[NT] RealTek HD Audio Codec Driver Local Privilege Escalation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 27 Apr 2008 13:08:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
RealTek HD Audio Codec Driver Local Privilege Escalation
------------------------------------------------------------------------
SUMMARY
" <http://www.realtek.com.tw/> Realtek devotes itself to offering a
comprehensive range of ICs of exceptional value for the communications
network, computer peripheral, and multimedia markets. By its continued
commitment to innovation, quality, and service, Realtek has successfully
built trust with its customers." Realtek HD Audio Codec Drivers are prone
to a local privilege escalation due to insufficient validation of
user-mode buffers. Successful exploitation grants SYSTEM privileges to
authenticated users, no special privileges are required to exploit the
flaw.
DETAILS
Vulnerable Systems:
* RTKVHDA.sys version prior to 6.0.1.5605 (32-bit) running on Windows
Vista
* RTKVHDA64.sys (signed) version prior to 6.0.1.5605 (64-bit) running on
Windows Vista
According to Realtek, the vulnerable code was originally intended to be
used at the development stage although, by error, the release version was
shipped still containing it.
These internal routines allow to user-mode applications to create, read or
write arbitrary registry keys by issuing a specially crafted IOCTL
request.
Module: RTKVHDA.sys (32-bit) Writing Arbitrary
Key
PAGE:001AAA88 mov esi, [ebp+Handle] ; user-controlled
PAGE:001AAA8B mov eax, [esi+10h]
PAGE:001AAA8E add eax, [esi+8]
PAGE:001AAA91 mov ecx, [esi+1Ch]
PAGE:001AAA94 mov ebx, [esi+4]
PAGE:001AAA97 lea eax, [eax+ecx+20h]
PAGE:001AAA9B add ebx, esi
PAGE:001AAA9D cmp [esi], eax
PAGE:001AAA9F jnb short loc_1AAAA8
PAGE:001AAAA1 mov eax, 0C0000023h
PAGE:001AAAA6 jmp short loc_1AAB22
PAGE:001AAAA8 ; ---------------
PAGE:001AAAA8
PAGE:001AAAA8 loc_1AAAA8: ; CODE XREF:
sub_1AAA7E+21j
PAGE:001AAAA8 mov eax, [esi+0Ch]
PAGE:001AAAAB push edi
PAGE:001AAAAC mov edi, ds:RtlInitUnicodeString
PAGE:001AAAB2 add eax, esi
PAGE:001AAAB4 push eax ; SourceString
PAGE:001AAAB5 lea eax, [ebp+ValueName]
PAGE:001AAAB8 push eax ; DestinationString
PAGE:001AAAB9 call edi ; RtlInitUnicodeString
PAGE:001AAABB push ebx ; SourceString
PAGE:001AAABC lea eax, [ebp+var_8]
PAGE:001AAABF push eax ; DestinationString
PAGE:001AAAC0 call edi ; RtlInitUnicodeString
PAGE:001AAAC2 lea eax, [ebp+var_8]
PAGE:001AAAC5 mov [ebp+ObjectAttributes.ObjectName],
eax
PAGE:001AAAC8 lea eax, [ebp+ObjectAttributes]
PAGE:001AAACB push eax ; ObjectAttributes
[...]
PAGE:001AAAEE call ds:ZwOpenKey
PAGE:001AAAF4 mov ebx, eax
PAGE:001AAAF6 cmp ebx, edi
PAGE:001AAAF8 jl short loc_1AAB1F
PAGE:001AAAFA push dword ptr [esi+1Ch] ; DataSize
PAGE:001AAAFD mov eax, [esi+18h]
PAGE:001AAB00 add eax, esi
PAGE:001AAB02 push eax ; Data
PAGE:001AAB03 push dword ptr [esi+14h] ; Type
PAGE:001AAB06 lea eax, [ebp+ValueName]
PAGE:001AAB09 push edi ; TitleIndex
PAGE:001AAB0A push eax ; ValueName
PAGE:001AAB0B push [ebp+Handle] ; KeyHandle
PAGE:001AAB0E call ds:ZwSetValueKey
In addition to these privileged routines, there is a flaw that lies in how
the user-mode buffers are validated. In the code above, certain arithmetic
calculations are performed without checking for integer overflows. These
values are controlled by the user so it could lead to an arbitrary memory
overwrite as we can see in the following piece of code, note the memory is
overwritten with controlled values.
