
Symantec PGP Desktop 0day

Posted by a guest, Dec 25th, 2012
1.Description:

The pgpwded.sys kernel driver distributed with Symantec PGP Desktop contains
an arbitrary memory overwrite vulnerability in the handling of IOCTL 0x80022058.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker needs local access to a vulnerable computer to exploit
this vulnerability.

Affected application: Symantec PGP Desktop 10.2.0 Build 2599 (up to date at the time of writing).
Affected file: pgpwded.sys version 10.2.0.2599.

2.Vulnerability details:

The function at 0x10024C20 is responsible for dispatching IOCTL codes. The
"add eax, 7FFDDFD8h" below computes ioctl - 0x80022028, so the jump table
covers codes 0x80022028..0x800220CC (0xA4 + 1 = 165 cases) and 0x80022058
is case index 0x30:

.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near            ; CODE XREF: sub_10007520+6Ap
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31          = byte ptr -31h
.text:10024C20 var_30          = dword ptr -30h
.text:10024C20 some_var        = dword ptr -2Ch
.text:10024C20 var_28          = dword ptr -28h
.text:10024C20 var_24          = byte ptr -24h
.text:10024C20 var_5           = byte ptr -5
.text:10024C20 var_4           = dword ptr -4
.text:10024C20 ioctl           = dword ptr  8
.text:10024C20 inbuff          = dword ptr  0Ch
.text:10024C20 inbuff_size     = dword ptr  10h
.text:10024C20 outbuff_size    = dword ptr  14h
.text:10024C20 bytes_to_return = dword ptr  18h
.text:10024C20
.text:10024C20                 push    ebp
.text:10024C21                 mov     ebp, esp
.text:10024C23                 sub     esp, 3Ch
.text:10024C26                 mov     eax, BugCheckParameter2
.text:10024C2B                 xor     eax, ebp
.text:10024C2D                 mov     [ebp+var_4], eax
.text:10024C30                 mov     eax, [ebp+ioctl]
.text:10024C33                 push    ebx
.text:10024C34                 mov     ebx, [ebp+inbuff]
.text:10024C37                 push    esi
.text:10024C38                 mov     esi, [ebp+bytes_to_return]
.text:10024C3B                 add     eax, 7FFDDFD8h  ; eax = ioctl - 80022028h
.text:10024C40                 push    edi
.text:10024C41                 mov     edi, ecx
.text:10024C43                 mov     [ebp+some_var], esi
.text:10024C46                 mov     [ebp+var_28], 0
.text:10024C4D                 cmp     eax, 0A4h       ; switch 165 cases
.text:10024C52                 ja      loc_10025B18    ; jumptable 10024C5F default case
.text:10024C58                 movzx   eax, ds:byte_10025BF0[eax]
.text:10024C5F                 jmp     ds:off_10025B50[eax*4] ; switch jump

[..]

0x80022058 case: no check for outbuff_size == 0! <--- FLAW!
The byte count handed back to the I/O manager (bytes_to_return) is set to 0x10
regardless of how large the caller's output buffer actually is:

.text:10024F5A                 lea     ecx, [edi+958h]
.text:10024F60                 call    sub_100237B0
.text:10024F65                 mov     [ebp+some_var], eax
.text:10024F68                 test    eax, eax
.text:10024F6A                 jnz     short loc_10024F7D
.text:10024F6C                 mov     dword ptr [ebx], 0FFFFCFFAh ; ebx = inbuff: first dword of the METHOD_BUFFERED system buffer is overwritten
.text:10024F72                 mov     dword ptr [esi], 10h <--- bytes to copy to output buffer

On completion (IoCompleteRequest), the I/O manager copies those 0x10 bytes from
the METHOD_BUFFERED system buffer to the caller's output pointer with a rep movsd.
Because the caller passed an output length of 0, that pointer was never validated,
so the destination of the copy is under the attacker's control: an arbitrary
16-byte kernel write, 12 bytes of which come straight from the attacker's input.

Due to the type of vulnerability (METHOD_BUFFERED with output_size == 0) the
exploit works only on Windows XP/2k3, because on later Windows versions the I/O
manager does not pass a caller-controlled output pointer through for a
METHOD_BUFFERED request whose output length is 0, so the completion-time copy
cannot be aimed.
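The following is an added, user-mode C model of the bug class described above; it is not code from the advisory or from Symantec. It decodes the IOCTL with the standard CTL_CODE bit layout, reproduces the dispatcher's index arithmetic, and models the 0x80022058 handler (assuming sub_100237B0 returned 0, i.e. the success path shown) next to a hardened form that rejects an output buffer shorter than 0x10 bytes. The irp_t structure, the STATUS_BUFFER_TOO_SMALL fix, the attacker input and the simplified completion-time copy are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IOCTL from the advisory. CTL_CODE layout (certain, from the WDK macro):
 * DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define IOCTL_PGPWDED_FLAW 0x80022058u
#define METHOD_BUFFERED    0u
#define FILE_ANY_ACCESS    0u

static uint32_t ioctl_device_type(uint32_t c) { return c >> 16; }
static uint32_t ioctl_access(uint32_t c)      { return (c >> 14) & 3u; }
static uint32_t ioctl_function(uint32_t c)    { return (c >> 2) & 0xFFFu; }
static uint32_t ioctl_method(uint32_t c)      { return c & 3u; }

/* The dispatcher's "add eax, 7FFDDFD8h; cmp eax, 0A4h; ja default":
 * the add wraps exactly like the 32-bit x86 add, so this is ioctl - 0x80022028
 * with an unsigned bound of 0xA4. Returns -1 for the default case. */
static int switch_index(uint32_t ioctl) {
    uint32_t idx = ioctl + 0x7FFDDFD8u;
    return idx > 0xA4u ? -1 : (int)idx;
}

/* Constructed model of the IRP fields that matter for METHOD_BUFFERED. */
typedef struct {
    uint8_t *system_buffer;   /* kernel copy shared by input and output */
    size_t   in_len, out_len; /* lengths the caller passed to DeviceIoControl */
    uint8_t *user_buffer;     /* caller's output pointer; on XP/2k3 it reaches the
                                 completion copy unvalidated when out_len == 0 */
    size_t   information;     /* IoStatus.Information, i.e. *bytes_to_return */
    int32_t  status;
} irp_t;

/* The 0x80022058 case as disassembled (success path of sub_100237B0 assumed). */
static void handler_vulnerable(irp_t *irp) {
    memcpy(irp->system_buffer, "\xFA\xCF\xFF\xFF", 4); /* mov [ebx], 0FFFFCFFAh */
    irp->information = 0x10;                            /* mov [esi], 10h: no outbuff_size check */
    irp->status = 0;
}

/* Hardened form (an assumed fix, not Symantec's actual patch): never report
 * more output than the caller has room for. */
#define STATUS_BUFFER_TOO_SMALL ((int32_t)0xC0000023)
static void handler_fixed(irp_t *irp) {
    if (irp->out_len < 0x10) {
        irp->information = 0;
        irp->status = STATUS_BUFFER_TOO_SMALL;
        return;
    }
    memcpy(irp->system_buffer, "\xFA\xCF\xFF\xFF", 4);
    irp->information = 0x10;
    irp->status = 0;
}

/* Simplified completion-time copy (the rep movsd the advisory refers to):
 * Information bytes go from the system buffer to the caller's output pointer.
 * The NULL check stands in for later Windows versions, where no caller pointer
 * reaches this point when out_len == 0. Returns the number of bytes written. */
static size_t complete_request(irp_t *irp) {
    if (irp->information == 0 || irp->user_buffer == NULL) return 0;
    memcpy(irp->user_buffer, irp->system_buffer, irp->information);
    return irp->information;
}

/* Attacker scenario: 16 bytes of input, out_len == 0, but a non-NULL output
 * pointer aimed at `target` (standing in for an arbitrary kernel address).
 * Returns how many bytes landed at the target. */
static size_t run_scenario(void (*handler)(irp_t *), uint32_t target[4]) {
    uint8_t sysbuf[16];
    memset(sysbuf, 0x41, sizeof sysbuf);             /* constructed attacker input */
    irp_t irp = { sysbuf, sizeof sysbuf, 0, (uint8_t *)target, 0, 0 };
    handler(&irp);
    return complete_request(&irp);
}

int main(void) {
    uint32_t t1[4] = {0}, t2[4] = {0};
    printf("IOCTL %#x: type %#x func %#x method %u access %u, switch index %d\n",
           IOCTL_PGPWDED_FLAW, ioctl_device_type(IOCTL_PGPWDED_FLAW),
           ioctl_function(IOCTL_PGPWDED_FLAW), ioctl_method(IOCTL_PGPWDED_FLAW),
           ioctl_access(IOCTL_PGPWDED_FLAW), switch_index(IOCTL_PGPWDED_FLAW));
    printf("vulnerable handler wrote %zu bytes, target[0]=%#x target[1]=%#x\n",
           run_scenario(handler_vulnerable, t1), t1[0], t1[1]);
    printf("fixed handler wrote %zu bytes\n", run_scenario(handler_fixed, t2));
    return 0;
}
```

The decode shows the request is METHOD_BUFFERED with FILE_ANY_ACCESS, so the only thing standing between a caller and the handler is the ability to open the device; the hardened handler demonstrates the rule a driver must follow for this transfer type: `Information` must never exceed `outbuff_size`, because the I/O manager trusts it blindly at completion.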