[NT] Check Point Zonelabs - ZoneAlarm SRESCAN Driver Local Privilege Escalation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 25 Apr 2007 17:07:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Check Point Zonelabs - ZoneAlarm SRESCAN Driver Local Privilege Escalation
------------------------------------------------------------------------
SUMMARY
A vulnerability in ZoneAlarm's SRESCAN driver allows local attackers to
gain privileges: the driver lets a caller write data to any address the
caller chooses, including kernel addresses that only the driver itself
should be able to reach.
DETAILS
Vulnerable Systems:
* ZoneAlarm with Srescan.sys version 5.0.155 and prior
Srescan.sys is exposed through the DOS device name \\.\SreScan.
Restricted accounts, including guest users, can open this device and reach
the privileged IOCTLs implemented in the affected driver. In addition, the
driver does not validate the user-mode buffers it receives through Type3
(METHOD_NEITHER) IOCTLs, so a caller can overwrite arbitrary kernel memory,
which leads to local privilege escalation.
Assembly dump:
------------------------- IOCTL 0x2220CF
.text:00013127 mov ecx, [ebp+arg_10]
.text:0001312A cmp dword ptr [ecx], 4 ;
.text:0001312D jnz short loc_1313F
.text:0001312F mov edx, [ebp+FileInformation]
.text:00013132 mov dword ptr [edx], 30000h ; edx controlled
.text:00013138 xor esi, esi
.text:0001313A mov [ebp+var_1C], esi
.text:0001313D jmp short loc_1315F
------------------------- IOCTL 0x22208F
.text:00014091 mov ebp, ds:ExAllocatePoolWithTag
.text:00014097 mov esi, 20000h
.text:0001409C push 31565244h ; Tag
.text:000140A1 push esi ; NumberOfBytes
.text:000140A2 push 0 ; PoolType
.text:000140A4 call ebp ; ExAllocatePoolWithTag
.text:000140A6 mov ebx, eax
.text:000140A8 test ebx, ebx
.text:000140AA jz short loc_140F3
.text:000140AC mov edi, ds:ZwQuerySystemInformation
.text:000140B2
.text:000140B2 loc_140B2: ; CODE XREF: sub_14070+81#j
.text:000140B2 lea ecx, [esp+1Ch+ReturnLength]
.text:000140B6 push ecx ; ReturnLength
.text:000140B7 push esi ; SystemInformationLength
.text:000140B8 push ebx ; SystemInformation
.text:000140B9 push 5 ; SystemInformationClass
.text:000140BB call edi ; ZwQuerySystemInformation
.text:000140BD cmp eax, 0C0000023h
.text:000140C2 mov [esp+1Ch+var_4], eax
.text:000140C6 jz short loc_140D6
.text:000140C8 cmp eax, 80000005h
.text:000140CD jz short loc_140D6
.text:000140CF cmp eax, 0C0000004h
.text:000140D4 jnz short loc_14102
.text:0001411D loc_1411D: ; CODE XREF: sub_14070+112#j
.text:0001411D mov eax, [edx+44h]
.text:00014120 test eax, eax
.text:00014122 jz short loc_1417A
[...]
.text:00014154 mov dword ptr [eax+4], 0
.text:0001415B mov esi, [edx+3Ch]
.text:0001415E lea edi, [eax+0Ch] ; edi = OutputBuffer. Controlled
.text:00014161 mov eax, ecx
.text:00014163 shr ecx, 2
.text:00014166 rep movsd
.text:00014168 mov ecx, eax
.text:0001416A mov eax, [esp+1Ch+var_8]
.text:0001416E and ecx, 3
.text:00014171 inc eax
.text:00014172 rep movsb
.text:00014174 mov [esp+1Ch+var_8], eax
.text:00014178 mov edi, ea
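As an added illustration (not code from the advisory or from Reversemode), the user-mode C model below decodes the two IOCTL codes quoted in the dump to show that both are METHOD_NEITHER (Type3) with FILE_ANY_ACCESS, and places the unvalidated store of 0x30000 from IOCTL 0x2220CF beside the form a driver should use: a length check and a ProbeForWrite-style probe before any access through the caller's pointer. USER_PROBE_ADDRESS, the STATUS_* values and probe_for_write are stand-ins assumed for this model, not the kernel's own routines.

```c
#include <stdint.h>
#include <stddef.h>

/* Layout of a Windows IOCTL code: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define METHOD_NEITHER  3   /* Type3: driver receives raw user pointers, nothing is mapped or copied */
#define FILE_ANY_ACCESS 0   /* no per-IOCTL access check; only the device ACL gates the call */

typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f = { code >> 16, (code >> 14) & 3, (code >> 2) & 0xFFF, code & 3 };
    return f;
}

/* Assumed stand-in for MmUserProbeAddress: top of the user-mode range for this pointer width. */
#define USER_PROBE_ADDRESS ((uintptr_t)(sizeof(void *) == 8 ? 0x7FFFFFFF0000ull : 0x7FFF0000u))

enum { STATUS_SUCCESS = 0, STATUS_BUFFER_TOO_SMALL = 1,
       STATUS_ACCESS_VIOLATION = 2, STATUS_DATATYPE_MISALIGNMENT = 3 };

/* User-mode model of ProbeForWrite: rejects misaligned, wrapping and kernel-range targets.
 * The real kernel routine raises an exception, so it must sit inside __try/__except. */
static int probe_for_write(uintptr_t addr, size_t len, size_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr > USER_PROBE_ADDRESS || len > USER_PROBE_ADDRESS - addr) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Shape of the vulnerable path in the dump: 0x30000 is stored through the caller's pointer as-is. */
static void handle_2220cf_unchecked(uint32_t *type3_output_buffer) {
    *type3_output_buffer = 0x30000;
}

/* Hardened shape: check the declared length, probe the pointer, and only then perform the store. */
static int handle_2220cf_checked(uintptr_t type3_output_buffer, size_t output_length) {
    if (output_length < sizeof(uint32_t)) return STATUS_BUFFER_TOO_SMALL;
    int st = probe_for_write(type3_output_buffer, sizeof(uint32_t), sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return st;
    *(uint32_t *)type3_output_buffer = 0x30000;  /* reached only for a validated user-mode address */
    return STATUS_SUCCESS;
}
```

In a real driver the device object's security descriptor (the other half of this advisory) would additionally be tightened so that guest and other restricted accounts cannot open \\.\SreScan at all.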
ADDITIONAL INFORMATION
The information has been provided by Reversemode <mailto:advisories@xxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48