Module: RTKVHDA.sys (32-bit) Reading Arbitrary Key into
controlled buffer
PAGE:001AABD1 lea eax, [ebp+ValueName]
PAGE:001AABD4 push edi ; KeyValueInformation
PAGE:001AABD5 push 2 ; KeyValueInformationClass
PAGE:001AABD7 push eax ; ValueName
PAGE:001AABD8 push [ebp+Handle] ; KeyHandle
PAGE:001AABDB call ds:ZwQueryValueKey
PAGE:001AABE1 cmp eax, ebx
PAGE:001AABE3 mov [ebp+arg_0], eax
PAGE:001AABE6 jl short loc_1AAC09
PAGE:001AABE8 mov eax, [edi+4]
PAGE:001AABEB mov [esi+14h], eax
PAGE:001AABEE mov eax, [edi+8]
PAGE:001AABF1 mov [esi+1Ch], eax
PAGE:001AABF4 push dword ptr [edi+8] ; size_t
PAGE:001AABF7 lea eax, [edi+0Ch]
PAGE:001AABFA push eax ; void *
PAGE:001AABFB mov eax, [esi+18h] ;(integer overflow
is possible)
PAGE:001AABFE add eax, esi ; base + offset
PAGE:001AAC00 push eax ; user-controlled
PAGE:001AAC01 call memcpy
Exploit:
We can choose between a couple of attack vectors, either to create an
arbitrary registry key (trival) or to take advantage of the arbitrary
memory overwrite to divert to flow towards a ring0 shellcode. Initially,
the problem with the arbitrary memory overwrite (by triggering an
integer overflow) approach, is that the IOCTL is METHOD_BUFFERED so we are
missing an important term in the equation (base) to control the first
address where the memory will be overwritten since we cannot accurately
predict the pool associated with our buffer (Mdl->MappedSystemVa).
Fortunately, the driver fails checking for NULL MDLs, thus allowing us to
solve this issue. NULL buffers are valid in METHOD_BUFFERED IRPs, so we
can emulate a fake MDL by allocating user-mode memory at 0x0, thus
controlling the pointer that will be returned by
MmGetSystemAddressForMdlSafe
Module: RTKVHDA.sys (32-bit)
PAGE:001AAC94 loc_1AAC94: ; CODE XREF: sub_1AAC32+24j
PAGE:001AAC94 mov eax, [esi+4]
PAGE:001AAC97 test byte ptr [eax+6], 5 ; IoManager s MDL NULL
PAGE:001AAC9B jz short loc_1AACA2
PAGE:001AAC9D mov eax, [eax+0Ch] ; FakeMdl->MappedSystemVa =>
controlled
Now, we have completed the last piece of the puzzle that allows us to
calculate accurately the offset needed to overwrite the kernel address we
desire.
For example, a simple exploit would be:
1. Create an arbitrary key that holds the address of our ring0 shellcode
2. Read that value into the desired kernel address by using the "integer
overflow" trick.
ADDITIONAL INFORMATION
The information has been provided by Ruben Santamarta.
The original article can be found at:
<http://www.wintercore.com/advisories/advisory_W010408.html>
http://www.wintercore.com/advisories/advisory_W010408.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] BadBlue uninst.exe DoS
- Next by Date: [REVS] Lateral SQL Injection: a New Class of Vulnerability in Oracle
- Previous by thread: [NT] BadBlue uninst.exe DoS
- Next by thread: [REVS] Lateral SQL Injection: a New Class of Vulnerability in Oracle
- Index(es):
Relevant Pages
|
|
