---------------------------------------------------------------------- Use WSUS to deploy 3rd party patches Public BETA http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: SUPERAntiSpyware Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38917 VERIFY ADVISORY: http://secunia.com/advisories/38917/ DESCRIPTION: Luka Milkovic has reported some vulnerabilities in SUPERAntiSpyware, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. 1) The SASENUM.sys kernel driver passes user-space pointers in calls to e.g. ZwQueryObject(). This can be exploited to cause a NULL-pointer dereference and crash an affected system via specially crafted IOCTLs. 2) A boundary error exists in SASKUTIL.sys when processing user-space registration requests. This can be exploited to cause a buffer overflow with process ID values and cause a system crash. 3) An error exists in SASKUTIL.sys when processing IOCTL_SABKUTIL_ZWOPENPROCESS requests. This can be exploited to corrupt kernel memory and cause a system crash via invalid parameters passed to ZwOpenProcess(). 4) The SASKUTIL.sys driver passes user-mode parameters to the ZwQueryValueKey() function. This can be exploited to overwrite arbitrary memory and potentially gain escalated privileges via a specially crafted IOCTL_SABKUTIL_QUERY_VALUE request. 5) The SASKUTIL.sys driver provides wrappers against registry and file functions. This can be exploited to read arbitrary files and registry keys, and modify arbitrary registry keys via specially crafted IOCTLs. 6) SASKUTIL.sys allows unrestricted access to the SetVistaTokenInformation() function. This can be exploited to cause a crash or gain escalated privileges via a specially crafted IOCTL_SABKUTIL_SET_VISTA_TOKEN_INFORMATION request. 7) An error in SASKUTIL.sys can be exploited to gain escalated privileges via a specially crafted IOCTL_SABKUTIL_SET_VISTA_PRIVILEGES_FOR_CURRENT_PROCESS request. The vulnerabilities are reported in version 4.33.1000. Other versions may also be affected. SOLUTION: Update to version 4.34.1000, which fixes some of the vulnerabilities. Restrict local access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Luka Milkovic ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0195.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------