Panda Security 1.0.0.13 Arbitrary Code Execution

Panda Kernel Memory Access Driver does not validate the size of data to be copied to both an allocated kernel paged pool buffer and to an allocated non-paged pool buffer. Furthermore, the attacker has control over the start-to-copy index regarding the non-paged pool buffer which allows an attacker to corrupt a kernel object with more precision, and control the EIP via a hijacked function pointer.

Vulnerability title: Arbitrary Code Execution [PSKMAD.sys] In Panda Security - Multiple Products
CVE: CVE-2015-1438
Vendor: Panda Security
Product: Multiple Products
Affected version: 1.0.0.13
Fixed version: 15.1.0
Reported by: Kyriakos Economou

Details:

Technical Details

b5ae8cc5 8b7508 mov esi,dword ptr [ebp+8]<-- ESI input_buffer
b5ae8cc8 0fb7460c movzx eax,word ptr [esi+0Ch] <-- EAX read size of paged pool buffer to allocate from input buffer
b5ae8ccc 6685c0 test ax,ax
b5ae8ccf 7674 jbe PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
b5ae8cd1 668b4e0e mov cx,word ptr [esi+0Eh]
b5ae8cd5 668945f4 mov word ptr [ebp-0Ch],ax
b5ae8cd9 0fb7c0 movzx eax,ax
b5ae8cdc 6850534d45 push 454D5350h <-- 'PSME' pool tag
b5ae8ce1 50 push eax <-- size of paged pool buffer to allocate
b5ae8ce2 6a01 push 1 <-- indicates paged pool 
b5ae8ce4 66894df6 mov word ptr [ebp-0Ah],cx
b5ae8ce8 ff159ca6aeb5 call dword ptr [PSKMAD_b5ae4000+0x669c]={nt!ExAllocatePoolWithTag}
b5ae8cee 8945f8 mov dword ptr [ebp-8],eax
b5ae8cf1 85c0 test eax,eax
b5ae8cf3 7550 jne PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
...
b5ae8d45 8d4608 lea eax,[esi+8]
b5ae8d48 50 push eax <-- ptr to input buffer for storing the length of the returned symbolic link target
b5ae8d49 8d45f4 lea eax,[ebp-0Ch]
b5ae8d4c 50 push eax <-- ptr to uninitialized Unicode string to store symbolic link target (the paged pool buffer previously allocated)
b5ae8d4d ff36 push dword ptr [esi] <-- handle to the symbolic link object
b5ae8d4f ff1514a7aeb5 call dword ptr [PSKMAD_b5ae4000+0x6714]={nt!ZwQuerySymbolicLinkObject} <-- Heap Overflow because we control the size of the paged pool buffer that was allocated.
b5ae8d55 894604 mov dword ptr [esi+4],eax
b5ae8d58 85c0 test eax,eax
b5ae8d5a 7d09 jge PSKMAD_b5ae4000+0x4d65 (b5ae8d65)
...
b5ae8d65 0fb745f4 movzx eax,word ptr [ebp-0Ch]
b5ae8d69 50 push eax <-- EAX length of symbolic link target
b5ae8d6a 8b4610 mov eax,dword ptr [esi+10h] <-- EAX index at which to copy the symbolic link target. This has also been read from our input buffer.
b5ae8d6d ff75f8 push dword ptr [ebp-8] <-- address of paged pool buffer where the symbolic link target is stored
b5ae8d70 03c6 add eax,esi <-- ESI points to our input buffer (non paged pool).
b5ae8d72 50 push eax <-- So we control the full address of where the symbolic link target will start being copied into the buffer towards higher addresses.
b5ae8d73 e864120000 call PSKMAD_b5ae4000+0x5fdc (b5ae9fdc) <-- jmp to {nt!memcpy} <-- Heap Overflow because we can control where to start copying in the non-paged pool buffer allocated during the call to the DeviceIoControl API.
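
Added example, not the driver's or vendor's code: a C model of the copy step above with the two checks the advisory says are missing, the MaximumLength handed to nt!ZwQuerySymbolicLinkObject bounded by the pool allocation, and the copy index plus length bounded by the IOCTL buffer. The struct layout follows the input-buffer offsets in the disassembly; field names, the buffer sizes and the sample target are assumptions.

```c
/* Model of the PSKMAD IOCTL handler's copy step with the bounds checks the
 * advisory describes as missing. Added example; field names are assumed,
 * offsets follow the disassembly (+0, +4, +8, +0Ch, +0Eh, +10h). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint32_t link_handle;  /* +0   handle to the symbolic link object */
    int32_t  status;       /* +4   NTSTATUS written back by the driver */
    uint32_t returned_len; /* +8   length of the symbolic link target */
    uint16_t pool_size;    /* +0Ch size of the paged pool buffer to allocate */
    uint16_t max_len;      /* +0Eh MaximumLength placed in the UNICODE_STRING */
    uint32_t copy_index;   /* +10h offset in this buffer where the target goes */
} pskmad_req_t;            /* 20 bytes; the copied target lands after it */

/* Returns 0 after copying target_len bytes to req+copy_index, -1 if a bound
 * would be violated. req_buf_len is the IOCTL buffer length reported by the
 * I/O manager, which the original handler never consulted. */
int copy_link_target(pskmad_req_t *req, size_t req_buf_len,
                     const uint8_t *target, uint16_t target_len)
{
    if (req_buf_len < sizeof(*req)) return -1;        /* header present? */
    if (req->max_len > req->pool_size) return -1;     /* bug 1: MaximumLength > allocation */
    if (target_len > req->max_len) return -1;         /* target must fit the pool buffer */
    if (req->copy_index > req_buf_len) return -1;     /* bug 2: index outside buffer */
    if ((size_t)target_len > req_buf_len - req->copy_index)
        return -1;                                    /* ...and index+len must not overrun */
    memcpy((uint8_t *)req + req->copy_index, target, target_len);
    req->returned_len = target_len;
    req->status = 0;
    return 0;
}

/* Harness: builds a request in a constructed 64-byte buffer with the given
 * header fields and a constructed 10-byte target ("Link!" as UTF-16LE), then
 * returns copy_link_target's result, or -2 if the bytes did not land at the index. */
int try_request(size_t req_buf_len, uint16_t pool_size, uint16_t max_len,
                uint32_t copy_index, uint16_t target_len)
{
    static const uint8_t target[10] = { 'L',0,'i',0,'n',0,'k',0,'!',0 };
    uint8_t buf[64] = {0};
    pskmad_req_t *req = (pskmad_req_t *)buf;
    if (req_buf_len > sizeof buf || target_len > sizeof target) return -3;
    req->pool_size = pool_size;
    req->max_len = max_len;
    req->copy_index = copy_index;
    int rc = copy_link_target(req, req_buf_len, target, target_len);
    if (rc == 0 && memcmp(buf + copy_index, target, target_len) != 0) return -2;
    return rc;
}
```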

Impact:

An exploit can potentially use either of the two aforementioned bugs to trigger a heap overflow condition that would allow code execution with kernel privileges. However, the second heap overflow bug is much more interesting because it allows precise control of the index at which the symbolic link target returned by the nt!ZwQuerySymbolicLinkObject kernel function starts being copied.

This allows an attacker to precisely corrupt an attacker-controlled kernel object previously placed in the non-paged kernel pool by heap spraying. Part of the symbolic link target can then serve as a pointer to a predictable memory range in userland where a trampoline to the payload is stored.


Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-1438/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Source: Packet Storm Security