Vulnerability title: Privilege Escalation In K7 Computing Multiple Products [K7Sentry.sys]
CVE: CVE-2014-8956
Vendor: K7 Computing
Product: Multiple Products [K7Sentry.sys]
Affected version: 12.8.0.110
Fixed version: 12.8.0.119
Reported by: Kyriakos Economou
Details:

Latest, and possibly earlier versions of K7Sentry.sys kernel mode driver, also named as the 'K7AV Sentry DeviceDriver', suffers from a Out-of-bounds Write condition that can be exploited locally by an attacker in order to execute code with kernel privileges. Successful exploitation of this bug results into vertical privilege escalation.

Technical Details:

The function handling IOCTL 0x9500259C does not validate the size of the input before it starts copying the data into a statically allocated array inside the driver module itself in the .data section at address K7Sentry + 0xdaec8.

b9d05da0 837e0404 cmp dword ptr [esi+4],4 <--- check if input buffer size < 4
b9d05da4 7233 jb K7Sentry+0x9dd9
b9d05da6 8b4608 mov eax,dword ptr [esi+8] <--- get address of input buffer
b9d05da9 85c0 test eax,eax <--- validate there is an input buffer allocated
b9d05dab 742c je K7Sentry+0x9dd9 (b9d05dd9)
b9d05dad bac86eddb9 mov edx,offset K7Sentry+0xdaec8 <--- get address of array in .data section
b9d05db2 2bd0 sub edx,eax
b9d05db4 8a08 mov cl,byte ptr [eax] <--- read each byte from input
b9d05db6 880c02 mov byte ptr [edx+eax],cl <--- write each byte to array
b9d05db9 40 inc eax <--- increment index
b9d05dba 84c9 test cl,cl <--- check for '/x00'
b9d05dbc 75f6 jne K7Sentry+0x9db4 <--- if '/x00' not found loop again
b9d05dbe 837e0c04 cmp dword ptr [esi+0Ch],4
b9d05dc2 7212 jb K7Sentry+0x9dd6
b9d05dc4 8b4610 mov eax,dword ptr [esi+10h]
b9d05dc7 8b4e14 mov ecx,dword ptr [esi+14h]
b9d05dca c70001000000 mov dword ptr [eax],1
b9d05dd0 c70104000000 mov dword ptr [ecx],4
b9d05dd6 33c0 xor eax,eax
b9d05dd8 c3 ret
b9d05dd9 b8010000c0 mov eax,0C0000001h
b9d05dde c3 ret

As shown above, this function will keep copying data to an array allocated in .data section of the driver which has a size of 0x800 bytes, until it finds a NULL byte which defines the end of an ASCII string, just like an inlined strcpy function. Since the function does not validate further the size of the data to copy against the size of the array, we are able to keep copying data that we fully control and overwrite other data and function pointers used by other functions.

Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-8956/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.


###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company, 
registered in England in accordance with the Companies 
Act under number 02763799. The registered office 
address of Portcullis Computer Security Limited is: 
Portcullis House, 2 Century Court, Tolpits Lane, Watford, 
United Kingdom, WD18 9RS.  
The information in this email is confidential and may be 
legally privileged. It is intended solely for the addressee. 
Any opinions expressed are those of the individual and 
do not represent the opinion of the organisation. Access 
to this email by persons other than the intended recipient 
is strictly prohibited.
If you are not the intended recipient, any disclosure, 
copying, distribution or other action taken or omitted to be 
taken in reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice 
contained in this email is subject to the terms and 
conditions expressed in the applicable Portcullis Computer 
Security Limited terms of business.
###############################################################

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal.
#####################################################################################