CHECK POINT ZONE LABS PRODUCTS MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Ruben Santamarta < ruben(at)reversemode(dot)com >
08.20.2007

Affected Products: < ZoneAlarm 7.0.362

Vsdatant.sys is exposed via "\\.\vsdatant". The permissive ACL on the device object allows everyone to invoke the privileged IOCTLs implemented in the driver. The flaw exists due to insufficient validation of the user-supplied buffer pointers when the driver processes METHOD_NEITHER IOCTLs (the driver stores through them without probing). Thus an attacker can send a specially crafted I/O request in order to overwrite arbitrary kernel memory.

SymLink: \\.\vsdatant
Driver:  vsdatant.sys
Version: 6.5.737.0

IOCTL: 0x8400000F

.text:0003B417 cmp     [esp+18h+arg_14], 4      ; Output Buffer Size == 4 ?
.text:0003B41C jb      loc_3BB85                ; default
.text:0003B422 mov     eax, [esp+18h+arg_10]
.text:0003B426 test    eax, eax
.text:0003B428 jz      loc_3BB85                ; default
.text:0003B42E pop     edi
.text:0003B42F mov     dword ptr [ebx], 4
.text:0003B435 pop     esi
.text:0003B436 mov     dword ptr [eax], offset unk_60001 ; 0x60001 -> eax=controlled
.text:0003B43C pop     ebp
.text:0003B43D mov     al, 1
.text:0003B43F pop     ebx
.text:0003B440 add     esp, 8
.text:0003B443 retn    24h

IOCTL: 0x84000013

eax = ebp = controlled

.text:0003AC38 mov     eax, ebp
.text:0003AC3A xor     edx, edx
.text:0003AC3C mov     ecx, 0Ah
.text:0003AC41 mov     [eax], edx               ; FLAW
.text:0003AC43 lea     edi, [esp+3Ch+var_28]
.text:0003AC47 mov     esi, offset unk_59CC8
.text:0003AC4C mov     [eax+4], edx             ;
.text:0003AC4F mov     [eax+8], edx             ;
.text:0003AC52 mov     [eax+0Ch], edx           ;
[...]
.text:0003AD11 mov     edx, [esp+3Ch+var_2C]    ; int
.text:0003AD15 mov     eax, VirtualAddress
.text:0003AD1A push    0                        ; int
.text:0003AD1C push    edx                      ; int
.text:0003AD1D push    offset sub_16A00         ; Length
.text:0003AD22 lea     ecx, [esp+48h+var_28]    ; int
.text:0003AD26 push    eax                      ; VirtualAddress
.text:0003AD27 push    ecx                      ; int
.text:0003AD28 call    sub_33310                ; Mdl - ZwQuerySystemInformation...
.text:0003AD2D test    eax, eax
.text:0003AD2F mov     [esp+3Ch+var_28], eax
.text:0003AD33 jz      short loc_3AD97
.text:0003AD35 mov     ecx, [esp+3Ch+var_24]
.text:0003AD39 mov     edx, [esp+3Ch+var_20]
.text:0003AD3D mov     esi, [esp+3Ch+var_1C]
.text:0003AD41 mov     [ebp+0], eax             ; FLAW
.text:0003AD44 mov     [ebp+4], ecx             ;
.text:0003AD47 mov     [ebp+8], edx             ;
.text:0003AD4A test    ebx, ebx
.text:0003AD4C mov     [ebp+0Ch], esi           ;

References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53 (PDF)

----
Reversemode Advanced Reverse Engineering Services
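The listings above show the whole of the driver's validation: a length compare and a NULL test, followed by stores through the pointer the caller supplied. The C below is an added user-mode model written for this advisory (it is not vsdatant.sys code and not Check Point's fix) that puts the dispatch logic seen in the listings beside the hardened form a METHOD_NEITHER handler needs: probing the user range before any store. Assumptions, all constructed or inferred: the 32-bit default MmUserProbeAddress of 0x7FFF0000 stands in for the real kernel variable; a single fake user page at 0x00130000 stands in for the process address space, and any write landing outside it is counted as the arbitrary kernel write the advisory describes; the 16-byte width for IOCTL 0x84000013 is read off the four DWORD stores at [eax..eax+0Ch]; and the NTSTATUS returned on the listing's `default` path is a modeling choice, since the listing does not show it. The real kernel call is ProbeForWrite wrapped in __try/__except; `model_probe_for_write` reproduces its alignment, wrap-around and boundary checks in user mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NTSTATUS values (real Windows constants). */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT  0x80000002u
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* IOCTL codes taken from the advisory. */
#define IOCTL_VSDATANT_0F 0x8400000Fu
#define IOCTL_VSDATANT_13 0x84000013u

/* Model of the 32-bit x86 address split: MmUserProbeAddress is 0x7FFF0000
 * on the default 2 GB/2 GB layout; the range at or above it is kernel space. */
#define MODEL_USER_PROBE_ADDRESS 0x7FFF0000u

/* One mapped user page at a constructed virtual address. A store that lands
 * outside it stands in for a store into kernel memory (or a bugcheck). */
#define MODEL_USER_PAGE_VA 0x00130000u
#define MODEL_PAGE_SIZE    0x1000u
static uint8_t  model_user_page[MODEL_PAGE_SIZE];
static unsigned model_kernel_writes;   /* number of out-of-page stores */

/* Stand-in for a raw kernel-mode store through a user-supplied pointer. */
static void model_write32(uint32_t va, uint32_t value)
{
    if (va >= MODEL_USER_PAGE_VA && va + 4 <= MODEL_USER_PAGE_VA + MODEL_PAGE_SIZE)
        memcpy(&model_user_page[va - MODEL_USER_PAGE_VA], &value, 4);
    else
        model_kernel_writes++;         /* the arbitrary write the advisory describes */
}

uint32_t model_read32(uint32_t va)     /* test helper: read back the fake user page */
{
    uint32_t v = 0;
    if (va >= MODEL_USER_PAGE_VA && va + 4 <= MODEL_USER_PAGE_VA + MODEL_PAGE_SIZE)
        memcpy(&v, &model_user_page[va - MODEL_USER_PAGE_VA], 4);
    return v;
}

unsigned kernel_write_count(void) { return model_kernel_writes; }

/* Model of ProbeForWrite: a zero length passes; otherwise the range must be
 * aligned, must not wrap, and must end below MmUserProbeAddress. */
static uint32_t model_probe_for_write(uint32_t va, uint32_t len, uint32_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (va % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    uint32_t end = va + len;
    if (end < va || end > MODEL_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Bytes each handler stores through the output pointer: one DWORD for
 * 0x8400000F, the four DWORDs at [eax..eax+0Ch] for 0x84000013 (inferred). */
static uint32_t required_output_len(uint32_t code)
{
    switch (code) {
    case IOCTL_VSDATANT_0F: return 4;
    case IOCTL_VSDATANT_13: return 16;
    default:                return 0;
    }
}

static void do_handler_writes(uint32_t code, uint32_t out_va)
{
    if (code == IOCTL_VSDATANT_0F) {
        model_write32(out_va, 0x60001u);        /* constant seen at 0003B436 */
    } else {
        for (uint32_t i = 0; i < 16; i += 4)    /* zero-fill seen at 0003AC41.. */
            model_write32(out_va + i, 0);
    }
}

/* Only the checks visible in the listing: length >= required and non-NULL,
 * then the store. With METHOD_NEITHER the pointer is the caller's raw
 * address, so nothing stops it from pointing into kernel space. */
uint32_t vulnerable_dispatch(uint32_t code, uint32_t out_va, uint32_t out_len)
{
    uint32_t need = required_output_len(code);
    if (need == 0) return STATUS_INVALID_DEVICE_REQUEST;
    if (out_len < need || out_va == 0) return STATUS_BUFFER_TOO_SMALL;
    do_handler_writes(code, out_va);
    return STATUS_SUCCESS;
}

/* The same handler with the missing step: probe the whole range that will be
 * written (in a real driver, ProbeForWrite inside __try/__except) first. */
uint32_t hardened_dispatch(uint32_t code, uint32_t out_va, uint32_t out_len)
{
    uint32_t need = required_output_len(code);
    if (need == 0) return STATUS_INVALID_DEVICE_REQUEST;
    if (out_len < need || out_va == 0) return STATUS_BUFFER_TOO_SMALL;
    uint32_t st = model_probe_for_write(out_va, need, 4);
    if (st != STATUS_SUCCESS) return st;
    do_handler_writes(code, out_va);
    return STATUS_SUCCESS;
}

int main(void)
{
    uint32_t kernel_va = 0x80001000u;   /* constructed: a kernel-space target */
    printf("vulnerable: 0x%08X kernel writes=%u\n",
           vulnerable_dispatch(IOCTL_VSDATANT_0F, kernel_va, 4), kernel_write_count());
    printf("hardened:   0x%08X kernel writes=%u\n",
           hardened_dispatch(IOCTL_VSDATANT_0F, kernel_va, 4), kernel_write_count());
    return 0;
}
```

The probe has to cover the full width the handler will store, not just the first DWORD: a 16-byte request at 0x7FFEFFF8 starts in user space but ends inside the kernel half, and the hardened path rejects it for that reason. That range check, plus a restrictive DACL on the device object so that unprivileged callers cannot reach the IOCTL at all, is the pair of fixes this class of bug calls for.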