Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16819
HistoryApr 24, 2007 - 12:00 a.m.

[Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation

2007-04-2400:00:00
vulners.com
19
JSON
      CHECK POINT ZONE LABS  PRODUCTS

MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Rubйn Santamarta <[email protected]>

04.20.2007
Affected products:

  • ZoneAlarm (Srescan.sys v 5.0.155 and earlier )

Srescan.sys is exposed through the following Dos Device:“\\.\SreScan”.
Restricted accounts ,including guest users, can access privileged
IOCTLs implemented within the driver affected.
In addition to this potential risk factor, the driver does not validate
user-mode buffers in Type3 , thus leading to local privilege escalation
due to arbitrary Kernel memory overwrite.

DosDevice: \\.\Srescan
Driver: srescan.sys Version: 5.0.83.0

------------------------- IOCTL 0x2220CF
.text:00013127 mov ecx, [ebp+arg_10]
.text:0001312A cmp dword ptr [ecx], 4 ;
.text:0001312D jnz short loc_1313F
.text:0001312F mov edx, [ebp+FileInformation]
.text:00013132 mov dword ptr [edx], 30000h ; edx
controlled
.text:00013138 xor esi, esi
.text:0001313A mov [ebp+var_1C], esi
.text:0001313D jmp short loc_1315F

------------------------- IOCTL 0x22208F
text:00014091 mov ebp, ds:ExAllocatePoolWithTag
.text:00014097 mov esi, 20000h
.text:0001409C push 31565244h ; Tag
.text:000140A1 push esi ; NumberOfBytes
.text:000140A2 push 0 ; PoolType
.text:000140A4 call ebp ; ExAllocatePoolWithTag
.text:000140A6 mov ebx, eax
.text:000140A8 test ebx, ebx
.text:000140AA jz short loc_140F3
.text:000140AC mov edi, ds:ZwQuerySystemInformation
.text:000140B2
.text:000140B2 loc_140B2: ; CODE XREF:
sub_14070+81#j
.text:000140B2 lea ecx, [esp+1Ch+ReturnLength]
.text:000140B6 push ecx ; ReturnLength
.text:000140B7 push esi ;
SystemInformationLength
.text:000140B8 push ebx ; SystemInformation
.text:000140B9 push 5 ;
SystemInformationClass
.text:000140BB call edi ; ZwQuerySystemInformation
.text:000140BD cmp eax, 0C0000023h
.text:000140C2 mov [esp+1Ch+var_4], eax
.text:000140C6 jz short loc_140D6
.text:000140C8 cmp eax, 80000005h
.text:000140CD jz short loc_140D6
.text:000140CF cmp eax, 0C0000004h
.text:000140D4 jnz short loc_14102
.text:0001411D loc_1411D: ; CODE XREF:
sub_14070+112#j
.text:0001411D mov eax, [edx+44h]
.text:00014120 test eax, eax
.text:00014122 jz short loc_1417A
[…]
.text:00014154 mov dword ptr [eax+4], 0
.text:0001415B mov esi, [edx+3Ch]
.text:0001415E lea edi, [eax+0Ch] ; edi =
OutputBuffer. Controlled
.text:00014161 mov eax, ecx
.text:00014163 shr ecx, 2
.text:00014166 rep movsd
.text:00014168 mov ecx, eax
.text:0001416A mov eax, [esp+1Ch+var_8]
.text:0001416E and ecx, 3
.text:00014171 inc eax
.text:00014172 rep movsb
.text:00014174 mov [esp+1Ch+var_8], eax
.text:00014178 mov edi, eax

Exploits
No exploits are released. Ethical security companies can contact for
requesting samples :
contact (at) reversemode (dot) com [email concealed]

References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517
http://www.reversemode.com/index.php?option=com_remository&amp;Itemid=2&amp;func=fileinfo&amp;id=48
(PDF)

Reversemode
Advanced Reverse Engineering Services
www.reversemode.com

JSON