWaitersCount+n). While running the exploit [IMAGES] 5. References http://www.reversemode.com/index.php?option=com_content&task=view&id=60&Itemid=1 6. Products Affected Kaspersky AV 2008 Kaspersky AV for WorkStations 6.0 7. Credits Vulnerability discovered and researched by Ruben Santamarta, Wintercore. -- Wintercore C/ Isla de Salvora, 180. 28400 Collado Villalba. Spain Phone: +(34) 91 849 98 89 www.wintercore.com