Guest User

Gift for orthodox Christmas!

a guest
Jan 7th, 2013
881
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 1.Description:
  2.  
  3. The pgpwded.sys kernel driver distributed with Symantec PGP Desktop contains
  4. integer overflow vulnerability in the handling of IOCTL 0x80022094.
  5. Exploitation of this issue allows an attacker to execute arbitrary code
  6. within the kernel.
  7. An attacker would need local access to a vulnerable computer to exploit
  8. this vulnerability.
  9.  
  10. Affected application: Symantec PGP Desktop 10.2.0 Build 2599 (up-to date).
  11. Affected file: pgpwded.sys version 10.2.0.2599.
  12.  
  13. 2.Vulnerability details:
  14.  
  15. function at 0x10024C20 is responsible for dispatching ioctl codes:
  16.  
  17. .text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
  18. .text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6Ap
  19. .text:10024C20
  20. .text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
  21. .text:10024C20 var_31 = byte ptr -31h
  22. .text:10024C20 var_30 = dword ptr -30h
  23. .text:10024C20 some_var = dword ptr -2Ch
  24. .text:10024C20 var_28 = dword ptr -28h
  25. .text:10024C20 var_24 = byte ptr -24h
  26. .text:10024C20 var_5 = byte ptr -5
  27. .text:10024C20 var_4 = dword ptr -4
  28. .text:10024C20 ioctl = dword ptr 8
  29. .text:10024C20 inbuff = dword ptr 0Ch
  30. .text:10024C20 inbuff_size = dword ptr 10h
  31. .text:10024C20 outbuff_size = dword ptr 14h
  32. .text:10024C20 bytes_to_return = dword ptr 18h
  33. .text:10024C20
  34. .text:10024C20 push ebp
  35. .text:10024C21 mov ebp, esp
  36. .text:10024C23 sub esp, 3Ch
  37. .text:10024C26 mov eax, BugCheckParameter2
  38. .text:10024C2B xor eax, ebp
  39. .text:10024C2D mov [ebp+var_4], eax
  40. .text:10024C30 mov eax, [ebp+ioctl]
  41. .text:10024C33 push ebx
  42. .text:10024C34 mov ebx, [ebp+inbuff]
  43. .text:10024C37 push esi
  44. .text:10024C38 mov esi, [ebp+bytes_to_return]
  45. .text:10024C3B add eax, 7FFDDFD8h
  46. .text:10024C40 push edi
  47. .text:10024C41 mov edi, ecx
  48. .text:10024C43 mov [ebp+some_var], esi
  49. .text:10024C46 mov [ebp+var_28], 0
  50. .text:10024C4D cmp eax, 0A4h ; switch 165 cases
  51. .text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
  52. .text:10024C58 movzx eax, ds:byte_10025BF0[eax]
  53. .text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump
  54.  
  55. [..]
  56.  
  57. 0x80022094 case:
  58.  
  59. .text:10025823 loc_10025823: ; CODE XREF: ioctl_handler_deep+3Fj
  60. .text:10025823 ; DATA XREF: .text:off_10025B50o
  61. .text:10025823 test ebx, ebx ; jumptable 10024C5F case 108
  62. .text:10025825 jz loc_10025B18 ; jumptable 10024C5F default case
  63. .text:1002582B test esi, esi
  64. .text:1002582D jz loc_10025B18 ; jumptable 10024C5F default case
  65. .text:10025833 mov ecx, [ebp+inbuff_size]
  66. .text:10025836 cmp ecx, 30h ; inbuff must be greater or equal 0x30
  67. .text:10025839 jb loc_10025B18 ; jumptable 10024C5F default case
  68. .text:1002583F mov eax, [ebx+20h]
  69. .text:10025842 lea edx, [eax+30h]
  70. .text:10025845 cmp edx, ecx
  71. .text:10025847 ja loc_1002537E
  72. .text:1002584D mov ecx, [ebx+8] ; pushing DWORDs from inbuff
  73. .text:10025850 mov edx, [ebx+1Ch]
  74. .text:10025853 push eax ; size_t
  75. .text:10025854 lea eax, [ebx+24h]
  76. .text:10025857 push eax ; void *
  77. .text:10025858 mov eax, [ebx+18h]
  78. .text:1002585B push ecx ; int
  79. .text:1002585C mov ecx, [ebx+0Ch]
  80. .text:1002585F push edx ; int
  81. .text:10025860 push eax ; int
  82. .text:10025861 push ecx ; int
  83. .text:10025862 mov ecx, edi
  84. .text:10025864 call sub_10022EF0
  85.  
  86. [..]
  87.  
