- 1. Description:
- The pgpwded.sys kernel driver distributed with Symantec PGP Desktop contains
- an integer overflow vulnerability in the handling of IOCTL 0x80022094.
- Exploitation of this issue allows a local attacker to execute arbitrary code
- within the kernel.
- An attacker would need local access to a vulnerable computer to exploit
- this vulnerability.
- Affected application: Symantec PGP Desktop 10.2.0 Build 2599 (up-to-date).
- Affected file: pgpwded.sys version 10.2.0.2599.
- 2. Vulnerability details:
- The function at 0x10024C20 is responsible for dispatching IOCTL codes:
- .text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
- .text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6Ap
- .text:10024C20
- .text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
- .text:10024C20 var_31 = byte ptr -31h
- .text:10024C20 var_30 = dword ptr -30h
- .text:10024C20 some_var = dword ptr -2Ch
- .text:10024C20 var_28 = dword ptr -28h
- .text:10024C20 var_24 = byte ptr -24h
- .text:10024C20 var_5 = byte ptr -5
- .text:10024C20 var_4 = dword ptr -4
- .text:10024C20 ioctl = dword ptr 8
- .text:10024C20 inbuff = dword ptr 0Ch
- .text:10024C20 inbuff_size = dword ptr 10h
- .text:10024C20 outbuff_size = dword ptr 14h
- .text:10024C20 bytes_to_return = dword ptr 18h
- .text:10024C20
- .text:10024C20 push ebp
- .text:10024C21 mov ebp, esp
- .text:10024C23 sub esp, 3Ch
- .text:10024C26 mov eax, BugCheckParameter2
- .text:10024C2B xor eax, ebp
- .text:10024C2D mov [ebp+var_4], eax
- .text:10024C30 mov eax, [ebp+ioctl]
- .text:10024C33 push ebx
- .text:10024C34 mov ebx, [ebp+inbuff]
- .text:10024C37 push esi
- .text:10024C38 mov esi, [ebp+bytes_to_return]
- .text:10024C3B add eax, 7FFDDFD8h
- .text:10024C40 push edi
- .text:10024C41 mov edi, ecx
- .text:10024C43 mov [ebp+some_var], esi
- .text:10024C46 mov [ebp+var_28], 0
- .text:10024C4D cmp eax, 0A4h ; switch 165 cases
- .text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
- .text:10024C58 movzx eax, ds:byte_10025BF0[eax]
- .text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump
- [..]
- The 0x80022094 case (note that the size check at 0x10025842 below performs the same 32-bit addition of 0x30 to the caller-supplied length, so it wraps in exactly the same way as the allocation size in vuln_int_over and does not prevent the overflow):
- .text:10025823 loc_10025823: ; CODE XREF: ioctl_handler_deep+3Fj
- .text:10025823 ; DATA XREF: .text:off_10025B50o
- .text:10025823 test ebx, ebx ; jumptable 10024C5F case 108
- .text:10025825 jz loc_10025B18 ; jumptable 10024C5F default case
- .text:1002582B test esi, esi
- .text:1002582D jz loc_10025B18 ; jumptable 10024C5F default case
- .text:10025833 mov ecx, [ebp+inbuff_size]
- .text:10025836 cmp ecx, 30h ; inbuff must be greater or equal 0x30
- .text:10025839 jb loc_10025B18 ; jumptable 10024C5F default case
- .text:1002583F mov eax, [ebx+20h]
- .text:10025842 lea edx, [eax+30h]
- .text:10025845 cmp edx, ecx
- .text:10025847 ja loc_1002537E
- .text:1002584D mov ecx, [ebx+8] ; pushing DWORDs from inbuff
- .text:10025850 mov edx, [ebx+1Ch]
- .text:10025853 push eax ; size_t
- .text:10025854 lea eax, [ebx+24h]
- .text:10025857 push eax ; void *
- .text:10025858 mov eax, [ebx+18h]
- .text:1002585B push ecx ; int
- .text:1002585C mov ecx, [ebx+0Ch]
- .text:1002585F push edx ; int
- .text:10025860 push eax ; int
- .text:10025861 push ecx ; int
- .text:10025862 mov ecx, edi
- .text:10025864 call sub_10022EF0
- [..]
