Symantec PGP Desktop 0day

a guest
Dec 25th, 2012
1. Description:

The pgpwded.sys kernel driver distributed with Symantec PGP Desktop contains
an arbitrary memory overwrite vulnerability in the handling of IOCTL 0x80022058.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.

Affected application: Symantec PGP Desktop 10.2.0 Build 2599 (up to date).
Affected file: pgpwded.sys version 10.2.0.2599.

2. Vulnerability details:

The function at 0x10024C20 is responsible for dispatching ioctl codes:

.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6Ap
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31 = byte ptr -31h
.text:10024C20 var_30 = dword ptr -30h
.text:10024C20 some_var = dword ptr -2Ch
.text:10024C20 var_28 = dword ptr -28h
.text:10024C20 var_24 = byte ptr -24h
.text:10024C20 var_5 = byte ptr -5
.text:10024C20 var_4 = dword ptr -4
.text:10024C20 ioctl = dword ptr 8
.text:10024C20 inbuff = dword ptr 0Ch
.text:10024C20 inbuff_size = dword ptr 10h
.text:10024C20 outbuff_size = dword ptr 14h
.text:10024C20 bytes_to_return = dword ptr 18h
.text:10024C20
.text:10024C20 push ebp
.text:10024C21 mov ebp, esp
.text:10024C23 sub esp, 3Ch
.text:10024C26 mov eax, BugCheckParameter2
.text:10024C2B xor eax, ebp
.text:10024C2D mov [ebp+var_4], eax
.text:10024C30 mov eax, [ebp+ioctl]
.text:10024C33 push ebx
.text:10024C34 mov ebx, [ebp+inbuff]
.text:10024C37 push esi
.text:10024C38 mov esi, [ebp+bytes_to_return]
.text:10024C3B add eax, 7FFDDFD8h
.text:10024C40 push edi
.text:10024C41 mov edi, ecx
.text:10024C43 mov [ebp+some_var], esi
.text:10024C46 mov [ebp+var_28], 0
.text:10024C4D cmp eax, 0A4h ; switch 165 cases
.text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
.text:10024C58 movzx eax, ds:byte_10025BF0[eax]
.text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump

[..]

0x80022058 case: no check for outbuff_size == 0! <--- FLAW!

.text:10024F5A lea ecx, [edi+958h]
.text:10024F60 call sub_100237B0
.text:10024F65 mov [ebp+some_var], eax
.text:10024F68 test eax, eax
.text:10024F6A jnz short loc_10024F7D
.text:10024F6C mov dword ptr [ebx], 0FFFFCFFAh
.text:10024F72 mov dword ptr [esi], 10h <--- bytes to copy to output buffer

Next, in IofCompleteRequest, a rep movsd will operate on a pointer that is under the attacker's control.

Due to the type of vulnerability (METHOD_BUFFERED with output_size == 0), the exploit works only on Windows XP/2k3, because in later Windows versions the I/O manager does not craft an IRP if the ioctl is METHOD_BUFFERED and output_size == 0.
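As an added illustration (not the driver's code): a user-mode C model of the 0x80022058 error path described above, with made-up stand-ins for the NT status type and constants, placed next to a hardened form that checks outbuff_size before claiming any output bytes. The function names, the 16-byte local buffer and the wrappers are assumptions for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-ins for the NT types so the model compiles in user mode. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023)

#define REPLY_BYTES      16u          /* the 0x10 stored into bytes_to_return */
#define INNER_ERROR_CODE 0xFFFFCFFAu  /* the value the disassembly stores at [ebx] */

/* Model of the error path as disassembled: after sub_100237B0 fails, an error
   code is written into the buffer and 16 output bytes are claimed without
   ever consulting outbuff_size. */
NTSTATUS case_as_disassembled(void *inbuff, size_t inbuff_size,
                              size_t outbuff_size, uint32_t *bytes_to_return)
{
    (void)inbuff_size; (void)outbuff_size;    /* the missing check */
    uint32_t code = INNER_ERROR_CODE;
    memcpy(inbuff, &code, sizeof code);
    *bytes_to_return = REPLY_BYTES;           /* I/O manager will copy this many */
    return STATUS_SUCCESS;
}

/* Hardened form: the byte count handed back must never exceed the caller's
   output length, and the handler fails closed (0 bytes) otherwise. */
NTSTATUS case_hardened(void *inbuff, size_t inbuff_size,
                       size_t outbuff_size, uint32_t *bytes_to_return)
{
    (void)inbuff_size;                        /* shared buffer is max(in, out) long */
    *bytes_to_return = 0;
    if (inbuff == NULL || outbuff_size < REPLY_BYTES)
        return STATUS_BUFFER_TOO_SMALL;
    uint32_t code = INNER_ERROR_CODE;
    memcpy(inbuff, &code, sizeof code);
    *bytes_to_return = REPLY_BYTES;
    return STATUS_SUCCESS;
}

/* Drive either variant with a constructed 16-byte buffer. */
NTSTATUS status_of(int hardened, size_t outbuff_size, uint32_t *claimed)
{
    uint8_t buf[REPLY_BYTES] = {0};
    return hardened ? case_hardened(buf, sizeof buf, outbuff_size, claimed)
                    : case_as_disassembled(buf, sizeof buf, outbuff_size, claimed);
}

uint32_t claimed_bytes(int hardened, size_t outbuff_size)
{
    uint32_t n = 0;
    (void)status_of(hardened, outbuff_size, &n);
    return n;
}
```

With outbuff_size == 0 the disassembled variant still reports 16 bytes to copy, which is exactly what the completion copy then acts on; the hardened variant reports 0 and returns STATUS_BUFFER_TOO_SMALL.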