  88. .text:10022EF0 ; int __stdcall sub_10022EF0(int, int, int, int, void *, size_t)
  89. .text:10022EF0 sub_10022EF0 proc near ; CODE XREF: sub_10006B00+4Ap
  90. .text:10022EF0 ; sub_10006B60+69p ...
  91. .text:10022EF0
  92. .text:10022EF0 arg_0 = dword ptr 8
  93. .text:10022EF0 arg_4 = dword ptr 0Ch
  94. .text:10022EF0 arg_8 = dword ptr 10h
  95. .text:10022EF0 arg_C = dword ptr 14h
  96. .text:10022EF0 arg_10 = dword ptr 18h
  97. .text:10022EF0 arg_14 = dword ptr 1Ch
  98. .text:10022EF0
  99. .text:10022EF0 push ebp
  100. .text:10022EF1 mov ebp, esp
  101. .text:10022EF3 mov eax, [ebp+arg_14]
  102. .text:10022EF6 mov edx, [ebp+arg_C]
  103. .text:10022EF9 push esi
  104. .text:10022EFA push eax ; size_t
  105. .text:10022EFB mov eax, [ebp+arg_8]
  106. .text:10022EFE mov esi, ecx
  107. .text:10022F00 mov ecx, [ebp+arg_10]
  108. .text:10022F03 push ecx ; void *
  109. .text:10022F04 mov ecx, [ebp+arg_4]
  110. .text:10022F07 push edx ; int
  111. .text:10022F08 mov edx, [ebp+arg_0]
  112. .text:10022F0B push eax ; int
  113. .text:10022F0C push ecx ; int
  114. .text:10022F0D push edx ; int
  115. .text:10022F0E lea ecx, [esi+0FE0h]
  116. .text:10022F14 call vuln_int_over
  117.  
  118. [..]
  119.  
  120. .text:10025CB0 ; int __stdcall vuln_int_over(int, int, int, int, void *, size_t)
  121. .text:10025CB0 vuln_int_over proc near ; CODE XREF: sub_10022EF0+24p
  122. .text:10025CB0
  123. .text:10025CB0 arg_0 = dword ptr 8
  124. .text:10025CB0 arg_4 = dword ptr 0Ch
  125. .text:10025CB0 arg_8 = dword ptr 10h
  126. .text:10025CB0 arg_C = dword ptr 14h
  127. .text:10025CB0 arg_10 = dword ptr 18h
  128. .text:10025CB0 arg_14 = dword ptr 1Ch
  129. .text:10025CB0
  130. .text:10025CB0 push ebp
  131. .text:10025CB1 mov ebp, esp
  132. .text:10025CB3 push ebx
  133. .text:10025CB4 push esi
  134. .text:10025CB5 push edi
  135. .text:10025CB6 mov edi, [ebp+arg_14]
  136. .text:10025CB9 push 0 ; int
  137. .text:10025CBB lea eax, [edi+30h] <---- Integer overflow vulnerability!!!
  138. .text:10025CBE push eax ; NumberOfBytes
  139. .text:10025CBF mov ebx, ecx
  140. .text:10025CC1 call alloc_and_zero_out
  141. .text:10025CC6 mov esi, eax
  142. .text:10025CC8 test esi, esi
  143. .text:10025CCA jnz short loc_10025CD5
  144.  
  145. [..]
  146.  
  147. .text:10025CD5 loc_10025CD5: ; CODE XREF: vuln_int_over+1Aj
  148. .text:10025CD5 mov ecx, [ebp+arg_C]
  149. .text:10025CD8 mov edx, [ebp+arg_0]
  150. .text:10025CDB mov [esi+8], ecx
  151. .text:10025CDE mov [esi+0Ch], edx
  152. .text:10025CE1 call sub_10007980
  153. .text:10025CE6 mov ecx, [ebp+arg_8]
  154. .text:10025CE9 mov [esi+10h], eax
  155. .text:10025CEC mov eax, [ebp+arg_4]
  156. .text:10025CEF mov [esi+14h], edx
  157. .text:10025CF2 mov [esi+18h], eax
  158. .text:10025CF5 mov [esi+1Ch], ecx
  159. .text:10025CF8 mov [esi+20h], edi
  160. .text:10025CFB test edi, edi
  161. .text:10025CFD jz short loc_10025D10
  162. .text:10025CFF mov edx, [ebp+arg_10]
  163. .text:10025D02 push edi ; size_t
  164. .text:10025D03 push edx ; void *
  165. .text:10025D04 lea eax, [esi+24h]
  166. .text:10025D07 push eax ; void *
  167. .text:10025D08 call memcpy <---- Pool Corruption happens here
RAW Paste Data