- .text:10022EF0 ; int __stdcall sub_10022EF0(int, int, int, int, void *, size_t)
- .text:10022EF0 sub_10022EF0 proc near ; CODE XREF: sub_10006B00+4Ap
- .text:10022EF0 ; sub_10006B60+69p ...
- .text:10022EF0
- .text:10022EF0 arg_0 = dword ptr 8
- .text:10022EF0 arg_4 = dword ptr 0Ch
- .text:10022EF0 arg_8 = dword ptr 10h
- .text:10022EF0 arg_C = dword ptr 14h
- .text:10022EF0 arg_10 = dword ptr 18h
- .text:10022EF0 arg_14 = dword ptr 1Ch
- .text:10022EF0
- .text:10022EF0 push ebp
- .text:10022EF1 mov ebp, esp
- .text:10022EF3 mov eax, [ebp+arg_14]
- .text:10022EF6 mov edx, [ebp+arg_C]
- .text:10022EF9 push esi
- .text:10022EFA push eax ; size_t
- .text:10022EFB mov eax, [ebp+arg_8]
- .text:10022EFE mov esi, ecx
- .text:10022F00 mov ecx, [ebp+arg_10]
- .text:10022F03 push ecx ; void *
- .text:10022F04 mov ecx, [ebp+arg_4]
- .text:10022F07 push edx ; int
- .text:10022F08 mov edx, [ebp+arg_0]
- .text:10022F0B push eax ; int
- .text:10022F0C push ecx ; int
- .text:10022F0D push edx ; int
- .text:10022F0E lea ecx, [esi+0FE0h]
- .text:10022F14 call vuln_int_over
- [..]
- .text:10025CB0 ; int __stdcall vuln_int_over(int, int, int, int, void *, size_t)
- .text:10025CB0 vuln_int_over proc near ; CODE XREF: sub_10022EF0+24p
- .text:10025CB0
- .text:10025CB0 arg_0 = dword ptr 8
- .text:10025CB0 arg_4 = dword ptr 0Ch
- .text:10025CB0 arg_8 = dword ptr 10h
- .text:10025CB0 arg_C = dword ptr 14h
- .text:10025CB0 arg_10 = dword ptr 18h
- .text:10025CB0 arg_14 = dword ptr 1Ch
- .text:10025CB0
- .text:10025CB0 push ebp
- .text:10025CB1 mov ebp, esp
- .text:10025CB3 push ebx
- .text:10025CB4 push esi
- .text:10025CB5 push edi
- .text:10025CB6 mov edi, [ebp+arg_14]
- .text:10025CB9 push 0 ; int
- .text:10025CBB lea eax, [edi+30h] <---- Integer overflow vulnerability!!!
- .text:10025CBE push eax ; NumberOfBytes
- .text:10025CBF mov ebx, ecx
- .text:10025CC1 call alloc_and_zero_out
- .text:10025CC6 mov esi, eax
- .text:10025CC8 test esi, esi
- .text:10025CCA jnz short loc_10025CD5
- [..]
- .text:10025CD5 loc_10025CD5: ; CODE XREF: vuln_int_over+1Aj
- .text:10025CD5 mov ecx, [ebp+arg_C]
- .text:10025CD8 mov edx, [ebp+arg_0]
- .text:10025CDB mov [esi+8], ecx
- .text:10025CDE mov [esi+0Ch], edx
- .text:10025CE1 call sub_10007980
- .text:10025CE6 mov ecx, [ebp+arg_8]
- .text:10025CE9 mov [esi+10h], eax
- .text:10025CEC mov eax, [ebp+arg_4]
- .text:10025CEF mov [esi+14h], edx
- .text:10025CF2 mov [esi+18h], eax
- .text:10025CF5 mov [esi+1Ch], ecx
- .text:10025CF8 mov [esi+20h], edi
- .text:10025CFB test edi, edi
- .text:10025CFD jz short loc_10025D10
- .text:10025CFF mov edx, [ebp+arg_10]
- .text:10025D02 push edi ; size_t
- .text:10025D03 push edx ; void *
- .text:10025D04 lea eax, [esi+24h]
- .text:10025D07 push eax ; void *
- .text:10025D08 call memcpy <---- Pool Corruption happens here